Disassembly view

The disassembly view is accessed using the F3 shortcut and allows you to navigate through and edit the instruction flow inside the file. You can view any data, not just data identified as code by the CFG recovery algorithm, which could prove useful against obfuscated programs and exploits. You can click on the different labels or references to follow the control flow of the program.

Note

The disassembly view only displays bytes that are present in the file. Purely virtual address space is not displayed.

Since the disassembly view is a standard view found in many other tools, we will only focus on its few less common features.

Viewing

Highlighting

CPU instructions in Malcat are grouped into categories (this is true for all architectures). The disassembly view allows you to highlight a few of these categories, in order to spot interesting patterns more easily. As in the Hexadecimal view, holding the Tab key brings up the highlight dialog, as you can see below:

[Figure hl.png: Highlighting instruction groups]

Highlighted instruction groups are automatically saved when the program exits.

Shortcut            Action
Tab (keep pressed)  Display highlighting dialog
Shift+Tab           Highlight/unhighlight all instruction groups

Augmented scroll bar

Like the Hexadecimal view, the disassembly view features an augmented scroll bar. Left of the system scrollbar, functions and data blocks are drawn using a two-color code. This gives you a lot of information and tells you where you currently are in the file, while using very little horizontal space.

Each identified function is drawn as a rectangle with a border. For big functions, you can easily judge their size relative to the total file size from the size of the rectangle. For small functions, the rectangle will be so small that you will only see the rectangle's border color. But you still get the information that only small functions are present at this location, which is also valuable.

[Figure disasm_bar.png: Making sense of the augmented scroll bar]

The second color is used for contiguous data blocks. You may want to avoid looking at these locations, or switch to one of the data views, since no identified code is present there.

Dead code / data

Code which is unreachable is still disassembled on screen, but using a dimmed color. This should allow users to quickly identify dead code. If the analysis was wrong and the code is indeed reachable, you can define a new function, see Define a new function.

[Figure fnstart.png: dead code being displayed in grey]

Note that dead code is disassembled using a different algorithm than normal code. Normal code instructions are aligned along the start of their enclosing basic block. Dead code is not aligned at all, and a heuristic is used to approximate the start of the previous instruction. For some architectures like x86, this may produce sub-optimal disassembly when navigating backward.

Opcode overlapping

[Figure overlap.png]

Local labels

Labels which are only referenced by jumps from within the current function are called local labels and are named .1, .2 … .N instead of the usual loc_XXXXX. We find this makes the disassembly more readable (in particular if you are familiar with nasm syntax) and also gives extra information to the user, i.e. whether the label is referenced from outside the current function.

[Figure local_labels.png: normal labels (left) versus smart local labels (right) in disassembly listing]

The smart label naming scheme can be turned on or off in the options dialog: Options ‣ Code view ‣ Disasm - local labels.

Opcode encoding

By clicking on any opcode, you’ll also get a detailed view of the selected instruction, showing instruction metadata and encoding details.

[Figure encoding.png]

Autocomments

Sometimes, you will see that Malcat automatically adds comments alongside some instructions. These auto-comments are only visible if no user comment has been defined at this location (cf. Add a comment). Currently two types of auto-comments are added:

  • Call auto-comments: the DNA representation of the called function is displayed (cf. DNA view). This allows you to have a peek at the function's prologue without having to put the mouse pointer over the call target.

  • Dynamic strings: if a stack string has been identified by Malcat's Dynamic strings analysis, two auto-comments will be displayed: one at the first instruction responsible for the string's initialisation, and one on the last instruction.

Note that more auto-comments types may be added in the future.

[Figure autocomment.png: auto-comment on function call]

Editing

Define a new function

If you think that Malcat's CFG reconstruction algorithm was wrong and that some data is actually a piece of code, you can create a new function: Right click ‣ Force function start. Malcat will then define a new function at this location and perform a new pass of CFG reconstruction.

[Figure fnstart.png]

User-defined functions are saved within the Malcat project file.

Add a comment

Using the context menu Right click ‣ Add comment on an address or an assembly instruction, you can add user-defined comments. Comments can be multi-line and are saved within the Malcat project file.

Shortcut  Action
m or M    Go to next/previous user coMment

Modify bytes

You can modify the bytes displayed in the disassembly view in the same way you would edit any byte in the hexadecimal view (cf. Editing bytes). Just double-click on a byte in the hexadecimal column or use the context menu Right click ‣ Edit bytes. You will enter edit mode.

When you modify bytes, the disassembly listing is updated as you type. This allows you to quickly patch an instruction. Note that while the disassembly is updated, the analysis of the program (e.g. CFG reconstruction) is not. Hit Ctrl+R or use the menu Analysis ‣ Reanalyse current file when you are done to reanalyse the file.

Shortcut      Action
Insert        Enter/leave edit mode
Double-click  Enter edit mode
Esc           Leave edit mode

Selecting and advanced operations

Selecting instructions

In addition to selecting opcode bytes in the hexadecimal column (as you would in the Hexadecimal view, see Selecting), you can directly select opcodes from within the disassembly view using the mouse. Just click on an opcode and move your mouse. You can also click on the first opcode you want to select and then Shift+Click on the last opcode you want to select.

[Figure asmsel.gif: Opcode selection and copy to the clipboard]

Selecting bytes in the hexadecimal column will select the corresponding opcodes and vice-versa. Also note that the selection is synchronized across all views. For more information regarding selection, see Working with the selection.

Shortcut                  Action
LeftClick (keep pressed)  Mouse select
LeftClick                 Select byte/nibble and set start of selection
Shift+LeftClick           Set end of selection
Ctrl+LeftClick            Exclude byte/nibble and set start of exclusion pattern
Shift+Ctrl+LeftClick      Set end of exclusion pattern
Ctrl+A                    Select everything

Copy to the clipboard

If you want to export a subset of the disassembly listing (up to 10000 instructions), you can select the instructions you want to copy followed by the shortcut Ctrl+C or the context menu Copy As ‣ Hexadecimal + disassembly (see above).

The selected disassembly listing will be put into the clipboard with exactly the same layout as in the disassembly view. Note that both a text version and an HTML version are put into the clipboard. The raw bytes are also saved into the clipboard using the alternative mimetype application/octet-stream, so you can paste the data into another view (or another compatible software).

Shortcut  Action
Ctrl+C    Copy disassembly listing to the clipboard

Add opcodes to a Yara rule

When carefully chosen, a small machine code snippet can go a long way in improving the quality of a Yara rule. Select the instructions you want in the disassembly view and choose from the context menu: Selection ‣ Add selection to yara ‣ Add to Yara rule XXX (disassembly).

[Figure asm2yara.png: Adding disassembly listing to a Yara rule]

The selected bytes will be added to the current Yara rule as a hexadecimal pattern. The pattern will be prefixed by a large comment showing the actual machine-code representation of these bytes, which should greatly improve the rule's maintainability.
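As an added illustration (not Malcat's own code; the comment layout and the Yara string name are assumptions), the script below turns a constructed x86-32 disassembly selection into a commented Yara hex string. It goes one step beyond the page by wildcarding bytes that encode addresses (the imm32 of push and the rel32 of call), and checks the resulting pattern against the original bytes and against a relocated copy of the same code.

```python
import re
from dataclasses import dataclass

@dataclass
class Insn:
    addr: int
    code: bytes
    text: str
    wild: tuple = ()  # (offset, length) ranges within code to wildcard, e.g. imm32/rel32 addresses

# Constructed x86-32 listing (not taken from any real sample).
LISTING = [
    Insn(0x401000, bytes.fromhex("55"), "push ebp"),
    Insn(0x401001, bytes.fromhex("8bec"), "mov ebp, esp"),
    Insn(0x401003, bytes.fromhex("6800204000"), "push 0x402000", wild=((1, 4),)),
    Insn(0x401008, bytes.fromhex("e8f3ffffff"), "call sub_401000", wild=((1, 4),)),
    Insn(0x40100d, bytes.fromhex("83c404"), "add esp, 4"),
]

def tokens(insn, wildcard=True):
    """Hex tokens for one instruction; '??' for bytes inside a wildcarded range."""
    masked = {i for off, ln in insn.wild for i in range(off, off + ln)} if wildcard else set()
    return ["??" if i in masked else f"{b:02X}" for i, b in enumerate(insn.code)]

def hex_pattern(listing, wildcard=True):
    """The Yara hex string body, e.g. '55 8B EC 68 ?? ?? ?? ?? ...'."""
    return " ".join(t for i in listing for t in tokens(i, wildcard))

def yara_string(listing, name="code", wildcard=True):
    """Commented Yara string: the listing as comment lines, then the hex pattern (layout assumed)."""
    lines = [f"        // {i.addr:08X}  {' '.join(f'{b:02X}' for b in i.code):<16} {i.text}"
             for i in listing]
    lines.append(f"        ${name} = {{ {hex_pattern(listing, wildcard)} }}")
    return "\n".join(lines)

def pattern_matches(pattern, blob):
    """Check a Yara-style hex pattern (plain bytes and ?? only) against raw bytes."""
    rx = b"".join(b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in pattern.split())
    return re.search(rx, blob, re.DOTALL) is not None

if __name__ == "__main__":
    print(yara_string(LISTING))
```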