Improved AutoIt3 Decompiler / myAutToExe Decompiler


Postby cw2k » Mon Dec 26, 2005 8:41:18 pm

So what is it about?
Well, it will extract the AutoIt3 script (*.au3) from any AutoIt3 installation (*.exe)
--> http://www.autoitscript.com/autoit3/
To see if some file is an AutoIt3 installation, look at the version information in the file properties.

Yeah, I know there is also a decompiler included in AutoIt3. But this one has some minor improvements.
So what has improved?

Basically it has full support for AutoIt v3.2.6 files, which the normal exeaut3 doesn't support because it uses tokens.

And regarding 'old' files:
Just in case you forgot to check the 'allow decompilation' checkbox or forgot the pass phrase, and to make things easier, there is no need to enter the pass phrase anymore. :lol:
The pass phrase is stored inside the script anyway, so why enter it again?

And last but not least, you get not only the source; with it also comes more functionality like deobfuscation, support for >modified script EXEs< and, in case something doesn't work, DIY fixing: all you need is M$ Word + some basic programming skills to debug/code in Visual Basic.
Discussion about it in the AutoIt3 forum
(not viewable as guest, but after you sign in there)


Download Version 2.9 of myAutToExe (from http://myAutToExe.tk)
Admin Note: *Link updated on 21.04.2008*
Added a doc on how to deobfuscate on 21.01.2009
Last edited by cw2k on Wed Nov 14, 2007 3:58:17 am, edited 22 times in total.
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

AutoIt Decompiler

Postby Guest » Tue Jun 27, 2006 8:55:40 pm

Thnx

I can confirm that it is working with beta 125!
Guest

Troubles with Aut2Exe

Postby Raengar » Wed Jul 04, 2007 11:45:18 pm

Hello cw2k, great job on the program - thanks a lot.

I have the following problem: it seems that if the “allow decompilation” box was unchecked when the script was compiled, it can't be reversed with your utility. It keeps saying “The executible file is not recognized as an autoit script”. However, I KNOW it is =) Can anything be done?
Raengar
AntiWPA Newbie
Posts: 1
Joined: Wed Jul 04, 2007 11:41:59 pm

Postby cw2k » Thu Jul 05, 2007 2:38:31 am

Try 'myAutToExe_04alpha.rar'; if it doesn't work, send me the script to
CzWz2zKz|@gmx.de
^ Please remove the 'z's; they are only there to fool spam bots that scan the net for mail addies.
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Postby TheKidIsME » Mon Aug 27, 2007 9:33:03 pm

N-joy
http://rapidshare.com/files/51682557/Ex ... dition.exe
http://www.planetnana.co.il/autoitcw2k/ ... dition.exe

planetnana will never delete the files (I've had files hosted there for more than 7 years!)


CW2K, you rock!
TheKidIsME
AntiWPA Newbie
Posts: 1
Joined: Mon Aug 27, 2007 9:28:45 pm

Postby cw2k » Wed Sep 19, 2007 9:34:34 pm

Suspicious Script User wrote:
AutoIt 3.2.6.0 and higher compile to bytecode. Makes checking scripts for backdoors harder… :-(
Will anyone care to write a decompiler?


*Bump Post*

Well, 'my decompiler 1.8' is ready. (Download link is in the first post)

But some pieces in between the EXE and the uncompressed compiled script are missing. :cry:


Well, for all the OllyDbg'ers, a very sloppy howto on dumping da script to overcome them.

Code:
Dumping an AutoIt3 3.2.6 Script
===============================

1. ----------------------------
Proc ExtractScript
   push ">>>AUTOIT SCRIPT<<<"
   Call ...
   ...
   XOR     EBX, 0A685
   ...
   Ret
Step out of this function (ret)

2.--------------------------------------------------
until here
$+00      Call ExtractScript
Scroll down until you see something like this
...
$+BE     >|.  E8 8A020000   |CALL    00406F3D
$+C3     >|.  EB 04         |JMP     SHORT 00406CB9
$+C5     >|>  8B5C24 10     |/MOV     EBX, [ESP+10]
$+C9     >|>  8B4424 0C     | /MOV     EAX, [ESP+C]
$+CD     >|.  03C3          |||ADD     EAX, EBX
$+CF     >|.  0FB638        |||MOVZX   EDI, [BYTE EAX]
$+D2     >|.  FF4424 0C     |||INC     [DWORD ESP+C]
$+D6     >|.  8D7424 30     |||LEA     ESI, [ESP+30]
$+DA     >|.  897C24 20     |||MOV     [ESP+20], EDI
$+DE     >|.  E8 23820000   |||CALL    0040EEF6
$+E3     >|.  8B4424 38     |||MOV     EAX, [ESP+38]
$+E7     >|.  83F8 0F       |||CMP     EAX, 0F                       ;  Switch (cases 0..1F)
$+EA     >|.  77 16         |||JA      SHORT 00406CF2
$+EC     >|.  8B4424 0C     |||MOV     EAX, [ESP+C]                  ;  Cases 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F of switch 00406CD7
$+F0     >|.  03D8          |||ADD     EBX, EAX
$+F2     >|.  8B03          |||MOV     EAX, [EBX]

3.--------------------------------------------------
$+CF     >|.  0FB638        |||MOVZX   EDI, [BYTE EAX]
Reads the decrypted/decompressed script.
Set a breakpoint there and follow EAX.

Go back -4 bytes and dump everything there.

00D00048  00000015  ... ;Number of Scriptlines
00D0004C  00000B37  7 .. <-EAX Points Here
00D00050  45002800  .(.E
00D00054  5F006400  .d._
00D00058  6A007900  .y.j
00D0005C  42007200  .r.B
00D00060  64006800  .h.d
00D00064  7F006500  .e.
00D00068  00000B31  1 ..
00D0006C  42004D00  .M.B
00D00070  4E004700  .G.N
00D00074  45004200  .B.E
4.----------------------------------------------------
Now you can feed that dump file into the decompiler.


:x
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Postby test » Sat Sep 22, 2007 4:35:24 pm

Hey, the site where the DL should be... it's hacked :(

Could u pls re-upload it :D?
test
AntiWPA Newbie
Posts: 2
Joined: Sun Apr 08, 2007 11:18:26 pm

Postby cw2k » Sat Sep 22, 2007 6:44:37 pm

http://myAutToExe.angelfire.com/

Or Just for fun also try:
http://DSLPeppie2.angelfire.com/

So hurry before they're down too, 'cause I'm going to be off 'for a while'.
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Postby CrapperHead » Sat Sep 22, 2007 11:02:34 pm

Torrents:
Code:
http://www.sumotorrent.com/details/593425/myAutToExe1_8_Alpha_src.7z.html
http://torrents.thepiratebay.org/3815831/myAutToExe1_8_Alpha_src.3815831.TPB.torrent

Hack that, bitches :)
CrapperHead
AntiWPA Newbie
Posts: 2
Joined: Sat Sep 22, 2007 10:50:03 pm

Postby linkfairy » Fri Sep 28, 2007 12:27:13 pm

I have read your guide again and now I can do it myself. Thanks so much! :D
linkfairy
AntiWPA Newbie
Posts: 1
Joined: Wed Sep 26, 2007 11:50:37 am

Postby cw2k » Mon Oct 01, 2007 7:17:09 am

linkfairy wrote:
...the next step I don't understand. How to "follow EAX" and "Go back -4 byte and dump"

linkfairy wrote:
I have read your guide again and now I can do it myself. Thanks so much! :D

Nice.

:idea:
Posing a question will make you open for da answer. Your answer.
And very likely that answer will be of the quality of the question.
The answer will come to you just at the right time and place.

So don't desperately seek for answers. Instead,
find questions!



Hehe nice to see it worked also for you! :D
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Postby CrapperHead » Fri Oct 19, 2007 9:17:52 am

RapidShare link:
Code:
http://rapidshare.com/files/63592379/myAutToExe1_9_Alpha_AutoIt3_Decompiler_opensource.zip
CrapperHead
AntiWPA Newbie
Posts: 2
Joined: Sat Sep 22, 2007 10:50:03 pm

new obfuscator

Postby Suspicious Script User » Mon Oct 29, 2007 9:25:34 pm

Thanks a lot cw2k, you are doing great work... I hope you get something out of it, at least in terms of professional pride or smth. ;-)

FYI, Jos released obfuscator v1.0.17 back in August, which seems not to be supported by your program so far...
Some details here:
Code:
http://www.autoitscript.com/forum/lofiversion/index.php?t43853-200.html


I guess this arms race is never gonna end.
Suspicious Script User
AntiWPA Newbie
Posts: 1
Joined: Fri Sep 07, 2007 10:55:28 pm

Postby cw2k » Tue Oct 30, 2007 5:52:46 am

There were some changes in upper/lower case, for ex. "Func " -> "func ", that caused the problems.
Anyway, the deobfuscation algo is crappy and 'unsafe': it does a plain search'n'replace of keyword patterns instead of using a parser.
So in an unlucky situation it might do a search&replace inside a 'user string' that looks like a command. For ex.
OutLine= "Func qweweq(arg1"

Well, who cares; practically the search patterns are relatively unique and so the probability that a 'false positive error' happens is low.

Problems with van Zan Obfuscator 0.22 fixed.
And now it's working again.
:P
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Postby Catapult » Mon Nov 26, 2007 9:19:23 pm

cw2k wrote:
There were some changes in upper/lower case, for ex. "Func " -> "func ", that caused the problems.
Anyway, the deobfuscation algo is crappy and 'unsafe': it does a plain search'n'replace of keyword patterns instead of using a parser.
So in an unlucky situation it might do a search&replace inside a 'user string' that looks like a command. For ex.
OutLine= "Func qweweq(arg1"

Well, who cares; practically the search patterns are relatively unique and so the probability that a 'false positive error' happens is low.

Problems with van Zan Obfuscator 0.22 fixed.
And now it's working again.
:P


Happy to report to you that your decompiler still works on the newest AutoIt version 3.2.10.0 (released yesterday) :lol:

The van Zan obfuscator has been improved though and your de-obfuscation algorithm doesn't work anymore :cry:. Newest Zan Obfuscator version 1.0.23.1.

Oh, and I just wanted to say: I really envy your skillz. :shock:

Greetz from a newbie reverser (I'm at lesson 10 from Lena :) )
Catapult
AntiWPA Newbie
Posts: 2
Joined: Thu Nov 22, 2007 4:13:44 pm

Postby Catapult » Wed Nov 28, 2007 9:37:53 pm

Whaaaaaa NEVER MIND.

The angelfire link was down, but it's up again.

I was working with 1.93, which couldn't understand the new vanZan obfuscation.

Now I use 2.00 and it works EXCELLENT.

Dude... you're a god!
Catapult
AntiWPA Newbie
Posts: 2
Joined: Thu Nov 22, 2007 4:13:44 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.01

Postby C2C » Sat Jan 19, 2008 3:31:45 pm

First off I must say this: hell of a job, dude, this decomp is the real thang. I'm using the most recent (plz correct me if wrong), the 2.01 version; it does decompile the file but I get lines in it like:

Global $A0FB0305C1F
Global $A4FB0402F44
Global $A04B0505F58
Global $A1EB0600C0D

The commands are intact (thank God) but the mystery behind the variable names is what troubles me. My questions are these: does this mean that the exe was somehow "more protected", obfuscated even?! And is it possible to reverse those names to something meaningful?

Thanks in advance,
C2C
C2C
AntiWPA User
Posts: 6
Joined: Sat Jan 19, 2008 2:58:04 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.01

Postby cw2k » Tue Jan 22, 2008 5:45:06 am

These ugly names are made by an obfuscator that was applied to the source code before it was compiled.

myAutToExe tries to do some deobfuscation work, such as restoring strings and renaming names like
Global Const $A0FB0305C1F to
Global Const $glConstVar0280, to make the program better readable.

However, to give for ex. $glConstVar0280 a more speakable name, it requires you and your brain and some editor with a Search&Replace function... :P

P.S.
In case there are no real strings in the source code, but instead "3D1238AD...", the deobfuscator failed. Some known but not fixed bug occurs when there is some line that is longer than 1600 bytes in the source code. This long line will make 'Tidy' fail. Without Tidy the file is not in the right format (and case) for the deobfuscator.
Fix: Manually check for long lines and break them down. Run tidy.exe on this *.au3 file and, if Tidy succeeds, open the tidied au3 file in myAutToExe again. (Now myAutToExe will hopefully detect that this is obfuscated and deobfuscate it.)
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.01

Postby C2C » Sat Jan 26, 2008 2:55:53 am

cw2k wrote:
These ugly names are made by an obfuscator that was applied to the source code before it was compiled.

myAutToExe tries to do some deobfuscation work, such as restoring strings and renaming names like
Global Const $A0FB0305C1F to
Global Const $glConstVar0280, to make the program better readable.

However, to give for ex. $glConstVar0280 a more speakable name, it requires you and your brain and some editor with a Search&Replace function... :P


Thought so. Well, it was a bit hard, but I managed to see the inner logic of that code, so I started searchin' and replacin'. Indeed there is no better deobfuscator than one's brain. Thanks for the great app once more cw2k, keep it up m8.
C2C
AntiWPA User
Posts: 6
Joined: Sat Jan 19, 2008 2:58:04 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.1

Postby cw2k » Mon Mar 17, 2008 8:24:39 am

myAutToExe 2.1 released!

So what is new?
* added 'Function Renamer' module
* Output is done in UTF-8 to have a normal ASCII file while also retaining Unicode chars
(that's important especially on Asian systems/scripts)

* lowered limit for too long script lines from 2000 to 1800 and improved the automatic line cutter
...after noticing that tidy.exe crashed because of some line being 'only' 1900 chars.
The long line cutter now also knows how to break these long 'global...' lines; however,
maybe you still need to manually add line breaks (if Tidy crashes, watch out for warnings in the myAutToExe log)

I wonder why Tidy still has this problem/bug with long lines; somehow I can't get rid of the
feeling 'van Zande' considers this a feature/protection/intended and is not going to fix it.


* bugfix: in the detokener with strings that were longer than 4096 bytes
* Detection for 'van Zande 1.0.24' deobfuscator added

Okay, about the Function Renamer:

'Function Renamer'
If you decompiled a file that was obfuscated, all variable and function names got lost.

'Function Renamer' is there to transfer the function names from one similar file to
your decompiled au3 file.

A similar file can be an included 'include file', but it can also be an older version
of the script with intact names, or some already recovered + manually improved one with
more meaningful function names.

Both files are shown side by side, separated by their functions.
Here some example:

> myScript_decompiled.au3 | > ...AutoIt3\autoit-v3.1.0\Include\Date.au3
Code:
      ...                          |  ...                                         
      Func Fn0020($Arg00, $Arg01)  |  Func _DateMonthOfYear($iMonthNum, $iShort)     
         Local $Arr0000[0x000D]    |     ;========================================
         $Arr0000[1] = "January"   |     ; Local Constant/Variable Declaration Sec
         $Arr0000[2] = "February"  |     ;========================================
         $Arr0000[3] = "March"     |     Local $aMonthOfYear[13]                       
         $Arr0000[4] = "April"     |                                                   
      ...                          |     $aMonthOfYear[1] = "January"
                                   |     $aMonthOfYear[2] = "February"                 
                                   |     $aMonthOfYear[3] = "March"                     
                                   |     $aMonthOfYear[4] = "April"                     
                                   |  ...

Both functions match; with a double-click or Enter you can add them to the search'n'replace
list. That will replace 'Fn0020' with '_DateMonthOfYear'.

So after you associate all function names of an include file, you can delete these functions and
replace them with, for ex., #include <Date.au3>
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...
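As an added example (not code from this thread or from myAutToExe, which is written in VB/VBA), the Python below ties together two points made above: cw2k's remark that a plain keyword search'n'replace can hit user strings that merely look like code, and the Function Renamer's pairing of functions between a decompiled file and an include. The sample functions are constructed after the Fn0020 / _DateMonthOfYear example, and pairing functions by their sequence of string literals is an assumption made for illustration, not the tool's actual matching rule.

```python
import re
# Constructed sample input (not from the thread): an obfuscated decompiled script
# beside the clean include it was built from, modelled on the Fn0020 example above.
DECOMPILED = '''Func Fn0020($Arg00, $Arg01)
   $Arr0000[1] = "January"
   $Arr0000[2] = "February"
EndFunc
Func Fn0021($Arg00)
   $Var0001 = "Func Fn0020(arg1"  ; a user string that merely looks like code
   Return Fn0020($Arg00, 1)
EndFunc
'''
INCLUDE = '''Func _DateMonthOfYear($iMonthNum, $iShort)
   $aMonthOfYear[1] = "January"
   $aMonthOfYear[2] = "February"
EndFunc
'''
# Minimal AutoIt lexer: comments, string literals (a doubled quote escapes the
# quote, strings never span lines), words ($variables, names, keywords), rest.
TOKEN = re.compile(r'(?P<comment>;[^\n]*)|(?P<string>"(?:[^"\n]|"")*"|\'(?:[^\'\n]|\'\')*\')'
                   r'|(?P<word>\$?[A-Za-z_]\w*)|(?P<other>.)', re.S)

def tokenize(src):
    return [(m.lastgroup, m.group()) for m in TOKEN.finditer(src)]

def functions(tokens):
    """Map each Func name to a fingerprint: the string literals inside its body."""
    funcs, name, lits = {}, None, []
    for i, (kind, text) in enumerate(tokens):
        if kind == 'word' and text.lower() == 'func':
            name = next(t for k, t in tokens[i + 1:] if k == 'word')  # the Func name
            lits = []
        elif kind == 'string' and name:
            lits.append(text)
        elif kind == 'word' and text.lower() == 'endfunc' and name:
            funcs[name] = tuple(lits)
            name = None
    return funcs

def match_functions(decompiled, include):
    """Propose renames where exactly one include function shares a decompiled one's fingerprint."""
    dec, inc = functions(tokenize(decompiled)), functions(tokenize(include))
    by_fp = {}
    for n, fp in inc.items():
        by_fp.setdefault(fp, []).append(n)
    return {n: by_fp[fp][0] for n, fp in dec.items() if fp and len(by_fp.get(fp, [])) == 1}

def rename(src, mapping):
    """Token-aware rename: only code words change; strings and comments stay as they are."""
    return ''.join(mapping.get(t, t) if k == 'word' else t for k, t in tokenize(src))

def naive_rename(src, mapping):  # plain search'n'replace, as the thread describes
    for old, new in mapping.items():
        src = src.replace(old, new)  # also rewrites matches inside user strings
    return src
```

Running `rename(DECOMPILED, match_functions(DECOMPILED, INCLUDE))` renames both the definition and the call of Fn0020 while leaving the "Func Fn0020(arg1" literal alone; `naive_rename` rewrites the literal too.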

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.1

Postby rriven » Tue Apr 08, 2008 3:07:18 am

benney wrote:
I can't get access to the website, DOES anybody have a mirror?


http://myauttoexe.angelfire.com/index2.html

Works fine for me, just dl everything on there.

PM me with what you need and I will send a link
-Dan the Man
AntiWPA Super Moderator
rriven
Inner Circle Anti-WPA Cracker
Posts: 250
Joined: Sun Jan 07, 2007 8:26:06 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.2

Postby cw2k » Mon Apr 21, 2008 11:43:26 pm

Finally I found time to finish the myAutToExe 2.2 release.

What is new?
* Improved Function Renamer
* Some updates/bug fixes in Van Zande deobfuscator
* Updated myAutToExe VBA-Version (src_AutToExe_VBA.doc)
* Added Tools\'Separate Includes'
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.2

Postby tylerdurden78 » Tue May 20, 2008 12:12:54 pm

Hi, I'm having code with larger arrays:
dim $xyz [256] = [......., ,,,]

so I split it to

[...., _
...., _
...]

but I'm still getting a subscript out of range error?

edit: seems I have to declare each field position separately, then the errors don't occur... :-(

thank you
tylerdurden78
AntiWPA Newbie
Posts: 1
Joined: Sun May 18, 2008 3:59:29 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.2

Postby cw2k » Wed May 21, 2008 12:54:30 pm

Thanks for ya feedback.
Please upload example code somewhere.

I'll try to add a special handler for arrays in the next release.

If you like to do it ya own, a good place for that handler is:
src\Parser.bas AddLineBreakToLongLines$(...)
edit:
http://defcon5.biz/paste/index.php?id=f56ab1e89b
hehe, nice and tiny, this paste pad
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler 2.2

Postby SCORPiON » Thu May 22, 2008 2:40:19 pm

Offtopic:

You can use http://defcon5.biz/paste/ to paste some bigger code parts :)

greetz SCORPiON
SCORPiON
Site Admin
Posts: 192
Joined: Wed May 03, 2006 12:57:47 pm
