Free online disassembler. Convert hex bytes (or Base64) to assembly for x86, x86-64, ARM, ARM64, RISC-V, MIPS, PowerPC, SPARC and 68K — Intel/AT&T syntax, runs entirely in your browser.
A free online disassembler that converts hex machine code to assembly directly in your browser. Paste hexadecimal bytes (or Base64), choose your architecture, and get readable assembly instantly. Supports x86, x86-64, ARM, ARM64 (AArch64), RISC-V, MIPS, PowerPC, SPARC, and Motorola 68K, with selectable modes (16/32/64-bit, ARM/Thumb), Intel or AT&T syntax, a configurable base address, and instruction-encoding breakdowns. Powered by the Capstone engine compiled to WebAssembly, it runs 100% client-side — your bytes are never uploaded. Copy or download the output as TXT or JSON, or share a permalink that reproduces the exact disassembly.
This free online disassembler turns raw machine-code bytes into human-readable assembly, right in your browser. Paste hexadecimal bytes (or Base64), pick the target CPU architecture and mode, and the tool decodes each instruction into its mnemonic, operands, and byte breakdown. The decoding engine is Capstone compiled to WebAssembly, so the same disassembler library used by professional reverse-engineering tooling runs 100% client-side — your bytes are never uploaded to a server.
Select the architecture and mode that match the code you are decoding. "Hex to assembly" only produces correct output when the architecture and bit-width are right — the same bytes disassemble to completely different instructions on x86 versus ARM.
| Architecture | Modes available |
|---|---|
| x86 / x86-64 | 16-bit, 32-bit, 64-bit |
| ARM (32-bit) | ARM, Thumb, Cortex-M |
| ARM64 (AArch64) | 64-bit |
| RISC-V | RV32, RV64 |
| MIPS | MIPS32, MIPS64, microMIPS |
| PowerPC | 32-bit, 64-bit |
| SPARC | SPARC32, SPARC V9 |
| Motorola 68K | 68000–68040 |
For x86 you can also switch between Intel syntax (mov rax, rdi) and AT&T syntax (movq %rdi, %rax) to match the toolchain you are used to.
48 89 e5, 0x48, 0x89, 0xe5, 4889e5, or \x48\x89\xe5) or switch the toggle to Base64 and paste a Base64-encoded byte string.You can also upload a binary file (.bin, .exe, .elf, .o, .dll, .so, .dylib); the tool reads it locally, detects common executable headers, and disassembles the code section.
By default the first byte is shown at address 0. Set a base address (in hex) to match where the code is actually loaded in memory — this makes relative branch and call targets resolve to meaningful addresses, which is essential when you are cross-referencing a disassembly against a debugger or a memory dump.
The tool also offers an instruction-encoding breakdown (prefixes, opcode, ModR/M, SIB, displacement) for learning how x86 instructions are built, string extraction, shellcode and packer detection, and a call-graph view for understanding control flow in larger buffers.
Every step — hex parsing, Base64 decoding, file reading, and disassembly via the Capstone WebAssembly module — runs entirely in your browser. Nothing you paste or upload is transmitted to a server, which makes this safe for analyzing untrusted or sensitive binaries.
Machine code disassembly is the process of converting binary machine code (hexadecimal bytes) back into human-readable assembly language instructions. When software is compiled, high-level source code (like C, C++, or Rust) is transformed into machine code—the raw binary instructions that processors execute directly. Disassembly reverses this process, allowing security researchers, reverse engineers, and developers to analyze compiled binaries without access to the original source code.
The disassembly process involves:
This tool uses the Capstone disassembly framework, a lightweight and powerful engine that supports multiple architectures and is widely used in professional security tools like IDA Pro, Ghidra, and radare2.
Disassemblers are essential tools across multiple domains:
Security researchers use disassemblers to analyze malicious software, understand attack techniques, and develop detection signatures. By examining the assembly code, analysts can identify shellcode, detect obfuscation techniques, and reverse-engineer malware behavior without executing it.
When source code is unavailable, disassembly allows developers to understand how proprietary software works, identify security vulnerabilities, or ensure compatibility. This is critical for legacy system maintenance, interoperability research, and vulnerability disclosure.
Capture The Flag (CTF) competitions frequently include reverse engineering challenges where participants must disassemble binaries to find hidden flags, bypass protection mechanisms, or understand exploitation techniques. Disassembly skills are fundamental for binary exploitation and pwn challenges.
Firmware reverse engineering requires disassembling compiled code from IoT devices, routers, and embedded systems. This helps identify security flaws in devices that may lack proper security updates or contain hardcoded credentials.
Students and developers learning assembly language can use disassemblers to see how compilers translate high-level code into machine instructions, understand optimization techniques, and learn how different CPU architectures handle the same operations.
Different processor architectures use distinct instruction sets, each with unique characteristics:
The most common architecture for desktop and server systems. x86-64 uses variable-length instructions (1-15 bytes), complex instruction set computing (CISC), and supports both Intel and AT&T assembly syntax. It's widely used in Windows, Linux, and macOS systems.
