Read the original article here.

---

The Forbidden Code: Understanding Binaries with Disassemblers

In the realm of "forbidden code" – the low-level techniques often omitted from standard programming curricula – understanding how software operates at its most fundamental level is paramount. While high-level languages abstract away the complexities of the machine, the ability to peer into the raw binary allows us to analyze, debug, modify, and secure code in ways not otherwise possible. This is where the disassembler becomes an indispensable tool.

What is a Disassembler? The Inverse Operation

At its core, a computer executes instructions encoded in machine language – sequences of raw binary bytes (0s and 1s). These bytes are utterly incomprehensible to humans. Programmers typically write code in higher-level languages (like C++, Python, Java) or, for performance-critical tasks or direct hardware interaction, in assembly language.

Machine Language: The lowest-level programming language, consisting of binary instructions that a computer's CPU can directly execute. It is specific to a particular processor architecture.

Assembly Language: A low-level programming language with a strong correspondence between the statements in the language and the architecture's machine code instructions. It uses mnemonic codes (like MOV, ADD, JMP) to represent machine instructions and provides limited symbolic addressing.

To turn human-readable assembly language into machine language, we use an assembler.

Assembler: A program that takes assembly language code written by a programmer and translates it into machine language (binary code) that the computer's CPU can execute.

A disassembler performs the inverse operation. It takes the binary machine code and attempts to translate it back into assembly language.

Disassembler: A computer program that translates machine language code (raw binary) back into assembly language. The output is designed for human understanding, not typically for re-assembly.

Think of it like this: if an assembler is like a compiler that goes from source code to executable binary, a disassembler is a tool that lets you peek inside that executable binary and see the closest thing to human-readable instructions.

Disassemblers vs. Decompilers

It's crucial to distinguish disassemblers from decompilers.

Decompiler: A program that attempts to translate machine language or bytecode back into a higher-level programming language (like C, C++, Java, etc.).

While both are forms of reverse engineering tools, they target different levels of abstraction. A disassembler gives you the assembly code, which is a direct, one-to-one (or close) mapping to the machine instructions. A decompiler tries to reconstruct the original logic using higher-level constructs like loops, functions, variables, and data structures, which were present in the source code but are lost during the compilation process. Decompilation is significantly harder and often less accurate than disassembly because more information is discarded when going from a high-level language to machine code. Disassembly gives you the raw instructions; decompilation tries to infer the original intent.

Why Use a Disassembler? Applications in the "Forbidden" World

The output of a disassembler isn't usually perfect assembly source code (like what went into the assembler originally). It lacks comments, meaningful variable names, and symbolic constants that a human programmer would add. Its primary purpose is reverse engineering.

Reverse Engineering: The process of analyzing a system or software to understand its structure, function, or operation, often without access to the original design specifications or source code.

In the context of "forbidden code" and low-level exploration, disassemblers are vital tools for numerous tasks:

1. Analyzing Compiler Output and Optimizations: Ever wonder exactly how a compiler translates your C++ code, or how different optimization flags affect the resulting binary? Disassembly lets you see the precise assembly instructions generated. This is invaluable for performance tuning or understanding subtle behavioral differences.

   • Example: You write a simple loop in C. Disassembling the compiled output shows you if the compiler unrolled the loop, used specific SIMD instructions, or performed other optimizations you didn't explicitly request.

2. Recovering Source Code (Partial): If the original source code for a program is lost, disassembly provides the most detailed view possible of the program's logic at the instruction level. While difficult to work with compared to source, it's often the only way to understand or recreate functionality.

3. Malware Analysis: This is one of the most critical applications in cybersecurity. Malware rarely comes with source code. Disassemblers are the primary tool for security researchers to understand exactly what a piece of malware does – how it infects a system, how it communicates, what data it steals, and how to detect or neutralize it.

   • Example: Analyzing a virus involves disassembling its code to identify malicious functions, hidden strings, system calls it makes, and persistence mechanisms.

4. Modifying Software (Binary Patching): Sometimes, you need to change the behavior of a compiled program without having the source code. Disassembly allows you to locate the specific instructions responsible for a certain action and then modify the binary bytes directly (patching) to change that behavior.

   • Example: You might disassemble a game executable to find the instruction that checks if the game is registered and then patch it to always report as registered. Or patch out a security check in a piece of software.

5. Software Cracking: Related to binary patching, disassemblers are fundamental to understanding license checks, copy protection mechanisms, and other anti-piracy measures embedded in software. By disassembling the code, crackers can identify these checks and patch them out.

In essence, disassemblers pull back the curtain on compiled code, revealing the fundamental machine instructions. This low-level visibility is powerful for deep analysis, security work, and modifying programs in ways that aren't possible by just looking at source code or running the program.

The Disassembly Process: From Bytes to Mnemonics

A disassembler reads the bytes of an executable file and translates them instruction by instruction.

