Since the compilation output of. There are many applications which can do that. My favourite is dnSpy since it's free, open source and has debugging functionalities. But under certain circumstances some information is lost during the compilation process. You would have to manually fix those errors.
For example, anonymous functions can confuse a decompiler easily. And of course, if the developer tries to protect his application, there are various techniques like obfuscation which would make your life harder.
I have been wondering, if every program is based on machine code, can we not decompile a program until it hits machine code and make it up to real programming languages? If my computer understands the processes it should take, isn't it also able to return me the steps of what it's done, values from memory, etc.?
This question is based on a false premise; namely that every program is based on machine code. Programs are typically written in high-level languages, which are by design architecture independent and therefore must be translated into an architecture-specific form in order to be executed:
Machine independence is a fairly simple concept. Basically it says that a programming language should not rely on the features of any particular instruction set for its efficient implementation. The translation of the series of statements written in a programming language in a program source file to semantically equivalent object code is accomplished by a compiler. Decompilation involves translation of architecture-dependent object code to a semantically equivalent representation (source code) that is not architecture specific, the reverse process of compilation.
Certainly, fully automated decompilation of arbitrary machine-code programs is not possible -- this problem is theoretically equivalent to the Halting Problem, an undecidable problem in Computer Science. What this means is that automatic (no expert intervention) decompilation cannot be achieved for all possible programs that are ever written. Further, even if a certain degree of success is achieved, the automatically generated program will probably lack meaningful variable and function names, as these are not normally stored in an executable file except when stored for debugging purposes.
Is Decompilation Possible? Each action a processor can take e. If I told you that the number 1 meant scream and the number 2 meant giggle, and then held up cards with either 1 or 2 on them expecting you to scream or giggle accordingly, I would be using what is essentially the same system a computer uses to operate.
A binary file is just a set of those codes (usually called "op codes") and the information ("arguments") that the op codes act on. Now, assembly language is a computer language where each command word in the language represents exactly one op-code on the processor. There is a direct translation between an assembly language command and a processor op-code. This is why coding assembly for an x processor is different than coding assembly for an ARM processor.
Disassembly is simply this: a program reads through the binary (the machine code), replacing the op-codes with their equivalent assembly language commands, and outputs the result as a text file.
It's important to understand this; if your computer can read the binary, then you can read the binary too, either manually with an op-code table in your hand (ick) or through a disassembler. Disassemblers have some new tricks and all, but it's important to understand that a disassembler is ultimately a search and replace mechanism. Which is why any EULA which forbids it is ultimately blowing hot air. You can't at once permit the computer reading the program data and also forbid the computer reading the program data.
However, there are caveats to the disassembly approach. Variable names are non-existent; such a thing doesn't exist to your CPU. Library calls are confusing as hell and often require disassembling further binaries. And assembly is hard as hell to read in the best of conditions. Most professional programmers can't sit and read assembly language without getting a headache. For an amateur it's just not going to happen.
Anyway, this is a somewhat glossed-over explanation, but I hope it helps. Everyone can feel free to correct any misstatements on my part; it's been a while.

Good news. Any decent debugger can do this. Try OllyDbg. If you are just trying to figure out what a malware does, it might be much easier to run it under something like the free tool Process Monitor, which will report whenever it tries to access the filesystem, registry, ports, etc. Also, using a virtual machine like the free VMWare server is very helpful for this kind of work.
You can make a "clean" image, and then just go back to that every time you run the malware.

Sure, have a look at IDA Pro. They offer an eval version so you can try it out. It's open source and free, and has phenomenal code analysis capabilities, including the ability to decompile all the way back to fairly readable C code.

You may get some information viewing it in assembly, but I think the easiest thing to do is fire up a virtual machine and see what it does.
Make sure you have no open shares or anything like that that it can jump through though ;).

Boomerang may also be worth checking out.

I can't believe nobody said nothing about Immunity Debugger, yet. Immunity Debugger is a powerful tool to write exploits, analyze malware, and reverse engineer binary files. It was initially based on Ollydbg 1. It has a well supported Python API for easy extensibility, so you can write your Python scripts to help you out on the analysis.
Also, there's a good one Peter from the Corelan team wrote called mona. Quick google yields this: Link.

If you want to run the program to see what it does without infecting your computer, use a virtual machine like VMWare or Microsoft VPC, or a program that can sandbox the program like SandboxIE.
The explorer suite can do what you want.

Is it possible to "decompile" a Windows. Or at least view the Assembly? Asked 13 years, 2 months ago.