debugging - Is it possible to "decompile" a Windows .exe? Or at least view the Assembly? - Stack Overflow
How do I decompile a .NET EXE into readable C# source code? - Stack Overflow
Found this exedecompiler.com website. Does anybody know it? Is it worth it?
How do you decompile game exes and modify them?
Videos
So i found this website called exedecompiler.com that has a few services like code modification or development, and a service that stands out is the "exe to source code" for $50. Has anybody used it or heard about it?
Is it worth $50 for a decompilation into source code?
If i really want to decompile an exe are there "better" alternatives or maybe a service like this is a good idea?
Please give me your thoughts about it.
EDIT:
To clarify my goal on what I want to achieve. The application is a GUI application that in short, operates with the contents of a binary (non executable) file. I am not shure what the source language is, my guesses are C++ since the app interacts with an embedded system, but nothing is confirmed (I'm shure It is not .NET at least, no luck for me)
My goal is not something simple like changing an IP address, as something like a hex editor could maybe do the job. The two main goals would be analyze a certain functionality and to add extra functionality.
I would like to analyze a portion of the code to discover how this executable manipulates the memory given to it (the file contents) and discover what "magic" it does to it.
I would also like to either change some of its code to add extra functionality, but i find this to be harder and unlikely. So i thought of doing some DLL injection that would execute the code i need, that being adding extra UI components to the GUI that would do what i want, but didn't succeed yet in achieving my goal. I am studying what exactly went wrong as it didn't seem to be something obvious like bad code or no permissions.
Thank you for u/NaughtyBlackGuy that recomended Ghidra. It seems like the tool i was looking for. I am not a reverse engineering expert but I know a thing or two and its never too late to learn.
If somebody has any other tips or tricks I would gladly take anything else i can take.
With a debugger you can step through the program assembly interactively.
With a disassembler, you can view the program assembly in more detail.
With a decompiler, you can turn a program back into partial source code, assuming you know what it was written in (which you can find out with free tools such as PEiD - if the program is packed, you'll have to unpack it first OR Detect-it-Easy if you can't find PEiD anywhere. DIE has a strong developer community on github currently).
Debuggers:
- OllyDbg, free, a fine 32-bit debugger, for which you can find numerous user-made plugins and scripts to make it all the more useful.
- WinDbg, free, a quite capable debugger by Microsoft. WinDbg is especially useful for looking at the Windows internals, since it knows more about the data structures than other debuggers.
- SoftICE, SICE to friends. Commercial and development stopped in 2006. SoftICE is kind of a hardcore tool that runs beneath the operating system (and halts the whole system when invoked). SoftICE is still used by many professionals, although might be hard to obtain and might not work on some hardware (or software - namely, it will not work on Vista or NVIDIA gfx cards).
Disassemblers:
- IDA Pro(commercial) - top of the line disassembler/debugger. Used by most professionals, like malware analysts etc. Costs quite a few bucks though (there exists free version, but it is quite quite limited)
- W32Dasm(free) - a bit dated but gets the job done. I believe W32Dasm is abandonware these days, and there are numerous user-created hacks to add some very useful functionality. You'll have to look around to find the best version.
Decompilers:
- Visual Basic: VB Decompiler, commercial, produces somewhat identifiable bytecode.
- Delphi: DeDe, free, produces good quality source code.
- C: HexRays, commercial, a plugin for IDA Pro by the same company. Produces great results but costs a big buck, and won't be sold to just anyone (or so I hear).
- .NET(C#): dotPeek, free, decompiles .NET 1.0-4.5 assemblies to C#. Support for .dll, .exe, .zip, .vsix, .nupkg, and .winmd files.
Some related tools that might come handy in whatever it is you're doing are resource editors such as ResourceHacker (free) and a good hex editor such as Hex Workshop (commercial).
Additionally, if you are doing malware analysis (or use SICE), I wholeheartedly suggest running everything inside a virtual machine, namely VMware Workstation. In the case of SICE, it will protect your actual system from BSODs, and in the case of malware, it will protect your actual system from the target program. You can read about malware analysis with VMware here.
