Disassembling
Disassembling is the process of translating an executable program
into its equivalent assembly representation.
The greatest problem in disassembling is determining what is
code (instructions) and what is data, as both are represented
in the same way in current machines.
Further, disassembling is equivalent to the Halting Problem and
hence cannot be fully automated for all input programs.
This page contains information about various commercial, shareware and
freeware disassemblers, and tools for building disassemblers.
The best two commercial disassemblers available are IDA Pro and
Sourcer.
IDA is a commercial program for disassembling a wide array of
different file types
for different processors,
written by Ilfak Guilfanov.
Binary file formats supported include: EXE, NE, LX, LE, PE, OMF and COFF.
IDA Pro has an excellent user interface, with a windowing system. It
can do automatic detection of data and code parts, and has auto-commenting
abilities.
As of IDA version 3.6, IDA now has
FLIRT:
Fast Library Identification and Recognition Technology. This technology
allows IDA to recognize standard library functions generated by
various C compilers.
IDA now also supports advanced features, such as functions and structures.
As of version v3.76, IDA Pro supports the PowerPC, AMD K6-2
3DNow!, and Pentium II instruction sets. The binary file formats
XCOFF, AIAFF and PEF (BeOS and MacOS) are also now supported.
There is partial support for PalmPilot files. Delphi 3 FLIRT
library signatures have been added too.
Version 3.8 adds support for ARM and PowerPC ELF binaries, floating
point emulation instructions, and the Zilog Z-8, Intel 80196 and
Hitachi SH-3 processors.
A one-day trial version can be downloaded. The full version costs $199.
Sourcer is a commercial program, for disassembling x86 binaries (EXE, NE
and PE); it costs $149.95.
Sourcer does a good job at automatically detecting code
and data fragments. More information can be found on their home page.
If Sourcer is used together with
Windows Source version 3 it produces lots and lots of additional
information. Windows Source can extract info from .SYM, Codeview or .DBG
files, and work is in progress on improving the Codeview support and
adding Turbo Debug Symbols.
MacNosy is a disassembler for Mac (68K and PowerPC) applications, resource
files or ROM.
ASM Trace is the disassembler by
Tels of ASM Edit.
The author wrote it because he was not happy with Sourcer.
He discontinued work on ASM Trace a while ago.
XDASM: Universal Cross Disassembler
This is a commercial disassembler for a large number of 8/16 bit processors
(except anything higher than 386) which costs $249. This disassembler
uses processor descriptions to do its work, which means you can add
your own processor descriptions.
Win32 Program Disassembler is a straight line disassembler
of Windows 32-bit executables (i.e. PE) by
Sang Cho from
South Korea. The program works in console mode (no graphical
interface) and uses the following command line:
disassem yourfile.exe > yourfile.txt
Win32PD appears to understand switch statements as it does not
get tripped up by the pointers. It also decodes Win32 API
calls. No disassembly of the data section is done, but
string statements are emitted where appropriate.
This disassembler does not support symbols in PE files.
Borg by Cronos
Borg is a freeware disassembler for Windows 32-bit binaries
(PE executables and DLLs), written to overcome some of the
limitations of other Windows 9x disassemblers.
Borg provides a simple graphical interface with pull down
menus. All output is sent to a window, which can then
be saved to an ASCII file. Borg disassembles data and
recognizes strings. It does not recognize symbols and
does not recognize statically-linked library function calls
but supports dynamically-linked function names.
Borg v1.08 includes a new option of code flow analysis, which
allows it to generate better code and give hints of high-level
control structures such as while's, do's and if's (in comments).
Its author, Paul Young (aka Cronos), implemented a simple yet
effective algorithm for structured programs. A list of
instructions that affect control flow is created and this
map is used to identify simple control structures (if's and
while's). This list is reduced, hence recognizing nested
control structures. Support for unstructured code (e.g.
a break within a loop) is not included yet.
Borg is downloadable from its web site (at the end of its page).
The current release is v1.09, which provides support for relocation
and is fully statically linked in.
disasm32 Visual Symbolic Disassembler
disasm32 is a visual symbolic disassembler for Windows95 and WindowsNT
32-bit Portable Executables (PE) (it runs under Windows95, WindowsNT or
Win32s).