• Basic Translation: For a given CPU architecture (like x86, ARM, etc.), specific byte sequences correspond to specific instructions (opcodes). The disassembler looks up these byte sequences and prints the corresponding assembly mnemonic and its operands.
• Operand Interpretation: Identifying operands (registers, memory addresses, constants) requires understanding the instruction format and the CPU architecture's addressing modes.
• Generating Output: The output is typically formatted for human readability, often showing the original byte address, the raw bytes of the instruction, the assembly instruction, and potentially other information.

What's Lost and How Tools Help:

As mentioned, source code details like original variable names, complex data structures, comments, and symbolic constants are typically removed during assembly/compilation. The raw machine code just has addresses and values.

• Lack of Context: A disassembler sees MOV EAX, [0x401000]. The original source might have been total_count = data_buffer[index];. The meaningful names total_count, data_buffer, and index are gone, replaced by registers (EAX) and memory addresses (0x401000).
• Adding Meaning: Good disassemblers provide features to help the human analyst restore some context:
  • Automatic Commenting: Some can add comments identifying known API calls (e.g., CALL 0x77A30120 might be commented as CALL kernel32.CreateFileA).
  • Symbolic Debug Information: Executables sometimes contain debugging symbols (.debug sections in ELF, PDB files on Windows). Disassemblers can parse this info to recover function names, global variable names, and even local variable stack locations, making the output much easier to understand.
  • Interactive Renaming: The most powerful feature is allowing the user to manually rename addresses (e.g., rename 0x401000 to data_buffer_start) or create custom comments based on their analysis. This human insight is critical for complex reverse engineering.

The Challenges of Disassembly: Why It's Not Always Simple

Disassembling a binary isn't just a straightforward mechanical translation. Several factors make it challenging, particularly for complex or intentionally obscured code:

1. Code vs. Data Ambiguity: A binary file is just a sequence of bytes. How does the disassembler know if a byte sequence represents an instruction or a piece of data (like a string, a number, or part of an image)?

   • File Formats: Modern executable formats like ELF (used on Linux/Unix) and PE (Portable Executable, used on Windows) divide the file into sections, often explicitly marking code sections (.text) and data sections (.data, .rdata). This helps, but isn't foolproof.
   • Flat Binaries: Older formats or raw memory dumps (flat binaries) have no such section information, making the distinction very difficult. The disassembler might misinterpret data as code or vice-versa, leading to incorrect disassembly.

   ELF (Executable and Linkable Format): A standard file format for executables, object code, shared libraries, and core dumps used widely on Unix-like operating systems (Linux, BSD, macOS). It uses sections to organize different types of data (code, data, symbols, etc.). PE (Portable Executable): The file format used by Windows executables, object code, DLLs, and other system files. Like ELF, it uses sections to structure the binary data.

2. Dynamic Control Flow: Programs don't just execute instructions linearly. They jump to different locations based on conditions, function calls, and calculated addresses.

   • Indirect Jumps/Calls: Instructions like JMP EAX or CALL [ESI+8] mean the target address is computed at runtime and stored in a register or memory location. Static disassembly (analyzing the code without running it) cannot determine the possible targets of these instructions, making it impossible to trace all potential execution paths.

3. Variable-Width Instructions: On some architectures, particularly CISC (Complex Instruction Set Computing) architectures like x86, instructions can vary in length (from 1 to 15+ bytes). If the disassembler starts parsing in the middle of an instruction due to misidentifying code or data, it will likely get out of sync, leading to incorrect disassembly for the rest of the section.

   CISC (Complex Instruction Set Computing): An architecture where single instructions can perform multiple low-level operations (like loading from memory, an arithmetic operation, and storing to memory), and instructions can have variable lengths.

4. Self-Modifying Code: Some advanced or older programs, and often malware, can modify their own instruction bytes while running. A static disassembler sees the code in its initial state and cannot account for these runtime changes, rendering its output inaccurate for the actual executed code.

5. Obfuscation, Packing, and Encryption: These techniques are specifically designed to thwart reverse engineering.

   • Packing: Compressing or encrypting the executable's code section. The original code is only unpacked/decrypted into memory when the program runs.
   • Encryption: Similar to packing, but focusing purely on making the code unreadable until decrypted at runtime.
   • Obfuscation: Transforming the code into a functionally equivalent but extremely difficult-to-understand form, often using complex control flow, junk instructions, or anti-disassembly tricks.

   Before meaningful disassembly can begin on packed, encrypted, or heavily obfuscated code, these layers must often be removed or defeated, which requires additional techniques and tools.

These challenges mean that while disassemblers provide the foundational view, a successful reverse engineering process often requires advanced analysis techniques and significant human effort to interpret the output correctly.

