How do I disassemble raw 16-bit x86 machine code?

#1
I'd like to disassemble the MBR (first 512 bytes) of a bootable x86 disk that I have. I have copied the MBR to a file using

dd if=/dev/my-device of=mbr bs=512 count=1

Any suggestions for a Linux utility that can disassemble the file `mbr`?

#2
I like `ndisasm` for this purpose. It comes with the NASM assembler, which is free and open source and included in the package repositories of most Linux distros.

#3
The GNU tool is called **objdump**, for example:

objdump -D -b binary -m i8086 <file>

#4
You can use objdump. According to this article the syntax is:

objdump -D -b binary -mi386 -Maddr16,data16 mbr

#5
ndisasm -b16 -o7c00h -a -s7c3eh mbr

**Explanation** - from ndisasm manpage

- `-b` = Specifies 16-, 32- or 64-bit mode. The default is 16-bit mode.
- `-o` = Specifies the notional load address for the file. This option causes ndisasm to get the addresses it lists down the left hand margin, and the target addresses of PC-relative jumps and calls, right.
- `-a` = Enables automatic (or intelligent) sync mode, in which ndisasm will attempt to guess where synchronisation should be performed, by means of examining the target addresses of the relative jumps and calls it disassembles.
- `-s` = Manually specifies a synchronisation address, such that ndisasm will not output any machine instruction which encompasses bytes on both sides of the address. Hence the instruction which starts at that address will be correctly disassembled.
- `mbr` = The file to be disassembled.

#6
starblue and hlovdal both have parts of the canonical answer. If you want to disassemble raw i8086 code, you usually want Intel syntax, not AT&T syntax, too, so use:

objdump -D -Mintel,i8086 -b binary -m i386 mbr.bin
objdump -D -Mintel,i386 -b binary -m i386 foo.bin # for 32-bit code
objdump -D -Mintel,x86-64 -b binary -m i386 foo.bin # for 64-bit code

If your code is ELF (or a.out (or (E)COFF)), you can use the short form:

objdump -D -Mintel,i8086 a.out # disassembles the entire file
objdump -d -Mintel,i8086 a.out # disassembles only code sections

For 32-bit or 64-bit code, omit the `,i8086`; the ELF header already includes this information.

`ndisasm`, as suggested by jameslin, is also a good choice, but `objdump` usually comes with the OS and can deal with all architectures supported by GNU binutils (superset of those supported by GCC), and its output can usually be fed into GNU `as` (ndisasm's can usually be fed into `nasm` though, of course).

Peter Cordes suggests that "Agner Fog's objconv is very nice. It puts labels on branch targets, making it a lot easier to figure out what the code does. It can disassemble into NASM, YASM, MASM, or AT&T (GNU) syntax."

Multimedia Mike already found out about `--adjust-vma`; the `ndisasm` equivalent is the `-o` option.

To disassemble, say, `sh4` code (I used one binary from Debian to test), use this with GNU binutils (almost all other disassemblers are limited to one platform, such as x86 with `ndisasm` and `objconv`):

objdump -D -b binary -m sh -EL x

The `-m` is the machine, and `-EL` means Little Endian (for `sh4eb` use `-EB` instead), which is relevant for architectures that exist in either endianness.
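As an added illustration of the `-o`/`--adjust-vma` and `-s` behaviour described in the answers above (example code written for this page, not code from the thread, from ndisasm or from binutils): a toy decoder for a handful of 16-bit opcodes, run on constructed sample bytes. It shows that the same bytes list different addresses and resolved relative-jump targets depending on the origin, and that a sync address stops an instruction from being decoded across a known code boundary.

```python
import struct

# Added example, not code from the thread: a toy decoder for a few 16-bit x86
# opcodes, enough to show what ndisasm -o / -s (objdump --adjust-vma) change.
REGS16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
SIMPLE = {0x90: "nop", 0xF4: "hlt", 0xFA: "cli", 0xFB: "sti", 0xC3: "ret"}

def decode16(code, origin=0, sync=()):
    """Decode `code` as 16-bit code loaded at `origin`; returns a list of
    (address, hex bytes, text). Unknown bytes become `db`. An instruction
    that would straddle an address in `sync` is emitted as a single `db`
    so that decoding re-aligns at that address (like ndisasm -s)."""
    out, ip = [], 0
    while ip < len(code):
        start, op = ip, code[ip]
        ip += 1
        if op in SIMPLE:
            text = SIMPLE[op]
        elif 0xB8 <= op <= 0xBF and ip + 2 <= len(code):   # mov r16, imm16
            imm = struct.unpack_from("<H", code, ip)[0]; ip += 2
            text = f"mov {REGS16[op - 0xB8]},0x{imm:x}"
        elif op == 0xEB and ip + 1 <= len(code):            # jmp short rel8
            rel = struct.unpack_from("<b", code, ip)[0]; ip += 1
            text = f"jmp short 0x{(origin + ip + rel) & 0xFFFF:x}"
        elif op == 0xE8 and ip + 2 <= len(code):            # call rel16
            rel = struct.unpack_from("<h", code, ip)[0]; ip += 2
            text = f"call 0x{(origin + ip + rel) & 0xFFFF:x}"
        elif op == 0xEA and ip + 4 <= len(code):            # jmp far seg:off
            off, seg = struct.unpack_from("<HH", code, ip); ip += 4
            text = f"jmp 0x{seg:x}:0x{off:x}"
        elif op == 0xCD and ip + 1 <= len(code):            # int imm8
            text = f"int 0x{code[ip]:x}"; ip += 1
        else:
            text = f"db 0x{op:02x}"
        # Targets above come from origin + next ip: that is what -o / --adjust-vma sets.
        if any(origin + start < s < origin + ip for s in sync):
            text, ip = f"db 0x{op:02x}", start + 1
        out.append((origin + start, code[start:ip].hex(), text))
    return out

# Constructed bytes (not a real MBR): cli; mov ax,0x7c00; call +3; jmp $; hlt; int 0x13; ret
BOOT = bytes.fromhex("fa b8 00 7c e8 03 00 eb fe f4 cd 13 c3")
# Constructed bytes where a data byte 0xB8 sits between a short jump and its target.
MIXED = bytes.fromhex("eb 01 b8 fa f4")

if __name__ == "__main__":
    for addr, raw, text in decode16(BOOT, 0x7C00):   # compare with origin 0
        print(f"{addr:08X}  {raw:<10} {text}")
    print(decode16(MIXED), decode16(MIXED, sync={3}), sep="\n")
```

Without the sync address the data byte `0xB8` is swallowed as the start of a `mov ax,imm16`, which is the mis-alignment that `-s` (or `-a`) exists to prevent.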