Reverse autoit

12/07/2015 18:48 fairylovehn127#1
I have a DLL which was compiled by AutoIt.
How can I decompile it? Someone told me to use exe2aut, but exe2aut just accepts .exe
Can anyone help?
Thanks
12/07/2015 19:11 warfley#2
As far as I know you can't even create shared libs in AutoIt, so either this isn't a DLL or it's not written in AutoIt.
12/07/2015 19:17 Shadow992#3
Quote:
Originally Posted by warfley
As far as I know you can't even create shared libs in AutoIt, so either this isn't a DLL or it's not written in AutoIt.
It could be some kind of pseudo dll.
For example you could embed the AutoIt-Interpreter into some real DLL.
This real DLL then executes the embedded interpreter and says which function to call.

However this is really stupid and a pain to implement. So I guess warfley is right.
12/07/2015 19:21 fairylovehn127#4
I don't know. When I drag the DLL file into the AutoIt compiler, it runs.
12/07/2015 19:29 Shadow992#5
Quote:
Originally Posted by fairylovehn127
I don't know. When I drag the DLL file into the AutoIt compiler, it runs.
What about uploading the file so we can analyse it?
Otherwise it is a guessing game what it is.
12/07/2015 19:35 fairylovehn127#6
It's an auto application that runs with bluestack.
It is compiled with cwautocomp. If I have the code which is generated by the exe2aut tool, I can bypass the login screen.
12/07/2015 19:38 Shadow992#7
Quote:
Originally Posted by fairylovehn127
It's an auto application that runs with bluestack.
It is compiled with cwautocomp. If I have the code which is generated by the exe2aut tool, I can bypass the login screen.
For me it looks like neither "ISDLL.dll" (too small) nor "ImageSearchDLL.dll" (I know this DLL) is an AutoIt-Dll.
12/07/2015 19:43 fairylovehn127#8
ImageSearchDLL.dll is not a module search of AutoIt. It is a main application.
ISDLL is a imagesearchdll lol
Drag it into alz.exe (AutoIt compiler) and the script was executed
12/07/2015 21:07 Shadow992#9
Quote:
Originally Posted by fairylovehn127
ImageSearchDLL.dll is not a module search of AutoIt. It is a main application.
ISDLL is a imagesearchdll lol
Drag it into alz.exe (AutoIt compiler) and the script was executed
You are totally right, this DLL is an AutoIt-File.
For me it looks like an AutoIt file where the interpreter was removed.
So just embed it into a real interpreter again.

This file also had some "invalid" characters which may cause problems. I have now removed all invalid characters and also tested the script. It runs for me.
The problem is: It is obfuscated...
I tried my general Deobfuscator, but because this Deobfuscator is very buggy and unstable it was not able to deobfuscate the script. You have to do the work by hand I guess. :D

The result is appended.
12/08/2015 04:21 fairylovehn127#10
Quote:
Originally Posted by Shadow992
You are totally right, this DLL is an AutoIt-File.
For me it looks like an AutoIt file where the interpreter was removed.
So just embed it into a real interpreter again.

This file also had some "invalid" characters which may cause problems. I have now removed all invalid characters and also tested the script. It runs for me.
The problem is: It is obfuscated...
I tried my general Deobfuscator, but because this Deobfuscator is very buggy and unstable it was not able to deobfuscate the script. You have to do the work by hand I guess. :D

The result is appended.
How can you reverse it to .au3?
I'd kindly like to know :)
12/08/2015 11:19 Shadow992#11
Quote:
Originally Posted by fairylovehn127
How can you reverse it to .au3?
I'd kindly like to know :)
As explained, all you have to do is to re-embed the AutoIt-File into an interpreter.
So just compile a really small script by yourself, remove all except the interpreter and then embed the given AutoIt-File (in your case "ImageSearchDLL.dll").
In reality this file is not a real DLL but it was just named that way.
12/08/2015 16:44 fairylovehn127#12
Can you capture a picture or guide me step by step to do this?
Thanks :d
12/08/2015 17:01 Shadow992#13
Quote:
Originally Posted by fairylovehn127
Can you capture a picture or guide me step by step to do this?
Thanks :d
Not really, because this is nothing big nor is it something that can be used every time. Whenever you have some kind of protected Au3 file you have to know the basic structure of the exe file, otherwise it is nearly impossible to get anything right by guessing.

So what you are asking for is something like:
Could you explain to me how you calculate "1+1"?
Then if I explain how to do this calculation (e.g. by counting fingers) you know how you can add 1 and 1 but you do not know how you can add 1 and 2 without understanding what an addition is.

So if you want to understand how re-embedding the compiled AutoIt-Code works, you have to understand how AutoIt in general works and what the file structure looks like.

There is no sense in explaining how you can do it in this specific case (especially because it really is not more than re-embedding the compiled source) because this will only work for this file (and maybe very few others) but will not help you in general.

And explaining every anti-decompiling thing that can be applied is like explaining how to add numbers from 0 to Infinity.
So in general not manageable.
If you really want to know how this works you have to invest some time in understanding Au3-Structure (good starting points are open source decompilers) and getting involved in some basic ASM-Knowledge to analyze the interpreter.
There is no other way I see.
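
The thread's central finding, that a file named ".dll" can be a compiled AutoIt script rather than a real DLL, is something a triage step can check from content alone. The sketch below is an added example, not code from any poster; the AutoIt marker bytes are the commonly documented ones and are an assumption here, and the sample inputs are constructed.

```python
import struct

# Markers commonly documented for AutoIt v3 compiled scripts (assumed here,
# not taken from the thread): a fixed 16-byte header followed by "AU3!EA06"
# (or "AU3!EA05" for older builds).
AU3_HEADER = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_MAGICS = (b"AU3!EA06", b"AU3!EA05")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on real DLLs


def pe_kind(data: bytes):
    """Return 'pe-dll', 'pe-exe', or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "pe-dll" if flags & IMAGE_FILE_DLL else "pe-exe"


def au3_offset(data: bytes) -> int:
    """Offset of the first AutoIt script marker, or -1 if none is present."""
    hits = [data.find(m) for m in AU3_MAGICS]
    hits = [h for h in hits if h >= 0]
    return min(hits) if hits else -1


def classify(data: bytes) -> str:
    """Triage by content, ignoring whatever extension the file carries."""
    kind, off = pe_kind(data), au3_offset(data)
    if kind is None:
        return "autoit-script-blob" if off >= 0 else "unknown"
    return kind + ("+autoit-script" if off >= 0 else "")


def fake_pe(flags: int) -> bytes:
    """Constructed sample: minimal DOS + COFF headers, nothing else."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, flags)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    script = AU3_HEADER + b"AU3!EA06" + b"\0" * 32  # constructed, not a real script
    for name, blob in [("real.dll", fake_pe(0x2102)),
                       ("compiled.exe", fake_pe(0x0102) + script),
                       ("renamed.dll", script)]:
        print(name, "->", classify(blob), "marker at", au3_offset(blob))
```

A result of `autoit-script-blob` for a file with a `.dll` extension matches the case described in the thread: script data with no interpreter and no PE headers, only named like a DLL.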