Decompiler view

The decompiler view is accessed using the F4 shortcut. This view displays a high-level representation of the current file. Its content depends on the file type of the analyzed file:

  • for x86/x64 programs, the decompiled C source code of the current function is displayed

  • for AutoIT .tok files, the AutoIT detokenized script is displayed

  • for OLE/CFB documents, the VBA macro source code is displayed

  • for Excel Biff8/Biff12 streams, the XLM macros are displayed, as well as cell values

  • for MSI installers, the content of the MSI tables is dumped

From a user interface point of view, the decompiler view can be one of two different views, which are shown below.


C decompiler

If you are analyzing an x86 or x64 program, Malcat offers C-source function decompilation based on the Sleigh decompiler. In this mode, the decompiler works on a function-per-function basis and requires you to be located within an identified function. If you are outside the scope of a function, you will first need to jump to one, either by hitting f or F, or by clicking on any of the identified functions in the Functions tab left of the window.

Figure: Decompiled C code view

The view will display the C-code reconstruction of the current function. Most function names and strings are clickable:

  • clicked function names will bring you to the decompilation of the clicked function.

  • clicked strings or pointers will bring you to the address using the best-suited view.

Any symbol defined in Malcat is also carried over to the decompiled C code. In the same vein, Malcat's identified constants (cf. Known patterns identification) are used, and a C comment is added next to each identified constant in the C code listing. This comes in handy when facing obfuscated shellcode, for instance, where a bare 32-bit immediate is often an API hash or an algorithm constant.
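To make the value of that constant annotation concrete, here is a small added example (not Malcat's own code, and not its constant database) of the kind of pass a decompiler listing benefits from: it scans a decompiled C fragment for hex literals and appends a comment when the literal matches either a well-known algorithm constant or the classic ROR13 hash of a Windows API name, the hashing scheme used by many shellcode API resolvers. The C fragment, the API name list and the constant table are constructed for the example; the ROR13 scheme shown (h = ror(h, 13) + c over the ASCII name) is one common variant, and real samples use others.

```python
import re

# Constructed sample: a decompiled C fragment of the shape seen for
# API-hashing shellcode. Hypothetical, not actual decompiler output.
SAMPLE_C = """\
void entry(void)
{
  undefined4 fn;
  fn = resolve(0xec0e4e8e);
  poly = 0xedb88320;
  x = x ^ 0x1234abcd;
}
"""

# A few algorithm constants a practitioner recognizes on sight (constructed subset).
ALGO_CONSTANTS = {
    0xEDB88320: "CRC32 reflected polynomial",
    0x9E3779B9: "TEA/XTEA delta (golden ratio)",
    0x67452301: "MD5/SHA-1 initial state A",
}

# API names to pre-hash (constructed list; a real table would be much larger).
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "WinExec", "ExitProcess"]


def ror13_hash(name):
    """32-bit ROR13 hash (h = ror(h, 13) + c per ASCII byte) used by classic
    shellcode resolvers. Assumed variant: plain function name, no module name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_table():
    """Map constant value -> human-readable label."""
    table = dict(ALGO_CONSTANTS)
    for name in API_NAMES:
        table[ror13_hash(name)] = "ror13(%r)" % name
    return table


# Only literals of at least 4 hex digits: small immediates are noise.
HEX_LITERAL = re.compile(r"\b0[xX]([0-9a-fA-F]{4,})\b")


def annotate(c_source, table=None):
    """Return (annotated C text, {literal -> label}) for every recognized literal.
    Unrecognized literals are left untouched."""
    table = build_table() if table is None else table
    found = {}

    def repl(m):
        value = int(m.group(1), 16)
        label = table.get(value)
        if label is None:
            return m.group(0)
        found[m.group(0)] = label
        return "%s /* %s */" % (m.group(0), label)

    return HEX_LITERAL.sub(repl, c_source), found


if __name__ == "__main__":
    text, hits = annotate(SAMPLE_C)
    print(text)
    print(hits)
```

Running the block prints the fragment with `0xec0e4e8e /* ror13('LoadLibraryA') */` and `0xedb88320 /* CRC32 reflected polynomial */`, while `0x1234abcd` stays bare. The same idea, applied with a much larger database, is what makes the annotated listing readable when an obfuscated loader resolves every import by hash.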

Note

In some cases, Malcat and the Sleigh decompiler disagree regarding function recovery. In such cases, you will see some function calls whose name is prefixed with code_ and which are not clickable. We are working on the issue.

Beyond these integrations, this is a very standard view with the usual shortcuts:

Shortcut      Action
LeftClick     Go to data/function
Backspace     Go back
f or F        Goto next/previous function
              Scroll left
              Scroll right
              Scroll up one line
              Scroll down one line
Home          Goto top of function
End           Goto end of function
PageUp        Goto back one page
PageDown      Display next page
Ctrl+G        Goto address (opens a dialog)

Script decompiler

For other file types, mainly AutoIT .tok scripts, MSI installers, OLE documents and BIFF8/12 workbooks, the decompiler view is a simple text control showing the decrypted/reconstructed scripts found in the current file. This view mode is global: you do not need to be located within a function for it to work.

Figure: A detokenized malicious AutoIT script

While this mode has syntax highlighting, the view is not interactive: there are no clickable labels or methods. In the future, you will be able to use the Transform dialog on the recovered text (for deobfuscation, for instance), but that is it. You just have access to the usual text control shortcuts:

Shortcut      Action
              Scroll left
              Scroll right
              Scroll up one line
              Scroll down one line
Home          Goto top of function
End           Goto end of function
PageUp        Goto back one page
PageDown      Display next page