liquidzyklon Posted December 31, 2004 (edited)
Ok, I am going to start off clean here. This program is NOT mine, but I was stupid enough to run it on my computer. First, I downloaded this program thinking it was something else (a hack for a game). Of course I did the usual anti-virus check for this file, along with UPX extraction and rescanning it. I was too careless and didn't notice it was an AutoIt script. I ran the program, and the computer shut down. I started the computer again; it booted up until the screen that shows "Windows is Starting up..." and then the computer goes to the "Windows is Shutting down" screen. There is no time to type in a password or have any user intervention to prevent this (at least not to my knowledge). I am running Windows XP SP2 with NAV. I know it's against the rules to decompile a program, but since this program messed up my computer I really need help from someone who can decompile it. I'm not here to steal his code, but I need to know how to resolve this issue. I need to know what kind of modification this script did to my computer. I have spent 5 hours looking online for help and found a few leads, but none of them can help me resolve this issue. I will provide the link to the EXE, but a mod should remove it for the safety of others. I just need someone to decompile it and guide me to fixing my computer. The file is located: <link removed>
Edited December 31, 2004 by Jon
Insolence Posted December 31, 2004
I think you can start up in safe mode and fix the registry there? It adds a value to the RunOnce field (I think) inside your registry. You should be thankful all it's doing is shutting it down; thank god it didn't run silently and steal your stuff.
"I thoroughly disapprove of duels. If a man should challenge me, I would take him kindly and forgivingly by the hand and lead him to a quiet place and kill him." - Mark Twain
Patient: "It hurts when I do $var_" Doctor: "Don't do $var_" - Lar.
the_lord_mephy Posted December 31, 2004
It probably did something like
RegWrite($startupdir, yadda yadda, "myprog.exe")
Shutdown(1)
and then myprog.exe is saved as Shutdown(1) =\
My site for HTML Help :)
Quoting Valik (Oct 15 2004, 12:29 PM): "Maybe nobody is an 'elite uber-coder' like me because thinking is a capital offense in today's online world?"
MHz Posted December 31, 2004
This nasty executable could be doing almost anything to do this. It seems to have passphrase protection. Everyone: do not run this to find out, unless isolated in something like Virtual PC. Reason: it reboots almost instantly and leaves your system as described in the initial post.
Insolence Posted December 31, 2004
That would be horrible. Safe mode doesn't prevent that program from being started?
Andre Posted December 31, 2004
Hi, perhaps useless to say, but if someone posts a new script, always include the source to prevent this kind of problem. Andre
What about Windows without using AutoIt? It would be the same as driving a car without a steering wheel!
Insolence Posted December 31, 2004
What? It's MEANT to do that.
Jon (Administrators) Posted December 31, 2004 (edited)
Here is the script. Pretty standard "evil" stuff. Renames a few files and adds reg Run keys. Looks to be by someone called Chong Yi. Sir, you are a twat. Hopefully you can reverse most of it, but it looks like it deleted some of the dllcache files so you will need your Windows CD to replace them. I'll remove it in a few hours. Edit: removed.
Edited January 1, 2005 by Jon
Deployment Blog: https://www.autoitconsulting.com/site/blog/ SCCM SDK Programming: https://www.autoitconsulting.com/site/sccm-sdk/
SlimShady Posted December 31, 2004
Omg, that's horrible.
liquidzyklon (Author) Posted December 31, 2004
Omg, I thank you all. You are great people. I will have to spend some time to look at the code and see what I can do.

First, I am sorry for those who downloaded this program and ran it by accident. I did try to warn you guys. Very sorry.

Ok, after running the program it shut down. First of all, I remember that the file was about 450 KB, so that means it's not just a few lines of code and this thing must have been huge.

My first attempt at fixing it was to boot up in Safe Mode, but like some of you discovered it was futile. Then I went on the Internet to search and came up with this site: http://www.greatis.com/security/startuporder.htm which at the bottom showed the boot order. This led me to try and disable "weird" services and reboot. I tried that for 2 hours and it was no good.

My second attempt was to find the EXE that was being called upon at bootup and delete it so the Windows Registry can't find it, but it seems that I can't access the "Documents and Settings" folder and so on. I will have to try using a Windows 2000 CD to bypass stupid WinXP security.

I will try to reverse this with the code provided, but if I have any trouble I will post back. Thank you all, and have a Happy New Year.
ezzetabi Posted December 31, 2004
This is doubly bad:
- This means compiled files with the 'No compile' tag are not safe at all.
- People want to give AutoIt a bad name.
killaz219 Posted December 31, 2004
> Here is the script. Pretty standard "evil" stuff. Renames a few files and adds reg Run keys. Looks to be by someone called Chong Yi. Sir, you are a twat. Hopefully you can reverse most of it, but it looks like it deleted some of the dllcache files so you will need your Windows CD to replace them.
Ha, Jon, you're the only one that can crack AutoIt compiled exe's.
liquidzyklon (Author) Posted December 31, 2004 (edited)
Alright, I managed to fix my computer and would like to share with you all. It's been a learning experience for me.

First, I rebooted into the Recovery Console. I went to all the directories where new files were being copied:
1) C:\WINDOWS\system32\dllcache
2) C:\WINDOWS\system32\
3) C:\WINDOWS\
Then I deleted every file that was copied by this script, including the ones in dllcache. I rebooted and was able to log on. That was a big relief.

After logon, nothing came up because explorer.exe wasn't running, but I was able to get Task Manager up with Ctrl + Alt + Del. From there I accessed regedit and did my fixing of all the added/modified registry entries. After that, reboot and everything is okay. I just did a repeat check for any foreign files and foreign entries in the registry and it looks like I am all clean. I am lucky the script author didn't delete any files or that would require a little more work restoring files from the WinXP CD. Now I can have a great New Year.

[Aside] AutoIt has been a powerful scripting language that I use to check my mail, and all my other lazy stuff. It's because this language is powerful that there are bound to be people who will abuse it. I am very lucky that Jon decompiled it and that helped me a lot.

Regards, Derrick Shum

PS: I forgot to ask one more question. The first 3 lines called to install hohoho.exe and hohoho.jpg. I am wondering, were those files actually embedded into the EXE?
Edited December 31, 2004 by liquidzyklon
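A defender-side check for the registry half of the cleanup described above, added here as an example (it is not code from the thread, from the malicious script, or from AutoIt): it parses a .reg export of the Run/RunOnce keys and flags values that are missing from a clean baseline, point into dllcache, or invoke shutdown. It is written in Python so it can run offline against an export taken from any machine; the sample export, the hohoho.exe entry and the baseline are constructed for illustration.

```python
import re

# Autostart keys the thread's script abused; the same suffix appears under HKLM and HKCU.
AUTOSTART_SUFFIXES = (r"\WINDOWS\CURRENTVERSION\RUN", r"\WINDOWS\CURRENTVERSION\RUNONCE")
# Constructed sample .reg export; not the infected machine's real registry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"hohoho"="C:\\WINDOWS\\system32\\dllcache\\hohoho.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINDOWS\\system32\\shutdown.exe -s -t 0"
'''
# Hypothetical baseline of (key, value name) pairs exported from a known-clean machine.
BASELINE = {(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "NvCplDaemon")}

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {(key, name): command} for every REG_SZ value in a .reg export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:  # undo .reg escaping: \\ -> \ and \" -> "
                name, cmd = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                entries[(key, name)] = cmd
    return entries

def suspicious_autostarts(entries, baseline):
    """Flag Run/RunOnce values absent from the baseline, stored in dllcache, or forcing a shutdown."""
    findings = []
    for (key, name), cmd in entries.items():
        if not key.upper().endswith(AUTOSTART_SUFFIXES):
            continue
        reasons = []
        if (key, name) not in baseline:
            reasons.append("not in clean baseline")
        if "\\dllcache\\" in cmd.lower():
            reasons.append("executable stored in dllcache")
        if re.search(r"\bshutdown(\.exe)?\b", cmd, re.I):
            reasons.append("invokes shutdown at logon")
        if reasons:
            findings.append((key, name, cmd, reasons))
    return findings

if __name__ == "__main__":
    for key, name, cmd, reasons in suspicious_autostarts(parse_reg_export(SAMPLE_REG), BASELINE):
        print(f"{key}\\{name} = {cmd}  <- {'; '.join(reasons)}")
```

On a real machine, export the Run and RunOnce keys with regedit (or reg.exe) from the Recovery Console or a clean boot and feed the file to parse_reg_export instead of SAMPLE_REG.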
Einzeinbleth Posted December 31, 2004 (edited)
Stupid lamers are making destructive code and normal people have more work. Try to install something like Ad-Aware or similar, and make a copy of the registry... no one knows when a noob will attack...
EDIT: liquidzyklon, maybe that idiot who made the code named it hohoho? And then forgot about it.
Edited December 31, 2004 by Einzeinbleth
Jon (Administrators) Posted January 1, 2005
> This is doubly bad: - This means compiled files with the 'No compile' tag are not safe at all.
This is always the weakness: AutoIt must be able to run its own script, so the algorithm has to be two-way. The only way to avoid it would be if the script asked for a password every time it was run (then I wouldn't be able to decompile it apart from by brute force or memory sniffing).
What I _did_ want to do was to make the script just stored as tokens so that decompiling would be a nightmare (i.e. the text file for the script no longer exists), but because lots of people wanted a decompiler, and one that gets back all the comments and formatting, that isn't possible. Well, not without creating multiple modes for Aut2Exe.
ezzetabi Posted January 1, 2005
I see your point, Jon. But still it is sad. It is maybe better to remove the passphrase or the decompiler...
liquidzyklon (Author) Posted January 1, 2005
I'm not sure what else you can do to make AutoIt safer. Considering AutoIt is supposed to be a powerful scripting language, there are bound to be people who will abuse it. Compiling the scripts allows people to use the scripts without AutoIt installed, but the passphrase is supposed to help protect the author's code. The question here is, what's the difference between script code vs. a program? For example, VBS and JavaScript are both scripting languages which are powerful as well, but the code is usually seen by the user so they can use it at their own discretion. Plus those two types of script run off Windows Script, so it's already universal. So maybe removing the passphrase can make AutoIt equivalent (in the sense that the code can be decompiled and perused for dangers).
killaz219 Posted January 1, 2005 (edited)
> Well, not without creating multiple modes for Aut2Exe.
I think that is a great idea. Or maybe just the no-decompile option will use that mode?
Edited January 1, 2005 by killaz219
sugi Posted January 2, 2005
> What I _did_ want to do was to make the script just stored as tokens so that decompiling would be a nightmare
The only difference would be that all of the comments would be removed. But remember: the C64 stored only tokens for its BASIC V2 language in its 64k memory, but when you entered "list" it would translate them into the readable commands every time. So translating the scripts into tokens alone does not help at all.
this-is-me Posted January 4, 2005 (edited)
> Ha, Jon, you're the only one that can crack AutoIt compiled exe's
@killaz... not so...
Edited January 4, 2005 by this-is-me
Who else would I be?