Complete decompilation of an AutoIt *.exe application
04-29-2020, 11:02 PM (This post was last modified: 04-29-2020 11:15 PM by Nehril.)
Post: #1
Hi!
First, I apologize for my English: I'm French x) But I'll do my best, I promise!

Let's begin. I found a nice bot for a browser game. It works pretty well, I admit, but it has some ergonomic issues and script errors, and the best features aren't free (of course)... SO, I challenged myself to crack it, at least to keep the paid features.
BUT during this looooong work, which I will detail for you soon, I found something even stronger than just keeping the paid features, and I'm reeeeaaaaly close to reaching it, but I don't understand what's wrong and it's very frustrating T.T

If you don't see the link with the topic of the thread, don't worry, you'll see it soon.
In order for you to have as many elements as possible, I will give you all the issues and steps I've been through until now. And then I will tell you what my objectives are. It's a big post and I already apologize for this, but I hope it will be complete and that you can help me (and I will try to make this long post as readable as possible).

Let's go !

----------------------------------------------------------------------------------------------------------------------------------------------
I. DISCOVERING
  1. I'm not at all an expert in disassembly language, but I know one thing: to crack a piece of software, you first have to use PEiD in order to know if it's packed or not. And don't make fun of me, but I was sure it wasn't packed because this useful software (I'm being ironic) has a real ergonomic problem:

    [Image: 200429044328850479.png]
    So, I concluded that the file I was about to crack wasn't packed.
    [Image: 200429044328781973.png]
    And I struggled for 3 days because I shouldn't have looked at the main text box but at this little one. Here is the ergonomic problem I'm talking about.
     
  2. So, I tried to use my current debugger, OLLYDBG, and here's what happened when I tried to run the program:

    [Image: 200429044329165878.png]
     
  3. I googled the error, and I discovered the anti-debug trick "IsDebuggerPresent", and I found a way to bypass it, but only vague instructions: "force to jump somewhere else", "patch it like you would do with..."... So I was stuck.
     
  4. But, before this, I had done research about how to create my own bot and I often saw AutoIt, and it rang a bell:

    [Image: 200429044329358606.png]

So I did my research about "How to bypass" but specifically for AutoIt... And I discovered that these files could be DECOMPILED and I could get the SOURCE CODE *o*. So I totally put the "old school crack way" aside in order to focus on the decompilation of my file.


II. EXE2AUT
  1. I found 2 versions of Exe2Aut: one in a "kit" (almost official, I guess), and an "independent" one.

    [Image: 200429044329606966.png]
     
  2. I tried to innocently decompile my exe with both and I got 2 errors.

    [Image: 200429044329864102.png]
     
    I focused on the first program (Exe2Aut Independent) because the error was more mysterious to me (yes, that's not rational x)). After digging through the whole internet, I finally found a Korean article that talks about this error and proposes an explanation for it: this site tells us that the problem could be caused by the "Requested Privilege Level" and, indeed, the exe had an "AsInvoker" Requested Privilege Level.
    Code:
    <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
    (Which is higher than Administrator, but it doesn't matter for the rest)
     
  3. In order to bypass it I ran a VM on [Image: mini_200429044330114718.png]*XP jingle* because the notion that causes the problem doesn't exist on this version of Windows. So I tried the independent Exe2Aut and see:

    [Image: mini_200429044330363123.png]
    No error! Success?...

    [Image: 200429044330619864.png]
    ...But the file is empty.
Back to the beginning... But during my research I often saw people mentioning "MyAut2exe"...

III. MYAUT2EXE 1/2
  1. So I downloaded 2 versions of it : v1.8.0 (Alpha) and v2.10
     
  2. I tried both on W10 :
     
    a. 1.8 alpha
     
    [Log: myExeToAut 1.8 Alpha W10.log]
     
     
    b. 2.10
     
    [Log: myExeToAut 2.10 W10.log]
     
     
  3. Then I tried on win XP : Same results...
So I rechecked the assembly code and... I saw UPX sections...


IV. UNPACK
  1. And, after almost 3 days I realized that the exe was packed. (I LOVE MY LIFE, OKAY ? XD)
     
  2. Then I looked for the UPX unpacker and I tried to use it on W10, and surprisingly it didn't work:

    [Image: 200429044330877778.png]
    The error was predictable (see II. 3.), but who knows? It could have worked!

     
  3. Anyway, to fix this I ran to the holy [Image: mini_200429044330114718.png]*XP jingle* VM and it worked pretty well :

    [Image: 200429044331130949.png]
GREAT : let's go back to MyAut2Exe now !


V. MYAUT2EXE 2/2
  1. So I transferred the unpacked file to my W10 desktop and I tried both MyAut2Exe versions, and here are my results:

    a. v1.8 Alpha : Error

    [Image: 200429044331382406.png]
    [Log: MyAut2Exe 1.8 Alpha W10 After unpack.log]
     
     
    b. v2.10 : Error in the middle, maybe the end, of the execution

    [Image: 200429044331639860.png]
    (I didn't see anything about this error on the internet during my research, by the way.)
     
    BUT IT WORKED !

    [Image: 200429044331896856.png]
    [Logs: MyAutToExe 2.10 AfterUnPack (1).log; MyAutToExe 2.10 AfterUnPack (2).log]
     
     
  2. I was pretty excited: to me, my work was done! But when I opened the script, it was IMPOSSIBLE TO READ (I mean the script was horrible and it's too complex to have been written by a human hand): I understood the file was "crypted" (obfuscated).
    Code:
    Global $A62B7904A56 = A0F0000073B($CW[1]), $A50B7A02A23 = A0F0000073B($CW[2]), $A48DB003A1B = A0F0000073B($CW[1007]), $A57DB204D15 = A0F0000073B($CW[1008]), $A06DB40202A = A0F0000073B($CW[1009]), $A2BDB604C57 = A0F0000073B($CW[1010]), $A5FDB803901 = A0F0000073B($CW[1011]), $A13DBA0431F = A0F0000073B($CW[1012]), $A47DBC05130 = A0F0000073B($CW[1013]), $A5ADBE0584B = A0F0000073B($CW[1014]), $A4AEB00202C = A0F0000073B($CW[1015]), $A1AEB201029 = A0F0000073B($CW[1016]), $A0AEB400818 = A0F0000073B($CW[1017]), $A15EB604501 = A0F0000073B($CW[1018]), $A46EB805509 = A0F0000073B($CW[1019]), $A27EBA05319 = A0F0000073B($CW[1020]), $A2CEBC0013C = A0F0000073B($CW[1021]), $A40EBE00C18 = A0F0000073B($CW[1022]), $A3EFB002E0D = A0F0000073B($CW[1023]), $A4FFB200B18 = A0F0000073B($CW[1024]), $A29FB400E0A = A0F0000073B($CW[1025]), $A5AFB602533 = A0F0000073B($CW[1026]), $A59FB800B07 = A0F0000073B($CW[1027]), $A11FBA0294C = A0F0000073B($CW[1028]), $A30FBC0323F = A0F0000073B($CW[1029]), $A2FFBE00C0B = A0F0000073B($CW[1030]), $A1F0C002609 = A0F0000073B($CW[1031]), $A1A0C20023F = A0F0000073B($CW[1032]), $A1C0C40353A = A0F0000073B($CW[1033]), $A310C601F09 = A0F0000073B($CW[1034]), $A470C802A50 = A0F0000073B($CW[1035]), $A0E0CA05247 = A0F0000073B($CW[1036]), $A090CC0241C = A0F0000073B($CW[1037]), $A5B0CE0550A = A0F0000073B($CW[1038]), $A111C00372C = A0F0000073B($CW[1039]), $A171C204E06 = A0F0000073B($CW[1040]), $A241C40632B = A0F0000073B($CW[1041]), $A421C602A23 = A0F0000073B($CW[1042]), $A2B1C806255 = A0F0000073B($CW[1043]), $A091CA03E31 = A0F0000073B($CW[1044]), $A611CC03F42 = A0F0000073B($CW[1045]), $A3C1CE05714 = A0F0000073B($CW[1046]), $A252C005119 = A0F0000073B($CW[1047]), $A452C201A35 = A0F0000073B($CW[1048]), $A1D2C406232 = A0F0000073B($CW[1049]), $A542C604B11 = A0F0000073B($CW[1050]), $A0D2C805A22 = A0F0000073B($CW[1051]), $A402CA05933 = A0F0000073B($CW[1052]), $A142CC00660 = A0F0000073B($CW[1053]), $A482CE00548 = A0F0000073B($CW[1054]), $A143C002A39 = A0F0000073B($CW[1055]), 
$A403C203219 = A0F0000073B($CW[1056]), $A493C402950 = A0F0000073B($CW[1057]), $A043C601608 = A0F0000073B($CW[1058]), $A043C80475B = A0F0000073B($CW[1059])
    Just a little note: this is the definition of ONE VARIABLE.

    But I thought, and that's what is supposed to happen, I could recompile the script: but nope. I got syntax errors and all this sh*t...
(3. I found another version of MyAut2Exe called "myaut_contrib-master dmod 2.12" and tested it: same result, but the executable looks more recent, so I used it for the next tests:
[Logs: MyAut2Exe my contrib after unpack (1).log; MyAut2Exe my contrib after unpack (2).log])
  1. Sorry for this:
  2. the color tag
  3. doesn't work on lists
  4. So I first MANUALLY fixed the errors in the script (YES, you read that right: MANUALLY), then I found the Tidy and Au3Stripper tools, used them to correct most of the errors, and cleaned up manually what was left... And when I tried to build the script... I got this:

    [Image: 200429044332149008.png]
    I was kind of confused because MyAut2exe didn't tell me anything about these files...

    5. So I looked inside the log, who knows ? And... Surprise :

      Code:
      === > Processing FILE: #57
      0021CF0B -> ResType: FILE
      0021CF2F -> SrcFile_FileInst: destroy/Spot.bmp
      0021CFA7 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\destroy\Spot.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021CFA8 -> IsCompressed: True  (01)
      0021CFAC -> ScriptSize Compressed: 000000C4  Decimal:196  0 B
      0021CFB0 -> ScriptSize UnCompressed(used to seek to next file): 000000C6  Decimal:198  0 B
      0021CFB4 -> ADLER32 CRC of unencrypted script data: 5E595B12
      0021CFC4 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8049905  14.8.2017 10:4:2 [784]
          pLastWrite   :  01D212411E700E00  19.9.2016 6:43:24 [0]
      0021CFC4 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\FileWithInvalidName_0039.pak
      Expanding script data to "FileWithInvalidName_0039.bmp" at C:\Users\matth\Desktop\After\
      Setting Creation and LastWrite time for: FileWithInvalidName_0039.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #58
      0021D08C -> ResType: FILE
      0021D0B0 -> SrcFile_FileInst: destroy/Base.bmp
      0021D128 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\destroy\Base.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021D129 -> IsCompressed: False  (00)
      0021D12D -> ScriptSize Compressed: 000000C2  Decimal:194  0 B
      0021D131 -> ScriptSize UnCompressed(used to seek to next file): 000000C2  Decimal:194  0 B
      0021D135 -> ADLER32 CRC of unencrypted script data: 418E3F4F
      0021D145 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8049905  14.8.2017 10:4:2 [784]
          pLastWrite   :  01D212411E700E00  19.9.2016 6:43:24 [0]
      0021D145 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      Saving script to "FileWithInvalidName_003A.bmp" at C:\Users\matth\Desktop\After\
      Setting Creation and LastWrite time for: FileWithInvalidName_003A.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #59
      0021D20B -> ResType: FILE
      0021D239 -> SrcFile_FileInst: destroy/destroyok.bmp
      0021D2BB -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\destroy\destroyok.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021D2BC -> IsCompressed: True  (01)
      0021D2C0 -> ScriptSize Compressed: 00000096  Decimal:150  0 B
      0021D2C4 -> ScriptSize UnCompressed(used to seek to next file): 000000A6  Decimal:166  0 B
      0021D2C8 -> ADLER32 CRC of unencrypted script data: F36A2F96
      0021D2D8 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8049905  14.8.2017 10:4:2 [784]
          pLastWrite   :  01D212411E700E00  19.9.2016 6:43:24 [0]
      0021D2D8 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\FileWithInvalidName_003B.pak
      Expanding script data to "FileWithInvalidName_003B.bmp" at C:\Users\matth\Desktop\After\
      Setting Creation and LastWrite time for: FileWithInvalidName_003B.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #60
      0021D372 -> ResType: FILE
      0021D3A6 -> SrcFile_FileInst: destroy/Nearest Port.bmp
      0021D42E -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\destroy\Nearest Port.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021D42F -> IsCompressed: True  (01)
      0021D433 -> ScriptSize Compressed: 00000066  Decimal:102  0 B
      0021D437 -> ScriptSize UnCompressed(used to seek to next file): 0000006E  Decimal:110  0 B
      0021D43B -> ADLER32 CRC of unencrypted script data: A2181883
      0021D44B -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8049905  14.8.2017 10:4:2 [784]
          pLastWrite   :  01D212411E700E00  19.9.2016 6:43:24 [0]
      0021D44B -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\FileWithInvalidName_003C.pak
      Expanding script data to "FileWithInvalidName_003C.bmp" at C:\Users\matth\Desktop\After\
      Setting Creation and LastWrite time for: FileWithInvalidName_003C.bmp
      Write data in textbox

      As you can read, the files have been saved as "FileWithInvalidName_00**.bmp", which you can see here:

      [Image: 200429044332404576.png]

      And what's even weirder is the fact that, just before, another similar error appeared...

      Code:
      === > Processing FILE: #17
      0021988B -> ResType: FILE
      002198B1 -> SrcFile_FileInst: npc\starget1.bmp
      00219929 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\starget1.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021992A -> IsCompressed: True  (01)
      0021992E -> ScriptSize Compressed: 00000072  Decimal:114  0 B
      00219932 -> ScriptSize UnCompressed(used to seek to next file): 0000007A  Decimal:122  0 B
      00219936 -> ADLER32 CRC of unencrypted script data: CBFA2837
      00219946 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A82AAF0A  14.8.2017 10:4:3 [34]
          pLastWrite   :  01D212414E1F1600  19.9.2016 6:44:44 [0]
      00219946 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\starget1.pak
      Expanding script data to "starget1.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: starget1.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #18
      002199BC -> ResType: FILE
      002199E2 -> SrcFile_FileInst: npc\starget2.bmp
      00219A5A -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\starget2.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219A5B -> IsCompressed: True  (01)
      00219A5F -> ScriptSize Compressed: 00000060  Decimal:96  0 B
      00219A63 -> ScriptSize UnCompressed(used to seek to next file): 0000006A  Decimal:106  0 B
      00219A67 -> ADLER32 CRC of unencrypted script data: 519B1AAA
      00219A77 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A82AAF0A  14.8.2017 10:4:3 [34]
          pLastWrite   :  01D212414E1F1600  19.9.2016 6:44:44 [0]
      00219A77 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\starget2.pak
      Expanding script data to "starget2.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: starget2.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #19
      00219ADB -> ResType: FILE
      00219B01 -> SrcFile_FileInst: npc\starget3.bmp
      00219B79 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\starget3.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219B7A -> IsCompressed: False  (00)
      00219B7E -> ScriptSize Compressed: 000000AE  Decimal:174  0 B
      00219B82 -> ScriptSize UnCompressed(used to seek to next file): 000000AE  Decimal:174  0 B
      00219B86 -> ADLER32 CRC of unencrypted script data: 610B0D61
      00219B96 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A82AAF0A  14.8.2017 10:4:3 [34]
          pLastWrite   :  01D212414E1F1600  19.9.2016 6:44:44 [0]
      00219B96 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      Saving script to "starget3.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: starget3.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #20
      00219C48 -> ResType: FILE
      00219C6E -> SrcFile_FileInst: npc\starget4.bmp
      00219CE6 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\starget4.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219CE7 -> IsCompressed: True  (01)
      00219CEB -> ScriptSize Compressed: 0000005E  Decimal:94  0 B
      00219CEF -> ScriptSize UnCompressed(used to seek to next file): 00000066  Decimal:102  0 B
      00219CF3 -> ADLER32 CRC of unencrypted script data: 81B32327
      00219D03 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A82AAF0A  14.8.2017 10:4:3 [34]
          pLastWrite   :  01D212414E1F1600  19.9.2016 6:44:44 [0]
      00219D03 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\starget4.pak
      Expanding script data to "starget4.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: starget4.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #21
      00219D65 -> ResType: FILE
      00219D85 -> SrcFile_FileInst: npc\black.bmp
      00219DF7 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\black.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219DF8 -> IsCompressed: True  (01)
      00219DFC -> ScriptSize Compressed: 00000030  Decimal:48  0 B
      00219E00 -> ScriptSize UnCompressed(used to seek to next file): 000000C6  Decimal:198  0 B
      00219E04 -> ADLER32 CRC of unencrypted script data: 000A0A63
      00219E14 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8284DA9  14.8.2017 10:4:3 [18]
          pLastWrite   :  01D2124146F80800  19.9.2016 6:44:32 [0]
      00219E14 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\black.pak
      Expanding script data to "black.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: black.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #22
      00219E48 -> ResType: FILE
      00219E66 -> SrcFile_FileInst: npc\blue.bmp
      00219ED6 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\blue.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219ED7 -> IsCompressed: True  (01)
      00219EDB -> ScriptSize Compressed: 00000042  Decimal:66  0 B
      00219EDF -> ScriptSize UnCompressed(used to seek to next file): 000001B6  Decimal:438  0 B
      00219EE3 -> ADLER32 CRC of unencrypted script data: DAA610A8
      00219EF3 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8284DA9  14.8.2017 10:4:3 [18]
          pLastWrite   :  01D2124146F80800  19.9.2016 6:44:32 [0]
      00219EF3 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\blue.pak
      Expanding script data to "blue.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: blue.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #23
      00219F39 -> ResType: FILE
      00219F5F -> SrcFile_FileInst: npc\ktarget1.bmp
      00219FD7 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\ktarget1.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219FD8 -> IsCompressed: True  (01)
      00219FDC -> ScriptSize Compressed: 0000007A  Decimal:122  0 B
      00219FE0 -> ScriptSize UnCompressed(used to seek to next file): 0000007E  Decimal:126  0 B
      00219FE4 -> ADLER32 CRC of unencrypted script data: A9F23023
      00219FF4 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8284DA9  14.8.2017 10:4:3 [18]
          pLastWrite   :  01D21241495A6200  19.9.2016 6:44:36 [0]
      00219FF4 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\ktarget1.pak
      Expanding script data to "ktarget1.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: ktarget1.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #24
      0021A072 -> ResType: FILE
      0021A098 -> SrcFile_FileInst: npc\ktarget2.bmp
      0021A110 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\ktarget2.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A111 -> IsCompressed: True  (01)
      0021A115 -> ScriptSize Compressed: 00000042  Decimal:66  0 B
      0021A119 -> ScriptSize UnCompressed(used to seek to next file): 0000004E  Decimal:78  0 B
      0021A11D -> ADLER32 CRC of unencrypted script data: 3196148D
      0021A12D -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8284DA9  14.8.2017 10:4:3 [18]
          pLastWrite   :  01D21241495A6200  19.9.2016 6:44:36 [0]
      0021A12D -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\ktarget2.pak
      Expanding script data to "ktarget2.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: ktarget2.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #25
      0021A173 -> ResType: FILE
      0021A199 -> SrcFile_FileInst: npc\ktarget3.bmp
      0021A211 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\ktarget3.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A212 -> IsCompressed: True  (01)
      0021A216 -> ScriptSize Compressed: 0000004E  Decimal:78  0 B
      0021A21A -> ScriptSize UnCompressed(used to seek to next file): 00000056  Decimal:86  0 B
      0021A21E -> ADLER32 CRC of unencrypted script data: 29AE1A0E
      0021A22E -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8284DA9  14.8.2017 10:4:3 [18]
          pLastWrite   :  01D21241495A6200  19.9.2016 6:44:36 [0]
      0021A22E -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\ktarget3.pak
      Expanding script data to "ktarget3.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: ktarget3.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #26
      0021A280 -> ResType: FILE
      0021A2A6 -> SrcFile_FileInst: npc\ktarget4.bmp
      0021A31E -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\ktarget4.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A31F -> IsCompressed: True  (01)
      0021A323 -> ScriptSize Compressed: 00000042  Decimal:66  0 B
      0021A327 -> ScriptSize UnCompressed(used to seek to next file): 0000004E  Decimal:78  0 B
      0021A32B -> ADLER32 CRC of unencrypted script data: 0FE012A2
      0021A33B -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8284DA9  14.8.2017 10:4:3 [18]
          pLastWrite   :  01D21241495A6200  19.9.2016 6:44:36 [0]
      0021A33B -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\ktarget4.pak
      Expanding script data to "ktarget4.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: ktarget4.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #27
      0021A381 -> ResType: FILE
      0021A3B9 -> SrcFile_FileInst: npc\NumberAttackedNPC.bmp
      0021A443 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\NumberAttackedNPC.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A444 -> IsCompressed: True  (01)
      0021A448 -> ScriptSize Compressed: 0000002E  Decimal:46  0 B
      0021A44C -> ScriptSize UnCompressed(used to seek to next file): 0000005A  Decimal:90  0 B
      0021A450 -> ADLER32 CRC of unencrypted script data: DA380A6E
      0021A460 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A82AAF0A  14.8.2017 10:4:3 [34]
          pLastWrite   :  01D2ACCD7C5887C7  3.4.2017 22:56:10 [161]
      0021A460 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\NumberAttackedNPC.pak
      Expanding script data to "NumberAttackedNPC.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: NumberAttackedNPC.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #28
      0021A492 -> ResType: FILE
      0021A4B2 -> SrcFile_FileInst: npc\1conf.bmp
      0021A524 -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\1conf.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A525 -> IsCompressed: True  (01)
      0021A529 -> ScriptSize Compressed: 00000058  Decimal:88  0 B
      0021A52D -> ScriptSize UnCompressed(used to seek to next file): 00000066  Decimal:102  0 B
      0021A531 -> ADLER32 CRC of unencrypted script data: 5B671D91
      0021A541 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A8284DA9  14.8.2017 10:4:3 [18]
          pLastWrite   :  01D2124146F80800  19.9.2016 6:44:32 [0]
      0021A541 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\1conf.pak
      Expanding script data to "1conf.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: 1conf.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      === > Processing FILE: #29
      0021A59D -> ResType: FILE
      0021A5C3 -> SrcFile_FileInst: npc\redstick.bmp
      0021A63B -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\redstick.bmp
                  WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A63C -> IsCompressed: True  (01)
      0021A640 -> ScriptSize Compressed: 0000002C  Decimal:44  0 B
      0021A644 -> ScriptSize UnCompressed(used to seek to next file): 0000004A  Decimal:74  0 B
      0021A648 -> ADLER32 CRC of unencrypted script data: C1010A21
      0021A658 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
          pCreationTime:  01D314E4A82AAF0A  14.8.2017 10:4:3 [34]
          pLastWrite   :  01D212414BBCBC00  19.9.2016 6:44:40 [0]
      0021A658 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
         OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:\Users\matth\Desktop\After\npc\redstick.pak
      Expanding script data to "redstick.bmp " at C:\Users\matth\Desktop\After\npc\
      Setting Creation and LastWrite time for: redstick.bmp
      Write data in textbox

      But the files have been well created and in the right folder:

      [Image: 200429044332663774.png]
       
       
    6. Anyway, I restored them (Just renamed and moved into a created folder called "destroy" as the msgBox expected) and compiled the script. When I ran the .exe... The loading screen of the original application APPEARED ! I was sure I finally reached my objective... And instantly after that :

      [Image: 200429044332909747.png]
      Too easy...
       
       
    7. WELL, I searched inside the script and guess what ? NO IDEA of which error it's talking about. And what's even weirder is that when I run "checkProdSyntax" : tons of errors appear !! And most of them were impossible to fix/to know if we fixed correctly. (For example, when 2 variables are stuck together :"$Blablablab$lmaolmaoLmao". Do I have to split them ? separate them with a ","? a "&" ?...)
       
    8. AND, after fixing parenthesis error (and don't ask me HOW, I don't have a f*cking idea even after doing it 3 times...), got this:

      [Image: 200429044333169797.png]
      So... Well I was lost, I didn't know what to do...

      I found a fourth MyAut2Exe version which is the last one : v2.15. It gave me different results in the code, but the errors were even bigger than before, maybe because it tried to deobfuscate even if the code wasn't really made for this or something else... but I think I should use this one when everything is fixed.
     
    I was totally desperate and, just to see, I did something totally "current" but with a looooot of consequences...


    VI. DAF*CK ?!
    1. On my XP VM, I right clicked on the .au3 file, and clicked on "run script": WORST IDEA. When I did this, the loading wheel appeared on my cursor and then... nothing.
      I waited a bit : nothing, so I double clicked on the compiled exe: the loading wheel reappeared on my cursor and then... Nothing.
      I opened the task manager, looked for the process and retried to open the file : the process appeared and then disappeared without running.
      So I right clicked, selected : "run as..." and... this appeared :

      [Image: 200429044333419754.png]
       
    2. I first thought that it was just a bug and I tried to open the original exe, the one I didn't touch : SAME symptoms...
       
    3. And I then thought it was because of XP... So I did the same on my W10... Guess what ? Impossible to run the script, the one I compiled myself, or the original file. (but no way to see the message as in Win XP. I think it's because in later versions, "running as..." has been replaced by "running as admin" etc.)
    I now need to run a W7 VM to run those exe files... And I made a save state before trying to reproduce this bug : I reproduced it, but thanks to my save state, I went back and I can open those exe files.


    This last error is totally illogical to me...
    ----------------------------------------------------------------------------------------------------------------------------------------------

    Now that you've seen everything I've been through until now, I'm asking for your help for these reasons:
    1. Fix the last problem.
       
    2. Do a complete decompilation of the files.
       
      Thanks for reading me, and thanks in advance to the one who will help me !

      Here are the files I'm talking about. For your safety, because I can't be sure if it's really safe, I recommend you test the file in a VM (because it's detected as trojan, but it's not ... But can't guarantee it sooooo)
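The extraction log quoted in the first post records, for every embedded file, its compile-time path, its sizes, an ADLER32 value and two FILETIME stamps. As an added example (not part of the original post and not MyAut2Exe's own code), the sketch below parses log lines of that shape into records and converts the FILETIME hex to UTC; the sample is the FILE #29 entry copied from the post, and the names `parse_log`, `filetime_to_utc` and `FIELDS` are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: the FILE #29 entry as it appears in the log quoted in the post.
SAMPLE_LOG = r"""
=== > Processing FILE: #29
0021A59D -> ResType: FILE
0021A5C3 -> SrcFile_FileInst: npc\redstick.bmp
0021A63B -> CompiledPathName: D:\Programming\MyProjects\AutoIt\SBot 0.1\npc\redstick.bmp
0021A640 -> ScriptSize Compressed: 0000002C  Decimal:44  0 B
0021A644 -> ScriptSize UnCompressed(used to seek to next file): 0000004A  Decimal:74  0 B
0021A648 -> ADLER32 CRC of unencrypted script data: C1010A21
    pCreationTime:  01D314E4A82AAF0A  14.8.2017 10:4:3 [34]
    pLastWrite   :  01D212414BBCBC00  19.9.2016 6:44:40 [0]
"""

# Record key -> pattern that captures the value on one log line (names are hypothetical).
FIELDS = {
    "res_type": r"ResType: (\S+)",
    "src_file": r"SrcFile_FileInst: (.+)",
    "compiled_path": r"CompiledPathName: (.+)",
    "compressed_size": r"ScriptSize Compressed: ([0-9A-F]{8})",
    "uncompressed_size": r"ScriptSize UnCompressed.*?: ([0-9A-F]{8})",
    "adler32": r"ADLER32 CRC of unencrypted script data: ([0-9A-F]{8})",
    "created": r"pCreationTime:\s+([0-9A-F]{16})",
    "last_write": r"pLastWrite\s*:\s+([0-9A-F]{16})",
}

def filetime_to_utc(hex_value):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 (UTC)."""
    ticks = int(hex_value, 16)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_log(text):
    records = []
    for line in text.splitlines():
        header = re.search(r"Processing FILE: #(\d+)", line)
        if header:  # a new embedded file starts here
            records.append({"index": int(header.group(1))})
            continue
        for key, pattern in FIELDS.items():
            m = re.search(pattern, line)
            if not m or not records:  # no match, or text before the first header
                continue
            value = m.group(1).strip()
            if key in ("created", "last_write"):
                value = filetime_to_utc(value)
            elif key.endswith("_size"):
                value = int(value, 16)
            records[-1][key] = value
    return records
```

The converted creation stamp lands on the same second and millisecond the log prints next to the hex value, which shows the tool reports these times in UTC; the `CompiledPathName` field preserves the build machine's directory layout, which is useful triage metadata when the sample is flagged by antivirus.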
05-03-2020, 11:13 AM
Post: #2
RE: Complete decompilation of an AutoIt *.exe application
Sorry to quadruple post, but I still need your help.
05-04-2020, 12:10 PM
Post: #3
RE: Complete decompilation of an AutoIt *.exe application
You did it well

anyway for the problem of
[Image: 200429044330619864.png]

I'm having an issue with an executable file, I'm not able to decode it
and from what I saw on the internet this line protects your file from Exe2Aut !
My question is: is there any way to get the file source code ?

05-04-2020, 04:13 PM
Post: #4
RE: Complete decompilation of an AutoIt *.exe application
(05-04-2020 12:10 PM)x00x_Team Wrote:  You did it well

anyway for the problem of
[Image: 200429044330619864.png]

I'm having an issue with an executable file, I'm not able to decode it
and from what I saw on the internet this line protects your file from Exe2Aut !
My question is: is there any way to get the file source code ?

Did you try to do as I did ?... because at the IV. I tried something and it goes better for me... try this ?
05-08-2020, 09:12 AM
Post: #5
RE: Complete decompilation of an AutoIt *.exe application
Up ! Still need help ^^
11-19-2020, 09:34 PM (This post was last modified: 11-19-2020 10:19 PM by cw2k.)
Post: #6
RE: Complete decompilation of an AutoIt *.exe application
Wow, I'm very impressed.
You seem really determined.
That's good. So the rest in English...

You came quite far with decompiling that s-bot.
Well that Van-Zande-Obfuscated script can be really scary
PHP Code:
Global $A62B7904A56 A0F0000073B($CW[1]), $A50B7A02A23 = ... 

Well that obfuscation needs to be removed before you can proceed. Trying to keep it or run tidy on it just messes things up..

Well MATE also has some deobfuscation handler that mostly supports Van-Zande.
Just drag the obfuscated *.au3 into MATE. Mostly it also needs a *.tbl file that should have been extracted. Well MATE will try to find the pattern that shows file is obfuscation and de obfuscation is.


However - as ever- things can go wrong don't work / needs help.
So for that I highly recommend that you get the VB6 portable and run the MATE source code files inside the VB6 IDE. Here you can debug.
Hints:
Mostly press SHIFT+F8 to step over functions, only press F8 to step into function when you've a good reason.
SHIFT+F9 and varname is good to see in the watches/local windows its values...

However, first of all, share the link to the target
or upload the target and share the link
so other ppl like me for example can try as well.
See why it is not working...

About 'old' Version
v1.8.0 (Alpha) - no comment
v2.10 STOP - Encountered. Well there was somehow left some handwritten breakpoint in the source. In the VB6 IDE it stops and you can just resume. In the exe a Stop is deadly.
However those stops are there for a reason and mean something is not done or needs 'manually fixing'
V2.12 myaut_contrib-master dmod that lacks the support for the AutoIt ternary operator [ Example: (a==4) ? "Okay" : "No"] and is likely to fail on new scripts that use that function.
Hmm that reminds me to finally put the new version to git.

PHP Code:
2.15 Detokeniser: Added support for tokenised commands (cmd opcodes 0x0 and 0x1)
     BugFix: TmpFile handling opening a *.tok-file with option 'delete tmpfiles checked' deletes it
     HexToBin mod/special build for string deobfuscation for the '7 Knights Script'

2.14 Speed up Detokeniser
     Tools/Function Renamer: Now adds variables and inner functions when
                             adding a function
     Minor other GUI bugfixes and enhancements
     Wartool deobfuscator

2.13 Added UPX unpacker
     Added support for ternary operator [ Example: (a==4) ? "Okay" : "No"]
     Speed up scan for script start
     Bugfix scan for script start
     updated tidy
     updated LZSS.exe to handle early EOFs
     bugfix path to Winhex was not set
     various fixes in whapi.dll
     Minor other bugfixes and enhancements