Disassembly

Disassembly Interface

The Disassembly window provides powerful x86-64 disassembly capabilities for analyzing executable code within memory regions. It transforms raw machine code into human-readable assembly instructions with advanced filtering, modification, and navigation features for reverse engineering tasks.

Features

Code Analysis

  • Multi-Region Support: Disassemble entire memory regions or individual pages
  • PE-Aware Processing: Intelligently handles PE sections, focusing on executable code segments
  • Import Resolution: Automatically resolves and displays imported function names from system libraries
  • Cross-References: Shows memory addresses, module offsets, and resolved symbol information

Interactive Assembly Editing

  • Live Instruction Modification: Edit assembly instructions directly in the interface
  • Byte-Level Editing: Modify raw instruction bytes with hex input
  • NOP Operations: Quickly disable instructions by replacing them with NOP operations
  • Undo System: Revert modifications with Ctrl+Z functionality

Advanced Filtering

  • Multi-Criteria Search: Filter by addresses, mnemonics, operands, or registers
  • Case-Insensitive Options: Flexible text matching for instruction patterns
  • Real-Time Results: Instant filtering with match count display
  • Configurable Criteria: Customize which instruction components to include in searches
  • Address Jumping: Direct navigation to specific memory addresses (press Enter after inputting an address in the textbox)
  • Multi-Selection: Select individual instructions or ranges with Ctrl/Shift
  • Bookmark Integration: Add frequently referenced addresses to bookmarks
  • Memory Browser Integration: Jump directly from disassembly to hex editor

How It Works

The disassembly engine operates through several processes:

Disassembly Process

  • Memory Region Analysis: Automatically detects executable sections within selected regions
  • Instruction Decoding: Uses the Zydis disassembly library for accurate x86-64 instruction parsing
  • Token Colorization: Applies syntax highlighting to different instruction components
  • Cross-Page Handling: Manages instructions that span across memory page boundaries

PE Section Processing

For executable modules, the disassembler:

  • Identifies and processes only executable PE sections
  • Skips non-executable sections (.data, .rdata, etc.) to focus on code
  • Maintains proper address mapping between virtual and physical memory locations
  • Resolves module-relative offsets for better code analysis
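The section selection and offset formatting described above can be reproduced offline with a short script. This is an added example, not the tool's own code: the function names, the module name sample.exe, the base address and the header-only sample image are all constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE/COFF section flag: section can be executed

def executable_sections(image: bytes):
    """Return (name, rva, virtual_size) for every section flagged executable."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    (count,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    found = []
    for off in range(table, table + 40 * count, 40):  # 40-byte section headers
        name, vsize, rva = struct.unpack_from("<8sII", image, off)
        (flags,) = struct.unpack_from("<I", image, off + 36)
        if flags & IMAGE_SCN_MEM_EXECUTE:
            found.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize))
    return found

def module_offset(module, base, sections, address):
    """Format address as Module+0xOffset if it lies in an executable section, else None."""
    rva = address - base
    for _name, start, size in sections:
        if start <= rva < start + size:
            return f"{module}+0x{rva:X}"
    return None

def build_sample_image():
    """Constructed header-only image: .text is executable, .rdata and .data are not."""
    def section(name, vsize, rva, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, 0, 0, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)  # x64, 3 sections
    optional = b"\0" * 240                                         # placeholder, not parsed here
    return (dos + b"PE\0\0" + coff + optional
            + section(b".text", 0x2000, 0x1000, 0x60000020)
            + section(b".rdata", 0x1000, 0x3000, 0x40000040)
            + section(b".data", 0x1000, 0x4000, 0xC0000040))

if __name__ == "__main__":
    secs = executable_sections(build_sample_image())
    print(secs, module_offset("sample.exe", 0x140000000, secs, 0x140001234))
```

Addresses that fall in .rdata or .data return None here, mirroring the way non-executable sections are skipped before disassembly.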

Import Resolution

  • Integrates with the system's import lookup functionality
  • Displays resolved function names for external API calls
  • Highlights imported functions with distinctive visual indicators
  • Provides context for understanding code functionality

User Interface

Main Table Columns

Column       | Description
Index        | Sequential instruction numbering with selection indicators
Address      | Virtual memory address of each instruction
Offset       | Module-relative offset (Module+0xOffset format)
Bytes        | Raw machine code bytes in hexadecimal format
Instruction  | Disassembled assembly instruction with syntax highlighting
Values       | Additional information including resolved imports and operand values

Context Menu Operations

Right-click any instruction to access:

  • Modification Options: Edit instructions or raw bytes
  • Copy Functions: Copy addresses, offsets, bytes, instructions, or complete formatted lines
  • Memory Navigation: Jump to instruction address in the hex editor
  • Bookmark Creation: Add addresses to the bookmark list for quick reference
  • NOP Operations: Replace selected instructions with NOP instructions
  • Selection Management: Clear current selection or select instruction ranges

Copy Operations

Multiple clipboard formats support different workflows:

  • Addresses Only: Copy virtual memory addresses
  • Module Offsets: Copy module-relative addresses for static analysis
  • Raw Bytes: Copy instruction bytes for shellcode analysis
  • Instructions Only: Copy assembly mnemonics and operands
  • Full Lines: Copy complete formatted lines with addresses, offsets, bytes, and instructions

Usage Tips

  • The disassembly window only operates on executable memory regions - ensure your selected region has execute permissions
  • Use the filter system to quickly locate specific instructions or patterns in large code sections
  • Take advantage of the undo system when experimenting with instruction modifications
  • Combine with the hex editor for comprehensive memory analysis by using the "Browse Memory Here" context menu option
  • Large regions may require individual page selection for performance reasons
  • The jump-to-address feature is ideal for following call targets and branch destinations
  • Use the bookmark system to mark important code locations for later reference