Skip to content

diswasm - WebAssembly Decompiler & RE Cheatsheet

diswasm - WebAssembly Decompiler & RE Cheatsheet

diswasm is an open-source decompiler and reverse-engineering tool for WebAssembly (.wasm) binaries. As more application logic ships as wasm — in browsers, edge functions, plugins, and even malware — analysts need to read it. diswasm parses a wasm module, disassembles its functions, recovers structure, and produces higher-level pseudocode from the stack-machine bytecode, making it far easier to understand than raw wasm. It complements the WebAssembly Binary Toolkit (WABT) for a full wasm RE workflow.

Installation

MethodHow
From sourcegit clone https://github.com/wasmkit/diswasm && cd diswasm
Buildfollow the repo’s build steps (per language)
Companion toolspair with WABT (wasm2wat) and wasm-tools
Verifyrun against a known .wasm and inspect output

Understanding wasm First

ConceptMeaning
ModuleThe .wasm unit: functions, memory, tables, globals
Stack machinewasm executes on an operand stack (no registers)
WATWebAssembly Text format (human-readable .wat)
Sectionstype, import, function, code, data, export, …
Typesi32, i64, f32, f64 (plus reference types)

Basic Workflow

# 1) Inspect structure with WABT's disassembler
wasm2wat module.wasm -o module.wat

# 2) Decompile to pseudocode with diswasm
diswasm module.wasm > module.pseudo

# 3) Read the recovered functions and control flow
StepToolOutput
Disassemblewasm2wat (WABT).wat text (low-level)
Decompilediswasmpseudocode (higher-level)
Objdump-stylewasm-objdump (WABT)sections/opcodes

What diswasm Recovers

FeatureHelps with
Function boundariesWhere each function starts/ends
Control flowblock/loop/if reconstructed as structured code
Locals/paramsTyped variables per function
Memory opsloads/stores against linear memory
Imports/exportsHost functions called / functions exposed

Reading the Output (Triage)

SignalLook for
Imported host functionsJS/host calls (env.*) reveal capabilities
String/data sectionEmbedded constants, URLs, keys
Exported functionsThe module’s entry points
Memory growth / bulk opsUnpacking or large buffers
Indirect callsFunction-table dispatch (obfuscation)

Complementary wasm Tools

ToolRole
diswasmDecompile wasm → pseudocode
WABT (wasm2wat, wasm-objdump)Disassemble / inspect
wasm-toolsRust low-level manipulation/validation
Binaryen (wasm-dis)Compiler-grade analysis/optimization
Ghidra + wasm pluginFull RE environment

Common Workflows

# Analyze an unknown browser wasm payload
wasm2wat suspicious.wasm -o suspicious.wat   # structure
diswasm suspicious.wasm > suspicious.c       # readable logic
grep -iE "fetch|eval|XMLHttp|import" suspicious.wat  # capabilities

# Compare two versions of a wasm module
diswasm v1.wasm > v1.pseudo; diswasm v2.wasm > v2.pseudo
diff v1.pseudo v2.pseudo

diswasm vs Other Approaches

Aspectdiswasmwasm2wat (WABT)JEB (commercial)
Output levelPseudocodeLow-level WATPseudo-C decompiler
CostFree/open-sourceFree/open-sourceCommercial
Best forQuick readable decompilationFaithful disassemblyDeep, polished RE

Resources