Is it possible to decompile a Windows exe Or at least view the Assembly

Question

A friend of mine downloaded some malware from Facebook  and I m curious to see what it does without infecting myself  I know that you can t really decompile an  exe  but can I at least view it in Assembly or attach a debugger    Edit to say it is not a  NET executable  no CLI header

User · Answer

What you want is a type of software called a  Disassembler    Quick google yields this  Link

User · Answer

Sure  have a look at IDA Pro   They offer an eval version so you can try it out

User · Answer

If you have no time  submit the malware to cwsandbox    http   www cwsandbox org   http   jon oberheide org blog 2008 01 15 detecting-and-evading-cwsandbox   HTH

User · Answer

psoul s excellent post answers to your question so I won t replicate his good work  but I feel it d help to explain why this is at once a perfectly valid but also terribly silly question  After all  this is a place to learn  right   Modern computer programs are produced through a series of conversions  starting with the input of a human-readable body of text instructions  called  source code   and ending with a computer-readable body of instructions  called alternatively  binary  or  machine code     The way that a computer runs a set of machine code instructions is ultimately very simple  Each action a processor can take  e g   read from memory  add two values  is represented by a numeric code  If I told you that the number 1 meant scream and the number 2 meant giggle  and then held up cards with either 1 or 2 on them expecting you to scream or giggle accordingly  I would be using what is essentially the same system a computer uses to operate   A binary file is just a set of those codes  usually call  op codes   and the information   arguments   that the op codes act on   Now  assembly language is a computer language where each command word in the language represents exactly one op-code on the processor  There is a direct 1 1 translation between an assembly language command and a processor op-code  This is why coding assembly for an x386 processor is different than coding assembly for an ARM processor   Disassembly is simply this  a program reads through the binary  the machine code   replacing the op-codes with their equivalent assembly language commands  and outputs the result as a text file  It s important to understand this  if your computer can read the binary  then you can read the binary too  either manually with an op-code table in your hand  ick  or through a disassembler   Disassemblers have some new tricks and all  but it s important to understand that a disassembler is ultimately a search and replace mechanism  Which is why any EULA which forbids it is ultimately blowing hot air  You can t at once permit the computer reading the program data and also forbid the computer reading the program data    Don t get me wrong  there have been attempts to do so  They work as well as DRM on song files    However  there are caveats to the disassembly approach  Variable names are non-existent  such a thing doesn t exist to your CPU  Library calls are confusing as hell and often require disassembling further binaries  And assembly is hard as hell to read in the best of conditions   Most professional programmers can t sit and read assembly language without getting a headache  For an amateur it s just not going to happen   Anyway  this is a somewhat glossed-over explanation  but I hope it helps  Everyone can feel free to correct any misstatements on my part  it s been a while

User · Answer

You may get some information viewing it in assembly  but I think the easiest thing to do is fire up a virtual machine and see what it does  Make sure you have no open shares or anything like that that it can jump through though

User · Answer

You can use dotPeek  very good for decompile exe file  It is free    https   www jetbrains com decompiler

User · Answer

x64dbg is a good and open source debugger that is actively maintained

User · Answer

Boomerang may also be worth checking out

User · Answer

psoul s excellent post answers to your question so I won t replicate his good work  but I feel it d help to explain why this is at once a perfectly valid but also terribly silly question  After all  this is a place to learn  right   Modern computer programs are produced through a series of conversions  starting with the input of a human-readable body of text instructions  called  source code   and ending with a computer-readable body of instructions  called alternatively  binary  or  machine code     The way that a computer runs a set of machine code instructions is ultimately very simple  Each action a processor can take  e g   read from memory  add two values  is represented by a numeric code  If I told you that the number 1 meant scream and the number 2 meant giggle  and then held up cards with either 1 or 2 on them expecting you to scream or giggle accordingly  I would be using what is essentially the same system a computer uses to operate   A binary file is just a set of those codes  usually call  op codes   and the information   arguments   that the op codes act on   Now  assembly language is a computer language where each command word in the language represents exactly one op-code on the processor  There is a direct 1 1 translation between an assembly language command and a processor op-code  This is why coding assembly for an x386 processor is different than coding assembly for an ARM processor   Disassembly is simply this  a program reads through the binary  the machine code   replacing the op-codes with their equivalent assembly language commands  and outputs the result as a text file  It s important to understand this  if your computer can read the binary  then you can read the binary too  either manually with an op-code table in your hand  ick  or through a disassembler   Disassemblers have some new tricks and all  but it s important to understand that a disassembler is ultimately a search and replace mechanism  Which is why any EULA which forbids it is ultimately blowing hot air  You can t at once permit the computer reading the program data and also forbid the computer reading the program data    Don t get me wrong  there have been attempts to do so  They work as well as DRM on song files    However  there are caveats to the disassembly approach  Variable names are non-existent  such a thing doesn t exist to your CPU  Library calls are confusing as hell and often require disassembling further binaries  And assembly is hard as hell to read in the best of conditions   Most professional programmers can t sit and read assembly language without getting a headache  For an amateur it s just not going to happen   Anyway  this is a somewhat glossed-over explanation  but I hope it helps  Everyone can feel free to correct any misstatements on my part  it s been a while

