#can you decompile an application?
You can, but you'll first have to figure out what kind of an application it is
PEiD or Detect-It-Easy for analysis to start off
@paper spoke And for the love of god, don't download the executable on a system it can run on
huh? what does that mean?
Don't download it on a Windows machine, if it's a Windows executable
That is how you get viruses and accounts stolen
What should i download it on?
Linux VM for example
i have kali linux?
That works
what do i do now after i have the file downloaded there?
Which one did you download?
You're gonna have to build it yourself in that case
what should i do now that i'm on that page?
the "how to build on linux based on debian"?
Is there anything else on that page that mentions Debian?
haha no
i'll do the instructions right now thank you
how do i fix this? if possible
Maybe try running the actual command that comes after the :?
what?
bash -x build_dpkg.sh
Fix what?
i'm so confused, lol.
You copypasted WAY more than the command that you needed to
how you made the command work
oh i just pasted in the exact command it said
What you tried to use as a command: Run build script: bash -x build_dpkg.sh
What the actual command is: bash -x build_dpkg.sh
Also
Wanted to ask
Your friend just randomly sent you an executable file?
With no message along with it?
Yeah, that's a virus 100%
I opened the file in Notepad++ and it was weird as hell
Yeah, Notepad++ cannot read binary
Oh
You can't open any executable with NP++
It shows every single executable as a garbled mess of random characters
Oh I thought it was weird
You can't use it to view any data
So it’s useless?
Try to open literally any executable with Notepad and you'll have that same thing
Yeah
Also
Did the "friend" send a message like
"Test out my game" with the random executable?
more of "check this out, i made this"
Yeah, you done goofed up when you downloaded it on Windows
That is a token stealer
It's a virus from your "friend" who got their account grabbed by a similar virus
Yeah, cause it is a literal virus
yes
I've seen dozens of those
They're all packed token stealers
No point in trying to disassemble it
i just wanna see what's inside for my curiosity
I'm gonna be brutally honest here, then
I feel like you don't have the skillset or patience to do that
aaa
They're packed using UPX or similar packers
Those require serious reverse engineering skills, and there are no tools that can do it with a press of a button
You have to manually analyze and reverse engineer the files
Replace the [Version] with the filename you got after the other steps
Or the die_[Version].deb
Should be in the folder release
Name of the file I want to decompile?
Name of the Detect-It-Easy deb file you just created using the other steps
ah
As I said, that should be in the release folder you have
That folder should be in another folder named DIE-engine
"sudo dpkg -i release/die_[die_3.08_Kali_2022.4_amd64].deb"?
or should i get rid of the []
oops
Or die_die_3.08_Kali_2022.4_amd64.deb?
die_3.08_Kali_2022.4_amd64.deb
Then you replace the die_[Version].deb with that
the executable is a .rar (i needed to extract it to turn it into an executable)
Then you extract it and find the .exe file
kali linux just pops up saying this when i try
"could not open"
"archive type not supported"
okay, i have it as an exe
i just used an online converter, lol.
If simple things like this are causing you this much trouble
You will not be able to reverse engineer the executable
No way
And I'm not paid enough, or have enough time to walk you through that entire process
you're paid here?
I'm not
I feel like this would go much easier if you gave me the link to the executable
You'd have to copy the download link for the file from the original message
okay i'll find it now
Right-click the file in the messages, and press "Copy Link" button
Paste that here
I'll nuke the message once I got it copied
that?
Yup
okay
Whoops
Could you paste that here again?
Was too quick with the link
Didn't get it into my VM
Thanks
Be right back
That was longer than expected
Did it work for ya?
Building Detect It Easy rn
Okay, thanks!
Decompiling atm
It's a fancy cookie grabber
Lol, well
It's a pasta token stealer from github
"woooo"
Not gonna link the source here
@paper spoke Gonna decompile and nuke the webhook from that stealer
I'm not gonna give you the source code
You don't need to have the raw code for a malicious piece of software
why did I send it to you aa
I just wanted to see what was inside the file ok
For discord?
It rips your browser passwords/cookies/tokens, and Discord tokens
And sends them to a Discord server, using a webhook
Oh
And, there's no way I'm giving someone the source code for malware
I have zero idea how you're going to use them, no matter what you tell me about it, so I'm not gonna do it
I don't know your motives, but wanting to disassemble a virus this desperately to "see what's inside it" very heavily implies that you want to use the code yourself to create your own malware
What did you think it was after I literally told you it was malware multiple times?
Before I created this thread I mean
Ain't nobody gonna send you random executables with a "Hey I made this, check it out" message along with them if it isn't a virus
That is literally one of the most known ways to spread malware on Discord
True ig
I'm not sure what you expected it to be other than malware
Especially after your Windows Defender blocked it?
I mean, if you want all your accounts stolen, feel free to download the file again, make an exception for it through your antivirus, and run it if you don't think it's malware
Or toss it into any.run or VirusTotal, or any other sandboxing service to see that it's malware
You wouldn't click suspicious links either, yeah?
Why would you download suspicious executables that randomly get sent to you with literally zero information?