Sign in to follow this  
Followers 0
Robinson1

Undocumented FileInstall() parameter

11 posts in this topic

#1 ·  Posted (edited)

Probably you all know about FileInstall()

Include and install a file with the compiled script

Syntax: FileInstall ( "source", "dest" [, flag] )
Well I discovered some undocumented function I'd like to share here.

To extract the main script itself use ">AUTOIT SCRIPT<" or ">AUTOIT UNICODE SCRIPT<" for Source

depending to if you're using compiled to ANSI or UNICODE.

Example code:

;For ANSI scripts
FileInstall(">AUTOIT SCRIPT<",  "Test.au3", 1)

;For UNICODE scripts
FileInstall(">AUTOIT UNICODE SCRIPT<",  "Test.au3", 1)
Edited by Robinson1

Share this post


Link to post
Share on other sites



Hmm... well, it worked:

; Test_2.au3 
FileInstall(">AUTOIT UNICODE SCRIPT<", @ScriptDir & "\TestAutoIt.au3")
MsgBox(64, "Done.", "Done.")oÝ÷ Ø*&¦)^w­©Þ®º+ºÈ§«¨¶@Q3M =9mªê-nëp¢¹w­«¨¶@Q3MCHàÄH$H=9mªê-N¨ºÚnµø¥z§z¶­yÜ!zr+jx­Á«zË@ºÚµ«·jëh×6; <AUT2EXE VERSION: 3.2.4.9>
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: C:\Program Files\AutoIt3\Scripts\Test_2.au3>
; ----------------------------------------------------------------------------
FileInstall(">AUTOIT UNICODE SCRIPT<", @ScriptDir & "\TestAutoIt.au3")
MsgBox(64, "Done.", "Done.")
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: C:\Program Files\AutoIt3\Scripts\Test_2.au3>
; ----------------------------------------------------------------------------

I've never tried to find that functionality, so I don't don't know if it's really 'undocumented'.

:whistle:


Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Share this post


Link to post
Share on other sites

#3 ·  Posted (edited)

Please clarify if I understood you correctly:

You bundled the source code with the compiled code during the compile phase using the documented command 'FileInstall' as it was documented - great!

Nothing surprising here...

Edited by Confuzzled

Share this post


Link to post
Share on other sites

Please clarify if I understood you correctly:

You bundled the source code with the compiled code during the compile phase using the documented command 'FileInstall' as it was documented - great!

Nothing surprising here...

A couple points:

1. You can't help but "bundle the source code", and there is no compiled code from your script in an AutoIt executable. The only compiled code in there is the AutoIt interpreter, which was written and compiled from C++. Your script source, with the #include'd file's text, and a compressed copy of any FileInstall() sources are simply packaged with the interpreter. At run time, the interpreter executes the functions called in the script. Outside of some basic and necessarily weak encryption if you select the "no de-compile" option, and some text substitution if you run the Obfuscator, your source text is fully present inside the 'compiled' AutoIt script. (Perl2Exe does the same thing for 'compiling' Perl scripts.)

2. It looks to me like Robinson1 has found something interesting in the parameters ">AUTOIT SCRIPT<" and ">AUTOIT UNICODE SCRIPT<". Those literal strings would not be acceptable source parameters for the FileInstall() function outside of some special keyword handling.

3. Achieving what you describe -- getting the original .au3 file's source text -- requires a different function, because you have to pass the literal path to the source file. You can't use @ScriptFullPath, for example. But this is the only way to get the original unmodified script, without the #include's written in, etc. The keywords Robinson1 described write out what it looks like after all the includes and substitutions are complete.

4. I wonder if it writes it out after decryption (probably does).

5. I wonder how Robinson1 found these keywords.

:whistle:


Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

Share this post


Link to post
Share on other sites

I was wondering that point #5 myself. Congratulations on finding it, but I wonder why it is there.

Share this post


Link to post
Share on other sites

I was wondering that point #5 myself. Congratulations on finding it, but I wonder why it is there.

As you probably know a 'compiled script' is nothing more than the interpreter + EXEARC archive, that contains the compressed script + all fileinstall() files.

When compiling all includes + the script itself are merged together to the so called mainscript and store under the name ">AUTOIT UNICODE SCRIPT<" inside the EXEARC archive.

After that the script is searched for FileInstall() commands and listed source files are add to the archive under the full sourcename as well. For Example in the script there is

FileInstall("C:\test.bmp", "D:\mydir\test.bmp")
the data of test.bmp will be stored in the EXEARC archive under the name "C:\test.bmp".