User · Answer

Any decent debugger can do this  Try OllyDbg   edit  which has a great disassembler that even decodes the parameters to WinAPI calls

User · Answer

psoul s excellent post answers to your question so I won t replicate his good work  but I feel it d help to explain why this is at once a perfectly valid but also terribly silly question  After all  this is a place to learn  right   Modern computer programs are produced through a series of conversions  starting with the input of a human-readable body of text instructions  called  source code   and ending with a computer-readable body of instructions  called alternatively  binary  or  machine code     The way that a computer runs a set of machine code instructions is ultimately very simple  Each action a processor can take  e g   read from memory  add two values  is represented by a numeric code  If I told you that the number 1 meant scream and the number 2 meant giggle  and then held up cards with either 1 or 2 on them expecting you to scream or giggle accordingly  I would be using what is essentially the same system a computer uses to operate   A binary file is just a set of those codes  usually call  op codes   and the information   arguments   that the op codes act on   Now  assembly language is a computer language where each command word in the language represents exactly one op-code on the processor  There is a direct 1 1 translation between an assembly language command and a processor op-code  This is why coding assembly for an x386 processor is different than coding assembly for an ARM processor   Disassembly is simply this  a program reads through the binary  the machine code   replacing the op-codes with their equivalent assembly language commands  and outputs the result as a text file  It s important to understand this  if your computer can read the binary  then you can read the binary too  either manually with an op-code table in your hand  ick  or through a disassembler   Disassemblers have some new tricks and all  but it s important to understand that a disassembler is ultimately a search and replace mechanism  Which is why any EULA which forbids it is ultimately blowing hot air  You can t at once permit the computer reading the program data and also forbid the computer reading the program data    Don t get me wrong  there have been attempts to do so  They work as well as DRM on song files    However  there are caveats to the disassembly approach  Variable names are non-existent  such a thing doesn t exist to your CPU  Library calls are confusing as hell and often require disassembling further binaries  And assembly is hard as hell to read in the best of conditions   Most professional programmers can t sit and read assembly language without getting a headache  For an amateur it s just not going to happen   Anyway  this is a somewhat glossed-over explanation  but I hope it helps  Everyone can feel free to correct any misstatements on my part  it s been a while

User · Answer

I d say in 2019  Ghidra  https   ghidra-sre org   is worth checking out  It s open source  and free   and has phenomenal code analysis capabilities  including the ability to decompile all the way back to fairly readable C code

User · Answer

If you want to run the program to see what it does without infecting your computer  use with a virtual machine like VMWare or Microsoft VPC  or a program that can sandbox the program like SandboxIE

User · Answer

What you want is a type of software called a  Disassembler    Quick google yields this  Link

User · Answer

The explorer suite can do what you want

User · Answer

The explorer suite can do what you want

User · Answer

What you want is a type of software called a  Disassembler    Quick google yields this  Link

