Skip to main content

Extract AutoIt scripts embedded in PE binaries

Project description

AutoIt-Ripper

What is this

This is a short python script that allows for extraction of "compiled" AutoIt scripts from PE executables.

References

This script is heavily based on 3 resources, definitely check them out if you want to dig a bit deeper into AutoIt stuff:

Supported AutoIt versions

Ready:

  • EA05 AutoIt3.00
  • EA06 AutoIt3.26

Unknown:

  • JB01 AutoHotKey
  • JB01 AutoIT2

Installation

python3 -m pip install autoit-ripper

or, if you'd like to install the version from sources:

git clone https://github.com/nazywam/AutoIt-Ripper.git
cd AutoIt-Ripper
pip install .

Running

From a python script:

from autoit_ripper import extract, AutoItVersion

with open("sample.exe", "rb") as f:
    file_content = f.read()

# EA05 for v3.00+, EA06 for v3.26+
# Omitting `version` or passing None will try both versions
content_list = extract(data=file_content, version=AutoItVersion.EA06)

From the commandline:

autoit-ripper sample.exe out_directory

Help message:

autoit-ripper --help
usage: autoit-ripper [-h] [--verbose] [--ea {EA05,EA06,guess}] file output_dir

positional arguments:
  file                  input binary
  output_dir            output directory

optional arguments:
  -h, --help            show this help message and exit
  --verbose, -v
  --ea {EA05,EA06,guess}
                        extract a specific version of AutoIt script (default: guess)

Format documentation

(In progress)

AU3 header

Field Length encryption (EA05) encryption (EA06) Notes
"FILE" 4 MT(0x16FA) LAME(0x18EE) static string
flag 4 xor(0x29BC) xor(0xADBC)
auto_str flag (* 2) MT(0xA25E + flag) LAME(0xB33F + flag) UTF-8/UTF-16
path_len 4 xor(0x29AC) xor(0xF820)
path path_len (* 2) MT(0xF25E + path_len) LAME(0xF479 + path_len) Path of the compiled script
compressed 1 None None is the script compressed
data_size 4 xor(0x45AA) xor(0x87BC) compressed data size
code_size 4 xor(0x45AA) xor(0x87BC) uncompressed data size
crc 4 xor(0xC3D2) xor(0xA685) compressed data crc checksum
creation date 4 None None file creation date (high)
creation date 4 None None file creation date (low)
last update date 4 None None last edit date (high)
last update date 4 None None last edit date (low)
data data_size MT(checksum + 0x22af) LAME(0x2477) script data

Differences between v3.00 and v3.26+

v3.00 v3.26
Code storage greped by magic "SCRIPT" resource (/greped by magic?)
String encoding UTF-8 UTF-16
Encryption xor/custom MT19937 xor/LAME crypt
Code encryption key dynamic static
Compression yes yes
Code "compilation" no yes
Magic EA05 EA06

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

autoit-ripper-1.1.2.tar.gz (15.0 kB view details)

Uploaded Source

File details

Details for the file autoit-ripper-1.1.2.tar.gz.

File metadata

  • Download URL: autoit-ripper-1.1.2.tar.gz
  • Upload date:
  • Size: 15.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.10.12

File hashes

Hashes for autoit-ripper-1.1.2.tar.gz
Algorithm Hash digest
SHA256 f811d60e47957b0a11520687967e53ca86a3a42bc98a8c02882d9d158ca9d4c0
MD5 953f7fb1d290b57dae9590fc037c9a00
BLAKE2b-256 786daba885809c8c836bcfad6d5d7252a80a8e48a3cb5ea67abe2a19a7237e80

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page