Yet Another Update for AutoIT cracking

13 09 2006

UPDATE: New link for the file below: http://www.monkey-tech.com/files/AutoIt%203-Dec.zip

I’ve been hopelessly trying to figure out how to bypass the pass-phrase for AutoIT v. 3.2.0.1. One of our readers, Daniel, kindly posted a link to ANTIWPA (http://antiwpa.org.ru/), where they already did this. I downloaded the “improved” decompiler and it worked great. Here’s a link to one of their mirrors (I couldn’t get to the original site):

http://www.thisispain.com/antiwpa/Others/tmp/AutoIt%203-Decompiler%20CW2K-Edition%20+%20Improved%20Version.zip

Basically, they bypass the passphrase altogether. I managed to get to the point in OllyDbg (great tool, BTW, I’ll post some OllyDbg things I recently learned soon) where I found out that:

  • The passphrase used for “encrypting” is stored in the file as an MD5 hash.
  • The resulting .exe file is UPXed.
  • To find the MD5, first use the upx.exe provided by autoit (\autoit-v3.2.0.1\Aut2Exe\upx.exe) to decompress the .exe:
    • Open a command prompt and use upx.exe with the “-d” switch:
    • EXAMPLE: upx -d mytestfile.exe
    • More about UPX can be found here: http://en.wikipedia.org/wiki/UPX
  • This will decompress “mytestfile.exe” – it almost doubles in size.
  • The MD5 hash of the passphrase is found at offset 0x0005d618 in the decompressed file (you can use hiew or any binary file viewer – even OllyDbg!).
  • When you run the exe2aut to “decrypt” the file, it will take the passphrase you enter and convert it to MD5. There is also some XORing going on. This is where I’m weak right now.
  • At some point, it will open the EXE and do…something. This is where I was stuck.

I’ll examine the AutoIt3-Decompiler from CW2K to see if I can learn anything from them. If anyone has info on how they did it, please post a comment. From what I can see, it seems like they just “patched” the original AutoIT decompiler, probably to skip the whole checking of passphrases or fill in the MD5 passphrase from the one in the file.

Why am I doing this? Why do I care? Two reasons:

  1. To emphasise that people should NOT store passwords or sensitive information in their AutoIT scripts.
  2. To quote from the readme file in the “improved” decompiler above:

Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark.


awk Talk

31 07 2006

Why I love awk:

{
    # Key on SIP, P, DIP and DP ($2, the source port, is deliberately ignored)
    key = $1 "_" $3 "_" $4 "_" $5
    if (!(x[key "-begin"])) {
        # First event for this key: begin, collapsed list and end all start as this TIME
        x[key "-begin"] = x[key "-c"] = x[key "-end"] = $6
    } else {
        x[key "-c"] = x[key "-c"] " " $6    # append this TIME to the collapsed list
        x[key "-end"] = $6                  # the latest TIME seen becomes the end
    }
}
END {
    for (item in x) {
        if (match(item, "begin")) {
            split(item, y, "-")                 # y[1] = SIP_P_DIP_DP
            split(x[y[1] "-begin"], t1, ":")    # HH:MM:SS.MS -> hour, minute, second fields
            split(x[y[1] "-end"], t2, ":")
            tim1 = t1[1] * 3600 + t1[2] * 60 + t1[3]
            tim2 = t2[1] * 3600 + t2[2] * 60 + t2[3]
            if ((tim2 - tim1) >= 1800) {        # keep only sessions lasting 30 minutes or more
                split(y[1], z, "_")
                print z[1] " " z[2] " " z[3] " " z[4] " = " x[y[1] "-c"]
            }
        }
    }
}

The awk script above takes a large file (e.g. 68,000 lines) whose lines consist of: SIP SP P DIP DP TIME

SIP = Source IP
SP = Source Port
P = Protocol
DIP = Destination IP
DP = Destination Port
TIME = Time of event (HH:MM:SS.MS)

And it:

  1. Builds a pseudo multi-dimensional array (awk doesn’t do “true” multidimensional arrays) with TIME as the value and SIP_P_DIP_DP as the key.
  2. Checks the array, calculates the start time and end time, and excludes events that don’t last at least 30 minutes (1800 seconds).
  3. Prints out the matching lines in this format:
          SIP P DIP DP = <Start Time> <Middle Time> … <Middle Time> <End Time>
     This also reduces the data set to 1620 lines, since invalid groups are eliminated and the relevant lines are collapsed into a single line.
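The same collapse-and-filter logic, as an added example that is not part of the original post: the awk program is wrapped in a shell function (long_sessions, a name chosen here) so it can be run over any SIP SP P DIP DP TIME file, the 1800-second threshold becomes an optional argument, and the output is piped through sort because awk’s for (key in array) order is unspecified. The sample_log function and its six log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original post's code: collapse events per
# SIP/P/DIP/DP and keep only sessions lasting at least $1 seconds
# (default 1800, as in the post). Reads "SIP SP P DIP DP TIME" on stdin.
long_sessions() {
    awk -v min="${1:-1800}" '
    function secs(t,  p) {               # "HH:MM:SS.MS" -> seconds since midnight
        split(t, p, ":")
        return p[1] * 3600 + p[2] * 60 + p[3]
    }
    {
        key = $1 "_" $3 "_" $4 "_" $5    # SIP_P_DIP_DP; the source port ($2) is ignored
        if (!(key in seen)) {
            seen[key] = 1
            first[key] = $6              # begin time
            times[key] = $6              # collapsed list of every TIME for this key
        } else {
            times[key] = times[key] " " $6
        }
        last[key] = $6                   # end time is the latest TIME seen
    }
    END {
        for (key in seen) {
            if (secs(last[key]) - secs(first[key]) >= min) {
                split(key, z, "_")
                print z[1] " " z[2] " " z[3] " " z[4] " = " times[key]
            }
        }
    }' | sort
}

# Constructed sample input: a 45-minute flow (three events), a 10-minute
# flow (two events on different source ports) and a single-event flow.
sample_log() {
    cat <<'EOF'
10.0.0.5 51234 tcp 192.0.2.10 443 09:00:00.000
10.0.0.5 51234 tcp 192.0.2.10 443 09:20:00.000
10.0.0.5 51234 tcp 192.0.2.10 443 09:45:00.000
10.0.0.7 40001 udp 192.0.2.20 53 09:05:00.000
10.0.0.7 40002 udp 192.0.2.20 53 09:15:00.000
10.0.0.9 22222 tcp 192.0.2.30 22 10:00:00.000
EOF
}

# Usage:
#   sample_log | long_sessions        # 30-minute threshold: only the 10.0.0.5 flow survives
#   sample_log | long_sessions 600    # 10-minute threshold: the 10.0.0.7 flow survives too
```

With the default threshold only the first flow is printed, as a single line holding its three timestamps; lowering the threshold to 600 seconds also keeps the two DNS events, which share a key because the source port is not part of it.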

AND it runs at ridiculous speed.  Maybe on a faster box it would be ludicrous speed, but on my test box (rather old), it does this in about 2.25 seconds.  Rather fast if you consider the job, I think.

Other tests:

Data set size   Time     Rate
67,741          2.25s    30,107.10/sec
556,834         29.12s   19,122.05/sec
1,117,668       91.95s   12,111.67/sec





Update to AutoIT Passphrase Info

25 07 2006

I got a couple of questions in the comment box about the AutoIT passphrases. Here’s an update/clarification:

  • The debugger must be attached prior to entering a dummy passphrase, then paused after the error message comes up (at least for OllyDbg).
  • This does not seem to work with AutoIt version 3.x.  (Thanks Greg).  It does work on AutoIt version 2.x.




Cracking AutoIT Encryption Passphrases

16 07 2006

Auto IT (http://www.autoitscript.com) is a Windows utility that administrators can use to automate certain tasks, especially those that they have to do on multiple machines (e.g. PC rollouts). It’s basically just a scripting language. When deploying PCs or performing administrative tasks, an administrator will usually hardcode their passwords into the script so they don’t have to enter them all the time. In order to prevent your passwords from being discovered by curious users, you can “compile” your Auto IT script and encrypt it using a secret passphrase. Auto IT provides a de-compiler for undoing the encryption, but you need to provide that passphrase.

About a year ago, I came across some malware that utilized an Auto IT script that was compiled and encrypted. In order to find out exactly what the malware did, I had to crack open the script. Using the Auto IT de-compiler and a debugger (i.e. OllyDbg), it’s fairly straightforward to find the passphrase:

  1. Launch the de-compiler (Exe2Aut) and attach to it using the debugger.
  2. Choose the Auto IT file to de-compile.
  3. Enter anything for the passphrase.
  4. When you get the error message about entering the wrong passphrase, go to the debugger and pause the process.
  5. Check the stack and you should find the correct passphrase there (in my tests, I’ve found it at location 0012F6BC in the stack). OllyDbg will show this in ASCII.

Once you have the passphrase, enter it into the Auto IT de-compiler and you get the Auto IT source script, so you can find out exactly what the code is doing.

** NOTE: The author of AutoIT has said that their “encryption” is really more of an “encoding” because it’s not secure — so, DO NOT put in Domain Passwords or anything of value in your AutoIT script. A better hacker would surely write a separate program for extracting the passphrase from compiled AutoIT scripts. But in this case that would be overkill considering how easy it is to find the passphrase.