gerwim

Decompile AutoIT

9 posts in this topic

#1 ·  Posted (edited)

Hi there,

When using the obfuscator, my project is marked by 13 AVs as a virus (according to VirusTotal). When I'm not using it, it's only marked by 3 (which is OK, those AVs are not popular at all).

However, using this my project can be decompiled quite easily (although -snipped- failed to do so, for some reason -- I don't know why though - something about detokenising).

So, what are the alternatives? Are AutoIT scripts that easily decoded?

Thanks in advance

Edited by SmOke_N


gerwim,

You are treading on very dangerous ground here. :graduated:

Please read these 2 entries in the FAQ and then the Forum Rules. :)

If you search the forum these very questions have been asked and answered many, many, many times. ;)

M23


Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind.

My UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

 


Well, I'm not asking how to decompile. I'm just having issues why obfuscating my code will mark it as a virus. I don't want to use that obfuscator, since I don't want my users to think it might possibly be a virus.

Are there any other obfuscators (not the one in SciTE)?


gerwim,

I say again: :graduated:

If you search the forum these very questions have been asked and answered many, many, many times.

The Search box is at top right.

M23



Thank you for pointing out where the search box is; however, there is still no post which says how this can be done, except the fact that that guy didn't obfuscate but saved his data in an encrypted dat file.


gerwim,

there is still no post which says how this can be done

Then you have your answer. :graduated:

M23



gerwim, the obfuscator has a few options. If you "tone it down" to use more simple obfuscation (only variable and function names changed), stripping comments, and compacting your code (removing double newlines), then I think you'll have less of a problem with AV marking your script.


Or you might try to not use UPX to compress the code. In SciTE press Ctrl+F7 and then uncheck "Use UPX" on the AutoIt3 / Aut2Exe tab.


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 


Or you could go the preferred route and just notify the AV companies that it's a false positive.

That can be a pain in the arse to keep up with but eventually the companies involved do start to pay attention to the method they use to detect a virus in a compiled AI script.

I should look at the next update to see what has been changed but the last time I looked they had 40 new AutoIt scripts within 2 months that were definitely a virus so I don't blame them for being a bit cautious nor do I want to see them relax the rules. Just checking a bit deeper is a better alternative although we will still be plagued with the occasional file being improperly flagged.


George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"