Dominant in mobile devices, embedded systems, and increasingly in desktop computers (Apple Silicon). ARM uses fixed-length 32-bit instructions (or 16-bit in Thumb mode), reduced instruction set computing (RISC), and is known for power efficiency. ARM64 is the 64-bit evolution with enhanced capabilities.
An open-source instruction set architecture gaining traction in embedded systems, IoT devices, and research. RISC-V emphasizes simplicity, modularity, and extensibility, making it popular for custom processor designs and educational purposes.
Historically used in routers, embedded systems, and game consoles (PlayStation). While declining in new designs, MIPS remains important for legacy device analysis and security research.
Found in older Apple computers (pre-Intel Macs), gaming consoles (PlayStation 3, Xbox 360), and embedded systems. PowerPC uses a RISC architecture with fixed-length 32-bit instructions.
Each architecture requires different disassembly approaches, as instruction encoding, registers, and calling conventions vary significantly.
x86/x86-64 assembly can be written in two main syntaxes, which differ in instruction ordering and formatting:
mov eax, 5 ; destination first, source second
add rax, rbx ; rax = rax + rbx
mov [rax], ebx ; store ebx into memory at address raxIntel syntax is more intuitive for beginners: destination comes first (like x = y in programming), and memory references use brackets without size prefixes.
movl $5, %eax ; source first, destination second
addq %rbx, %rax ; rax = rax + rbx
movl %ebx, (%rax) ; store ebx into memory at address raxAT&T syntax requires percent signs before registers, dollar signs before immediate values, and suffixes indicating operand size (b=byte, w=word, l=long, q=quad).
This tool defaults to Intel syntax but allows switching for compatibility with different tools and workflows.
Professional reverse engineering tools offer different capabilities and trade-offs:
The industry standard for professional reverse engineering. IDA Pro offers advanced features like cross-references, function recognition, automatic commenting, and the Hex-Rays decompiler (converts assembly back to C-like pseudocode). It excels at analyzing large, complex binaries and provides extensive plugin support.
Developed by the NSA and released publicly in 2019, Ghidra rivals IDA Pro in functionality while being completely free. It includes a powerful decompiler, collaborative analysis features, and strong multi-architecture support. Ghidra is ideal for large-scale analysis and team collaboration.
A command-line reverse engineering framework with a GUI frontend (Cutter). Radare2 emphasizes scriptability, debugging capabilities, and supports the widest range of architectures. It's preferred for dynamic analysis, embedded systems, and users comfortable with terminal workflows.
A modern disassembler known for its clean interface, powerful API, and intermediate language (BNIL) for analysis. Binary Ninja is popular among CTF players and security researchers who value customization and scripting.
Our tool focuses on quick, online disassembly without installation requirements. It's ideal for:
While professional tools offer deeper analysis capabilities (control flow graphs, function analysis, decompilation), this online disassembler provides instant access for focused, instruction-level analysis without the complexity or cost of full reverse engineering suites.
Follow these guidelines for effective disassembly and reverse engineering:
Always confirm the target architecture before disassembly. x86-64 uses little-endian byte ordering, while some ARM and MIPS systems use big-endian. Incorrect architecture selection produces nonsensical output.
For executable files, begin disassembly at the program entry point (often found in PE/ELF headers). For shellcode, identify the starting instruction carefully—shellcode often includes NOP sleds or position-independent code.
Not all bytes in a binary are instructions. Compilers mix code with embedded data (strings, constants, jump tables). If disassembly produces strange instructions, you may be looking at data regions.
Combine disassembly with other analysis techniques:
Professional reverse engineers maintain detailed notes about:
Only reverse engineer software where you have legal authorization:
Unauthorized reverse engineering may violate software licenses, anti-circumvention laws (DMCA), or computer fraud statutes.
A disassembler converts machine code (binary instructions) back into assembly language, the human-readable representation of CPU instructions. Unlike decompilers which attempt to produce high-level source code, disassemblers produce low-level assembly that directly corresponds to the machine code bytes.
Disassemblers are essential for reverse engineering, malware analysis, debugging compiled programs, and understanding how software works at the lowest level. They help security researchers identify vulnerabilities, analyze suspicious files, and verify that compiled code matches its intended behavior.
Learn more: Read our comprehensive guide Disassemblers Explained: Your Complete Guide to Assembly-Level Reverse Engineering to understand how disassemblers work, compare professional tools, and explore career opportunities.
This tool supports multiple processor architectures commonly encountered in reverse engineering:
For x86/x86-64, you can choose between Intel syntax (destination first) and AT&T syntax (source first).
The tool accepts machine code in multiple common formats for maximum flexibility:
4831c0bb2a00000048 31 c0 bb 2a 00 00 00\x48\x31\xc0\xbb\x2a\x00\x00\x00b"\x48\x31\xc0\xb"The tool automatically strips common formatting characters (spaces, newlines, backslashes, quotes) to process the raw bytes. For uploaded files, it attempts to detect the file format and locate executable code sections automatically.
Shellcode analysis is a primary use case for this disassembler. Follow these steps:
Obtain shellcode from exploit code, CTF challenges, or malware samples.
