"Paul R. Santa-Maria" writes: > You must give my disassembler at least one address of valid code to > start with. In my Monitor example, I told the disassembler to use the > NMI, RESET, and IRQ pointers to valid code. > > It traces the code. Whenever it finds a JMP, JSR, or branch > instruction, it saves the destination address in a list. > > Whenever it finds a JMP, RTS, RTI, BRK, BRA, or illegal opcode it > stops disassembling and gets an address from the destination list to > continues disassembling. When it needs another address but the list > is empty, then it is done. It goes back through all the data it > collected and writes a disassembly listing to disk. This is what I generally refer to as a "flow-tracing" disassembler. I've written probably nearly a dozen of these over the years, including a particularly complicated one for the Renesas (formerly Hitachi) SH RISC processors. I've spent some time enhancing and maintaining a flow-tracing disassembler for the 6502 which was originally written by Robert Bond: http://www.brouhaha.com/~eric/software/dis6502/ It's written in C and tested on Linux, though it should be fairly portable.