User · Answer

With a debugger you can step through the program assembly interactively  With a disassembler  you can view the program assembly in more detail  With a decompiler  you can turn a program back into partial source code  assuming you know what it was written in  which you can find out with free tools such as PEiD - if the program is packed  you ll have to unpack it first OR Detect-it-Easy if you can t find PEiD anywhere  DIE has a strong developer community on github currently   Debuggers   OllyDbg  free  a fine 32-bit debugger  for which you can find numerous user-made plugins and scripts to make it all the more useful  WinDbg  free  a quite capable debugger by Microsoft  WinDbg is especially useful for looking at the Windows internals  since it knows more about the data structures than other debuggers  SoftICE  SICE to friends  Commercial and development stopped in 2006  SoftICE is kind of a hardcore tool that runs beneath the operating system  and halts the whole system when invoked   SoftICE is still used by many professionals  although might be hard to obtain and might not work on some hardware  or software - namely  it will not work on Vista or NVIDIA gfx cards    Disassemblers   IDA Pro commercial  - top of the line disassembler debugger  Used by most professionals  like malware analysts etc  Costs quite a few bucks though  there exists free version  but it is quite quite limited  W32Dasm free  - a bit dated but gets the job done  I believe W32Dasm is abandonware these days  and there are numerous user-created hacks to add some very useful functionality  You ll have to look around to find the best version   Decompilers   Visual Basic  VB Decompiler  commercial  produces somewhat identifiable bytecode  Delphi  DeDe  free  produces good quality source code  C  HexRays  commercial  a plugin for IDA Pro by the same company  Produces great results but costs a big buck  and won t be sold to just anyone  or so I hear    NET C    dotPeek  free  decompiles  NET 1 0-4 5 assemblies to C   Support for  dll   exe   zip   vsix   nupkg  and  winmd files   Some related tools that might come handy in whatever it is you re doing are resource editors such as ResourceHacker  free  and a good hex editor such as Hex Workshop  commercial   Additionally  if you are doing malware analysis  or use SICE   I wholeheartedly suggest running everything inside a virtual machine  namely VMware Workstation  In the case of SICE  it will protect your actual system from BSODs  and in the case of malware  it will protect your actual system from the target program  You can read about malware analysis with VMware here  Personally  I roll with Olly  WinDbg  amp  W32Dasm  and some smaller utility tools  Also  remember that disassembling or even debugging other people s software is usually against the EULA in the very least

User · Answer

Sure  have a look at IDA Pro   They offer an eval version so you can try it out

User · Answer

What you want is a type of software called a  Disassembler    Quick google yields this  Link

User · Answer

Boomerang may also be worth checking out

User · Answer

You can use dotPeek  very good for decompile exe file  It is free    https   www jetbrains com decompiler

User · Answer

Good news  IDA Pro is actually free for its older versions now  http   www hex-rays com idapro idadownfreeware htm

User · Answer

If you want to run the program to see what it does without infecting your computer  use with a virtual machine like VMWare or Microsoft VPC  or a program that can sandbox the program like SandboxIE

User · Answer

If you have no time  submit the malware to cwsandbox    http   www cwsandbox org   http   jon oberheide org blog 2008 01 15 detecting-and-evading-cwsandbox   HTH

User · Answer

With a debugger you can step through the program assembly interactively  With a disassembler  you can view the program assembly in more detail  With a decompiler  you can turn a program back into partial source code  assuming you know what it was written in  which you can find out with free tools such as PEiD - if the program is packed  you ll have to unpack it first OR Detect-it-Easy if you can t find PEiD anywhere  DIE has a strong developer community on github currently   Debuggers   OllyDbg  free  a fine 32-bit debugger  for which you can find numerous user-made plugins and scripts to make it all the more useful  WinDbg  free  a quite capable debugger by Microsoft  WinDbg is especially useful for looking at the Windows internals  since it knows more about the data structures than other debuggers  SoftICE  SICE to friends  Commercial and development stopped in 2006  SoftICE is kind of a hardcore tool that runs beneath the operating system  and halts the whole system when invoked   SoftICE is still used by many professionals  although might be hard to obtain and might not work on some hardware  or software - namely  it will not work on Vista or NVIDIA gfx cards    Disassemblers   IDA Pro commercial  - top of the line disassembler debugger  Used by most professionals  like malware analysts etc  Costs quite a few bucks though  there exists free version  but it is quite quite limited  W32Dasm free  - a bit dated but gets the job done  I believe W32Dasm is abandonware these days  and there are numerous user-created hacks to add some very useful functionality  You ll have to look around to find the best version   Decompilers   Visual Basic  VB Decompiler  commercial  produces somewhat identifiable bytecode  Delphi  DeDe  free  produces good quality source code  C  HexRays  commercial  a plugin for IDA Pro by the same company  Produces great results but costs a big buck  and won t be sold to just anyone  or so I hear    NET C    dotPeek  free  decompiles  NET 1 0-4 5 assemblies to C   Support for  dll   exe   zip   vsix   nupkg  and  winmd files   Some related tools that might come handy in whatever it is you re doing are resource editors such as ResourceHacker  free  and a good hex editor such as Hex Workshop  commercial   Additionally  if you are doing malware analysis  or use SICE   I wholeheartedly suggest running everything inside a virtual machine  namely VMware Workstation  In the case of SICE  it will protect your actual system from BSODs  and in the case of malware  it will protect your actual system from the target program  You can read about malware analysis with VMware here  Personally  I roll with Olly  WinDbg  amp  W32Dasm  and some smaller utility tools  Also  remember that disassembling or even debugging other people s software is usually against the EULA in the very least

