Improved AutoIt3 Decompiler / myAutToExe Decompiler

For all about reverse engineering, cracking tools, programming languages...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby aguilar » Fri Dec 18, 2009 2:47:50 am

Magnificent work. I have been using myAutToExe Decompiler version 2.8 build 125 for a long time.

I did not know why the latest version, 2.9 build 138, was failing for me when trying to decompile, while version 2.8 build 125 did it very well.

I have noticed that the problem comes from Tidy.exe.

If anyone has a problem when trying to decompile, download this version of Tidy, unzip it into the myAutToExe directory, replacing the files, and check whether it works as it should with the change.

Danny_NL, the problem you describe may also come from Tidy.

Code: Select all
http://www.megaupload.com/?d=GDN6X7RO


Greetings
aguilar
AntiWPA Newbie
Posts: 1
Joined: Wed Nov 18, 2009 1:06:55 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby ironarmor » Mon Dec 28, 2009 12:04:13 pm

Dear Cw2k, it is a really cool program! Thanks for your hard work.
But I have met a strange problem. I use AutoIt 3.3.2
and compiled the example script calculator.au3 to calculator1.a3x.

I use myAutToExe2_09_AutoIt3_Decompiler_opensource to decompile it.
It can't be decompiled.

I use Windows 2003 with Chinese locale (936), and attach two a3x files.

Could you help me find the problem?

Code: Select all
myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< 2.9 build(138)
================================================================================
Unpacking: C:\Documents and Settings\Administrator\桌面\tmp\calculator1.a3x
00000000 -> Testing for AutoIT3.26 Script...
Script Type 3.2.5+ found.
AlternativeSigScan for 'FILE'-signature in au3-body...
Scanning for FILE-(old)signature: FF 6D 00 00    m 
...not found.
Scanning for FILE-(new)signature: 6B 43 00 52    kC R
...not found.
'FILE'-signature not found. Please enter start of script manually.
===============================================================================
Trying to DeTokenise: C:\Documents and Settings\Administrator\桌面\tmp\calculator1.a3x
STOPPED!!! Required FileExtension for Tokenfiles: '.tok .mem'
Rename this file manually to show that this should be detokenied.
===============================================================================
Trying to DeObfuscate : C:\Documents and Settings\Administrator\桌面\tmp\calculator1.a3x
Saving Logdata to : C:\Documents and Settings\Administrator\桌面\tmp\calculator1_myExeT

ironarmor
AntiWPA Newbie
Posts: 1
Joined: Mon Dec 28, 2009 11:29:36 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.9

Postby freeze_love » Sun Jan 31, 2010 11:10:33 am

cw2k wrote:....
Download Version 2.9 of myAutToExe ( from http://myAutToExe.tk)
Admin Note: *Link update on 21.04.2008*
added a doc on how to deobfuscate on 21.01.2009


It doesn't work. You can see this picture:
Image

Please help me fix this error. I've used Windows 7 Ultimate.
freeze_love
AntiWPA Newbie
Posts: 1
Joined: Sun Jan 31, 2010 10:32:01 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Sun Jan 31, 2010 2:52:21 pm

Add the file(Colours Chooser.exe) here - so I can check it.
However, besides testing, I guess again that it might work on my PC while it fails on PCs with other code page (language) settings. I'm using the VB function StrConv(), which really helped to speed up decryption by 4x, but created those problems by being somehow code-page dependent.
decompile.bas
Code: Select all
...
              ' ==> Decrypt scriptdata
               Dim StrCharPos&, tmpBuff() As Byte
               tmpBuff = StrConv(.mvardata, vbFromUnicode, LocaleID_ENG)
...

So plz post ya country settings. You may try to change them temporarily to 'German' and then try it again.
Or just install VB6 portable and debug the code yaself. ;)
cw2k
Site Admin
Posts: 365
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby DJBLADE17 » Tue Feb 02, 2010 7:57:17 pm

Running into some trouble.
I am new to this, so I could be missing some simple steps.
I have this autoit.exe file I'm trying to decompile.
The program is an older version that I can decompile,
but it has an update icon to update to the newest version.
When I update it I can't decompile it; it gives me this error:
Scanning for FILE-(old)signature: FF 6D B0 CE ÿm°Î
Invalid InputData - StringEncryption length(766662566) is bigger than the file Value must between '0' and '229533' !
Where do I begin to troubleshoot this? Or any ideas for some good reading material?
thanks!
DJBLADE17
AntiWPA Newbie
Posts: 2
Joined: Tue Feb 02, 2010 7:49:04 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby AMGarkin » Wed Feb 03, 2010 6:36:04 pm

PythEch wrote:Ok I found the problem in source code. It is very simple... The const LocaleID_ENG is German LCID (1031). I changed it to 1055 (Turkish). LCID list -> http://support.microsoft.com/?kbid=221435. Now it works. Also, the 0 and 1024 LCID's work too.


cw2k wrote:Thanks for the feedback! Till I find a real fix, I'll put this into the readme.


I had the same issue on my Windows (Czech locale - 1029), so I tried to find some universal solution. I'm not a programmer, and my solution is probably not the best, but it works for me.

In "lib\Helper.bas" I have replaced:
Code: Select all
Public Const LocaleID_ENG = 1031


with:
Code: Select all
Private Declare Function GetThreadLocale Lib "KERNEL32" () As Long


and added the following function to the very end of file:
Code: Select all
Public Function LocaleID_ENG() As Long
    LocaleID_ENG = GetThreadLocale()
End Function
AMGarkin
AntiWPA Newbie
Posts: 3
Joined: Wed Feb 03, 2010 6:17:20 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby AMGarkin » Sat Feb 06, 2010 4:48:24 am

There is a small glitch when using myAutToExe 2.9 from the command line, as this portion of the log shows:

Code: Select all
===============================================================================
Testing for Scripts that were obfuscate by 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]' or 'EncodeIt 2.0'
===============================================================================
Trying to DeObfuscate : botvec.au3
Deobfuscating van Zande 1.0.15...
TBL seperator string: T9I
Okay. Obfucated script loaded and displayed.
Extracting TBLFileName from Script.
Loading StringTBLFileName: \895790356984.au3.tbl...
Can't open \895790356984.au3.tbl for read access. File not found
Saving Logdata to : botvec_myExeToAut.log


When the program is started manually, everything works correctly:
Code: Select all
===============================================================================
Testing for Scripts that were obfuscate by 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]' or 'EncodeIt 2.0'
===============================================================================
Trying to DeObfuscate : C:\MyTempDir\botvec.au3
Deobfuscating van Zande 1.0.15...
TBL seperator string: T9I
Okay. Obfucated script loaded and displayed.
Extracting TBLFileName from Script.
Loading StringTBLFileName: C:\MyTempDir\895790356984.au3.tbl...
5081 strings found.
Restoring StringNames in ...
AMGarkin
AntiWPA Newbie
Posts: 3
Joined: Wed Feb 03, 2010 6:17:20 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Sat Feb 06, 2010 8:15:40 pm

AMGarkin wrote:In "lib\Helper.bas" I have replaced:
Code: Select all
Public Const LocaleID_ENG = 1031
with:
Code: Select all
Private Declare Function GetThreadLocale Lib "KERNEL32" () As Long
and added the following function to the very end of file:
Code: Select all
Public Function LocaleID_ENG() As Long
    LocaleID_ENG = GetThreadLocale()
End Function


Thanks for that - well, that'll be a real fix. A little more simplified, it'll be the same as just leaving out the LCID parameter of StrConv and replacing
Code: Select all
               tmpBuff = StrConv(.mvardata, vbFromUnicode, LocaleID_ENG)
with
Code: Select all
               tmpBuff = StrConv(.mvardata, vbFromUnicode)
According to the doc, StrConv then just uses the actual local country ID.
However, leaving that out will bring me back to the starting point, where I just used StrConv without the LCID parameter, and doing so will make the Chinese ppl unhappy, as the decompiler will not work, or will not correctly decompile scripts with Chinese strings.

Oh dear, the whole topic makes me quite unhappy. :|
The two questions about that are:
First, how to test & detect country problems?
Second, how to fix them?

Maybe someone can help, or maybe I'll find something about it on the net.
cw2k
Site Admin
Posts: 365
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...
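
A round-trip self-test for the code-page problem discussed in the posts above, as an added Python example that is not part of the thread or of myAutToExe. It assumes the script data entered the string under the system's ANSI code page, uses Python codecs as approximate stand-ins for the Windows tables, and all function names are hypothetical.

```python
# Added illustration, not myAutToExe code: binary data pushed through a
# code-page text conversion (what StrConv does) and a self-test for data loss.

# Python codecs standing in for the Windows ANSI code pages of the locales
# named in the thread. Assumption: close to, but not identical to, Windows.
ANSI_CODEC = {
    1031: "cp1252",  # German, the value hard-coded as LocaleID_ENG
    1029: "cp1250",  # Czech
    1055: "cp1254",  # Turkish
    2052: "cp936",   # Chinese (PRC), a double-byte code page
}
DOUBLE_BYTE = {"cp936"}


def to_unicode(data: bytes, lcid: int) -> str:
    """Approximates StrConv(data, vbUnicode, lcid): bytes -> string."""
    codec = ANSI_CODEC[lcid]
    if codec in DOUBLE_BYTE:
        # Lead and trail bytes merge into one character; invalid ones are lost.
        return data.decode(codec, errors="replace")
    chars = []
    for b in data:
        try:
            chars.append(bytes([b]).decode(codec))
        except UnicodeDecodeError:
            # Undefined slot: assumed to map to the same-numbered code point.
            chars.append(chr(b))
    return "".join(chars)


def from_unicode(text: str, lcid: int) -> bytes:
    """Approximates StrConv(text, vbFromUnicode, lcid): string -> bytes."""
    codec = ANSI_CODEC[lcid]
    out = bytearray()
    for ch in text:
        try:
            out += ch.encode(codec)
        except UnicodeEncodeError:
            # C1 controls go back to their own byte, anything else becomes '?'.
            out.append(ord(ch) if 0x80 <= ord(ch) <= 0x9F else 0x3F)
    return bytes(out)


def damaged_bytes(load_lcid: int, conv_lcid: int) -> list:
    """Byte values that change when loaded as text under load_lcid and
    converted back under conv_lcid. An empty list means binary-safe."""
    bad = []
    for value in range(256):
        original = bytes([value])
        if from_unicode(to_unicode(original, load_lcid), conv_lcid) != original:
            bad.append(value)
    return bad


def offsets_shift(data: bytes, lcid: int) -> bool:
    """True when character positions no longer match byte offsets."""
    return len(to_unicode(data, lcid)) != len(data)


if __name__ == "__main__":
    for load, conv in [(1031, 1031), (1029, 1031), (1055, 1031),
                       (1055, 1055), (2052, 2052)]:
        bad = damaged_bytes(load, conv)
        print(f"load {load} -> convert {conv}: {len(bad)} byte values damaged")
    print("cp936 merges C4 E3 into one char:", offsets_shift(b"\xc4\xe3", 2052))
```

On a double-byte code page no LCID choice gives an empty list, so only data kept in a byte array, with no text conversion at all, passes for every locale.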

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby Rugburned » Fri Feb 26, 2010 6:19:48 am

I have a script in .exe form I'd like decompiled. The original coder died and I'd like to get the source code. Anyone here able to do that for me? I'd try but I'm sure I'll screw it up.

http://www.filefront.com/15683931/Buffv2322.exe
Rugburned
AntiWPA Newbie
Posts: 2
Joined: Fri Feb 26, 2010 6:01:43 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby AMGarkin » Sat Feb 27, 2010 1:02:51 pm

Rugburned wrote:I have a script in .exe form I'd like decompiled. The original coder died and I'd like to get the source code. Anyone here able to do that for me? I'd try but I'm sure I'll screw it up.

http://www.filefront.com/15683931/Buffv2322.exe


It's really easy, just download myAutToExe and drag&drop your file into the main program window.

Decompiled script: http://www.pastebin.cz/32929
AMGarkin
AntiWPA Newbie
Posts: 3
Joined: Wed Feb 03, 2010 6:17:20 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby NSSoft » Wed Mar 03, 2010 3:39:07 pm

Thank you for the great tool. I tried to decompile the file in the attachment but failed. It was originally packed with UPX, so I included both the original and unpacked versions. I'm not familiar enough with the AutoIT runtime to quickly analyze its script and extract the overlay; maybe you can help me.

I know this is really AutoIT. I got a memdump of the process but failed to recover the script, too.

It contains the following strings:

> This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support

> <assemblyIdentity type="win32" processorArchitecture="*" version="3.0.0.0" name="AutoIt3" />
<description>AutoIt v3</description>

Thank you in advance for any help/hint
NSSoft
AntiWPA Newbie
Posts: 2
Joined: Wed Mar 03, 2010 2:11:59 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby NSSoft » Thu Mar 04, 2010 11:40:22 pm

AMGarkin helped me to solve all problems with my decompilation. Thank you for help.
NSSoft
AntiWPA Newbie
Posts: 2
Joined: Wed Mar 03, 2010 2:11:59 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby ddarek » Thu Apr 22, 2010 6:29:18 pm

Since 2.07 build 106, which works fantastically to this day (always), every single build after that shows,
no matter what exe file I try to decompile,
Image
and after that, as below,
Image
Can anyone tell me what is wrong/good with the latest builds?
Why does 2.07.106 work and the others not?

(The exe file is easily decompiled with 2.07 and gets stuck with the latest builds)
ddarek
AntiWPA Newbie
Posts: 2
Joined: Thu Oct 29, 2009 8:37:24 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby biocore » Sat Apr 24, 2010 3:48:13 pm

NSSoft wrote:Thank you for the great tool. I tried to decompile the file in the attachment but failed. It was originally packed with UPX, so I included both the original and unpacked versions. I'm not familiar enough with the AutoIT runtime to quickly analyze its script and extract the overlay; maybe you can help me.

I know this is really AutoIT. I got a memdump of the process but failed to recover the script, too.

It contains the following strings:

> This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support

> <assemblyIdentity type="win32" processorArchitecture="*" version="3.0.0.0" name="AutoIt3" />
<description>AutoIt v3</description>

Thank you in advance for any help/hint


I have the same problem as you have with a script. Could you tell me how you solved it?
biocore
AntiWPA Newbie
Posts: 1
Joined: Sat Apr 24, 2010 3:43:44 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby jeviduty » Thu Jun 10, 2010 7:01:47 am

jeviduty
AntiWPA Newbie
Posts: 1
Joined: Thu Jun 10, 2010 6:59:26 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby SUIBOM » Thu Jun 10, 2010 8:55:42 pm

jeviduty wrote:Here is a challenge,

http://www.autohotkey.com/forum/topic49952.html

And so it begins, thanks for playing project mobius dude, you took your time. :lol:

cw2k would lol hard at my implementation, there truly is no challenge, and the information is for the asking anyway.

Love your work.
The Light that Shines Twice as Bright lasts Half as Long!
SUIBOM
AntiWPA Newbie
Posts: 1
Joined: Wed Oct 29, 2008 12:17:40 pm
Location: DarkSide

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Mon Jun 21, 2010 1:49:03 pm

jeviduty wrote:Here is a challenge,

http://www.autohotkey.com/forum/topic49952.html

Just out of curiosity I had a look at this.
Wow, nice program - clear and well documented. Unfortunately it's without source.
Anyway, I had a quick look into the modifications it applies to an AHKExe when compiling.
Here's the paper:
http://myauttoexe.angelfire.com/Doc/Dec ... cripts.htm
(Oh dear, Word tries crap - a gif with transparency; seems that this converter has never heard anything about png)
or see the attached pdf or
http://myauttoexe.angelfire.com/Doc/Dec ... cripts.doc
for better quality.

Hmm, myAutToExe could be improved to get along better with HKCamo, without the need to go into the source code and 'adjust' things there. However, AHK is not so widely used that it makes sense to make the code more flexible and intelligent. On the other hand, you pay for comfort with complexity: a loss of simplicity and of easy-to-read-and-maintain code, and of course the time you'll need to implement and test new functionality.
cw2k
Site Admin
Posts: 365
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby ecrito » Mon Jun 21, 2010 5:56:35 pm

Since the last version it looks like scripts encoded with Armadillo can't be decompiled, even if u dump them before with OllyDbg.

Could someone have a look at this script and tell me if the problem is on my end? Cheers
Last edited by ecrito on Tue Jun 22, 2010 7:11:42 pm, edited 1 time in total.
ecrito
AntiWPA Newbie
Posts: 3
Joined: Mon Jun 21, 2010 5:53:24 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Mon Jun 21, 2010 8:53:30 pm

Okay that's the full package:
*LinkRemove on request*/Hydra.zip
... and some other urls:
*LinkRemove on request*/HydraPro.zip
*LinkRemove on request*/HydraLite.zip
or just
*LinkRemove on request*/
to see it all! :lol:

Here you'll find how to extract the *.a3x files yourself:
*LinkRemove on request*/Dumping_OverlayData_of_Armadillo.htm
Section: >Dumping OverlayData of Armadillo/Themida with Winhex<

Besides this, inline dumping also works well. Just run the Au3 exe with the following parameters:
Code: Select all
hydr.exe /AutoIt3ExecuteLine "FileWrite('Dump.dmp', FileRead(FileOpen(@AutoItExe,16),FileGetSize(@AutoItExe)))"


Run these *.a3x directly in AutoIt - or load them into the decompiler...wait... and get out da *.au3 :D
Hydrav1.0.4.0.a3x
HydraProv1.0.4.0.a3x
*Attachment removed*

P.s. ...and Yep the packer is again the good old Armadildo. :P


Admin note: Got some mail from Romania. RobnTara aka Weyland or Webber, the author of this proggie, has contacted me, telling me that he has a hard time...
Well I back it all up so if you need any of that SnG Hydra FT UB BoDog Cake poker crap for educational studies send me a PM.
cw2k
Site Admin
Posts: 365
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby NewEraCracker » Wed Jun 23, 2010 10:17:09 pm

Your tools are pretty good. :)

I unpacked a few viruses designed in autoit on a Virtual Machine and sent them to Avira.
~ NewEraCracker - The Cracker of New Era ~
Activate Windows 7 the right way: http://board.defcon5.biz/viewtopic.php?f=30&t=1391
NewEraCracker
AntiWPA Specialist
Posts: 150
Joined: Tue Jan 05, 2010 8:22:52 pm
Location: Offshore

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby ecrito » Tue Jul 06, 2010 10:24:19 pm

Relating to your last tutorial about cam$o

Code: Select all
Hint on finding the '9484BF97' value.
Note that this is the len of the Passphrase. Usually that value will be in a range of 0 to 255
(0x000000 00 to 0x000000 FF).
So the this last three bytes will be the same nearly all the time xx 00 00 00 .
Goto to ScriptStart +0x11 there is 'B7  BF 84 94' or '9484BFB7'. So a search for the hexstring 'BF 84 94' in the uncompressed *.ahkExe will reveal that there a 97 before them and so the Full XorKeyValue is 97 BF 84 94 -> '9484BF97'.

And well there's as well an alternative in case you somehow can't find this '9484BF97' value (or I explained it to messy)
Change the code as the following:
' ===> Get Script Password
      Dim MD5PassphraseHash As New StringReader
      If bIsOldScript Then
       ' Old AutoIT Script if branch...
       ' Move three bytes back since SubType is only 1 Byte but before we read 4 byte
         .Move -3
         'MD5PassphraseHash = GetEncryptStr(64193, 50130, File) '&HFAC1, &HC3D2
         'MD5PassphraseHash = GetEncryptStr(&H9484BF97, 50130, File) '&HFAC1, &HC3D2
     
      .Move 4
     
      Dim StrLen&
      StrLen = 32
           
      MD5PassphraseHash = DeCrypt(.FixedString(StrLen), 50130 + StrLen)
-> guess/changing the StrLen = 32 that long till it fits.



I've got some difficulties finding the "H9484BF97" value.

First solution: I just don't understand it :)
Second solution: we've got to change the StrLen = 32 to what? 64? 96? ...?

tx
ecrito
AntiWPA Newbie
Posts: 3
Joined: Mon Jun 21, 2010 5:53:24 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Sat Jul 17, 2010 3:35:54 pm

...since there is AHK Version 1.4.8.5 in the FileVerinfo I just compared it with the original AHK-Interpreter stub
Code: Select all
Vergleichen der Dateien AHKVersion104805.exe und WILDFIRE.EXE
...
0004FE57: C1 E5
0004FE58: FA D5
0004FE59: 00 B8
0004FE5A: 00 9B

WILDFIRE.EXE Disasm:
00450A55    81F7 E5D5B89B   XOR     EDI, 9BB8D5E5

A search for 'FAC1' in the myAutToExe sources leads you to 'SRC\Decompile.bas'
Code: Select all
         MD5PassphraseHash = GetEncryptStr(64193, 50130, File) '&HFAC1, &HC3D2
         MD5PassphraseHashText = MD5PassphraseHash

change this to
Code: Select all
MD5PassphraseHash = GetEncryptStr(&h9BB8D5E5, 50130, File) ' '&HFAC1, &HC3D2

Note there's an ugly thing about Visual Basic and hex values.
So don't use &H7FFF... &hFFFF; write it as a decimal number instead. &h10000..&hFFFFFFFF is okay.

Confirm the invalid Filemarker, and then another okay for 'JB01', et voilà, now it works.

Code: Select all
; HotkeyCamo ~0.9.5.0>
...


wildfire -> FT Full Tilt not again another pokerbot.
cw2k
Site Admin
Posts: 365
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...
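
The stub comparison from the post above, worked through as an added Python example (not code from the thread or from myAutToExe): it groups the differing bytes into runs and reads each four-byte run as a little-endian immediate. The diff text is constructed from the four lines quoted in the post, and all function names are hypothetical.

```python
import re

# Constructed input: the four lines quoted in the post, in the
# "offset: byte-in-file-1 byte-in-file-2" layout of a binary file compare.
FC_LINES = """\
0004FE57: C1 E5
0004FE58: FA D5
0004FE59: 00 B8
0004FE5A: 00 9B
"""

_DIFF = re.compile(
    r"^\s*([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$"
)


def parse_diff(text):
    """Return sorted [(offset, old_byte, new_byte)], skipping other lines
    such as the compare tool's banner."""
    rows = []
    for line in text.splitlines():
        match = _DIFF.match(line)
        if match:
            rows.append(tuple(int(group, 16) for group in match.groups()))
    return sorted(rows)


def group_runs(rows):
    """Split the differences into runs of consecutive file offsets."""
    runs = []
    for row in rows:
        if runs and row[0] == runs[-1][-1][0] + 1:
            runs[-1].append(row)
        else:
            runs.append([row])
    return runs


def changed_dwords(text):
    """For each run of exactly four bytes, return (offset, old, new) with the
    bytes read as a little-endian 32-bit immediate, as x86 stores them."""
    found = []
    for run in group_runs(parse_diff(text)):
        if len(run) != 4:
            # A byte that is equal in both files is not listed, so a shorter
            # run may still be part of a constant: check the disassembly.
            continue
        old = int.from_bytes(bytes(r[1] for r in run), "little")
        new = int.from_bytes(bytes(r[2] for r in run), "little")
        found.append((run[0][0], old, new))
    return found


def vb_literal(value):
    """Spell a constant the way the post advises for VB6: decimal up to
    &HFFFF, hex above that."""
    return str(value) if value <= 0xFFFF else "&H%08X" % value


if __name__ == "__main__":
    for offset, old, new in changed_dwords(FC_LINES):
        print(f"file offset {offset:08X}: {vb_literal(old)} -> {vb_literal(new)}")
```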

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby autoitdecompile » Wed Jul 21, 2010 8:14:11 am

sent PM to you :)
autoitdecompile
AntiWPA Newbie
Posts: 1
Joined: Wed Jul 21, 2010 7:05:38 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby DJBLADE17 » Sat Jul 24, 2010 6:07:48 pm

Can anyone help with this

http://www.megaupload.com/?d=CPVG6OTE

gives me error

Code: Select all
AlternativeSigScan for 'FILE'-signature in au3-body...
Scanning for FILE-(old)signature: FF 6D B0 CE    ÿm°Î
Invalid InputData - StringEncryption length(1307400445) is bigger than the file Value must between '0'  and '89667' !
DJBLADE17
AntiWPA Newbie
Posts: 2
Joined: Tue Feb 02, 2010 7:49:04 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby skyline9394 » Sun Aug 08, 2010 6:20:31 am

Hi all, I tried to decompile an exe but I've got a problem: it asks me for TBLString.
Here is the log file,
and I uploaded the file if someone can help me out.
Image
Code: Select all



myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< 2.9 build(146)
================================================================================
Unpacking: C:\Users\Sky\Desktop\bests.exe
---> ScriptStartOffset: 00098E00
      EndOf_PE-ExeFile : 00098E00
Extracting ExeIcon/s to: "C:\Users\Sky\Desktop\bests.ico"
00098E14 -> SubType: 0x41  AU3!
~ Note:  The following offset values are were the data ends (and not were it starts) ~
00098E18 -> New tokenised AutoIt script found.
Script is password protected!
00098E28 -> Password/MD5PassphraseHash: 84C9812DD733BD0479E96D1D47364DA2
            „Ɂ-×3½yémG6M¢
MD5PassphraseHash_ByteSum: 00000000  '+ 2477' => decryption key!
------------ Processing Body -------------
=== > Processing FILE: #1
00098E2C -> ResType: FILE
00098E56 -> SrcFile_FileInst: >>>AUTOIT SCRIPT<<<
00098EAE -> CompiledPathName: C:\Users\Jay\AppData\Local\Temp\aut5AD.tmp
00098EAF -> IsCompressed: True  (01)
00098EB3 -> ScriptSize Compressed: 0006ED7A  Decimal:454010
00098EB7 -> ScriptSize UnCompressed(used to seek to next file): 002B2B53  Decimal:2829139
00098EBB -> ADLER32 CRC of unencrypted script data: 07BB53C7
00098ECB -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB2C31E2FD39E8  25.7.2010 19:45:8 [345]
    pLastWrite   :  01CB2C31E34391B8  25.7.2010 19:45:8 [806]
00098ECB -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\bests.pak
Expanding script data to "bests.tok" at C:\Users\Sky\Desktop\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #2
00107C49 -> ResType: FILE
00107C79 -> SrcFile_FileInst: C:\Jatagatha\Jatagatha
00107CA9 -> CompiledPathName: C:\Jatagatha\Jatagatha
00107CAA -> IsCompressed: False  (00)
00107CAE -> ScriptSize Compressed: 00000052  Decimal:82
00107CB2 -> ScriptSize UnCompressed(used to seek to next file): 00000052  Decimal:82
00107CB6 -> ADLER32 CRC of unencrypted script data: AD791C1D
00107CC6 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB267813118F40  18.7.2010 12:52:26 [804]
    pLastWrite   :  01CB210C356A3C70  11.7.2010 15:17:42 [967]
00107CC6 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
Saving script to "Jatagatha" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #3
00107D1C -> ResType: FILE
00107D50 -> SrcFile_FileInst: C:\Jatagatha\Default.sav
00107D84 -> CompiledPathName: C:\Jatagatha\Default.sav
00107D85 -> IsCompressed: True  (01)
00107D89 -> ScriptSize Compressed: 000000DC  Decimal:220
00107D8D -> ScriptSize UnCompressed(used to seek to next file): 00000153  Decimal:339
00107D91 -> ADLER32 CRC of unencrypted script data: 76296882
00107DA1 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB267813084070  18.7.2010 12:52:26 [743]
    pLastWrite   :  01CB21FDA29EA6E0  12.7.2010 20:5:54 [894]
00107DA1 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\Jatagatha\Default.pak
Expanding script data to "Default.sav" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #4
00107E81 -> ResType: FILE
00107EB9 -> SrcFile_FileInst: C:\Jatagatha\Handserif.ttf
00107EF1 -> CompiledPathName: C:\Jatagatha\Handserif.ttf
00107EF2 -> IsCompressed: True  (01)
00107EF6 -> ScriptSize Compressed: 0000EF0E  Decimal:61198
00107EFA -> ScriptSize UnCompressed(used to seek to next file): 00015018  Decimal:86040
00107EFE -> ADLER32 CRC of unencrypted script data: 97A8EE7D
00107F0E -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB2678130D7090  18.7.2010 12:52:26 [777]
    pLastWrite   :  01C4EF4104767000  31.12.2004 14:0:0 [0]
00107F0E -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\Jatagatha\Handserif.pak
Expanding script data to "Handserif.ttf" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #5
00116E20 -> ResType: FILE
00116E52 -> SrcFile_FileInst: C:\Jatagatha\JATAGATHA1
00116E84 -> CompiledPathName: C:\Jatagatha\JATAGATHA1
00116E85 -> IsCompressed: False  (00)
00116E89 -> ScriptSize Compressed: 00008DE4  Decimal:36324
00116E8D -> ScriptSize UnCompressed(used to seek to next file): 00008DE4  Decimal:36324
00116E91 -> ADLER32 CRC of unencrypted script data: 21B193FC
00116EA1 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB26781312C7C0  18.7.2010 12:52:26 [812]
    pLastWrite   :  01CAD99086A3F310  11.4.2010 16:3:29 [89]
00116EA1 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
Saving script to "JATAGATHA1" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #6
0011FC89 -> ResType: FILE
0011FCBB -> SrcFile_FileInst: C:\Jatagatha\JATAGATHA2
0011FCED -> CompiledPathName: C:\Jatagatha\JATAGATHA2
0011FCEE -> IsCompressed: True  (01)
0011FCF2 -> ScriptSize Compressed: 00019E68  Decimal:106088
0011FCF6 -> ScriptSize UnCompressed(used to seek to next file): 0001C273  Decimal:115315
0011FCFA -> ADLER32 CRC of unencrypted script data: D7301620
0011FD0A -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB2678131511B0  18.7.2010 12:52:26 [827]
    pLastWrite   :  01CAD990872D6E60  11.4.2010 16:3:29 [990]
0011FD0A -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\Jatagatha\JATAGATHA2.pak
Expanding script data to "JATAGATHA2" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #7
00139B76 -> ResType: FILE
00139BA8 -> SrcFile_FileInst: C:\Jatagatha\JATAGATHA3
00139BDA -> CompiledPathName: C:\Jatagatha\JATAGATHA3
00139BDB -> IsCompressed: True  (01)
00139BDF -> ScriptSize Compressed: 0001C5FC  Decimal:116220
00139BE3 -> ScriptSize UnCompressed(used to seek to next file): 0001EAE5  Decimal:125669
00139BE7 -> ADLER32 CRC of unencrypted script data: DC1F294F
00139BF7 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB26781317A9C0  18.7.2010 12:52:26 [844]
    pLastWrite   :  01CAD99088295A90  11.4.2010 16:3:31 [641]
00139BF7 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\Jatagatha\JATAGATHA3.pak
Expanding script data to "JATAGATHA3" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #8
001561F7 -> ResType: FILE
00156229 -> SrcFile_FileInst: C:\Jatagatha\JATAGATHA4
0015625B -> CompiledPathName: C:\Jatagatha\JATAGATHA4
0015625C -> IsCompressed: True  (01)
00156260 -> ScriptSize Compressed: 000007E4  Decimal:2020
00156264 -> ScriptSize UnCompressed(used to seek to next file): 00002165  Decimal:8549
00156268 -> ADLER32 CRC of unencrypted script data: 1305E862
00156278 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB26781319F3B0  18.7.2010 12:52:26 [859]
    pLastWrite   :  01CAD99088347E20  11.4.2010 16:3:31 [714]
00156278 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\Jatagatha\JATAGATHA4.pak
Expanding script data to "JATAGATHA4" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #9
00156A60 -> ResType: FILE
00156A92 -> SrcFile_FileInst: C:\Jatagatha\JATAGATHA5
00156AC4 -> CompiledPathName: C:\Jatagatha\JATAGATHA5
00156AC5 -> IsCompressed: True  (01)
00156AC9 -> ScriptSize Compressed: 00000824  Decimal:2084
00156ACD -> ScriptSize UnCompressed(used to seek to next file): 0000219D  Decimal:8605
00156AD1 -> ADLER32 CRC of unencrypted script data: 721D0727
00156AE1 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB2678131A8FF0  18.7.2010 12:52:26 [863]
    pLastWrite   :  01CAD990883C6D60  11.4.2010 16:3:31 [766]
00156AE1 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\Jatagatha\JATAGATHA5.pak
Expanding script data to "JATAGATHA5" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #10
00157309 -> ResType: FILE
0015733B -> SrcFile_FileInst: C:\Jatagatha\JATAGATHA6
0015736D -> CompiledPathName: C:\Jatagatha\JATAGATHA6
0015736E -> IsCompressed: True  (01)
00157372 -> ScriptSize Compressed: 0000182C  Decimal:6188
00157376 -> ScriptSize UnCompressed(used to seek to next file): 000018AD  Decimal:6317
0015737A -> ADLER32 CRC of unencrypted script data: 71C253DF
0015738A -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB2678131BEF80  18.7.2010 12:52:26 [872]
    pLastWrite   :  01CAD99088437240  11.4.2010 16:3:31 [812]
0015738A -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\Jatagatha\JATAGATHA6.pak
Expanding script data to "JATAGATHA6" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #11
00158BBA -> ResType: FILE
00158BEC -> SrcFile_FileInst: C:\Jatagatha\JATAGATHA7
00158C1E -> CompiledPathName: C:\Jatagatha\JATAGATHA7
00158C1F -> IsCompressed: False  (00)
00158C23 -> ScriptSize Compressed: 0001C495  Decimal:115861
00158C27 -> ScriptSize UnCompressed(used to seek to next file): 0001C495  Decimal:115861
00158C2B -> ADLER32 CRC of unencrypted script data: E370E661
00158C3B -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB2678131D7620  18.7.2010 12:52:26 [882]
    pLastWrite   :  01CAE2155D19E850  22.4.2010 12:14:31 [765]
00158C3B -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
Saving script to "JATAGATHA7" at C:\Users\Sky\Desktop\Jatagatha\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
=== > Processing FILE: #12
001750D4 -> ResType: FILE
00175108 -> SrcFile_FileInst: JatagathaV.3.200.au3.tbl
00175186 -> CompiledPathName: C:\Users\Jay\Desktop\Other\Jatagatha\JatagathaV.3.200.au3.tbl
00175187 -> IsCompressed: True  (01)
0017518B -> ScriptSize Compressed: 0000A882  Decimal:43138
0017518F -> ScriptSize UnCompressed(used to seek to next file): 000330B6  Decimal:209078
00175193 -> ADLER32 CRC of unencrypted script data: A25EF991
001751A3 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01CB2C2C692BB798  25.7.2010 19:5:56 [484]
    pLastWrite   :  01CB2C31DB94DD28  25.7.2010 19:44:55 [917]
001751A3 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to C:\Users\Sky\Desktop\JatagathaV.3.200.au3.pak
Expanding script data to "JatagathaV.3.200.au3.tbl" at C:\Users\Sky\Desktop\
Setting Creation and LastWrite time
Write data in textbox
-------------------------------------------------------------------------------
Processing Finished!
0017FA25 -> End of script data
  FileLen: 0017FA2D  => Overlay: 00000008
  overlaybytes: 41 55 33 21 45 41 30 36   AU3!EA06
===============================================================================
Trying to DeTokenise: C:\Users\Sky\Desktop\bests.tok
00000004 -> Code Lines: 15959   0x00003E57
Keep TmpFile is unchecked => Deleting 'bests.tok'
Deleting: C:\Users\Sky\Desktop\bests.tok
Converting Unicode to UTF8, since Tidy don't support unicode.
Save/overwrite script to: C:\Users\Sky\Desktop\bests.au3
Skipping to run 'tidy\Tidy.exe' onbests.au3' to improve sourcecode readability. (Plz run it manually if you need it.)
Token expansion succeed.
===============================================================================
Testing for Scripts that were obfuscate by 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]' or 'EncodeIt 2.0'
===============================================================================
Trying to DeObfuscate : C:\Users\Sky\Desktop\bests.au3
Deobfuscating van Zande 1.0.24...
Warning - using a detokenise au3-file that was not tidyed!
I didn't tested this with that Obfuscation type. If problems occure
please run tidy\tidy.exe manually on this *.au3 and then drag it into myAutToExe.
Okay. Obfucated script loaded and displayed.
Extracting TBLFileName from Script.
Loading StringTBLFileName: C:\Users\Sky\Desktop\JatagathaV.3.200.au3.tbl...
Finding TBLStringSeperator failed. Asked user and got:
Type mismatch
Saving Logdata to : C:\Users\Sky\Desktop\bests_myExeToAut.log
skyline9394
AntiWPA Newbie
Posts: 1
Joined: Sun Aug 08, 2010 6:10:36 am
