Cracking AutoIT Encryption Passphrases

16 07 2006

Auto IT (http://www.autoitscript.com) is a Windows utility that administrators can use to automate certain tasks, especially those they have to repeat on many machines (e.g. PC rollouts). It’s basically just a scripting language. When deploying PCs or performing administrative tasks, an administrator will usually hardcode their passwords into the script so they don’t have to enter them every time. To prevent your passwords from being discovered by curious users, you can “compile” your Auto IT script and encrypt it using a secret passphrase. Auto IT provides a de-compiler for undoing the encryption, but you need to provide that passphrase.

About a year ago, I came across some malware that utilized an Auto IT script that was compiled and encrypted. In order to find out exactly what the malware did, I had to crack open the script. Using the Auto IT de-compiler and a debugger (e.g. OllyDbg), it’s fairly straightforward to find the passphrase:

  1. Launch the de-compiler (Exe2Aut) and attach to it using the debugger.
  2. Choose the Auto IT file to de-compile.
  3. Enter anything for the passphrase.
  4. When you get the error message about entering the wrong passphrase, go to the debugger and pause the process.
  5. Check the stack; you should find the correct passphrase there (in my tests, I’ve found it at location 0012F6BC in the stack). OllyDbg will show it in ASCII.

Once you have the passphrase, enter it into the Auto IT de-compiler and you get the Auto IT source script and you can find exactly what code is doing.

** NOTE: The author of AutoIT has said that their “encryption” is really more of an “encoding” because it’s not secure — so, DO NOT put domain passwords or anything else of value in your AutoIT script. A better hacker would surely write a separate program for extracting the passphrase from compiled AutoIT scripts. But in this case that would be overkill considering how easy it is to find the passphrase.
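The note above says the only real protection is to keep domain passwords out of the script in the first place. The following audit script is an added example for this post, not code from the original page or from AutoIt: it scans AutoIt3 source (.au3) for string literals assigned to password-like variable names, and for RunAs / RunAsWait / RunAsSet calls whose password argument is a literal or a variable that was assigned a literal. It assumes those AutoIt3 built-ins take (user, domain, password, ...) as their first three arguments; the regexes, the variable-name heuristic and the sample rollout script are constructed here for illustration.

```python
"""Audit AutoIt3 source for hard-coded credentials.

Added example for this post, not code from the original page or from AutoIt.
Assumes the AutoIt3 built-ins RunAs / RunAsWait / RunAsSet take
(user, domain, password, ...) as their first three arguments. Everything else
(regexes, name heuristic, sample script) is constructed for illustration.
"""
import re

# An AutoIt string literal: "..." or '...', with the quote doubled to escape it.
_STR = r'"(?:[^"]|"")*"' + "|" + r"'(?:[^']|'')*'"
# A call argument we care about: a string literal or a $variable.
_ARG = r'(?:' + _STR + r'|\$\w+)'

ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*(' + _STR + r')')
RUNAS_RE = re.compile(
    r'\b(RunAs|RunAsWait|RunAsSet)\s*\(\s*(' + _ARG + r')\s*,\s*('
    + _ARG + r')\s*,\s*(' + _ARG + r')',
    re.IGNORECASE,
)
# Variable names that usually hold a secret (heuristic, constructed here).
SECRET_NAME_RE = re.compile(r'pass|pwd|secret', re.IGNORECASE)


def strip_comment(line):
    """Drop a trailing ';' comment, ignoring ';' inside string literals.
    (#cs/#ce block comments are not handled by this simple scanner.)"""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif ch == ';':
            return line[:i]
    return line


def unquote(lit):
    """Turn an AutoIt string literal (with its quotes) into its value."""
    q = lit[0]
    return lit[1:-1].replace(q * 2, q)


def find_hardcoded_credentials(source):
    """Return [(line_no, description, secret_value)] for a .au3 source text."""
    lines = [strip_comment(l) for l in source.splitlines()]
    literals = {}  # lower-cased variable name -> literal value
    findings = []
    # Pass 1: record every $var = "literal" and flag secret-looking names.
    for no, line in enumerate(lines, 1):
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group(1), unquote(m.group(2))
            literals[name.lower()] = value
            if SECRET_NAME_RE.search(name):
                findings.append((no, 'assignment to $' + name, value))
    # Pass 2: RunAs-family calls whose password argument is a literal, or a
    # variable that pass 1 saw assigned a literal.
    for no, line in enumerate(lines, 1):
        for m in RUNAS_RE.finditer(line):
            func, pw = m.group(1), m.group(4)
            if pw.startswith('$'):
                value = literals.get(pw[1:].lower())
                if value is not None:
                    findings.append((no, func + ' password from ' + pw, value))
            else:
                findings.append((no, func + ' password literal', unquote(pw)))
    return findings


def mask(value):
    """Show only the first character so the report itself leaks nothing."""
    return value[:1] + '*' * (len(value) - 1) if value else ''


def report(source):
    """Human-readable report lines with secrets masked."""
    return ['line %d: %s = %s' % (no, desc, mask(val))
            for no, desc, val in find_hardcoded_credentials(source)]


# Constructed sample rollout script (not real credentials).
SAMPLE_AU3 = '''\
; Constructed sample rollout script
$user = "svc_rollout"
$domain = "CORP"
$pass = "Winter2006!"    ; domain password baked into the script
RunAsWait($user, $domain, $pass, 0, "setup.exe")
RunAs("admin", "CORP", "S3cret", 0, "notepad.exe")
; RunAs("old", "CORP", "Summer2005!", 0, "x.exe")  retired call, commented out
$label = "Password: see the change ticket"
'''

if __name__ == '__main__':
    for line in report(SAMPLE_AU3):
        print(line)
```

On the sample, the script flags the `$pass` assignment, the `RunAsWait` call that consumes it, and the literal password in the `RunAs` call, while ignoring the commented-out call and the harmless `$label` string. The point is to catch the embedded secret before the script is compiled, since the note above explains that compiling and "encrypting" it does not protect it.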


16 responses

24 07 2006
sex

You refer to a ‘debugger’ but which one do you mean? Softice or similar or a specific one.

Thx

25 07 2006
obijuan

I use ollyDegbug (http://www.ollydbg.de/) myself. Just about any debugger that will show you the stack will do. Good luck!

25 07 2006
Greg

Perhaps I am not seeing it; Olly has 4 different windows that open by default. When I perform the above instructions I see nothing that could be the passphrase on the file. I can see where my incorrect passphrase is located in the lower right default window. I tried looking on the same line as you indicated but found nothing useful there. Any further insight would be most helpful.

25 07 2006
obijuan

Hi Greg,

In the default windows, the stack would be the lower-right window. I just tried it on version 3.x of AutoIT and I don’t see the passphrase either. This must have been fixed. I verified that it works on version 2.x though. I wrote this post over a year ago (but posted recently on this site). Thanks for the follow up, I’ll post an update.

17 08 2006
lex

also looking forward to an updated guide 🙂

30 08 2006
http://blog.d00meR.de » Blog Archive » Cracking AutoIT Encryption Passphrases

[…] No sooner said than done: I went straight looking for a guide to reversing the binaries and, presto, obijuan had posted one: “Cracking AutoIT Encryption Passphrases“. After half an hour of trying things out and wondering why it didn’t work with my files, I then noticed in the file that it only works up to version 2.6x […]

13 09 2006
d00meR

Hi, nice guide.

The author of AutoIT fixed this “major problem” in version 3.x but ANTIWPA (http://antiwpa.org.ru/) found out a way to bypass it 😉 Maybe they’ll share their knowledge with us, I will mail them in the afternoon and publish their answer here.

Greetings from Germany, Daniel

13 09 2006
obijuan

Greetings, Daniel! Thanks for the link — I’ve been messing with OllyDbg to try and bypass the new MD5 hashing they did on the passphrase. My cracking skills are very limited, and it seems <email removed> already bypassed it! I’ll write another update.

Thanks!

14 09 2006
d00meR

Greetings back again,
After reading the readme :), CW2K posted the bypassing way in asm style in it. Unfortunately my asm is evil :/ but maybe other asm skilled geeks can use it 😉

10 10 2006
CW2K

Greeting. Nice discussion. 😀
Well my email is still working. So feel free to mail me.

12 01 2007
AutoIT v3 Decompiler | monkey tech dot com

[…] I wrote about in the past, AutoIT is often used by malware writers to package their evil.  AutoIT is […]

7 08 2007
cw2k

myExe2Aut – Open Source Autoit Script Decompiler 1.7

*new*
added Deobfuscator for
‘Jos van der Zande AutoIt3 Source Obfuscator v1.0.14 [June 16, 2007]’ ,
‘Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]’ and
‘EncodeIt 2.0’

Support for old Au3 Versions and Hacked/(Protected) Au3-Exe

Split includes from decompiled Au3

Lookup for common MD5-Passwordhashes -> Password

Download:
http://t-line.net.ua/antiwpa/Other/tmp
http://rtn.kilu.net/antiwpa/Other/tmp

20 08 2007
zmnoor@msn.com

it doesn’t work in win xp media centre

17 07 2008
Sauer

Any news?

16 07 2012
Fjodor Michajlowitsch Dostojewski

Just use the one that’s on http://exe2aut.com; it decompiles even those scripts which are protected by passphrases without even knowing them.

18 10 2015
Makulaj82

Someone mentioned this on reddit: https://www.stringencrypt.com/autoit-encryption/ looks pretty sharp
