Exe To Autoit Script Converter Tool
Every once in a while, someone posts an interesting challenge concerning protected or obfuscated AutoIt scripts. Today I'd like to show some basic approaches to AutoIt deobfuscation. As a target I'll use a very simple protection called AutoGuardIt and the crackme from. If you don't have access to Tuts4You, here is the alternative download link: In general, there is nothing hard in decompiling AutoIt scripts.
The AutoIt script interpreter is designed in such a way that it's really easy to convert P-Code back to the script form. There's also a tidy.exe utility which takes an ugly hand-written script and reformats it to make it really pretty. All of this makes writing deobfuscators much easier because you can start with a well-formatted AutoIt script and your deobfuscator can consist of simple regexps and string replaces. It will not be very pretty code but it will work. While I was preparing this blog post, SmilingWolf came up with a written in Python. It's a nice solution but it doesn't explain how or why it works. So, in this article I will explain how the protection works, show the basic techniques and sample source code to defeat each of the protection steps.
Making a full-featured deobfuscator is left as an exercise for the reader.

Required tools

C# compiler. All my examples were tested under Visual Studio 2010 but any recent version should do.
MyAutToExe. I'm using my personal modification of myAutToExe. You can download it from Bitbucket:.
Tool for testing regexps. I'm using.
Some brains. You can't become a reverser if you can't think for yourself.

Decompiling the script

There are 2 public tools for extracting a compiled AutoIt script: MyAutToExe and Exe2Aut. Exe2Aut uses a dynamic approach for obtaining the script - it runs the file and gets the decrypted and decompressed script from process memory. That's usually the easiest way but you really don't want to run the malware on your computer. MyAutToExe uses a static approach - it analyzes the file and tries to locate, decrypt and decompress the script on its own. That's a safer approach but it's easier to defeat using different packers, modified script markers and so on. To extract the script from this crackme, I used my own MyAutToExe (see 'Required tools' section above).

Analyzing the obfuscation

Once the script is extracted and decompiled, it looks quite strange and unreadable.
$VIRTUALMACHINESAFECRITICALEX &= BinaryToString ( '0x616E646F6D363552616E646F6D216E646F6D323452616E646F6D216E646F6D333152616E646F6D2339616E646F6D353752616E646F6D2E646F6D353052616E646F6D2D2052616E646F6D393652616E646F6D2E646F6D363552616E646F6D2031616E646F6D313852616E646F6D23616E646F6D313552616E646F6D2E646F6D343852616E646F6D2231616E646F6D383052616E646F6D28616E646F6D303252616E646F6D2E646F6D373752616E646F6D20436872' )
$VIRTUALMACHINESAFECRITICALEX &= BinaryToString ( '0x2852616E646F6D343452616E646F6D22616E646F6D383752616E646F6D202D222852616E646F6D303652616E646F6D22616E646F6D353852616E646F6D2C20312852616E646F6D313552616E646F6D2D2052616E646F6D363252616E646F6D2E646F6D303152616E646F6D2637616E646F6D313152616E646F6D2E646F6D363552616E646F6D2C20312852616E646F6D343752616E646F6D216E646F6D393252616E646F6D22616E646F6D383752616E646F6D22616E646F6D383552616E646F6D2C20312852616E' )
$VIRTUALMACHINESAFECRITICALEX &= BinaryToString ( '0x646F6D323152616E646F6D2C20312852616E646F6D353252616E646F6D2D2052616E646F6D323252616E646F6D2E646F6D383452616E646F6D22616E646F6D373452616E646F6D2E646F6D353352616E646F6D22616E646F6D313052616E646F6D216E646F6D363652616E646F6D2037616E646F6D313252616E646F6D2E646F6D353552616E646F6D22616E646F6D363952616E646F6D273429' )
$ = 727533448

Akeems - Yes, I'm trying the AutoIt crackme from Tuts4You thread.
I tried both your modified MyAutToExe, and the one from SmilingWolf's 'solution' zip, and both have the same problem. I thought it may be my VB6 package, but I tried a few different ones, and got the same problem. I did get a bit further using another pre-compiled (and probably modified) myAutToExe 2.09. When I run ObfuscatedFile.exe through it, it actually recognizes it as a Modified Script Type 3.2.5+, but when I click Yes for AutoIt Script, it starts looking at the pData, seems to find the beginning of it, tries, 'Decrypting script data.' , then just gives me an, 'Out of memory' error, stops, and spits out the log. Let me know if there's more I can give you to help reproduce the issue.
I'm perfectly happy using these tools (if they worked.) but I'd also be interested in learning how to extract the obfuscated script blob from memory using a debugger like x64dbg or something, if that's easier (then I wouldn't have to rely on these tools, or, perhaps, write my own tool instead of relying on a modified version of an ancient VB6 tool =).

Kao - Well, learning how to build proper EXE file would certainly help.
MyAutToExe relies on external DLLs, so quite likely it will not work from within VB6. One thing I didn't mention is that crackme is packed with UPX. You do know that you should unpack UPX first, right? If you wish to extract tokens from running process memory (myAutToExe calls it.tok file), try this: 1) load file in Olly; 2) unpack UPX; 3) find the sequence of bytes '81 E2 FF FF 01 00 88 04 0A'. There should be just one occurrence in main module. That's function 'JB01Decompress::DecompressLoopEA05'.
Find the end of the function (around 0xA0 bytes further).
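
As an added example (not code from the article, its comments, or SmilingWolf's script): in the decompiled listing above, the first BinaryToString literal ends in the bytes for " Chr" and the second begins with "(", so the chunks must be joined per variable before any regexp or string-replace pass. This Python example does that statically, without running the script; the $DEMO sample is constructed, and decoding as Latin-1 is an assumed stand-in for the ANSI code page.

```python
import re

# One statement of the shape seen in the decompiled listing:
#   $NAME &= BinaryToString ( '0x4142...' )
# "=" is also accepted as the first assignment to a variable.
CHUNK_RE = re.compile(
    r"^\s*\$(\w+)\s*(&?=)\s*BinaryToString\s*\(\s*(['\"])0x([0-9A-Fa-f]*)\3\s*\)\s*$",
    re.IGNORECASE,
)

def fold_binary_strings(script):
    """Rebuild, without running anything, the byte string each variable
    receives from consecutive BinaryToString chunks. Other lines are skipped."""
    buffers = {}
    for lineno, line in enumerate(script.splitlines(), 1):
        m = CHUNK_RE.match(line)
        if not m:
            continue
        name, op, _quote, hexdigits = m.groups()
        if len(hexdigits) % 2:
            raise ValueError(f"line {lineno}: odd number of hex digits")
        name = name.upper()  # AutoIt variable names are case-insensitive
        if op == "=":
            buffers[name] = bytearray()  # plain assignment restarts the buffer
        buffers.setdefault(name, bytearray()).extend(bytes.fromhex(hexdigits))
    return {name: bytes(buf) for name, buf in buffers.items()}

def decode_ansi(data):
    # Assumption: Latin-1 stands in for the ANSI code page BinaryToString uses
    # by default; it maps every byte, so decoding never fails.
    return data.decode("latin-1")

# Constructed sample (not taken from the crackme): one call split across chunks.
SAMPLE = """\
$DEMO = BinaryToString ( '0x4D7367' )
$DEMO &= BinaryToString ( '0x426F7828302C2022' )
Local $UNRELATED = 1
$DEMO &= BinaryToString ( '0x64656D6F222C202268692229' )
"""

if __name__ == "__main__":
    for name, data in fold_binary_strings(SAMPLE).items():
        print(f"${name} = {decode_ansi(data)}")
```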
Exe To Autoit Script Converter Toolbox
I hope this isn't against the rules somehow
But you were too lazy to find out what the rules actually said before posting the links to decompilers. I ought to ban you permanently, but I will limit the sanction to 1 calendar month. Any further offence of any kind from you will lead to your immediate and permanent removal from the community - I hope that is quite clear. Cookies, Please read the (there is also a link at bottom right of each page) before posting again - you are allowed one free bust and you have just used yours.
Compiled Autoit Script
Thread obviously locked.