Reverse autoit

Discussion on Reverse autoit within the AutoIt forum part of the Coders Den category.

Old   #1
 
elite*gold: 0
Join Date: Aug 2014
Posts: 18
Received Thanks: 18
Reverse autoit

I have a DLL which was compiled by AutoIt.
How can I decompile it? Someone told me to use exe2aut, but exe2aut only accepts .exe files.
Can anyone help?
Thanks
fairylovehn127 is offline  
Old 12/07/2015, 19:11   #2
 
elite*gold: 0
Join Date: Feb 2009
Posts: 1,137
Received Thanks: 572
As far as I know you can't even create shared libs in AutoIt, so either this isn't a DLL or it's not written in AutoIt.
warfley is offline  
Old 12/07/2015, 19:17   #3
 
elite*gold: 77
Join Date: May 2008
Posts: 5,430
Received Thanks: 5,876
Quote:
Originally Posted by warfley View Post
As far as I know you can't even create shared libs in AutoIt, so either this isn't a DLL or it's not written in AutoIt.
It could be some kind of pseudo DLL.
For example, you could embed the AutoIt interpreter into some real DLL.
This real DLL then executes the embedded interpreter and says which function to call.

However, this is really stupid and a pain to implement. So I guess warfley is right.
Shadow992 is offline  
Old 12/07/2015, 19:21   #4
 
elite*gold: 0
Join Date: Aug 2014
Posts: 18
Received Thanks: 18
I don't know. When I drag the DLL file into the AutoIt compiler, it runs.
fairylovehn127 is offline  
Old 12/07/2015, 19:29   #5
 
elite*gold: 77
Join Date: May 2008
Posts: 5,430
Received Thanks: 5,876
Quote:
Originally Posted by fairylovehn127 View Post
I don't know. When I drag the DLL file into the AutoIt compiler, it runs.
What about uploading the file so we can analyse it?
Otherwise it is a guessing game what it is.
Shadow992 is offline  
Old 12/07/2015, 19:35   #6
 
elite*gold: 0
Join Date: Aug 2014
Posts: 18
Received Thanks: 18
It's an auto application that runs with bluestack.
It is compiled with cwautocomp. If I have the code which is generated by the exe2aut tool, I can bypass the login screen.
fairylovehn127 is offline  
Old 12/07/2015, 19:38   #7
 
elite*gold: 77
Join Date: May 2008
Posts: 5,430
Received Thanks: 5,876
Quote:
Originally Posted by fairylovehn127 View Post
It's an auto application that runs with bluestack.
It is compiled with cwautocomp. If I have the code which is generated by the exe2aut tool, I can bypass the login screen.
For me it looks like neither "ISDLL.dll" (too small) nor "ImageSearchDLL.dll" (I know this DLL) is an AutoIt-Dll.
Shadow992 is offline  
Old 12/07/2015, 19:43   #8
 
elite*gold: 0
Join Date: Aug 2014
Posts: 18
Received Thanks: 18
ImageSearchDLL.dll is not a search module of AutoIt. It is the main application.
ISDLL is the imagesearchdll lol
Drag it into alz.exe (AutoIt compiler) and the script was executed
fairylovehn127 is offline  
Old 12/07/2015, 21:07   #9
 
elite*gold: 77
Join Date: May 2008
Posts: 5,430
Received Thanks: 5,876
Quote:
Originally Posted by fairylovehn127 View Post
ImageSearchDLL.dll is not a search module of AutoIt. It is the main application.
ISDLL is the imagesearchdll lol
Drag it into alz.exe (AutoIt compiler) and the script was executed
You are totally right, this DLL is an AutoIt file.
To me it looks like an AutoIt file where the interpreter was removed.
So just embed it into a real interpreter again.

This file also had some "invalid" characters which may cause problems. I have now removed all invalid characters and also tested the script. It runs for me.
The problem is: it is obfuscated...
I tried my general deobfuscator, but because this deobfuscator is very buggy and unstable it was not able to deobfuscate the script. You have to do the work by hand, I guess.

The result is appended.
Attached Files
File Type: zip AutoIt3_2.zip (542.2 KB, 35 views)
Shadow992 is offline  
Thanks
1 User
Old 12/08/2015, 04:21   #10
 
elite*gold: 0
Join Date: Aug 2014
Posts: 18
Received Thanks: 18
Quote:
Originally Posted by Shadow992 View Post
You are totally right, this DLL is an AutoIt file.
To me it looks like an AutoIt file where the interpreter was removed.
So just embed it into a real interpreter again.

This file also had some "invalid" characters which may cause problems. I have now removed all invalid characters and also tested the script. It runs for me.
The problem is: it is obfuscated...
I tried my general deobfuscator, but because this deobfuscator is very buggy and unstable it was not able to deobfuscate the script. You have to do the work by hand, I guess.

The result is appended.
How can you reverse it to .au3?
I would kindly like to know.
fairylovehn127 is offline  
Old 12/08/2015, 11:19   #11
 
elite*gold: 77
Join Date: May 2008
Posts: 5,430
Received Thanks: 5,876
Quote:
Originally Posted by fairylovehn127 View Post
How can you reverse it to .au3?
I would kindly like to know.
As explained, all you have to do is to re-embed the AutoIt-File into an interpreter.
So just compile a really small script by yourself, remove all except the interpreter and then embed the given AutoIt-File (in your case "ImageSearchDLL.dll").
In reality this file is not a real DLL but it was just named that way.
Shadow992 is offline  
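
A defender's triage check for the situation described in post #11, a file that carries a .dll name but is not a real DLL. This is an added example, not code from the thread or from any tool named in it; the signature bytes are the widely published markers for compiled AutoIt v3 scripts and are an assumption here, as are the helper names and the constructed sample inputs.

```python
import struct

# Signatures commonly used to spot compiled AutoIt v3 scripts (assumption,
# not taken from the thread): a 16-byte header followed by the ASCII marker
# "AU3!EA06" ("AU3!EA05" in old builds).
AU3_HEADER = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_MARKERS = (b"AU3!EA06", b"AU3!EA05")

def is_pe(data: bytes) -> bool:
    """True only if the DOS header points at a valid 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_au3(data: bytes) -> int:
    """Offset of the first AutoIt script marker, or -1 if none is present."""
    hits = [i for i in (data.find(m) for m in AU3_MARKERS) if i >= 0]
    return min(hits) if hits else -1

def triage(name: str, data: bytes) -> dict:
    """Classify a file by content and flag a misleading PE extension."""
    pe, off = is_pe(data), find_au3(data)
    if pe and off >= 0:
        kind = "pe-with-autoit-script"
    elif off >= 0:
        kind = "bare-autoit-script"   # script blob without an interpreter
    elif pe:
        kind = "pe"
    else:
        kind = "unknown"
    claims_pe = name.lower().endswith((".dll", ".exe"))
    return {"kind": kind, "au3_offset": off,
            "header_present": off >= 16 and data[off - 16:off] == AU3_HEADER,
            "extension_mismatch": claims_pe and not pe}

# Constructed sample inputs (not the files from the thread).
def _fake_pe(payload: bytes = b"") -> bytes:
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 64 + payload

BARE = AU3_HEADER + b"AU3!EA06" + b"\x11" * 32
SAMPLES = {"renamed.dll": BARE, "native.dll": _fake_pe(),
           "compiled.exe": _fake_pe(BARE)}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(name, blob))
```

A `bare-autoit-script` verdict together with `extension_mismatch` is the pattern worth alerting on: script content shipped under a library extension to sidestep tools that only inspect executables.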
Old 12/08/2015, 16:44   #12
 
elite*gold: 0
Join Date: Aug 2014
Posts: 18
Received Thanks: 18
Can you capture a picture or guide me step by step to do this?
Thanks :d
fairylovehn127 is offline  
Old 12/08/2015, 17:01   #13
 
elite*gold: 77
Join Date: May 2008
Posts: 5,430
Received Thanks: 5,876
Quote:
Originally Posted by fairylovehn127 View Post
Can you capture a picture or guide me step by step to do this?
Thanks :d
Not really, because this is nothing big, nor is it something that can be used every time. Whenever you have some kind of protected Au3 file you have to know the basic structure of the exe file, otherwise it is nearly impossible to get anything right by guessing.

So what you are asking for is something like:
Could you explain to me how you calculate "1+1"?
Then if I explain how to do this calculation (e.g. by counting fingers) you know how to add 1 and 1, but you do not know how to add 1 and 2 without understanding what an addition is.

So if you want to understand how re-embedding the compiled AutoIt code works, you have to understand how AutoIt works in general and what the file structure looks like.

There is no sense in explaining how you can do it in this specific case (especially because it really is nothing more than re-embedding the compiled source), because this will only work for this file (and maybe very few others) but will not help you in general.

And explaining every anti-decompiling thing that can be applied is like explaining how to add numbers from 0 to infinity.
So in general it is not manageable.
If you really want to know how this works you have to invest some time in understanding the Au3 structure (good starting points are open source decompilers) and get involved in some basic ASM knowledge to analyze the interpreter.
There is no other way I see.
Shadow992 is offline  
Thanks
1 User