UPDATE: New link for the file below: http://www.monkey-tech.com/files/AutoIt%203-Dec.zip
I’ve been hopelessly trying to figure out how to bypass the pass-phrase for AutoIT v. 3.2.0.1. One of our readers, Daniel, kindly posted a link to ANTIWPA (http://antiwpa.org.ru/), where they already did this. I downloaded the “improved” decompiler and it worked great. Here’s a link to one of their mirrors (I couldn’t get to the original site):
Basically, they bypass the passphrase altogether. I managed to get to the point in OllyDbg (great tool, BTW, I’ll post some OllyDbg things I recently learned soon) where I found out that:
- The passphrase used for “encrypting” is stored in the file as an MD5 hash.
- The resulting .exe file is UPXed.
- To find the MD5, first use the upx.exe provided by AutoIt (\autoit-v3.2.0.1\Aut2Exe\upx.exe) to decompress the .exe:
  - Open a command prompt and use upx.exe with the “-d” switch:
  - EXAMPLE: upx -d mytestfile.exe
  - More about UPX can be found here: http://en.wikipedia.org/wiki/UPX
  - This will decompress “mytestfile.exe” – it almost doubles in size.
- The MD5 hash of the passphrase is found at offset 0x0005d618 in the decompressed file (you can use hiew or any binary file viewer – even OllyDbg!).
- When you run the exe2aut to “decrypt” the file, it will take the passphrase you enter and convert it to MD5. There is also some XORing going on. This is where I’m weak right now.
- At some point, it will open the EXE and do…something. This is where I was stuck.
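To make the point of the list above concrete, here is a small audit script I am adding to the post; it is not code from the original AutoIt decompiler, from CW2K or from the antiwpa people. It mirrors what exe2aut does with the passphrase you type: hash it with MD5 and compare against the digest sitting in the decompressed file. Run it against your own compiled script (after `upx -d`) with the passphrase you compiled with, and it shows in one comparison that the passphrase is nothing more than a 16-byte MD5 lying in the binary. Assumptions not confirmed by the post: the digest is stored as 16 raw bytes rather than hex text, the passphrase is hashed as single-byte (ANSI) characters, and the offset 0x0005d618 is the one I found for v3.2.0.1 and may differ for other builds. The `UPX!` magic check is the standard marker UPX writes into its pack header; the sample image the script builds when run without arguments is constructed, not a real executable.

```python
import hashlib

# Offset where the passphrase MD5 sat in the UPX-decompressed exe2aut build
# examined in the post (AutoIt v3.2.0.1); other builds may place it elsewhere.
PASSPHRASE_HASH_OFFSET = 0x0005D618
MD5_DIGEST_LEN = 16

# "UPX!" is the magic UPX writes into its pack header, so its presence is a
# cheap sign the file has not been run through `upx -d` yet.
UPX_MAGIC = b"UPX!"


def is_upx_packed(data: bytes) -> bool:
    """Return True if the image still carries the UPX pack-header magic."""
    return UPX_MAGIC in data


def read_embedded_hash(data: bytes, offset: int = PASSPHRASE_HASH_OFFSET) -> bytes:
    """Return the 16 digest bytes stored at `offset`.

    Assumption (not confirmed by the post): the digest is stored as raw bytes,
    not as a 32-character hex string.
    """
    if is_upx_packed(data):
        raise ValueError("file is UPX-packed; run `upx -d` before inspecting offsets")
    if len(data) < offset + MD5_DIGEST_LEN:
        raise ValueError("file too small to hold a digest at the expected offset")
    return data[offset : offset + MD5_DIGEST_LEN]


def passphrase_matches(data: bytes, passphrase: str) -> bool:
    """Mimic the decompiler's check: MD5 the typed passphrase, compare to the stored digest.

    Assumption: the passphrase is hashed as single-byte (ANSI) characters.
    """
    candidate = hashlib.md5(passphrase.encode("latin-1")).digest()
    return candidate == read_embedded_hash(data)


def build_sample_image(passphrase: str, packed: bool = False) -> bytes:
    """Constructed stand-in for a decompressed AutoIt build (not a real binary).

    Zero-filled up to the offset, with the passphrase's MD5 where the post
    found it; optionally stamped with the UPX magic to simulate a still-packed file.
    """
    image = bytearray(PASSPHRASE_HASH_OFFSET + MD5_DIGEST_LEN + 64)
    digest = hashlib.md5(passphrase.encode("latin-1")).digest()
    image[PASSPHRASE_HASH_OFFSET : PASSPHRASE_HASH_OFFSET + MD5_DIGEST_LEN] = digest
    if packed:
        image[0x100 : 0x100 + len(UPX_MAGIC)] = UPX_MAGIC
    return bytes(image)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:  # python audit.py decompressed.exe "compile-time passphrase"
        with open(sys.argv[1], "rb") as fh:
            blob, guess = fh.read(), sys.argv[2]
    else:  # no arguments: run against the constructed sample image
        blob, guess = build_sample_image("example-passphrase"), "example-passphrase"
    print("stored digest:", read_embedded_hash(blob).hex())
    print("matches passphrase:", passphrase_matches(blob, guess))
```

The takeaway for anyone compiling AutoIt scripts: the passphrase check happens entirely inside the file on the user's machine, so it gates the decompiler's convenience, not the script's contents.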
I’ll examine the AutoIt3-Decompiler from CW2K to see if I can learn anything from them. If anyone has info on how they did it, please post a comment. From what I can see, it seems like they just “patched” the original AutoIT decompiler, probably to skip the whole checking of passphrases or fill in the MD5 passphrase from the one in the file.
Why am I doing this? Why do I care? Two reasons:
- To emphasise that people should NOT store passwords or sensitive information in their AutoIT scripts.
- To quote from the readme file in the “improved” decompiler above:
“Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.”