User · Answer

If you have no time  submit the malware to cwsandbox    http   www cwsandbox org   http   jon oberheide org blog 2008 01 15 detecting-and-evading-cwsandbox   HTH

User · Answer

Good news  IDA Pro is actually free for its older versions now  http   www hex-rays com idapro idadownfreeware htm

User · Answer

If you are just trying to figure out what a malware does  it might be much easier to run it under something like the free tool Process Monitor which will report whenever it tries to access the filesystem  registry  ports  etc     Also  using a virtual machine like the free VMWare server is very helpful for this kind of work  You can make a  clean  image  and then just go back to that every time you run the malware

User · Answer

psoul s excellent post answers to your question so I won t replicate his good work  but I feel it d help to explain why this is at once a perfectly valid but also terribly silly question  After all  this is a place to learn  right   Modern computer programs are produced through a series of conversions  starting with the input of a human-readable body of text instructions  called  source code   and ending with a computer-readable body of instructions  called alternatively  binary  or  machine code     The way that a computer runs a set of machine code instructions is ultimately very simple  Each action a processor can take  e g   read from memory  add two values  is represented by a numeric code  If I told you that the number 1 meant scream and the number 2 meant giggle  and then held up cards with either 1 or 2 on them expecting you to scream or giggle accordingly  I would be using what is essentially the same system a computer uses to operate   A binary file is just a set of those codes  usually call  op codes   and the information   arguments   that the op codes act on   Now  assembly language is a computer language where each command word in the language represents exactly one op-code on the processor  There is a direct 1 1 translation between an assembly language command and a processor op-code  This is why coding assembly for an x386 processor is different than coding assembly for an ARM processor   Disassembly is simply this  a program reads through the binary  the machine code   replacing the op-codes with their equivalent assembly language commands  and outputs the result as a text file  It s important to understand this  if your computer can read the binary  then you can read the binary too  either manually with an op-code table in your hand  ick  or through a disassembler   Disassemblers have some new tricks and all  but it s important to understand that a disassembler is ultimately a search and replace mechanism  Which is why any EULA which forbids it is ultimately blowing hot air  You can t at once permit the computer reading the program data and also forbid the computer reading the program data    Don t get me wrong  there have been attempts to do so  They work as well as DRM on song files    However  there are caveats to the disassembly approach  Variable names are non-existent  such a thing doesn t exist to your CPU  Library calls are confusing as hell and often require disassembling further binaries  And assembly is hard as hell to read in the best of conditions   Most professional programmers can t sit and read assembly language without getting a headache  For an amateur it s just not going to happen   Anyway  this is a somewhat glossed-over explanation  but I hope it helps  Everyone can feel free to correct any misstatements on my part  it s been a while

User · Answer

Sure  have a look at IDA Pro   They offer an eval version so you can try it out

User · Answer

If you are just trying to figure out what a malware does  it might be much easier to run it under something like the free tool Process Monitor which will report whenever it tries to access the filesystem  registry  ports  etc     Also  using a virtual machine like the free VMWare server is very helpful for this kind of work  You can make a  clean  image  and then just go back to that every time you run the malware

User · Answer

You may get some information viewing it in assembly  but I think the easiest thing to do is fire up a virtual machine and see what it does  Make sure you have no open shares or anything like that that it can jump through though

