Comments on: RSR

By: Didier Stevens

Didier Stevens — Sun, 18 Nov 2007 20:21:42 +0000

Take a look at the update:
http://blog.didierstevens.com/2007/10/02/autoit-malware-revisited/

By: ruined

ruined — Wed, 14 Nov 2007 13:51:50 +0000

AutoIt is a interpretated language (script) so it mean that the password is stored somewhere in the interpreter slice of file. I think

ruined

By: Brian Pepin

Brian Pepin — Tue, 06 Nov 2007 13:26:56 +0000

It is still possiable to decompile autoIT scripts past version 3.2.5.1 It is done constantly in the autoit forums. However it is kept a secret and is frowned upon. A ban is in place for those who pursue the secret =\

From what I have heard, it isn’t all that hard.

ender998@hotmail.com

By: AutoIt Malware Revisited « Didier Stevens

AutoIt Malware Revisited « Didier Stevens — Tue, 02 Oct 2007 10:17:39 +0000

[...] Filed under: Malware, Reverse Engineering — Didier Stevens @ 10:17 Since I’ve blogged about malware written with the AutoIt scripting language, I got a couple of mails asking for [...]

By: Didier Stevens

Didier Stevens — Fri, 14 Sep 2007 20:03:24 +0000

> any version after 3.2.5.1 will not decompile.

Because no official decompiler is available?

By: AutoIt Member

AutoIt Member — Wed, 12 Sep 2007 08:47:07 +0000

FYI… any version after 3.2.5.1 will not decompile.

By: Didier Stevens

Didier Stevens — Fri, 10 Aug 2007 15:30:56 +0000

Haven’t researched yet how to decompile without a password, but I discovered that a compiled AutoIt script contains the MD5 hash of the password starting position 24 (an MD5 hash is 16 bytes long). That’s for an .a3x file, if you have an .EXE file, you will have to unpack it with UPX and search the compiled script at the end of the file.

You could extract the MD5 hash from the file and try to find the password, with bruteforcing, dictionary attack or rainbow tables (there are some online rainbowtable crackers, but plaintext.info seems to be out of business).

Success.

By: Ice

Ice — Fri, 10 Aug 2007 14:55:08 +0000

I really need help decompiling an AutoIt file that is screwing with my computer, but I can’t figure out how to bypass the passphrase! I’ve hex-edited the .exe and cannot find anything in particular, and Google-searching brings up nothing I can really understand.

Thanks for the help!

By: Rick

Rick — Tue, 31 Jul 2007 19:34:48 +0000

Excellent article. I had a few thoughts on this. Would the AutoIT guys really store two versions of the script in the EXE? I know this sounds the most efficient, but we all know programmers are people and they do not always follow the path of least resistance. Just storing the encrypted/compressed script and then running it on the fly would be the path I think some programmers would take.

It would be interesting to run this in a sandbox and see if the code shows up unencrypted in memory. The MD5 could just be a permissions check more than anything to see if the decompiler has the password and thereby also having the “permission” to view the code.

*I am not a programmer by trade so this may all seem like complete gibberish to you pro’s.

Keep up the great work!

By: www.andrewhay.ca » Suggested Blog Reading - Tuesday/Wednesday July 24th/25th, 2007

Wed, 25 Jul 2007 21:50:31 +0000

[...] Really Simple Reversing (RSR) – This is quite cool. This is an example of Really Simple Reversing of a piece of malware. It’s written in the AutoIt scripting language and compiled to an EXE. [...]