How do Exe2Aut and other decompilers work?

02/02/2014 20:24 GGili#1
Hello,

I want to know some useful information about how Exe2Aut and other decompilers work.

These are my questions:
1) How do Exe2Aut and other decompilers know if the exe is a compiled AutoIt script?
1.1) Is it looking for a string like "au3" or "autoit" in some area of the exe?
If so, what string is it looking for?
1.2) Is it looking for some binary data in the exe that identifies the script as an AutoIt exe?
1.3) Does it check if the script is AutoIt by checking the data structure of the binary or something like this? If so, what can I do to hide the structure?
1.4) Does it use another technique I have not mentioned? If yes, please tell me the other techniques.

I'd love to get information about it.

If I'm not clear, I'm sorry.
English is not my original language.

Thanks to the helpers!
02/02/2014 20:41 YatoDev#2
Quote:
Originally Posted by GGili
Hello,

I want to know some useful information about how Exe2Aut and other decompilers work.

These are my questions:
1) How do Exe2Aut and other decompilers know if the exe is a compiled AutoIt script?
1.1) Is it looking for a string like "au3" or "autoit" in some area of the exe?
If so, what string is it looking for?
1.2) Is it looking for some binary data in the exe that identifies the script as an AutoIt exe?
1.3) Does it check if the script is AutoIt by checking the data structure of the binary or something like this? If so, what can I do to hide the structure?
1.4) Does it use another technique I have not mentioned? If yes, please tell me the other techniques.

I'd love to get information about it.

If I'm not clear, I'm sorry.
English is not my original language.

Thanks to the helpers!
It doesn't know if it's an AutoIt exe, and it doesn't need to know.
02/02/2014 20:45 GGili#3
Quote:
Originally Posted by »FlutterShy™
It doesn't know if it's an AutoIt exe, and it doesn't need to know.
So I think it must be 1.3.

What can I do to change the exe so the decompiler will not know how to translate the binary data to text (in this case the script)?
02/02/2014 22:43 Shadow992#4
Quote:
Originally Posted by GGili
So I think it must be 1.3.

What can I do to change the exe so the decompiler will not know how to translate the binary data to text (in this case the script)?
It is nothing you mentioned if we are talking about Links decompiler, aka Exe2Aut.
He uses some type of code injection/hooking to get the decrypted AutoIt script in RAM. It is really hard to make a good protection against these "attacks" because no matter what protector/packer you use, it will be easy to crack. It is an AutoIt-specific feature to write the complete source into RAM and parse it token by token. This means it is not possible to use some generic tools and hope that your AutoIt file will never be decompiled.
Even if you use specific tools (like mine), Exe2Aut is able to decompile it in most cases. So the best way to protect your scripts is using an obfuscator (but not the standard one; the standard one gets cracked/deobfuscated too).

I suggest "AutoIt-Obfuscator written in C++" (maybe because it's my work. :D):
[link only visible to registered users]
02/02/2014 23:26 GGili#5
Quote:
Originally Posted by Shadow992
It is nothing you mentioned if we are talking about Links decompiler, aka Exe2Aut.
He uses some type of code injection/hooking to get the decrypted AutoIt script in RAM. It is really hard to make a good protection against these "attacks" because no matter what protector/packer you use, it will be easy to crack. It is an AutoIt-specific feature to write the complete source into RAM and parse it token by token. This means it is not possible to use some generic tools and hope that your AutoIt file will never be decompiled.
Even if you use specific tools (like mine), Exe2Aut is able to decompile it in most cases. So the best way to protect your scripts is using an obfuscator (but not the standard one; the standard one gets cracked/deobfuscated too).

I suggest "AutoIt-Obfuscator written in C++" (maybe because it's my work. :D):
[link only visible to registered users]
Okay.
This is new to me.

I'm glad I know this forum.

So that means there will always be a security hole if it works that way.
But I can live with it if I create good enough security.

In my searches, I found that using other packers can prevent decompilation.
In some places people recommended combining multiple packers.

Can you give me a recommendation about multiple packers that can be combined together?

Quote:
So the best way to protect your scripts is using an obfuscator (but not the standard one; the standard one gets cracked/deobfuscated too).
This is the way I've worked and developed.
I obfuscated the script and I developed a special protection.
The protection is that the script checks if it has been modified before, and if so:
If the script is not compiled, then the script will destroy itself slowly (each session the script will delete some line of code from itself).
In addition, the script will close SciTE in this case.

If the script is compiled, the script will not work properly and will give errors.

What do you say about that? Is this good protection?

But I used the standard obfuscator. Maybe I'll use yours.
02/02/2014 23:48 Shadow992#6
Quote:
Originally Posted by GGili
Okay.
This is new to me.

I'm glad I know this forum.

So that means there will always be a security hole if it works that way.
But I can live with it if I create good enough security.

In my searches, I found that using other packers can prevent decompilation.
In some places people recommended combining multiple packers.

Can you give me a recommendation about multiple packers that can be combined together?
At the moment there is no real packer that defeats Aut2Exe.

Quote:
Originally Posted by GGili
This is the way I've worked and developed.
I obfuscated the script and I developed a special protection.
The protection is that the script checks if it has been modified before, and if so:
If the script is not compiled, then the script will destroy itself slowly (each session the script will delete some line of code from itself).
In addition, the script will close SciTE in this case.

If the script is compiled, the script will not work properly and will give errors.

What do you say about that? Is this good protection?

But I used the standard obfuscator. Maybe I'll use yours.
This is always a good try, but the most important thing is to use a good obfuscator; otherwise the work is useless.

Edit:
Also have a look at that thread:
[link only visible to registered users]