Threaded Mode | Linear Mode

Unc3nZureD · (This post was last modified: 02-06-2013 06:50 PM by Unc3nZureD.)

I'm trying to learn decompiling autoit scripts with more or less success. I can easily extract the a3x, after this using myAutToExe it's easy to get the script. The only problem comes when I try to decompile a script compiled with Au3Camo

It uses some kinda "fuzzier" which makes the a3x itself different, not even readable for the basic stub. How could I reverse it to source?

Unc3nZureD · 02-06-2013, 06:50 PM

Could you help me?

***cw2k*** · 02-16-2013, 06:31 AM

in MyAut2Exe try the new functions
[More Options >>]
[GetCamo's]
This uses some RegExp pattern to grab the needed camo vectors from the Au3-exe-stub.
^- Note that this function only works if the target is unpacked.
So if it's packed with Upx or other packer just unpack or dump the Exe from memory(via LordPE or Procdump).
The dump don't need to be runable or contain the script.
Just use the dump file to get the camo vectors and then select the real script file.

Unc3nZureD · 02-19-2013, 06:19 PM

A guys sent me a script which is protected. I tried to decompile it, here's the result:

- It was protected with AsPack [--- Successfully unpacked---]
- Found the a3x (basic place - overlay)
- the a3x works with the stub, but not with the original one. I've got no idea how to decrypt it.

Here's the file. I hope you can deal with it Smile

If so, please help me how you did it Smile

Thanks!
http://www41.zippyshare.com/v/10804315/file.html

***cw2k*** · (This post was last modified: 02-21-2013 06:24 PM by cw2k.)

Decompiled Wink

See attachment for MyAuT2Exe setting.

Well the GetCamo's function is not perfect.
And don't come along well with !Au3 Version 3.3.9.4.
I'll try to improve the search patterns.

So be a little critical about results and may delete 'strange' values to restore the Au3-defaults.

Original script:
http://blackscripts.net/index.php?/topic...or-script/