
A friend gave me a program he bought years ago. There is not much to look at except for an executable and a useless readme file (really nothing worth sharing, and I'm not allowed to share the .exe file). Unfortunately we can't get hold of the initial developer either. When the program was given to me, I was told that it was written in Python. So I attempted decompiling the .exe with various libs I found by googling. None of them seemed to work, but Pydecipher had the following output in its logfile:

2021-05-17 08:26:34,828: [*] Unpacking /home/me/Repos/myrepo/executable.exe
2021-05-17 08:26:34,828: [*] Checking PortableExecutable magic for file executable.exe
2021-05-17 08:26:46,090: [*] Determined executable.exe type to be PortableExecutable
2021-05-17 08:26:46,090: [*] This PE had the following VersionInfo resource: {
    "CompanyName": "Node.js",
    "ProductName": "Node.js",
    "FileDescription": "Node.js: Server-side JavaScript",
    "FileVersion": "10.21.0",
    "ProductVersion": "10.21.0",
    "OriginalFilename": "node.exe",
    "InternalName": "node",
    "LegalCopyright": "Copyright Node.js contributors. MIT license."
}
2021-05-17 08:26:46,267: [+] Dumped this PE's overlay data to pydecipher_output_executable/overlay_data
2021-05-17 08:26:56,782: [*] Found the following strings (and their surrounding bytes, for context) in this PE, which may indicate the version of Python used to freeze the executable:
[('1.0', 'tial-scale=1.0, minimum-scale=1.0,
...

I found this thread where the most useful answers were

Short answer. If you’re good enough.

and

I believe the js code must be in there somewhere. meaning you could try to use unix command strings to extract it

Unix-commands didn't quite help me so far. So first of all, can I rely on the assumption that I'm dealing with NodeJS? And if so, what are steps I could take in order to recover the code? Is it even possible?

UPDATE

It certainly was written in NodeJS

AndyW
  • From the reddit thread you found, also relevant: "*Would depend on loads of things, e.g how it was compiled, what it was made with etc*". **If** this is in fact a packaged node.js application, then usually it would contain the js code alongside the node engine executable, as well as a tiny wrapper to execute it. – Bergi May 17 '21 at 13:12
  • What does "it would usually contain the js code alongside the node engine executable" mean? Like I said, there is only the .exe file. .exe files are binaries, right? How could it contain JS? Do I need to decompile first in order to filter out JS parts? – AndyW May 18 '21 at 09:52
  • Binaries still contain data - it could be zipped js files, or some other encoding. – Bergi May 18 '21 at 11:13
  • sry wasn't quite accurate. Of course binaries contain data and possibly JS. What would be steps I can take to decode? – AndyW May 18 '21 at 11:55
  • Make a good guess, use a reverse engineering suite that makes guesses for you, and/or load the program into a debugger to see what it is doing. – Bergi May 18 '21 at 12:01
  • @AndyW Did you get a solution for how to get the js files from the .exe file? Please share – Lalith kumar Jan 01 '22 at 09:44
  • @Lalithkumar Yes I did find a solution. Unfortunately there is no better answer than what people wrote here already. You need to "reverse engineer". I did that by letting the program run for a week, in order to monitor the requests it is producing. With their payloads I was able to understand the workflow of the program. From that I rewrote the program. There is no easy solution i.e. using a tool. – AndyW Jan 05 '22 at 12:04

1 Answer

I'm not sure you can completely rely on the fact that it's a Node.js-based app until you check with various tools. I personally like the answer here: Is it possible to "decompile" a Windows .exe? Or at least view the Assembly?, which suggests PEiD for checking.

Also, if that executable is a visual one (has a UI, a window) and uses Node.js, there is a high chance it was made with NodeWebkit or Electron. So you can dig in that direction: how to decompile a NodeWebkit exe or decompile an Electron exe.

steppefox
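As an added example (not part of the question, the comments or the answer, and not pydecipher's code), the Python below does the static check the log and comments point at: it walks the PE section table to find where the appended overlay starts, then looks in that overlay for a ZIP signature and readable JavaScript-looking strings. The names `overlay_offset`, `triage_overlay`, `build_sample` and `JS_HINTS` are chosen here, and the sample bytes are constructed.

```python
import re
import struct
import sys

JS_HINTS = (b"require(", b"module.exports", b"use strict")

def overlay_offset(data: bytes) -> int:
    """File offset of the first byte past the last PE section (start of the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                               # first section header
    end = 0
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def triage_overlay(data: bytes) -> dict:
    """Summarise appended data: size, ZIP signature, readable JS-looking strings."""
    off = overlay_offset(data)
    overlay = data[off:]                   # a signed PE also keeps its certificate here
    zip_pos = overlay.find(b"PK\x03\x04")  # ZIP local file header
    strings = re.findall(rb"[\x20-\x7e]{6,}", overlay)
    return {
        "overlay_offset": off,
        "overlay_size": len(overlay),
        "zip_offset": off + zip_pos if zip_pos >= 0 else None,
        "js_like": [s.decode() for s in strings if any(h in s for h in JS_HINTS)],
    }

def build_sample() -> bytes:
    """Constructed sample: minimal PE headers, one 16-byte section, JS text appended."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, 16, 128, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + sect + b"\x90" * 16
    return image + b"\x00\x01const http = require('http');\x00module.exports = run;\x00"

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage_overlay(blob))
```

A large overlay with no ZIP signature and an empty `js_like` list is consistent with the "some other encoding" case from the comments, where the payload is compressed or compiled and plain string extraction shows nothing useful.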