Decompilation Program

ramiia
Corporal
Posts: 129
Joined: Mon Jul 16, 2007 11:23 pm
Location: Sampo 69

Decompilation Program

Post by ramiia » Tue Jun 28, 2011 6:30 am

First, great idea on having a tool request page... now I can evade Mr. Google, eh? Or not... /sob

Anyway, there was this program I downloaded for my WiMAX modem, but I need to know first if it is safe and doesn't send any key inputs to someone else's email address. Thus, I request a decompilation tool and a tutorial too, if OK.

Thanks in advance.

--regards to all

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Decompilation Program

Post by Cool_Fire » Wed Jun 29, 2011 3:28 am

You could use IDA or OllyDbg. But neither is a particularly easy program, and it'll require a bit of knowledge about ASM to be able to deduce anything at all.

I'd suggest IDA, and then seeing what kind of ASM code would be expected when there's a keyboard hook.
A freeware version is available here:
http://www.hex-rays.com/idapro/idadownfreeware.htm

Alternatively, if it's written in some .NET language, decompiling to actual code is quite possible.
Just two examples:
http://www.remotesoft.com/salamander/
http://reflector.red-gate.com/download. ... AsUpdate=1
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

psilocybin
Sargeant at Arms
Posts: 191
Joined: Tue Feb 17, 2009 5:27 am

Re: Decompilation Program

Post by psilocybin » Wed Jun 29, 2011 4:11 pm

If you're concerned about it sending information, wouldn't it be easier to use a sniffer (e.g. Wireshark)? Otherwise, there's Boomerang. I've never tried it before, so I can't vouch for it. There's a good chance that the output from Boomerang isn't much better than that of IDA, so you might have to learn assembly after all.

ramiia
Corporal
Posts: 129
Joined: Mon Jul 16, 2007 11:23 pm
Location: Sampo 69

Re: Decompilation Program

Post by ramiia » Wed Jun 29, 2011 10:39 pm

I got a course in assembly way back in college; I still remember the basics, so I guess I can start with IDA. With regards to Wireshark, well, it's a bit complicated without a proper tutorial on hand, like which packet/protocol should I watch?

psilocybin
Sargeant at Arms
Posts: 191
Joined: Tue Feb 17, 2009 5:27 am

Re: Decompilation Program

Post by psilocybin » Thu Jun 30, 2011 1:36 am

I dunno. Wireshark's not that complicated if you know a little about networking and tinker with it a bit. I would probably just start a capture and start eliminating things that I know aren't malicious until I'm left with a small number of packets (you can use netstat to get the process ID associated with a certain port and tasklist to get the process using that ID). You might want to start by looking at connected ports that you already know are fine and filter those out. After that it's a lot of sifting and reading. If it connects to a mail server you can try filtering for mail server protocols. It's a bit of work, but it might be less work than reverse engineering the program.

Of course, your best option might be to run it in a debugger and hook calls that are used to send information over the internet. You could write a little subroutine to log the information being sent and dump it to a file, then inject that code into the running process. I would write the subroutine in C and open that up in a disassembler, then copy-paste that function into either a code injector (that you would probably also have to write) or just inject it manually through the debugger (I know for a fact that OllyDbg supports this). Or you could try hooking things that hook into the keyboard as Cool_Fire said, but there are several ways to hook into the keyboard, so that isn't a cakewalk either. This approach might save you some time if you do it right, but it could also be a headache, especially if you aren't already familiar with any of these techniques.
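
The netstat/tasklist triage step psilocybin describes, as an added example that is not from the thread: the script parses constructed Windows `netstat -ano` and `tasklist` output (not real captures), joins the two on PID, drops connections owned by processes the analyst has already cleared, and builds a Wireshark display filter for the remote hosts that still need explaining. The process name `modemtool.exe`, the addresses and the `KNOWN_GOOD` set are made up for the example.

```python
import re
# Constructed sample of Windows `netstat -ano` output (not a real capture).
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49211     74.125.24.108:443      ESTABLISHED     1234
  TCP    192.168.1.10:49230     203.0.113.55:25        ESTABLISHED     4412
  TCP    192.168.1.10:49231     198.51.100.7:8080      ESTABLISHED     4412
  UDP    0.0.0.0:5353           *:*                                    4412
"""

# Constructed sample of `tasklist` output (not a real capture).
TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
firefox.exe                   1234 Console                    1    200,000 K
modemtool.exe                 4412 Console                    1     12,000 K
"""

# Processes the analyst has already cleared, as the post suggests doing first.
KNOWN_GOOD = {"firefox.exe"}

def parse_tasklist(text):
    """Map PID -> image name; the header and '====' rows have no PID and do not match."""
    matches = (re.match(r"^(\S+)\s+(\d+)\s", line) for line in text.splitlines())
    return {int(m.group(2)): m.group(1) for m in matches if m}

def parse_netstat(text):
    """Return (proto, remote, pid) per row; UDP rows have no State column, so PID is field 4."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] in ("TCP", "UDP"):
            pid = int(parts[4] if parts[0] == "TCP" else parts[3])
            rows.append((parts[0], parts[2], pid))
    return rows

def unexplained_endpoints(netstat_text, tasklist_text, known_good):
    """Remote endpoints owned by processes not yet cleared, grouped by image name."""
    names = parse_tasklist(tasklist_text)
    result = {}
    for proto, remote, pid in parse_netstat(netstat_text):
        image = names.get(pid, f"pid-{pid}")
        if image in known_good or remote in ("*:*", "0.0.0.0:0"):
            continue  # cleared process, or a listener/wildcard row with no peer
        result.setdefault(image, set()).add(f"{proto} {remote}")
    return result

def wireshark_filter(endpoints):
    """Display filter that keeps only traffic to the still-unexplained remote hosts."""
    hosts = sorted({e.split()[1].rsplit(":", 1)[0] for v in endpoints.values() for e in v})
    return " || ".join(f"ip.addr == {h}" for h in hosts)
```

Paste the returned filter into Wireshark's display filter bar to see only the traffic of the process you have not yet explained; the port in each remaining endpoint (25 for SMTP here) hints at which protocol dissector to read first.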

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Decompilation Program

Post by Cool_Fire » Thu Jun 30, 2011 4:54 am

Using Wireshark is a legit approach, but it's not as thorough as decompiling it. It might only be a few packets in 24 hours, so it'd be quite hard to spot. Plus, it might be encrypted, making it even harder to spot.

Besides all that, decompiling with IDA is a very useful skill ;)

Long story short: You can use Wireshark, which will be easier, but not bulletproof.