There are many public and private obfuscators on the internet, and most of them are really easy to crack, even for programs.
There are also some deobfuscators, but most of them only work for one specific obfuscator, which is why I decided to write a deobfuscator that may work for most obfuscators.
The reason this deobfuscator may work for many obfuscators is the way it parses the AutoIt file: it is a self-written AutoIt interpreter. It interprets the script like AutoIt does, line by line, and finds out which variables with static content can be replaced and which cannot.
It is actually only an alpha version, but I am releasing it anyway because my time is very limited at the moment and I do not want this project to disappear in the depths of my computer.
The complete deobfuscator is written in C/C++, and the attached file also contains the source code.
At some points I did some strange things, e.g. sorting an integer array instead of a string array even though I have to continue processing with the string array.
Most of these things were done for performance. My program is now able to parse and interpret an AutoIt script of 11,000 lines in around 10-30 seconds.
That sounds really fast, and it is fast, but there is a small problem.
Let us use an example to explain the problem:
Obfuscated code:
Code:
$var=10
$var2=Execute("$var+10")
$var3=Execute("$var2+10")
Line 1: nothing to do
Line 2: interpret Execute(...
Line 3: interpret Execute(...
New code:
Code:
$var=10
$var2=$var+10
$var3=$var2+10
Now the second walk-through starts.
My deobfuscator now tries to find functions that can be replaced by their code.
In our case the deobfuscator did not find anything.
So walk-through 3 starts. In this walk-through the deobfuscator tries to remove variables that can be replaced:
Before:
Code:
$var=10
$var2=$var+10
$var3=$var2+10
After:
Code:
$var=10
$var2=10+10
$var3=$var2+10
Now we start again at pass #1, where we interpret the AutoIt code, and our code then becomes:
Code:
$var=10
$var2=20
$var3=$var2+10
Now we have to interpret again, and then we get:
Code:
$var=10
$var2=20
$var3=30
This is the problem: the deobfuscator has to solve cases like the one above by interpreting and replacing again and again. I also added some little things that make it possible to do fewer interprets and replaces, but the problem remains.
So my deobfuscator currently needs around 10 passes to deobfuscate most obfuscators, but this is bad for performance. Remember that one pass through 11,000 lines takes around 10-20 seconds. If we now have to walk through around 10 times, we end up with around 100-300 seconds for deobfuscating a script that is around 11,000 lines long.
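As an added example (not the tool's own code), the following Python reproduces the three walks on the post's sample for a tiny assumed AutoIt subset (`$name=expr` lines, integer `+`, and `Execute("...")`), counts how many rounds the scheme needs, and goes one step further than the post by showing that a single forward sweep, which makes each folded value available to the lines below it, resolves the same straight-line script in one pass:

```python
import re
EXEC_RE = re.compile(r'^Execute\("(.*)"\)$')  # Execute("<expr>") wrapper used by obfuscators
VAR_RE = re.compile(r"\$\w+")                  # an AutoIt variable reference such as $var2
SUM_RE = re.compile(r"^\d+(\+\d+)+$")          # a sum of integer literals only, safe to fold
# Constructed sample: the same three lines as the post's example.
SAMPLE = '$var=10\n$var2=Execute("$var+10")\n$var3=Execute("$var2+10")'

def parse(script):
    """Split each '$name=expr' line into a mutable [name, expr] pair."""
    return [[p.strip() for p in ln.split("=", 1)] for ln in script.strip().splitlines()]

def render(lines):
    return "\n".join(f"{name}={expr}" for name, expr in lines)

def unwrap(expr):
    """Interpret Execute("..."): the string argument becomes the expression itself."""
    return EXEC_RE.sub(r"\1", expr)

def fold(expr):
    """Evaluate an expression once it contains nothing but integer literals."""
    return str(sum(map(int, expr.split("+")))) if SUM_RE.match(expr) else expr

def substitute(expr, consts):
    return VAR_RE.sub(lambda m: consts.get(m.group(0), m.group(0)), expr)

def constants(lines):
    """Variables assigned exactly once with an integer literal can be inlined safely."""
    names = [name for name, _ in lines]
    return {name: expr for name, expr in lines if names.count(name) == 1 and expr.isdigit()}

def deobfuscate_multipass(script):
    """The post's scheme: each sweep only uses facts known before it started, so every dependent variable costs a round."""
    lines, rounds = parse(script), 0
    while True:
        rounds, before = rounds + 1, render(lines)
        for ln in lines: ln[1] = unwrap(ln[1])                 # walk 1: interpret Execute()
        for ln in lines: ln[1] = fold(ln[1])                   # walk 2: evaluate static arithmetic
        consts = constants(lines)
        for ln in lines: ln[1] = substitute(ln[1], consts)     # walk 3: replace constant variables
        if render(lines) == before:
            return render(lines), rounds

def deobfuscate_forward(script):
    """Single forward sweep; only valid for straight-line code (no loops, jumps or user functions)."""
    lines, consts = parse(script), {}
    for ln in lines:
        ln[1] = fold(substitute(unwrap(ln[1]), consts))
        if ln[1].isdigit(): consts[ln[0]] = ln[1]
        else: consts.pop(ln[0], None)                          # reassigned to an unknown value
    return render(lines), 1
```

Both functions return the rewritten script and the number of rounds used; the multi-pass version spends one extra round per chained variable, the forward sweep always spends one.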
In some future update (when I have more time) I will update this deobfuscator and solve this problem.
At the moment this deobfuscator is not very good at deobfuscating because it is also not able to interpret user-defined functions. But all of this will be added; for now the deobfuscator may only be useful for research and for deobfuscating small and easy scripts.
If you have any obfuscated scripts that use neither my obfuscators nor the AutoIt obfuscator, please send me some obfuscated code from them. I need them for analysing and optimizing my program.
Feel free to use the code in part or in full for your own projects, or change the source code of the deobfuscator. But if you are going to release your project, please mention my name and my project.
I compiled this .exe on Linux with Wine. I hope it will work on Windows. :/
If not, you will have to recompile the source yourself. I used the GNU GCC compiler.
Changelog (German):