Disassembly vs Decompiling
Readability
Requires knowing assembly and low-level knowledge of computing concepts.
Requires familiarity with programming and logic
Level of Output
The translated output is the exact instructions that the machine will perform.
The translated output is often a "best guess". The output may not be accurate, and useful information, such as variables, function names, etc., will likely be lost.
Difficulty
The difficulty can be considered higher as the machine instructions are translated into assembly.
The machine instructions are translated into a high-level language, which makes them easier to understand if you are familiar with the language the binary is written in.
Usefulness
The entire behavior of the binary can be studied given enough time.
Decompiling is a quick way to understand some of the logic of the binary.
Explanation
When reverse engineering binaries, you will employ two primary techniques.
1) Disassembling
Disassembling a binary shows the low-level machine instructions the binary will perform (you may know this as assembly). Because the output is translated machine instructions, you can see a detailed view of how the binary will interact with the system at what stage. Tools such as IDA, Ghidra, and GDB can do this.
2) Decompiling
Decompiling, however, converts the binary into its high-level code, such as C++, C#, etc., making it easier to read. However, this translation can often lose information such as variable names. This method of reverse engineering a binary is useful if you want to get a high-level understanding of the application's flow.
How to choose one or the other
There are specific circumstances where you would choose one method over the other. For example, decompiling is sometimes a "best guess" based on the tooling you've used and does not provide the actual full source code.
Last updated