Decompiler view
The decompiler view is opened with the F4 shortcut. It displays a high-level representation of the current file; what it contains depends on the type of the analyzed file:

- for x86/x64 programs, the decompiled C source code of the current function is displayed
- for AutoIT .tok files, the detokenized AutoIT script is displayed
- for OLE/CFB documents, the VBA macro source code is displayed
- for Excel BIFF8/BIFF12 streams, the XLM macros are displayed, as well as cell values
- for MSI installers, the content of the MSI tables is dumped

From a user interface point of view, the decompiler view takes one of two forms, described below.
C decompiler
If you are analyzing an x86 or x64 program, Malcat offers C-source function decompilation based on the Sleigh decompiler. In this mode, the decompiler works on a function-per-function basis and requires the cursor to be located within an identified function. If you are outside the scope of a function, you first need to jump to one, either by hitting f or F, or by clicking on any of the identified functions in the Functions tab on the left of the window.

Decompiled C code view
The view displays the C-code reconstruction of the current function. Most function names and strings are clickable:

- clicking a function name brings you to the decompilation of that function.
- clicking a string or pointer brings you to the address using the best-suited view.
Any symbol defined in Malcat is also carried over into the decompiled C code. In the same vein, Malcat's identified constants (cf. Known patterns identification) are used as well: a C comment is added next to each identified constant in the C listing. This comes in handy when facing obfuscated shellcode, for instance, where an API hash or a crypto initialization value is otherwise just an opaque immediate.
Note

In some cases, Malcat and the Sleigh decompiler disagree about function recovery. When this happens, you will see some function calls whose name is prefixed with code_ ; these are not clickable. We are working on the issue.
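To make the constant-annotation idea concrete, here is an added example (not Malcat's own implementation or pattern database) of how immediates in a code blob can be matched against a small table of well-known values and rendered as C-style comments. The constant table, the list of API names, the ROR-13 hashing convention (classic x86 shellcode style: rotate right by 13, add the ASCII byte, no module name, no terminator) and the sample byte string are all constructed for this example.

```python
"""Annotate 32-bit immediates in a code blob with known-constant comments.

Added example that mimics the idea behind the "Known patterns identification"
comments of the decompiler view; it is not Malcat's implementation.
"""
import struct

# Constructed table of well-known constants (assumption: a small hand-picked
# set, not Malcat's own pattern database).
KNOWN_CONSTANTS = {
    0x67452301: "MD5/SHA-1 initial state A",
    0xEFCDAB89: "MD5/SHA-1 initial state B",
    0x98BADCFE: "MD5/SHA-1 initial state C",
    0x10325476: "MD5/SHA-1 initial state D",
    0xC3D2E1F0: "SHA-1 initial state E",
    0xEDB88320: "CRC-32 reflected polynomial",
    0x9E3779B9: "TEA/XTEA delta",
}

# API names whose ROR-13 hash is commonly resolved at runtime by
# position-independent shellcode instead of importing them by name.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "WinExec", "ExitProcess", "CreateProcessA",
]


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of an API name (no NUL terminator)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_table() -> dict:
    """Merge the static constants with the computed API hashes."""
    table = dict(KNOWN_CONSTANTS)
    for name in API_NAMES:
        table.setdefault(ror13_hash(name), f"ROR13 hash of {name}")
    return table


def find_known_immediates(blob: bytes, table=None) -> list:
    """Return (offset, value, comment) for every little-endian dword in blob
    whose value is listed in table. Every byte offset is tried, since an
    immediate can sit at any alignment inside instruction bytes."""
    table = build_table() if table is None else table
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, value, table[value]))
    return hits


def render_c_comments(hits: list) -> list:
    """Render each hit the way a decompiler listing would show it."""
    return [f"0x{value:08x} /* {comment} */" for _, value, comment in hits]


# Constructed x86 snippet (assumption): only the immediates matter here; the
# opcodes just put the dwords at realistic, unaligned offsets.
SAMPLE = bytes([
    0x68, 0x8E, 0x4E, 0x0E, 0xEC,   # push 0xEC0E4E8E     (ROR13 of "LoadLibraryA")
    0xB8, 0x01, 0x23, 0x45, 0x67,   # mov eax, 0x67452301 (MD5 state A)
    0xBB, 0x20, 0x83, 0xB8, 0xED,   # mov ebx, 0xEDB88320 (CRC-32 polynomial)
    0xB9, 0x44, 0x33, 0x22, 0x11,   # mov ecx, 0x11223344 (nothing known)
    0xC3,                           # ret
])

if __name__ == "__main__":
    for off, value, comment in find_known_immediates(SAMPLE):
        print(f"+0x{off:02x}: 0x{value:08x}  /* {comment} */")
```

Scanning at every byte offset rather than only at instruction boundaries is deliberate: when disassembly is wrong or the blob is data, the immediate is still found, at the cost of an occasional overlapping false positive that a reviewer can dismiss.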
Apart from these integrations, this is a standard text view with the usual shortcuts:
| Shortcut | Action |
|---|---|
| LeftClick | Go to data/function |
| Backspace | Go back |
| f or F | Goto next/previous function |
| ← | Scroll left |
| → | Scroll right |
| ↑ | Scroll up one line |
| ↓ | Scroll down one line |
| Home | Goto top of function |
| End | Goto end of function |
| PageUp | Go back one page |
| PageDown | Display next page |
| Ctrl+G | Goto address (opens a dialog) |
Script decompiler
For other file types, mainly AutoIT .tok scripts, MSI installers, OLE documents and BIFF8/BIFF12 workbooks, the decompiler view is a simple text control showing the decrypted/reconstructed scripts found in the current file. This view mode is global: you do not need to be located within a function for it to work.

A detokenized malicious AutoIT script
While this mode has syntax highlighting, the view is not interactive: there are no clickable labels or methods. In the future, you will be able to use the Transform dialog on the recovered text (for deobfuscation, for instance), but that is it. For now you only have the usual text control shortcuts:
| Shortcut | Action |
|---|---|
| ← | Scroll left |
| → | Scroll right |
| ↑ | Scroll up one line |
| ↓ | Scroll down one line |
| Home | Goto top of text |
| End | Goto end of text |
| PageUp | Go back one page |
| PageDown | Display next page |