AutoIT (http://www.autoitscript.com) is a Windows utility that administrators can use to automate certain tasks, especially those that they have to do on multiple machines (e.g. PC rollouts). It’s basically just a scripting language. When deploying PCs or performing administrative tasks, an administrator will usually hardcode their password into the script so they don’t have to enter it all the time. To prevent your passwords from being discovered by curious users, you can “compile” your AutoIT script and encrypt it using a secret passphrase. AutoIT provides a de-compiler for undoing the encryption, but you need to provide that passphrase.
About a year ago, I came across some malware that utilized an AutoIT script that was compiled and encrypted. In order to find out exactly what the malware did, I had to crack open the script. Using the AutoIT de-compiler and a debugger (e.g. OllyDbg), it’s fairly straightforward to find the passphrase:
- Launch the de-compiler (Exe2Aut) and attach to it using the debugger.
- Choose the Auto IT file to de-compile.
- Enter anything for the passphrase.
- When you get the error message about entering the wrong passphrase, go to the debugger and pause the process.
- Check the stack and you should find the correct passphrase there (in my tests, I’ve found it at location 0012F6BC in the stack). OllyDbg will show this in ASCII.
Once you have the passphrase, enter it into the AutoIT de-compiler and you get the AutoIT source script, from which you can find out exactly what the code is doing.
** NOTE: The author of AutoIT has said that their “encryption” is really more of an “encoding” because it’s not secure — so, DO NOT put domain passwords or anything of value in your AutoIT script. A better hacker would surely write a separate program for extracting the passphrase from compiled AutoIT scripts, but in this case that would be overkill considering how easy it is to find the passphrase.
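The practical lesson of the note above is one a defender can automate: treat any credential inside an AutoIT script as already exposed, and catch it before the script is packaged and rolled out. The following Python linter is an added example (not from the original post and not part of AutoIT) that scans .au3 source for string literals passed as the password argument of built-in functions, and for string literals assigned to variables whose name suggests a secret. The password-parameter positions for RunAs, RunAsWait, RunAsSet and DriveMapAdd are an assumption taken from the AutoIt function reference (extend the table for your own UDFs); the sample script it scans is constructed for the demonstration.

```python
"""Lint AutoIt (.au3) scripts for hardcoded credentials (added example)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    detail: str  # masked credential, never the clear-text value


# 0-based index of the password parameter for built-in functions that take one.
# Assumption: positions per the AutoIt function reference; extend for your own UDFs.
PASSWORD_ARG_INDEX = {
    "runas": 2,        # RunAs(user, domain, password, logon_flag, program, ...)
    "runaswait": 2,
    "runasset": 2,     # RunAsSet(user, domain, password, ...) in older versions
    "drivemapadd": 4,  # DriveMapAdd(device, remote, flags, user, password)
}

CALL_RE = re.compile(r"\b(" + "|".join(PASSWORD_ARG_INDEX) + r")\s*\((.*)\)", re.IGNORECASE)
SECRET_ASSIGN_RE = re.compile(
    r"\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*([\"'])(.*?)\1\s*$", re.IGNORECASE)
STRING_LITERAL_RE = re.compile(r"^([\"'])(.*)\1$")


def strip_comment(line: str) -> str:
    """Drop a trailing ';' comment, ignoring semicolons inside string literals."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def split_args(arg_text: str) -> List[str]:
    """Split an argument list on top-level commas, respecting quotes and nested calls."""
    args, cur, quote, depth = [], [], None, 0
    for ch in arg_text:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return args


def mask(secret: str) -> str:
    """Keep the credential out of lint output and CI logs."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def scan_script(text: str) -> List[Finding]:
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        m = SECRET_ASSIGN_RE.search(line)
        if m and m.group(2):
            findings.append(Finding(line_no, "literal-assigned-to-secret-variable", mask(m.group(2))))
            continue
        m = CALL_RE.search(line)
        if m:
            func = m.group(1).lower()
            args = split_args(m.group(2))
            idx = PASSWORD_ARG_INDEX[func]
            if idx < len(args):
                lit = STRING_LITERAL_RE.match(args[idx])
                if lit and lit.group(2):  # a non-empty string literal, not a variable or call
                    findings.append(Finding(line_no, f"literal-password-in-{func}", mask(lit.group(2))))
    return findings


# Constructed sample: a rollout script that ignores the advice above.
SAMPLE_SCRIPT = r"""; constructed sample rollout script
$sUser = "svc_rollout"
$sPass = "Winter2009!"
RunAsSet($sUser, "CORP", $sPass)        ; variable: caught by the assignment rule on line 3
RunAs("admin", "CORP", "hunter2", 0, "setup.exe")  ; literal password in the call
DriveMapAdd("Z:", "\\fileserver\share", 0, "CORP\user", InputBox("Password", "Enter:"))  ; prompted at run time, not flagged
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

Run it over a directory of scripts in a pre-commit hook or build step; the point is that the check happens before the script is compiled, since after compilation the passphrase protection described in this post is the only thing standing between the credential and anyone holding the executable.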
You refer to a ‘debugger’ but which one do you mean? Softice or similar or a specific one.
Thx
I use OllyDbg (http://www.ollydbg.de/) myself. Just about any debugger that will show you the stack will do. Good luck!
Perhaps I am not seeing it. Olly has 4 different windows that open by default; when I perform the above instructions I see nothing that could be the passphrase on the file. I can see where my incorrect passphrase is located in the lower-right default window. I tried looking on the same line as you indicated but found nothing useful there. Any further insight would be most helpful.
Hi Greg,
In the default windows, the stack would be the lower-right window. I just tried it on version 3.x of AutoIT and I don’t see the passphrase either. This must have been fixed. I verified that it works on version 2.x though. I wrote this post over a year ago (but posted recently on this site). Thanks for the follow up, I’ll post an update.
also looking forward to an updated guide
[...] No sooner said than done: I went straight off looking for a guide to reversing the binaries and, presto, obijuan had posted one: “Cracking AutoIT Encryption Passphrases“. After half an hour of trying things out and wondering why it didn’t work with my files, I then noticed in the file that it only works up to version 2.6x [...]
Hi, nice guide.
The author of AutoIT fixed this “major problem” in version 3.x, but ANTIWPA (http://antiwpa.org.ru/) found a way to bypass it.
Maybe they’ll share their knowledge with us; I will mail them in the afternoon and publish their answer here.
Greetings from Germany, Daniel
Greetings, Daniel! Thanks for the link — I’ve been messing with OllyDbg to try and bypass the new MD5 hashing they did on the passphrase. My cracking skills are very limited, and it seems <email removed> already bypassed it! I’ll write another update.
Thanks!
Greetings back again,
After reading the readme: CW2K posted the bypass in asm style in it. Unfortunately my asm is evil :/ but maybe other asm-skilled geeks can use it.
Greeting. Nice discussion.
Well, my email is still working. So feel free to mail me.
[...] I wrote about in the past, AutoIT is often used by malware writers to package their evil. AutoIT is [...]
myExe2Aut – Open Source AutoIt Script Decompiler 1.7
*new*
- Added deobfuscator for ‘Jos van der Zande AutoIt3 Source Obfuscator v1.0.14 [June 16, 2007]’, ‘Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]’ and ‘EncodeIt 2.0’
- Support for old Au3 versions and hacked/(protected) Au3 exes
- Split includes from decompiled Au3
- Lookup for common MD5 password hashes -> password
Download:
http://t-line.net.ua/antiwpa/Other/tmp
http://rtn.kilu.net/antiwpa/Other/tmp
It doesn’t work in Win XP Media Centre.
Any news?