Decompile Windows Executable
I am helping out a friend in dealing with a software issue. He has a Windows machine that on startup executes a .exe file which we have been able to deconstruct into its corresponding .bat file. The execution of that file is expected.
In the .bat file, we see that it calls two other .exe files. They are called myScript5.exe and f11.exe. We are not able to decompile either .exe file as we don't know what language they were originally written in, and no .bat file appears in our temp folder when we execute them.
We know what f11.exe does, at least on the surface. We are pretty certain that it simulates an F11 keypress, essentially blowing up the current window into full screen mode.
We are not able to figure out what myScript5.exe does, except that it changes his mouse pointer to the 'loading' icon; clicking anywhere reverts the mouse into the regular icon.
Both .exe files have a green square icon with a white Comic Sans 'H'. Would anyone know how we can try to decompile myScript5.exe, or if anyone is familiar with the icon I described? I personally think that both .exe files were downloaded from a website that publishes utility applications (such as blowing up a window into full screen mode).
Any help is greatly appreciated. Thanks!
2 Answers
The icon you describe sounds exactly like a compiled AutoHotkey script:
I have not tried it, but there appears to be a utility to decompile an EXE back to an AHK file. See here: https://autohotkey.com/board/topic/26196-how-can-i-convert-my-autohotkeyexe-file-back-to-ahk-file/
Direct link to utility download: http://www.autohotkey.com/download/Exe2Ahk.exe
EDIT: I just tried decompiling using the Exe2Ahk utility and it did not work for me. However, I was able to extract the script from an AHK-compiled EXE file using the freeware Resource Hacker:
Overview:
Resource Hacker™ is a resource editor for 32bit and 64bit Windows® applications. It's both a resource compiler (for *.rc files), and a decompiler - enabling viewing and editing of resources in executables (*.exe; *.dll; *.scr; etc) and compiled resource libraries (*.res, *.mui). While Resource Hacker™ is primarily a GUI application, it also provides many options for compiling and decompiling resources from the command-line.
Open the EXE file in Resource Hacker, and you should see the script under the RCData folder.
It depends on the type of your executable.
When it is a .NET assembly then you have an easy task. There are several decompilers available, e.g. ILSpy
However, other types are very difficult to decompile and most likely you will not manage it. If the program was compiled from VB6, Pascal/Delphi, C++, etc. then you are lost.
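Both answers come down to the same first step: work out what kind of executable you are holding. The script below is an added example (not code from either answer, and not from Resource Hacker, AutoHotkey or ILSpy) that reads the PE headers by hand, with nothing but the Python standard library, to answer that question for a file such as myScript5.exe: it reports whether the CLR header data directory is populated (a .NET assembly, the case ILSpy handles) and dumps every RCDATA resource, which is where a compiled AutoHotkey script is stored and what Resource Hacker lists under RCData. The resource name ">AUTOHOTKEY SCRIPT<" is my assumption about the AutoHotkey v1.1 compiler, the file name triage.py is hypothetical, and the PE image built at the bottom is a constructed fixture for the self-test, not a real binary.

```python
"""Triage helpers for an unknown Windows executable (standard library only).
Added example, not code from the original thread. It parses the PE headers by
hand to (a) tell whether the file is a .NET assembly, the case where ILSpy applies,
and (b) dump every RCDATA resource, where a compiled AutoHotkey script lives and
what Resource Hacker shows under "RCData". The resource name ">AUTOHOTKEY SCRIPT<"
is an assumption about the AutoHotkey v1.1 compiler; the fixtures are constructed."""
import struct
import sys

RT_RCDATA = 10                     # resource type id for raw binary data
DIR_RESOURCE, DIR_CLR = 2, 14      # data directory slots: resources, CLR (.NET) header

def _headers(pe):
    """Return (data_directory_offset, section_table_offset, number_of_sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+ layout
    return dd, opt + opt_size, n_sections

def is_dotnet(pe):
    """A populated CLR header directory marks a .NET assembly."""
    dd, _, _ = _headers(pe)
    return struct.unpack_from("<I", pe, dd + 8 * DIR_CLR)[0] != 0

def _read_name(rsrc, off):
    """Resource name: u16 character count followed by UTF-16LE characters."""
    n = struct.unpack_from("<H", rsrc, off)[0]
    return rsrc[off + 2:off + 2 + 2 * n].decode("utf-16-le")

def walk_rsrc(rsrc, rsrc_rva):
    """Yield (type, name, data) for each leaf of the type/name/language tree."""
    def entries(dir_off):
        n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
        for i in range(n_named + n_id):
            key, off = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
            if key & 0x80000000:                           # high bit set: key is a name offset
                key = _read_name(rsrc, key & 0x7FFFFFFF)
            yield key, off
    for rtype, l1 in entries(0):
        for rname, l2 in entries(l1 & 0x7FFFFFFF):
            for _lang, leaf in entries(l2 & 0x7FFFFFFF):   # leaf is IMAGE_RESOURCE_DATA_ENTRY
                data_rva, size = struct.unpack_from("<II", rsrc, leaf)
                start = data_rva - rsrc_rva                # leaf pointers are RVAs, not offsets
                if 0 <= start and start + size <= len(rsrc):
                    yield rtype, rname, rsrc[start:start + size]

def rcdata_from_pe(pe):
    """{name_or_id: bytes} for every RCDATA resource in the PE image `pe`."""
    dd, sec_tab, n_sections = _headers(pe)
    rsrc_rva, rsrc_size = struct.unpack_from("<II", pe, dd + 8 * DIR_RESOURCE)
    if rsrc_rva == 0:
        return {}
    for i in range(n_sections):                            # map the RVA onto a file offset
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, sec_tab + 40 * i + 12)
        if va <= rsrc_rva < va + raw_size:
            rsrc = pe[raw_ptr + rsrc_rva - va:][:rsrc_size]
            return {n: d for t, n, d in walk_rsrc(rsrc, rsrc_rva) if t == RT_RCDATA}
    raise ValueError("resource directory RVA is not backed by any section")

# Constructed fixtures: a one-leaf .rsrc section and a minimal PE32 wrapper around it.
def build_sample_rsrc(script, rsrc_rva, name=">AUTOHOTKEY SCRIPT<"):
    def directory(named, entries):                         # IMAGE_RESOURCE_DIRECTORY + entries
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(entries) - named)
        return hdr + b"".join(struct.pack("<II", k, o) for k, o in entries)
    name_blob = struct.pack("<H", len(name)) + name.encode("utf-16-le")
    return (directory(0, [(RT_RCDATA, 0x80000000 | 24)])          # root -> type dir at 24
            + directory(1, [(0x80000000 | 88, 0x80000000 | 48)])  # type -> name dir at 48
            + directory(0, [(0x0409, 72)])                        # name -> leaf at 72
            + struct.pack("<IIII", rsrc_rva + 88 + len(name_blob), len(script), 0, 0)
            + name_blob + script)                                 # name string at 88, then data

def build_sample_pe(rsrc, rsrc_rva=0x1000, dotnet=False):
    e_lfanew, raw_ptr = 64, 512
    dos = b"MZ" + bytes(58) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * DIR_RESOURCE, rsrc_rva, len(rsrc))
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2000, 72)
    sec = b".rsrc\0\0\0" + struct.pack("<IIII", len(rsrc), rsrc_rva, len(rsrc), raw_ptr) + bytes(16)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(raw_ptr, b"\0") + rsrc

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None      # e.g. python triage.py myScript5.exe
    image = open(path, "rb").read() if path else build_sample_pe(build_sample_rsrc(b"Send {F11}\n", 0x1000))
    print(".NET assembly:", is_dotnet(image))
    for name, blob in rcdata_from_pe(image).items():
        print(f"RCDATA {name!r}: {len(blob)} bytes\n{blob[:200].decode('utf-8', 'replace')}")
```

With no argument the script runs on the constructed fixture and prints the one embedded line; with a path it prints the real resources. If a compiled-script blob comes out as unreadable bytes, the compiler that produced it stored the script in some other form, and this dump alone will not recover it.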
For 0.7.1.0 on Windows 10
Was curious about decompiling an old device from the late 1990s... M68K with 512KB ROM code compiled from C and quite likely in a VxWorks OS, dumped from EEPROM to a binary file of the same size.
The Scanner function works well for recursively finding procedures as absolute and relative addressed calls. However, after performing that step, I ultimately had better results with this raw binary format searching for procedures throughout the ROM with good accuracy with the pattern matching for 4E 56 00 00 as the beginning of the procedures, followed by searches for the link instruction: 4E 56 FF, 4E 56 FE, 4E 56 FD, 4E 56 FC, 4E 56 FB, and finally 4E 56 FA. This found 95% of all executable code in the entire 512KB space.
Next came strings. The string search is rudimentary and I did not find any difference between UTF-8 and the 16 bit BE and LE selections. In any case I was searching for UTF-8 zero-terminated 'C' style strings. The procedure here was to search for 25 character or more strings first, then 20 character, 10 character, 6 character, and finally 3 character (tedious). Many zero terminated strings were completely missed, so I'm guessing this is a work in progress. The rest of the strings I marked manually as 'sz' type, which was tedious but oddly satisfying.
Marking Types: this version of Decompiler seems to not support any other type than character. If I try any other type, the types are saved to the .dcproject file, but the Serializer complains when the .dcproject is read back into Decompiler: unsupported type (or some other error like that), and the Globals list is truncated at the first occurrence of the error. I'm hoping the 0.8.0.0 or later version is due for a release here soon. I see there is some recent work done on it.
The GUI is clunky, and crashes easily, but once I found the pitfalls, I could avoid them and avoid crashes.
SAVE often, make frequent backups of the .dcproject file, be prepared to manually edit the .dcproject file if you Mark any type other than char or zero terminated char string. Keyboard shortcuts to often used commands would be nice, such as: Mark Type, because mouse-clicking dropdown menus repeatedly is painful. Great project! We need these tools to help preserve old proprietary technology as time marches on.
Constant updates, awesome support.
Decompiler works fine.