Extract AutoIt scripts embedded in PE binaries

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for nazywam from gravatar.com nazywam

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License
  • Author: nazywam
  • Requires: Python >=3.10
Classifiers
Report project as malware

Project description

AutoIt-Ripper

What is this

This is a short python script that allows for extraction of "compiled" AutoIt scripts from PE executables.

References

This script is heavily based on 3 resources, definitely check them out if you want to dig a bit deeper into AutoIt stuff:

Supported AutoIt versions

Ready:

  • EA05 AutoIt3.00
  • EA06 AutoIt3.26
  • JB01 AutoHotKey v1

Unknown:

  • JB01 AutoIT2

Installation

python3 -m pip install autoit-ripper

or, if you'd like to install the version from sources:

git clone https://github.com/nazywam/AutoIt-Ripper.git
cd AutoIt-Ripper
pip install .

Running

From a python script:

from autoit_ripper import extract, AutoItVersion

with open("sample.exe", "rb") as f:
    file_content = f.read()

# EA05 for v3.00+, EA06 for v3.26+
# Omitting `version` or passing None will try both versions
content_list = extract(data=file_content, version=AutoItVersion.EA06)

From the commandline:

autoit-ripper sample.exe out_directory

Help message:

autoit-ripper --help
usage: autoit-ripper [-h] [--verbose] [--ea {EA05,EA06,guess}] file output_dir

positional arguments:
  file                  input binary
  output_dir            output directory

optional arguments:
  -h, --help            show this help message and exit
  --verbose, -v
  --ea {EA05,EA06,JB01,guess}
                        extract a specific version of AutoIt script (default: guess)

Format documentation

(In progress)

AU3 header

Field Length encryption (EA05) encryption (EA06) Notes
"FILE" 4 MT(0x16FA) LAME(0x18EE) static string
flag 4 xor(0x29BC) xor(0xADBC)
auto_str flag (* 2) MT(0xA25E + flag) LAME(0xB33F + flag) UTF-8/UTF-16
path_len 4 xor(0x29AC) xor(0xF820)
path path_len (* 2) MT(0xF25E + path_len) LAME(0xF479 + path_len) Path of the compiled script
compressed 1 None None is the script compressed
data_size 4 xor(0x45AA) xor(0x87BC) compressed data size
code_size 4 xor(0x45AA) xor(0x87BC) uncompressed data size
crc 4 xor(0xC3D2) xor(0xA685) compressed data crc checksum
creation date 4 None None file creation date (high)
creation date 4 None None file creation date (low)
last update date 4 None None last edit date (high)
last update date 4 None None last edit date (low)
data data_size MT(checksum + 0x22af) LAME(0x2477) script data

Differences between v3.00 and v3.26+

v3.00 v3.26
Code storage greped by magic "SCRIPT" resource (/greped by magic?)
String encoding UTF-8 UTF-16
Encryption xor/custom MT19937 xor/LAME crypt
Code encryption key dynamic static
Compression yes yes
Code "compilation" no yes
Magic EA05 EA06

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for nazywam from gravatar.com nazywam

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License
  • Author: nazywam
  • Requires: Python >=3.10
Classifiers

Release history Release notifications | RSS feed

This version

1.2.0

1.1.2

1.1.1

1.1.0

1.0.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

autoit_ripper-1.2.0.tar.gz (17.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

autoit_ripper-1.2.0-py3-none-any.whl (17.9 kB view details)

Uploaded Python 3

File details

Details for the file autoit_ripper-1.2.0.tar.gz.

File metadata

  • Download URL: autoit_ripper-1.2.0.tar.gz
  • Upload date:
  • Size: 17.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for autoit_ripper-1.2.0.tar.gz
Algorithm Hash digest
SHA256 20e9c38820db143a4f976e2a165a04304fdbd2a1cf1ab26079fde40bad70a479
MD5 490d562cfe0939e0c0ede000dd891bc5
BLAKE2b-256 fdab2da52a8ff422a6bc3c6538b45889f6c207a60c7737cc4ab1bb5fdadc02fb

See more details on using hashes here.

File details

Details for the file autoit_ripper-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: autoit_ripper-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 17.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for autoit_ripper-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e43fddb7d8eb2e985dffb7952bd1102b77d85a9a4467c1821ecefd8f416b45ce
MD5 5ef4034dc9afc8d1b2953602c43ded3a
BLAKE2b-256 65801c6111b41b00fb2bebb874c723c7aefae35b579aef42097dc62e54df9c9f

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page