This is a commercial product; the latest version is called VDasm32.exe
and it does a nice job (according to users of the software).
VDasm reads symbolic information in the CodeView (before Visual C++ 2.0),
COFF and SYM formats. (Symbolic information
is not required for the program to work.)
The commercial version can also browse and extract resources and show
anonymous exports for DLLs.
For more information, contact Jean-Louis Seigne by email or check his web site.
VXDasm Visual Disassembler for Windows95 VXD Device Drivers
VXDasm is a visual relocatable disassembler for Windows device drivers.
A demo version is downloadable from the VXDasm home page.
This program was also developed by Jean-Louis
Seigne.
WDASM 1.7b: Windows Disassembler Program
This is a shareware Windows program for disassembling Windows 3.1 programs,
written by Eric Grass.
It also includes a program called hilevel, which can transform the
assembler output in a structured assembler format, including definition
of procedures, local variables, and if-macro sections
(it is also mentioned in the
Free Compilers
list).
These Turbo C sources are written by Robin Hilliard
and are under the GNU license. As far as we know, no
automatic detection system for code and data is included.
(Dated: 4-20-93.)
obj2asm TC Source for intelligent .OBJ disassembler
This is not a disassembler of EXE or COM files, but of OBJ files,
which are sometimes distributed in LIB files, without the original
code. Because of the nature of the OBJ files, a far more accurate
disassembling can be done, with even some of the original names
of procedures and (global) variables. Sources are provided under
the GNU license. This is also from Robin Hilliard.
(Dated: 4-20-93.)
The current release of Unasource is v0.2b which is described
by its author, Francisco Javier Felix,
as a little disassembler for .com and .sys x86 binaries.
Unasource is a straight line disassembler for DOS binaries.
The long term goal for unasource is to be a full decompiler that
generates C, Cobol, Visual Basic and other source codes.
At present, it is a disassembler.
If you want to collaborate in this project, send an
email to Francisco Javier Felix.
Duncan Murdoch
maintains a page with programs for dumping the various TPU files, up
to and including version 7.0.
"Version 3.0 of DUMPPROG now is able to read Borland (Inprise) symbolic
information (also known as Turbo Debugger information) from
executables. If this is present, a much more comprehensive disassembly
listing can be obtained. As of version 3.0 DUMPPROG supports
disassembling Borland Delphi executables (PE format for 32 bit
Windows)."
Review by Stefan
Hoffmeister, who made the following readme file for version 3.00 available.
DUMPPROG version 2.1 is online at
2.1
and information about version 3.0 is available
here.
tpu2asm.zip contains a disassembler for Turbo Pascal 5 units,
and twu1.zip contains a dumper/disassembler for TP6.0 or TPW 1.0 TPUs.
AMSGEN, version 2.01
AMSGEN is a disassembler written by J. Gersbach and J. Damke.
(Appears to be freeware.) It has automatic detection of code and
data, but extra information can be provided in a .SEQ file.
ASMGSQ is a .SEQ file generator.
The program has been thoroughly tested for correctness. A test
procedure is included in the distribution.
(Dated: 11-23-90.)
Bubble: A disassembler for COM or EXE programs
Bubble is a disassembler program with automatic detection of code and
data fragments, but it can also be used interactively.
(Dated: 3-12-92.)
DIS86, Version 2.29
This is more like a step-by-step debugger, with built in disassembler.
You can walk through the code, call subroutines, and return. It keeps
some track of the contents of the registers, but not much. You can add
your own labels. It does not have automatic detection of code and data.
Written by James R. van Zandt.
(Dated: 1-1-79.)
The New Jersey Machine-Code (NJMC) Toolkit helps programmers write applications
that process machine code: assemblers,
disassemblers, code generators, tracers, profilers, and debuggers.
The NJMC Toolkit implements the
SLED
(Specification Language for Encoding and Decoding) language.
SLED specifications for the MIPS, SPARC, Pentium, Alpha and PowerPC have
been written.
Take a look at a plain vanilla
SPARC
disassembler example.
nm prints the name list (symbol table) of each object
filename in the argument list. If an argument is an
archive, a listing for each object file in the archive will
be produced. If no filename is given, the symbols in a.out
are listed.
Copyright © 1998
The University of Queensland,
All Rights Reserved.