Types of Disassemblers and Popular Tools

Disassemblers come in different forms:

• Stand-Alone Disassemblers: These tools take a binary file as input and produce an assembly file as output in a batch process. You then examine the resulting text file.
• Interactive Disassemblers: These are much more powerful for complex analysis. They provide a graphical user interface (GUI) that displays the disassembly and allows the user to interact with it in real-time. You can:
  • Click on addresses to jump to code or data locations.
  • Define data structures.
  • Rename functions, variables, and addresses.
  • Add comments.
  • Change how sections are interpreted (code vs. data).
  • View cross-references (where a function is called from, where data is accessed).
  • Often include integrated decompilers.

Interactive disassemblers are the preferred tools for serious reverse engineering and malware analysis because they allow the analyst to apply their understanding and correct the disassembler's assumptions in real-time.

Notable Disassemblers (often used in "Forbidden" contexts):

• IDA Pro (Interactive Disassembler): Historically considered the industry standard, particularly for complex, multi-architecture binaries. Known for its powerful analysis capabilities and plugin ecosystem. (Commercial, with a free older version sometimes available).
• Ghidra: Developed by the NSA and released as open-source. A powerful, free, and increasingly popular alternative to IDA Pro, featuring integrated disassembly, decompilation, and analysis tools.
• Binary Ninja: Another powerful interactive disassembler and analysis platform. Known for its modern interface and robust API for scripting analysis tasks. (Commercial).
• Radare2 / Cutter: Radare2 is a command-line reverse engineering framework, including a disassembler. Cutter is a popular GUI built on top of Radare2, providing an interactive experience. (Open Source).
• x64dbg / OllyDbg: While primarily debuggers (allowing execution step-by-step), they include excellent integrated dynamic disassemblers, showing the code currently being executed and the state of registers and memory. Useful for dynamic analysis and defeating anti-analysis tricks. (Open Source/Freeware).
• objdump: Part of the GNU Binutils. A classic command-line disassembler often used for simpler tasks or exploring sections of ELF files. (Open Source).
• Ndisasm (Netwide Disassembler): A simple command-line disassembler accompanying the NASM assembler. (Open Source).

Choosing the right tool depends on the target architecture, the complexity of the binary, and the specific task at hand.

Dynamic Disassembly: Tracing Execution

Static disassembly analyzes the binary file without running it. Dynamic disassembly analyzes the code as it is executing.

Dynamic Disassembly: The process of disassembling instructions as they are being executed by the CPU, often provided as a feature of debuggers, emulators, or hypervisors.

This is incredibly useful because it shows the code paths actually taken, resolves dynamic jumps (by showing where the jump lands during execution), and is essential for analyzing self-modifying or packed code (as it disassembles the code after it has been unpacked/decrypted in memory).

Tools like debuggers (mentioned above) and some emulators or hypervisors integrate dynamic disassemblers to provide a step-by-step view of the program's execution, often showing register values, memory contents, and flags changing with each instruction. While generating vast amounts of output, this provides unparalleled insight into runtime behavior.

Specialized Tools: Length Disassemblers

A niche but important tool in low-level programming and reverse engineering is the length disassembler.

Length Disassembler (LDE): A tool or engine that, given a sequence of bytes starting at a specific address, determines how many bytes constitute the single instruction located at that address. It doesn't necessarily fully decode the instruction, just its length.

Why is instruction length important?

• Parsing Binaries: Knowing the length of an instruction is fundamental to parsing a continuous stream of instruction bytes correctly, especially on variable-width architectures like x86.
• Binary Patching: If you want to replace an instruction with a different one, you need to know the exact length of the original instruction and the new instruction to ensure your patch doesn't overwrite surrounding code or leave gaps.
• Instrumentation: Tools that insert code into a running program (e.g., for hooking functions or tracing) need LDEs to accurately navigate the existing instruction stream and place their hooks without corrupting the code.

Beyond Disassembly: Related Techniques

Understanding a disassembled binary often requires applying other analysis techniques:

• Control-Flow Graph (CFG): A graphical representation showing all paths that might be traversed through a program during its execution. Interactive disassemblers often generate CFGs from the disassembled code to visualize the program's logic and identify basic blocks and branches.
• Data-Flow Analysis (DFA): Analyzing how data values propagate through the program, tracking where data originates, where it's used, and how it's modified. This helps in understanding register and memory usage in the assembly code.
• Decompilation: While distinct, decompilers are often used alongside disassemblers. A typical workflow might involve using a disassembler to navigate the code, identify important functions, and then using an integrated decompiler on those functions to get a higher-level, potentially easier-to-understand pseudo-code view of the logic, bouncing between the assembly and pseudo-code as needed.

Conclusion

Disassemblers are fundamental tools for anyone venturing into the low-level world of compiled code and binary analysis, a core part of the "forbidden code" skillset. They provide the essential bridge between raw machine bytes and human-readable assembly language. While challenges exist due to the inherent ambiguities and complexities of binary code, coupled with intentional obfuscation, powerful interactive tools and dynamic analysis techniques empower analysts to uncover the secrets hidden within executables. Mastering disassembly is a crucial step towards understanding how software truly works, enabling deep analysis, security research, and advanced code manipulation.