
This is a question from someone clueless about disassembly and decompiling in general, so bear with me. I am curious to know if executable file extensions (for example, listed in http://pcsupport.about.com/od/tipstricks/a/execfileext.htm ) can be disassembled into assembly language so then I can analyze opcode patterns across files.

My logic is that once all these different file extensions are in opcode form, they are all on the same level, regardless of language barriers, etc., so it would be easier to analyze them.

How feasible is this?

EDIT: Example. I have an .exe file and an .app file. If I disassembled both, could I compare them across opcode on the same OS? If not, how about executable files from the same OS. For example, for all executable files on Windows, if I disassembled both, could I compare opcode across each?

EDIT2: How will obfuscators affect my efforts?

jeffrey
  • What do you mean by "decompiling an extension"? The extension is simply a part of a file name, a hint, a convention. It's basically a string that starts with a dot. You don't decompile it. You decompile the file itself. And yes, that's possible, there are tons of disassemblers available out there. – The Paramagnetic Croissant Oct 23 '14 at 18:19
  • I apologize, I meant "disassembled", not "decompiled". What I meant to say is that if I had an .exe file and an .app file, can I disassemble both into universal opcode format? – jeffrey Oct 23 '14 at 18:21

1 Answer

In short, no.

The problem is that there is no practical universal instruction set. In practice, every computer architecture has its own instruction set (or sometimes several instruction sets). A native executable format like .exe is compiled to the machine's instruction set, which will differ based on the ISA targeted.

I'm not familiar with the .app format, but it appears to be some sort of archive containing executable code. So if you have an exe and app targeting the same ISA, you could conceivably disassemble and compare.

Obfuscation makes things much harder because it is difficult to get a reliable disassembly, let alone deal with stuff like self modifying code.

Antimony
  • Thanks. As for obfuscation, while this would make it much harder to evaluate the logic of the application, if you are just doing static analysis between the two (benign vs malicious classification), obfuscation shouldn't really matter? – jeffrey Oct 24 '14 at 03:29
  • Obfuscation makes classification harder if there's a chance that benign software is using the same obfuscation. One of many reasons you shouldn't obfuscate. – Antimony Oct 24 '14 at 07:16
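The answer's point is that opcode-level comparison only makes sense when both files target the same ISA. The following is an added example written for this page, not code from either poster: it reads the machine type straight out of a PE header (Windows .exe) or a thin Mach-O header (the native binary a macOS .app bundle contains, under Contents/MacOS), refuses to compare files whose ISAs differ, and otherwise scores two mnemonic streams by cosine similarity of their bigram counts. The mnemonic lists are assumed to come from running a disassembler such as objdump over each file; the headers and mnemonic sequences here are constructed inline so the script runs offline.

```python
"""Added example: gate an opcode-pattern comparison on ISA, then compare
mnemonic bigram frequencies. All sample headers and mnemonics below are
constructed for illustration; they are not real files."""
import math
import struct
from collections import Counter

# Machine identifiers from the PE/COFF and Mach-O specifications.
PE_MACHINE = {0x014C: "x86", 0x8664: "x86-64", 0x01C4: "armv7", 0xAA64: "arm64"}
MACHO_CPUTYPE = {7: "x86", 0x01000007: "x86-64", 12: "armv7", 0x0100000C: "arm64"}
MACHO_MAGIC_LE = (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")  # MH_MAGIC / MH_MAGIC_64
MACHO_MAGIC_BE = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf")  # byte-swapped variants


def detect_isa(blob: bytes) -> str:
    """Return the ISA a native executable targets, read from its header.
    Supports PE and thin Mach-O; fat (universal) Mach-O and anything else raise."""
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]  # offset of "PE\0\0"
        if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("MZ header without a PE signature")
        machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]  # COFF Machine field
        return PE_MACHINE.get(machine, "unknown PE machine 0x%04x" % machine)
    magic = blob[:4]
    if magic in MACHO_MAGIC_LE or magic in MACHO_MAGIC_BE:
        order = "<" if magic in MACHO_MAGIC_LE else ">"
        cputype = struct.unpack_from(order + "I", blob, 4)[0]  # cputype follows magic
        return MACHO_CPUTYPE.get(cputype, "unknown Mach-O cputype 0x%08x" % cputype)
    if magic == b"\xca\xfe\xba\xbe":
        raise ValueError("fat Mach-O: extract one architecture slice first")
    raise ValueError("not a PE or Mach-O header")


def mnemonic_bigrams(mnemonics) -> Counter:
    """Count adjacent mnemonic pairs; the order of instructions is the pattern."""
    return Counter(zip(mnemonics, mnemonics[1:]))


def cosine_similarity(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def compare_opcode_patterns(blob_a, mnemonics_a, blob_b, mnemonics_b):
    """Similarity in [0, 1] of two disassembled files, or None when their ISAs
    differ and the mnemonics are therefore not comparable."""
    if detect_isa(blob_a) != detect_isa(blob_b):
        return None
    return cosine_similarity(mnemonic_bigrams(mnemonics_a), mnemonic_bigrams(mnemonics_b))


# --- constructed sample inputs (hypothetical, minimal headers only) ---
def make_pe(machine: int) -> bytes:
    hdr = bytearray(0x40 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)   # COFF Machine
    return bytes(hdr)


def make_macho(cputype: int) -> bytes:
    return struct.pack("<II", 0xFEEDFACF, cputype) + bytes(24)


# Two constructed mnemonic streams differing only in one conditional jump.
SAMPLE_A = ["push", "mov", "sub", "call", "test", "jz", "mov", "call", "leave", "ret"]
SAMPLE_B = ["push", "mov", "sub", "call", "test", "jnz", "mov", "call", "leave", "ret"]

if __name__ == "__main__":
    print(detect_isa(make_pe(0x8664)), detect_isa(make_macho(0x0100000C)))
    print(compare_opcode_patterns(make_pe(0x8664), SAMPLE_A, make_macho(0x0100000C), SAMPLE_B))
    print(compare_opcode_patterns(make_pe(0x8664), SAMPLE_A, make_macho(0x01000007), SAMPLE_B))
```

An x86-64 .exe and an x86-64 Mach-O score against each other (9 bigrams each, 7 shared, so 7/9), while the same .exe against an arm64 Mach-O yields None rather than a meaningless number. Bigram counts are a deliberately naive feature: as the answer notes, a packer or obfuscator rewrites the instruction stream, so two files that share a packer will look alike regardless of what they do, and the feature says nothing about self-modifying code that only exists at run time.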