User · Answer

Any decent debugger can do this  Try OllyDbg   edit  which has a great disassembler that even decodes the parameters to WinAPI calls

User · Answer

Sure  have a look at IDA Pro   They offer an eval version so you can try it out

User · Answer

Good news  IDA Pro is actually free for its older versions now  http   www hex-rays com idapro idadownfreeware htm

User · Answer

Good news  IDA Pro is actually free for its older versions now  http   www hex-rays com idapro idadownfreeware htm

User · Answer

Boomerang may also be worth checking out

User · Answer

If you are just trying to figure out what a malware does  it might be much easier to run it under something like the free tool Process Monitor which will report whenever it tries to access the filesystem  registry  ports  etc     Also  using a virtual machine like the free VMWare server is very helpful for this kind of work  You can make a  clean  image  and then just go back to that every time you run the malware

User · Answer

x64dbg is a good and open source debugger that is actively maintained

User · Answer

With a debugger you can step through the program assembly interactively  With a disassembler  you can view the program assembly in more detail  With a decompiler  you can turn a program back into partial source code  assuming you know what it was written in  which you can find out with free tools such as PEiD - if the program is packed  you ll have to unpack it first OR Detect-it-Easy if you can t find PEiD anywhere  DIE has a strong developer community on github currently   Debuggers   OllyDbg  free  a fine 32-bit debugger  for which you can find numerous user-made plugins and scripts to make it all the more useful  WinDbg  free  a quite capable debugger by Microsoft  WinDbg is especially useful for looking at the Windows internals  since it knows more about the data structures than other debuggers  SoftICE  SICE to friends  Commercial and development stopped in 2006  SoftICE is kind of a hardcore tool that runs beneath the operating system  and halts the whole system when invoked   SoftICE is still used by many professionals  although might be hard to obtain and might not work on some hardware  or software - namely  it will not work on Vista or NVIDIA gfx cards    Disassemblers   IDA Pro commercial  - top of the line disassembler debugger  Used by most professionals  like malware analysts etc  Costs quite a few bucks though  there exists free version  but it is quite quite limited  W32Dasm free  - a bit dated but gets the job done  I believe W32Dasm is abandonware these days  and there are numerous user-created hacks to add some very useful functionality  You ll have to look around to find the best version   Decompilers   Visual Basic  VB Decompiler  commercial  produces somewhat identifiable bytecode  Delphi  DeDe  free  produces good quality source code  C  HexRays  commercial  a plugin for IDA Pro by the same company  Produces great results but costs a big buck  and won t be sold to just anyone  or so I hear    NET C    dotPeek  free  decompiles  NET 1 0-4 5 assemblies to C   Support for  dll   exe   zip   vsix   nupkg  and  winmd files   Some related tools that might come handy in whatever it is you re doing are resource editors such as ResourceHacker  free  and a good hex editor such as Hex Workshop  commercial   Additionally  if you are doing malware analysis  or use SICE   I wholeheartedly suggest running everything inside a virtual machine  namely VMware Workstation  In the case of SICE  it will protect your actual system from BSODs  and in the case of malware  it will protect your actual system from the target program  You can read about malware analysis with VMware here  Personally  I roll with Olly  WinDbg  amp  W32Dasm  and some smaller utility tools  Also  remember that disassembling or even debugging other people s software is usually against the EULA in the very least

User · Answer

You may get some information viewing it in assembly  but I think the easiest thing to do is fire up a virtual machine and see what it does  Make sure you have no open shares or anything like that that it can jump through though

User · Answer

I can t believe nobody said nothing about Immunity Debugger  yet   Immunity Debugger is a powerful tool to write exploits  analyze malware  and reverse engineer binary files  It was initially based on Ollydbg 1 0 source code  but with names resoution bug fixed  It has a well supported Python API for easy extensibility  so you can write your python scripts to help you out on the analysis   Also  there s a good one Peter from Corelan team wrote called mona py  excelent tool btw

User · Answer

Boomerang may also be worth checking out

User · Answer

You may get some information viewing it in assembly  but I think the easiest thing to do is fire up a virtual machine and see what it does  Make sure you have no open shares or anything like that that it can jump through though

User · Answer

Any decent debugger can do this  Try OllyDbg   edit  which has a great disassembler that even decodes the parameters to WinAPI calls

