Disassembly of executable code revisited

Benjamin Schwarz, Saumya K Debray, Gregory Andrews

Research output: Chapter in Book/Report/Conference proceedingConference contribution

118 Citations (Scopus)

Abstract

Machine code disassembly routines form a fundamental component of software systems that statically analyze or modify executable programs, e.g., reverse engineering systems, static binary translators, and link-time optimizers. The task of disassembly is complicated by indirect jumps and the presence of non-executable data - jump tables, alignment bytes, etc. - in the instruction stream. Existing disassembly algorithms are not always able to cope successfully with executable files containing such features, and they fail silently - i.e., produce incorrect disassemblies without any indication that the results they are producing are incorrect. In this paper we examine two commonly-used disassembly algorithms and illustrate their shortcomings. We propose a hybrid approach that performs better than these algorithms in the sense that it is able to detect situations where the disassembly may be incorrect and limit the extent of such disassembly errors. Experimental results indicate that the algorithm is quite effective: the amount of code flagged as incurring disassembly errors is usually quite small.

Original languageEnglish (US)
Title of host publicationProceedings - Working Conference on Reverse Engineering, WCRE
PublisherIEEE Computer Society
Pages45-54
Number of pages10
Volume2002-January
ISBN (Print)0769517994
DOIs
StatePublished - 2002
Event9th Working Conference on Reverse Engineering, WCRE 2002 - Richmond, United States
Duration: Oct 29 2002Nov 1 2002

Other

Other9th Working Conference on Reverse Engineering, WCRE 2002
CountryUnited States
CityRichmond
Period10/29/0211/1/02

Fingerprint

Reverse engineering

Keywords

  • Assembly
  • Computer science
  • Information analysis
  • Joining processes
  • Libraries
  • Reverse engineering
  • Software systems

ASJC Scopus subject areas

  • Software

Cite this

Schwarz, B., Debray, S. K., & Andrews, G. (2002). Disassembly of executable code revisited. In Proceedings - Working Conference on Reverse Engineering, WCRE (Vol. 2002-January, pp. 45-54). [1173063] IEEE Computer Society. https://doi.org/10.1109/WCRE.2002.1173063

Disassembly of executable code revisited. / Schwarz, Benjamin; Debray, Saumya K; Andrews, Gregory.

Proceedings - Working Conference on Reverse Engineering, WCRE. Vol. 2002-January IEEE Computer Society, 2002. p. 45-54 1173063.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Schwarz, B, Debray, SK & Andrews, G 2002, Disassembly of executable code revisited. in Proceedings - Working Conference on Reverse Engineering, WCRE. vol. 2002-January, 1173063, IEEE Computer Society, pp. 45-54, 9th Working Conference on Reverse Engineering, WCRE 2002, Richmond, United States, 10/29/02. https://doi.org/10.1109/WCRE.2002.1173063
Schwarz B, Debray SK, Andrews G. Disassembly of executable code revisited. In Proceedings - Working Conference on Reverse Engineering, WCRE. Vol. 2002-January. IEEE Computer Society. 2002. p. 45-54. 1173063 https://doi.org/10.1109/WCRE.2002.1173063
Schwarz, Benjamin ; Debray, Saumya K ; Andrews, Gregory. / Disassembly of executable code revisited. Proceedings - Working Conference on Reverse Engineering, WCRE. Vol. 2002-January IEEE Computer Society, 2002. pp. 45-54
@inproceedings{9859662fc13b4913a839056174f88a90,
title = "Disassembly of executable code revisited",
abstract = "Machine code disassembly routines form a fundamental component of software systems that statically analyze or modify executable programs, e.g., reverse engineering systems, static binary translators, and link-time optimizers. The task of disassembly is complicated by indirect jumps and the presence of non-executable data - jump tables, alignment bytes, etc. - in the instruction stream. Existing disassembly algorithms are not always able to cope successfully with executable files containing such features, and they fail silently - i.e., produce incorrect disassemblies without any indication that the results they are producing are incorrect. In this paper we examine two commonly-used disassembly algorithms and illustrate their shortcomings. We propose a hybrid approach that performs better than these algorithms in the sense that it is able to detect situations where the disassembly may be incorrect and limit the extent of such disassembly errors. Experimental results indicate that the algorithm is quite effective: the amount of code flagged as incurring disassembly errors is usually quite small.",
keywords = "Assembly, Computer science, Information analysis, Joining processes, Libraries, Reverse engineering, Software systems",
author = "Benjamin Schwarz and Debray, {Saumya K} and Gregory Andrews",
year = "2002",
doi = "10.1109/WCRE.2002.1173063",
language = "English (US)",
isbn = "0769517994",
volume = "2002-January",
pages = "45--54",
booktitle = "Proceedings - Working Conference on Reverse Engineering, WCRE",
publisher = "IEEE Computer Society",

}

TY - GEN

T1 - Disassembly of executable code revisited

AU - Schwarz, Benjamin

AU - Debray, Saumya K

AU - Andrews, Gregory

PY - 2002

Y1 - 2002

N2 - Machine code disassembly routines form a fundamental component of software systems that statically analyze or modify executable programs, e.g., reverse engineering systems, static binary translators, and link-time optimizers. The task of disassembly is complicated by indirect jumps and the presence of non-executable data - jump tables, alignment bytes, etc. - in the instruction stream. Existing disassembly algorithms are not always able to cope successfully with executable files containing such features, and they fail silently - i.e., produce incorrect disassemblies without any indication that the results they are producing are incorrect. In this paper we examine two commonly-used disassembly algorithms and illustrate their shortcomings. We propose a hybrid approach that performs better than these algorithms in the sense that it is able to detect situations where the disassembly may be incorrect and limit the extent of such disassembly errors. Experimental results indicate that the algorithm is quite effective: the amount of code flagged as incurring disassembly errors is usually quite small.

AB - Machine code disassembly routines form a fundamental component of software systems that statically analyze or modify executable programs, e.g., reverse engineering systems, static binary translators, and link-time optimizers. The task of disassembly is complicated by indirect jumps and the presence of non-executable data - jump tables, alignment bytes, etc. - in the instruction stream. Existing disassembly algorithms are not always able to cope successfully with executable files containing such features, and they fail silently - i.e., produce incorrect disassemblies without any indication that the results they are producing are incorrect. In this paper we examine two commonly-used disassembly algorithms and illustrate their shortcomings. We propose a hybrid approach that performs better than these algorithms in the sense that it is able to detect situations where the disassembly may be incorrect and limit the extent of such disassembly errors. Experimental results indicate that the algorithm is quite effective: the amount of code flagged as incurring disassembly errors is usually quite small.

KW - Assembly

KW - Computer science

KW - Information analysis

KW - Joining processes

KW - Libraries

KW - Reverse engineering

KW - Software systems

UR - http://www.scopus.com/inward/record.url?scp=79958700553&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79958700553&partnerID=8YFLogxK

U2 - 10.1109/WCRE.2002.1173063

DO - 10.1109/WCRE.2002.1173063

M3 - Conference contribution

AN - SCOPUS:79958700553

SN - 0769517994

VL - 2002-January

SP - 45

EP - 54

BT - Proceedings - Working Conference on Reverse Engineering, WCRE

PB - IEEE Computer Society

ER -