Personally, I roll with Olly, WinDbg & W32Dasm, and some smaller utility tools.
Also, remember that disassembling or even debugging other people's software is usually against the EULA in the very least :)
psoul's excellent post answers to your question so I won't replicate his good work, but I feel it'd help to explain why this is at once a perfectly valid but also terribly silly question. After all, this is a place to learn, right?
Modern computer programs are produced through a series of conversions, starting with the input of a human-readable body of text instructions (called "source code") and ending with a computer-readable body of instructions (called alternatively "binary" or "machine code").
The way that a computer runs a set of machine code instructions is ultimately very simple. Each action a processor can take (e.g., read from memory, add two values) is represented by a numeric code. If I told you that the number 1 meant scream and the number 2 meant giggle, and then held up cards with either 1 or 2 on them expecting you to scream or giggle accordingly, I would be using what is essentially the same system a computer uses to operate.
A binary file is just a set of those codes (usually call "op codes") and the information ("arguments") that the op codes act on.
Now, assembly language is a computer language where each command word in the language represents exactly one op-code on the processor. There is a direct 1:1 translation between an assembly language command and a processor op-code. This is why coding assembly for an x386 processor is different than coding assembly for an ARM processor.
Disassembly is simply this: a program reads through the binary (the machine code), replacing the op-codes with their equivalent assembly language commands, and outputs the result as a text file. It's important to understand this; if your computer can read the binary, then you can read the binary too, either manually with an op-code table in your hand (ick) or through a disassembler.
Disassemblers have some new tricks and all, but it's important to understand that a disassembler is ultimately a search and replace mechanism. Which is why any EULA which forbids it is ultimately blowing hot air. You can't at once permit the computer reading the program data and also forbid the computer reading the program data.
(Don't get me wrong, there have been attempts to do so. They work as well as DRM on song files.)
However, there are caveats to the disassembly approach. Variable names are non-existent; such a thing doesn't exist to your CPU. Library calls are confusing as hell and often require disassembling further binaries. And assembly is hard as hell to read in the best of conditions.
Most professional programmers can't sit and read assembly language without getting a headache. For an amateur it's just not going to happen.
Anyway, this is a somewhat glossed-over explanation, but I hope it helps. Everyone can feel free to correct any misstatements on my part; it's been a while. ;)
Reflector and its add-in FileDisassembler.
Reflector will allow to see the source code. FileDisassembler will allow you to convert it into a VS solution.
When Red Gate said there would no longer be a free version of .Net Reflector, I started using ILSpy and Telerik's JustDecompile. I have found ILSpy to decompile more accurately than JustDecompile (which is still in Beta). Red Gate has changed their decision and still have a free version of .Net Reflector, but now I like ILSpy.
From the ILSpy website (https://github.com/icsharpcode/ILSpy/):
ILSpy is the open-source .NET assembly browser and decompiler.
ILSpy Features
- Assembly browsing
- IL Disassembly
- Decompilation to C#
- Supports lambdas and 'yield return'
- Shows XML documentation
- Saving of resources
- Search for types/methods/properties (substring)
- Hyperlink-based type/method/property navigation
- Base/Derived types navigation
- Navigation history
- BAML to XAML decompiler
- Save Assembly as C# Project
- Find usage of field/method
- Extensible via plugins (MEF)
Update:
April 15, 2012, ILSpy 2.0 was released. New features compared with version 1.0:
- Assembly Lists
- Support for decompiling Expression trees
- Support for lifted operatores on nullables
- Decompile to Visual Basic
- Search for multiple strings separated by space (searching for "Assembly manager" in ILSpy.exe would find AssemblyListManager)
- Clicking on a local variable will highlight all other occurrences of that variable
- Ctrl+F can be used to search within the decompiled code view
Update:
- ILSpy 2.1 supports async/await decompilation