3

I'm trying to decompile an unknown Win32 executable using ILSpy. However, it only answers by giving me the useless message: This file does not contain a managed assembly.

I have also tried to use other tools like dotPeek64 and Teleirik without success. Virustotal tell me that it is using: 

[+] COMCTL32.dll
[+] ComMgr.dll
[+] KERNEL32.dll
[+] MSVCP90.dll
[+] MSVCR90.dll
[+] OLEAUT32.dll
[+] SHLWAPI.dll
[+] USER32.dll
[+] mfc90.dll

I'm pretty sure it is made with .NET, since this XML is present in the code:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="removed"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.VC90.MFC" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="removed"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
</assembly>

Also note that I'm using Win8 and do not have VS installed. So my questions are:

  1. What do I need to do to resolve the above error?
  2. What am I missing if anything?
  3. How can I check if I have those *.dll's listed?

EDIT: I'm now thinking it was made with plain C++...

not2qubit
  • 145
  • 1
  • 1
  • 10

1 Answers1

3

This looks like a Win32 executable, .NET executables typically imports _CorExeMain from mscoree.dll. You can use an identification tool like PEiD or Detect It Easy to confirm it.

ekse
  • 2,208
  • 13
  • 19
  • It is a Wn32 exec, but it's probably not a .NET as I first thought, but plain C++. Then what to do? – not2qubit Feb 06 '17 at 14:36
  • @not2qubit use appropriate tools, like IDA pro – Paweł Łukasik Feb 07 '17 at 08:46
  • @PawełŁukasik Because that's a $2000+ piece of software. Surely there must be some free alternatives, that is also capable of decompiling unmanaged Win32 code into C-like code. – not2qubit Feb 07 '17 at 13:23
  • @not2qubit 30 seconds with search: http://reverseengineering.stackexchange.com/questions/1817/is-there-any-disassembler-to-rival-ida-pro – Paweł Łukasik Feb 07 '17 at 13:37
  • @PawełŁukasik I know of all those and more, but I explicitly need a decompiler. As the tools I already mentioned doesn't seem to be able to handle (decompile) anything not made with .NET, I guess I can assume they are useless for my case. – not2qubit Feb 07 '17 at 15:28
  • but it looks like your application is not .NET if it were then ILSpy would handle it. – Paweł Łukasik Feb 07 '17 at 16:02