Most shellcode targets x86-64 or x86-32. Check register usage (RAX/RBX = 64-bit, EAX/EBX = 32-bit).
The tool accepts raw hex, byte arrays, and space-separated formats.
Common types: reverse shells, bind shells, command execution, file operations.
Deep dive: Read our comprehensive Shellcode Analysis for Security Researchers: A Complete Guide for advanced techniques, encoding methods, and real-world examples.
Yes, this tool supports uploading Windows PE files, Linux ELF binaries, macOS Mach-O executables, and raw firmware dumps.
Privacy: All processing in your browser, no server uploads.
Learn more: See our deep dive Understanding PE, ELF, and Mach-O: Executable File Format Deep Dive to understand file structures and analysis techniques.
Packed or obfuscated binaries require special handling. Many programs and malware use packers (UPX, Themida, VMProtect) that compress or encrypt the original code.
This tool includes basic detection using entropy analysis, PE section name analysis, and Detect It Easy (DiE) signatures.
Obfuscation techniques (junk instructions, control flow flattening, opaque predicates) still disassemble correctly, but the assembly will be intentionally convoluted and harder to understand.
Best Practice: Use packer identification tools first (Detect It Easy, PEiD), unpack if necessary, then proceed with disassembly.
Master unpacking: Read our comprehensive Complete Guide to Unpacking and Deobfuscating Malware for manual and automated unpacking techniques.
This tool provides several professional-grade features:
Automatically identifies PE (Windows), ELF (Linux), Mach-O (macOS) formats and extracts entry points and section headers.
Uses Detect It Easy signatures to identify common packers (UPX, Themida), compilers, and entropy analysis to detect encryption.
Scans binaries for ASCII/Unicode strings to find debugging messages, URLs, credentials, and configuration data.
Shows raw byte encoding, instruction size, memory addresses, and syntax-highlighted mnemonics.
Allows switching between 32-bit and 64-bit modes for multi-architecture malware analysis.
Toggles between Intel and AT&T syntax for x86/x86-64 compatibility.
Processes everything client-side using WebAssembly with no server uploads, making it safe for sensitive binaries and functional offline.
Paste your hexadecimal bytes into the input box (formats like "48 89 e5", "0x48, 0x89, 0xe5", "4889e5", and "\x48\x89\xe5" all work), select the target architecture and mode — for example x86 in 64-bit mode — and click Disassemble. The tool decodes each byte sequence into its assembly mnemonic and operands. Getting the architecture and bit-width right is essential: the identical hex bytes produce entirely different instructions on x86 versus ARM, so "hex to assembly" is only meaningful once you tell the disassembler which CPU the bytes are for. The whole conversion runs in your browser using the Capstone WebAssembly engine, so nothing is uploaded.
Yes. Use the Hex / Base64 toggle above the input box and switch it to Base64, then paste a Base64-encoded byte string (standard or URL-safe Base64 are both accepted). When you click Disassemble, the tool decodes the Base64 to raw bytes, converts it to hex, and disassembles it exactly as it would hex input. This is handy when your bytes come from a JSON payload, a config blob, or an API response that already encodes binary as Base64 — you do not have to convert it to hex by hand first.
They are different instruction sets and must be disassembled with the matching architecture setting. "ARM" (also called ARM32 or AArch32) covers 32-bit ARM code and includes the ARM, Thumb, and Cortex-M modes; "ARM64" (AArch64) is the 64-bit instruction set used by modern Apple Silicon, most 64-bit Android devices, and recent server chips. The same bytes decode to nonsense if you pick the wrong one, so choose ARM64 for 64-bit code and ARM (with the correct ARM/Thumb mode) for 32-bit code. Both run through the same Capstone WebAssembly engine in your browser.
By default the disassembler shows the first byte at address 0. Setting a base address (entered in hex) tells the tool where the code is actually loaded in memory, so that relative branch and call targets resolve to the real addresses instead of offsets from zero. This matters when you are matching a disassembly against a debugger, a crash dump, or a memory map — with the correct base address, a "jmp" or "call" target lines up with what you see in your other tooling. If you are just decoding a standalone snippet, you can leave it at 0.
No. Every step — parsing the hex or Base64 input, reading any uploaded binary file, and disassembling via the Capstone engine — runs entirely in your browser. Capstone is compiled to WebAssembly and loaded into the page, so the machine code you paste or the file you select never leaves your device and is never transmitted anywhere. That makes it safe for analyzing untrusted shellcode, proprietary binaries, or anything you would not want to send to a third-party server.
Yes, for x86 and x86-64. Use the Syntax selector to choose Intel syntax (destination first, e.g. "mov rax, rdi") or AT&T syntax (source first with % register prefixes and operand-size suffixes, e.g. "movq %rdi, %rax"). Pick whichever matches the toolchain you are reading alongside — Intel syntax is common in Windows/MASM and most documentation, while AT&T syntax is the default for GNU as and gdb on Linux. The syntax option appears only for x86 architectures, since the other instruction sets have a single canonical assembly form.