The following demo-script will list all files that are stored inside an EXEARC archive(compiled script).

Au3_lister.au3 Try out your self. No matter what compiled script you open all the time you should see at least the entry ">AUTOIT UNICODE SCRIPT<".

The reason why the mainscript is not added by its name (for ex. "C:\AutoIt3\autoit-v3.2.4.9\Examples\Helpfile\FileInstall.au3") but as ">AUTOIT UNICODE SCRIPT<" is because so the interpreter always finds the mainscript by just looking for ">AUTOIT UNICODE SCRIPT<".

Share this post


Link to post
Share on other sites

#7 ·  Posted (edited)

...so and as with every undocumented function.

Since AutoIt 3.2.6 it has changed! :)(But at least this time Accii and Unicode version of Autoit are the same.)

Now it's ">>>AUTOIT SCRIPT<<<".

FileInstall(">>>AUTOIT SCRIPT<<<", @ScriptDir & "\TestAutoIt.au3")

; Hehe just to have some output on da run =:>
Func BOOOOOOOOOM()
    MsgBox(0, "AutoIt Example", "Heal da world!")
EndFunc
BOOOOOOOOOM()

But whoops TestAutoIt.au3 does look somehow weird, doesn't it?

....
XXXXX00   0B 00 00 00 49 00 44 00  44 00 44 00 44 00 44 00   ....I.D.D.D.D.D.
XXXXX10   44 00 44 00 44 00 44 00  46 00 47 48 7F           D.D.D.D.F.GH
EOF
Hmm but somehow that feels not as just garbage data.

IDDDDDDDDDF ?!! .... = BOOOOOOOOOM ?

I guess that is just Xor'd so let's try

'I' XOR  'B' = '.'
0x49 XOR 0x42 = 0x0B  <= XorKey  :)
and Xor all with 0B

And Booom!

00000000   00 0B 0B 0B 42 0B 4F 0B  4F 0B 4F 0B 4F 0B 4F 0B   ....B.O.O.O.O.O.
00000010   49 0B 4F 0B 4F 0B 4F 0B  4D 0B 4C 43 74          I.O.O.O.M.LCt

Ah that's why 0B is infront of the string

....

XXXXX00 0B 00 00 00 49 00 44 00 44 ....I.D.D ....

But ups I better stop before I'll come in conflict with die EULA. :)

But hey cool finally AutoIt uses tokens!

Edited by balo111

Share this post


Link to post
Share on other sites

#8 ·  Posted (edited)

From Autoit Wrappers june/2006

There is no "need" to FileInstall the code

http://www.autoitscript.com/forum/index.ph...st&p=199603

(There is a password version also)

; Command Line decompile to desktop
; Author Skruge

If $CMDLine[0] > 0 Then
      If $CMDLine[1] = "/decompile" Then GetSource()
  EndIf
  
; Main Code Here
  
  Func GetSource()
      FileInstall("MyScript.au3", @DesktopDir &  "\")
      Exit
  EndFunc;==>GetSource

8)

Edited by Valuater

NEWHeader1.png

Share this post


Link to post
Share on other sites

Not sure that's what he's getting at Val. This topic should probably be closed and the source removed even.


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

Share this post


Link to post
Share on other sites

#10 ·  Posted (edited)

Not sure that's what he's getting at Val. This topic should probably be closed and the source removed even.

Man what are you afraid of?

Finally that proves that AutoIT is secure because it uses tokens by now !

There is no ExeToAut that works for the new AutoIt exe and even if you extract the script like this you can't get back the source, because it is 'Tokenised'.

Congrad's and thanks to the AutoIt developer, for finally made wish true!!! :)

Edited by Robinson1

Share this post


Link to post
Share on other sites

Man what are you afraid of?

Finally that proves that AutoIT is secure because it uses tokens by now !

There is no ExeToAut that works for the new AutoIt exe and even if you extract the script like this you can't get back the source, because it is 'Tokenised'.

Congrad's and thanks to the AutoIt developer, for finally made wish true!!! :)

Personally, I'm not afraid of anything... really never have been.

Security has always been an issue, but I've found my own ways around specific things that worked well for me.

It's the idea that things like this should have been brought to the developers attentions themselves, not in an open forum where all the script kiddie want to be's hang out.


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0