Cracking AutoIT Encryption Passphrases

16 07 2006

Auto IT is a Windows utility that administrators can use to automate certain tasks, especially those that they have to do on multiple machines (e.g. PC rollouts). It’s basically just a scripting language. When deploying PCs or performing administrative tasks, an administrator will usually hardcode their passwords into the script so they don’t have to enter them every time. In order to prevent your passwords from being discovered by curious users, you can “compile” your Auto IT script and encrypt it using a secret passphrase. Auto IT provides a de-compiler for undoing the encryption, but you need to provide that passphrase.

About a year ago, I came across some malware that utilized an Auto IT script that was compiled and encrypted. In order to find out exactly what the malware did, I had to crack open the script. Using the Auto IT de-compiler and a debugger (e.g. OllyDbg), it’s fairly straightforward to find the passphrase:

  1. Launch the de-compiler (Exe2Aut) and attach to it using the debugger.
  2. Choose the Auto IT file to de-compile.
  3. Enter anything for the passphrase.
  4. When you get the error message about entering the wrong passphrase, go to the debugger and pause the process.
  5. Check the stack and you should find the correct passphrase there (in my tests, I’ve found it at location 0012F6BC in the stack). OllyDbg will show this in ASCII.

Once you have the passphrase, enter it into the Auto IT de-compiler and you get the Auto IT source script and you can find exactly what code is doing.

** NOTE: The author of AutoIT has said that their “encryption” is really more of an “encoding” because it’s not secure — so, DO NOT put in Domain Passwords or anything of value in your AutoIT script. A better hacker would surely write a separate program for extracting the passphrase from compiled AutoIT scripts. But in this case that would be overkill considering how easy it is to find the passphrase.
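The practical takeaway from the note above is that the passphrase only protects a script that never contained anything valuable in the first place, so the useful control is to catch hard-coded credentials before a script is compiled and rolled out. The following audit script is an added example and is not code from the original post or from AutoIt: it scans AutoIt (.au3) source text for secret-looking variables assigned string literals and for RunAs/RunAsWait calls made with a literal password in the third argument (the argument order is an assumption made here), skipping `;` comments. The sample script it runs on is constructed for the example.

```python
"""Audit AutoIt (.au3) source for hard-coded credentials before it is compiled.

Added example, not code from the original post or from AutoIt. Two checks:
  1. a variable whose name suggests a secret is assigned a string literal;
  2. RunAs/RunAsWait is called with a literal password (assumed here to be
     the third argument) instead of a variable or a prompt.
"""
import re
from typing import List, Tuple

# Variable names that usually hold a secret. Assumption: naming conventions
# differ per site, so extend this list for your own scripts.
SECRET_NAME = re.compile(
    r'\$(\w*(pass|pwd|secret|token)\w*)\s*=\s*"([^"]*)"', re.I)

# RunAs("user", "domain", "password", flag, "program"): flag a literal in the
# password position. The first two arguments may be anything except a comma.
RUNAS_LITERAL = re.compile(
    r'\b(RunAs|RunAsWait)\s*\(\s*[^,]+,\s*[^,]+,\s*"([^"]*)"', re.I)


def strip_comment(line: str) -> str:
    """Drop a trailing ';' comment but keep ';' that sits inside a
    double-quoted string. Single-quoted strings are not handled (limitation)."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == ";" and not in_string:
            return line[:i]
    return line


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, detail) for every suspicious line."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        m = SECRET_NAME.search(code)
        if m and m.group(3):  # an empty string is a placeholder, not a secret
            findings.append((lineno, "secret-variable", "$" + m.group(1)))
        m = RUNAS_LITERAL.search(code)
        if m and m.group(2):
            findings.append((lineno, "runas-literal", m.group(1)))
    return findings


# Constructed sample script; the values are invented for this example.
SAMPLE_SCRIPT = """\
; constructed sample, not a real deployment script
$domain = "CORP"
$adminPass = "Winter2006!"          ; hard-coded domain password
$msg = "Deploying; please wait"     ; semicolon inside a string, not a comment
RunAs("admin", $domain, "Winter2006!", 0, "setup.exe")
RunAs("svc", $domain, $adminPass, 0, "agent.msi")
; $oldPass = "retired"
$password = ""
"""

if __name__ == "__main__":
    for lineno, kind, detail in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: {kind} ({detail})")
```

Run against the sample, the audit reports line 3 (`$adminPass` assigned a literal) and line 5 (a literal password passed to RunAs); line 6 is not reported because the password comes from a variable, which the first check already covers, and the commented-out line 7 is ignored. Wire a check like this into whatever step produces the compiled script so that a finding blocks the build.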




16 responses

24 07 2006

You refer to a ‘debugger’ but which one do you mean? Softice or similar or a specific one.


25 07 2006

I use OllyDbg myself. Just about any debugger that will show you the stack will do. Good luck!

25 07 2006

Perhaps I am not seeing it. Olly has 4 different windows that open by default; when I perform the above instructions I see nothing that could be the passphrase on the file. I can see where my incorrect passphrase is located in the lower-right default window. I tried looking on the same line as you indicated but found nothing useful there. Any further insight would be most helpful.

25 07 2006

Hi Greg,

In the default windows, the stack would be the lower-right window. I just tried it on version 3.x of AutoIT and I don’t see the passphrase either. This must have been fixed. I verified that it works on version 2.x though. I wrote this post over a year ago (but posted recently on this site). Thanks for the follow up, I’ll post an update.

17 08 2006

Also looking forward to an updated guide :)

30 08 2006 » Blog Archive » Cracking AutoIT Encryption Passphrases

[…] No sooner said than done: I went straight to look for a guide to reversing the binaries and, presto, obijuan has posted it: “Cracking AutoIT Encryption Passphrases“. After half an hour of trying things out and wondering why it didn’t work with my files, I noticed in the file that it only works up to version 2.6x […]

13 09 2006

Hi, nice guide.

The author of AutoIT fixed this “major problem” in version 3.x but ANITWPA found out a way to bypass it ;) Maybe they’ll share their knowledge with us; I will mail them in the afternoon and publish their answer here.

Greetings from Germany, Daniel

13 09 2006

Greetings, Daniel! Thanks for the link — I’ve been messing with OllyDbg to try to bypass the new MD5 hashing they did on the passphrase. My cracking skills are very limited, and it seems <email removed> already bypassed it! I’ll write another update.


14 09 2006

Greetings back again,
After reading the readme :) CW2K posted the bypass method in asm style in it. Unfortunately my asm is evil :/ but maybe other asm-skilled geeks can use it ;)

10 10 2006

Greetings. Nice discussion. :D
Well, my email is still working, so feel free to mail me.

12 01 2007
AutoIT v3 Decompiler | monkey tech dot com

[…] I wrote about in the past, AutoIT is often used by malware writers to package their evil. AutoIT is […]

7 08 2007

myExe2Aut – Open Source Autoit Script Decompiler 1.7

added Deobfuscator for
‘Jos van der Zande AutoIt3 Source Obfuscator v1.0.14 [June 16, 2007]’ ,
‘Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]’ and
‘EncodeIt 2.0’

Support for old Au3 Versions and Hacked/(Protected) Au3-Exe

Split includes from decompiled Au3

Lookup for common MD5-Passwordhashes -> Password
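The comments above mention that version 3.x started MD5-hashing the passphrase, and this comment lists a lookup of common MD5 password hashes as a decompiler feature. The reason such a lookup works is that a bare, unsalted hash of a common passphrase is the same in every script, so one precomputed table answers all of them. The following is an added example, not code from the post, from AutoIt, or from myExe2Aut, and it assumes only the general scheme described in the comments (store MD5(passphrase), compare on entry) rather than AutoIt's actual file format. It contrasts that scheme with a salted, iterated derivation (PBKDF2-HMAC-SHA256 from the standard library) where a precomputed table cannot be reused. The wordlist is constructed for the example.

```python
"""Why an unsalted MD5 of the passphrase is weak, and what a better check
looks like. Added example; assumes only the generic "store MD5(passphrase)"
scheme mentioned in the comments, not AutoIt's real on-disk format."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist standing in for a "common password hashes" table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "autoit", "Winter2006!"]


def md5_hex(passphrase: str) -> str:
    """The weak scheme: a bare MD5 with no salt and no work factor."""
    return hashlib.md5(passphrase.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. Because nothing varies per script,
    the same table applies to every compiled script that used a common word."""
    return {md5_hex(w): w for w in words}


def recover_from_md5(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """A single dictionary lookup; no hashing needed at recovery time."""
    return table.get(stored_hash.lower())


def derive_key(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """The better scheme: per-script random salt plus an iteration count."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def store(passphrase: str) -> Tuple[bytes, bytes]:
    """What the compiler would persist: (salt, derived key)."""
    salt = os.urandom(16)
    return salt, derive_key(passphrase, salt)


def verify(passphrase: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the recomputed key against the stored one."""
    return hmac.compare_digest(derive_key(passphrase, salt), expected)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted MD5 of 'letmein' ->", recover_from_md5(md5_hex("letmein"), table))
    salt_a, key_a = store("letmein")
    salt_b, key_b = store("letmein")
    print("same passphrase, two salts, same key?", key_a == key_b)
    print("verify correct:", verify("letmein", salt_a, key_a))
    print("verify wrong:", verify("letmeout", salt_a, key_a))
```

The point of the contrast is not that PBKDF2 makes a weak passphrase strong; a short word can still be guessed by running the derivation per guess. It removes the shortcut the comment describes: with a random salt there is no table to look the hash up in, and the iteration count makes each guess cost real work instead of one MD5 call.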


20 08 2007

It doesn’t work in Win XP Media Centre.

17 07 2008

Any news?

16 07 2012
Fjodor Michajlowitsch Dostojewski

Just use the one that’s on; it decompiles even those scripts which are protected by passphrases, without even knowing them.

18 10 2015

Someone mentioned this on Reddit; looks pretty sharp.