User · Answer

If you are just trying to figure out what a malware does  it might be much easier to run it under something like the free tool Process Monitor which will report whenever it tries to access the filesystem  registry  ports  etc     Also  using a virtual machine like the free VMWare server is very helpful for this kind of work  You can make a  clean  image  and then just go back to that every time you run the malware

User · Answer

If you want to run the program to see what it does without infecting your computer  use with a virtual machine like VMWare or Microsoft VPC  or a program that can sandbox the program like SandboxIE

User · Answer

If you have no time  submit the malware to cwsandbox    http   www cwsandbox org   http   jon oberheide org blog 2008 01 15 detecting-and-evading-cwsandbox   HTH

User · Answer

If you want to run the program to see what it does without infecting your computer  use with a virtual machine like VMWare or Microsoft VPC  or a program that can sandbox the program like SandboxIE

User · Answer

I d say in 2019  Ghidra  https   ghidra-sre org   is worth checking out  It s open source  and free   and has phenomenal code analysis capabilities  including the ability to decompile all the way back to fairly readable C code

User · Answer

Any decent debugger can do this  Try OllyDbg   edit  which has a great disassembler that even decodes the parameters to WinAPI calls

User · Answer

With a debugger you can step through the program assembly interactively  With a disassembler  you can view the program assembly in more detail  With a decompiler  you can turn a program back into partial source code  assuming you know what it was written in  which you can find out with free tools such as PEiD - if the program is packed  you ll have to unpack it first OR Detect-it-Easy if you can t find PEiD anywhere  DIE has a strong developer community on github currently   Debuggers   OllyDbg  free  a fine 32-bit debugger  for which you can find numerous user-made plugins and scripts to make it all the more useful  WinDbg  free  a quite capable debugger by Microsoft  WinDbg is especially useful for looking at the Windows internals  since it knows more about the data structures than other debuggers  SoftICE  SICE to friends  Commercial and development stopped in 2006  SoftICE is kind of a hardcore tool that runs beneath the operating system  and halts the whole system when invoked   SoftICE is still used by many professionals  although might be hard to obtain and might not work on some hardware  or software - namely  it will not work on Vista or NVIDIA gfx cards    Disassemblers   IDA Pro commercial  - top of the line disassembler debugger  Used by most professionals  like malware analysts etc  Costs quite a few bucks though  there exists free version  but it is quite quite limited  W32Dasm free  - a bit dated but gets the job done  I believe W32Dasm is abandonware these days  and there are numerous user-created hacks to add some very useful functionality  You ll have to look around to find the best version   Decompilers   Visual Basic  VB Decompiler  commercial  produces somewhat identifiable bytecode  Delphi  DeDe  free  produces good quality source code  C  HexRays  commercial  a plugin for IDA Pro by the same company  Produces great results but costs a big buck  and won t be sold to just anyone  or so I hear    NET C    dotPeek  free  decompiles  NET 1 0-4 5 assemblies to C   Support for  dll   exe   zip   vsix   nupkg  and  winmd files   Some related tools that might come handy in whatever it is you re doing are resource editors such as ResourceHacker  free  and a good hex editor such as Hex Workshop  commercial   Additionally  if you are doing malware analysis  or use SICE   I wholeheartedly suggest running everything inside a virtual machine  namely VMware Workstation  In the case of SICE  it will protect your actual system from BSODs  and in the case of malware  it will protect your actual system from the target program  You can read about malware analysis with VMware here  Personally  I roll with Olly  WinDbg  amp  W32Dasm  and some smaller utility tools  Also  remember that disassembling or even debugging other people s software is usually against the EULA in the very least

User · Answer

I can t believe nobody said nothing about Immunity Debugger  yet   Immunity Debugger is a powerful tool to write exploits  analyze malware  and reverse engineer binary files  It was initially based on Ollydbg 1 0 source code  but with names resoution bug fixed  It has a well supported Python API for easy extensibility  so you can write your python scripts to help you out on the analysis   Also  there s a good one Peter from Corelan team wrote called mona py  excelent tool btw

[debugging] Is it possible to "decompile" a Windows .exe? Or at least view the Assembly?

Examples related to debugging

Examples related to winapi

Examples related to assembly

Examples related to decompiling