I was just wondering if it is safe to open a suspicious ( not a known virus ) file in a decompiler. Has anyone done it?
If you do it in a Virtual Machine, you should be fine. All my decompiling tools are in a VMware Win XP image. Take a snapshot image first so you can always revert. Programs like Olly Debug run the code but stop at the OEP of the program, so if there is bad code before the OEP, then that would be run. IDA analyses the code first and then you must run it. Sometimes looking at the code is not enough, you must run the program and watch the values that go through. Though, a lot of times there are anti-debugger mechanisms in the code. You need to use anti-anti-debugger plugins to get them to work. There are some static decompilers that just decompile the code, but there are still tricks that hide the code from decompiling, and in order to see the original code, you must run the program in a decompiler. You need to unpack the original code and that usually involves running in one way or another. So, it really is still dangerous, unless the code is not packed, but then you still may not see what is fully going on.
Cheers.
Thanks. I downloaded a free copy of IDA seems like at least 2 years ago. I know next to nothing about decompiling. I just got a hankering to learn a little bit more about how to do it safely. If you can recommend any free resources on the net, thanks. I’ll check IDA for new stuff, and Olly Debug. Virtual Machine- don’t know, never done it. I do have a few old hard drives I could blank and use only for this purpose. Would that be a good first step?
Reversing is a very complex subject. Someone has created a set of tutorials for newbies in the subject. It does get very advanced. They will teach you all about packers, that I mentioned before, and how to unpack. It’s all about what to look for when trying to reverse something. Then once you figure out what the code is doing, then you can figure out if it’s malicious or malign. It’s not for the faint of heart, though. I really do recommend putting Windows XP in a Virtual Machine, like VirtualBox (just don’t run anti-virus on it since they mess up the reversing tools). Anyways, for most tools, you need a 32 bit environment. The tools get confused and don’t work right on 64 bit OS. I know … I tried. Anyways, once you watch the tutorials, you will learn all about imports, exports, and the OEP and how to find them.
Download the complete set:
http://tuts4you.com/download.php?list.17
You will learn everything you need to know to get started and what tools to use. Then from there, you should be able to find where to go next. All the tools should be on that site as well.
Good luck. Reversing malware can be a challenge, but fun and rewarding at the same time. I find it interesting. Oh, it helps to know ASM.
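As an added example (not code from either poster or from IDA, OllyDbg or the tuts4you material), the script below shows the kind of static look at a suspicious file that does not execute anything: it parses only the PE headers and section table with `struct` and reports the packing indicators the replies above describe, namely an entry point outside `.text`, a high-entropy entry section, sections that occupy memory but have no bytes on disk, and sections that are both writable and executable. The two sample binaries are constructed in memory for the demonstration, and the 7.0-bit entropy threshold is an assumption of this example rather than a rule from the thread.

```python
"""Static pre-triage of a Windows PE file without running it (added example)."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_PACKED = 7.0  # assumed threshold: compressed or encrypted data sits near 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Read the DOS header, COFF header, entry point RVA and section table. Nothing is executed."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        chars = struct.unpack_from("<I", blob, off + 36)[0]  # section Characteristics
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "characteristics": chars, "entropy": shannon_entropy(raw),
        })
    return {"entry_rva": entry_rva, "sections": sections}


def triage(pe: dict) -> list:
    """Return packing indicators as strings; an empty list means nothing stood out."""
    findings = []
    ep = pe["entry_rva"]
    home = next((s for s in pe["sections"]
                 if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if home is None:
        findings.append("entry point lies outside every section")
    else:
        if home["name"] != ".text":
            findings.append(f"entry point is in {home['name']!r}, not .text")
        if home["entropy"] > ENTROPY_PACKED:
            findings.append(f"entry section entropy {home['entropy']:.2f} suggests packed code")
    for s in pe["sections"]:
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']!r} is writable and executable")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f"section {s['name']!r} has no bytes on disk but {s['vsize']:#x} in memory")
    return findings


def build_sample_pe(packed: bool) -> bytes:
    """Construct a minimal PE32 image: constructed test data, not a real program."""
    ALIGN = 0x200
    if packed:  # packer-style layout: empty destination section, dense stub section
        secs = [("UPX0", 0x1000, 0x3000, 0xE0000080, b""),
                ("UPX1", 0x4000, 0x1000, 0xE0000040, bytes(range(256)) * 2)]
        entry = 0x4100
    else:  # plain compiler layout: code in .text, low entropy
        secs = [(".text", 0x1000, 0x1000, 0x60000020, b"\x55\x8b\xec" + b"\x90" * 509),
                (".data", 0x2000, 0x1000, 0xC0000040, b"\x00" * 512)]
        entry = 0x1000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    table, bodies, raw_ptr = b"", b"", ALIGN
    for name, va, vsize, chars, data in secs:
        raw_size = -(-len(data) // ALIGN) * ALIGN  # round up to file alignment
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                             raw_size, raw_ptr if raw_size else 0, 0, 0, 0, 0, chars)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(ALIGN, b"\0")
    return headers + bodies


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_pe(False)), ("packed", build_sample_pe(True))):
        print(f"{label}: {triage(parse_pe(blob)) or ['no packing indicators']}")
```

Run on a real sample, the same parse would be done on bytes read from disk inside the snapshotted VM; the point is that the headers alone already tell you whether the OEP is going to be reachable by static reading or whether an unpacking step, and therefore execution, is waiting for you.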
Absolutely fantastic. I downloaded the latest ADI and Olly Debug. I downloaded the tuts4you complete set 140 MB at 800 KB/sec. Took 2 minutes. I like that. I haven’t looked at the file yet. I hope it is primarily text and not video. Much more content. Now I have to sit my ■■■■ down and do some serious reading. I will Google search Virtual Box next.