Disassemblers

Disassemblers are tools used to look at the low-level code of a program, whether it was compiled from a high-level language or written directly in a low-level language. As part of analysis, deadlisting and recognizing the blocks of code help to build up a picture of the program's behavior. It is then easier to identify only the code blocks that need to be thoroughly debugged, without running through the whole program code:

  • IDA Pro: A popular tool used in the software security industry to disassemble various low-level languages built on the x86 and ARM architectures. It has a wide list of features. It can generate a graphical flow of code, showing code blocks and branching. It also has scripting that can be used to parse through the code and disassemble it into more meaningful information. IDA Pro has an extended plugin, called Hex-Rays, that is capable of mapping assembly code to its equivalent C source or syntax. The free version of IDA Pro can be downloaded from https://www.hex-rays.com/products/ida/support/download_freeware.shtml.

  • Radare: Available on Windows, Linux, and macOS, this open source tool shows the disassembled equivalent of a given program. It has a command-line interface view, but there are existing plugins that can show it using the computer's browser. Radare's source can be downloaded and built from https://github.com/radare/radare2. Information on how to install binaries can be found at its website, available at https://rada.re.
  • Capstone: This is an open source disassembly and decompiler engine. The engine is used by many disassembly and decompiler tools, such as Snowman. Information about this tool can be found at https://www.capstone-engine.org/.
  • Hopper: A disassembly tool for Linux and macOS operating systems. It has an interface similar to IDA Pro's and is capable of debugging using GDB.
  • BEYE: Also known as Binary EYE, this is a hex viewer and editing tool with the addition of a disassembly view mode. BEYE is available for Windows and Linux. It can be downloaded from https://sourceforge.net/projects/beye/.
  • HIEW: Also known as Hacker's View, this tool is similar to BEYE, but has better information output for PE files. The paid version of HIEW has more features supporting a lot of file types and machine architectures.