Extract AutoIt scripts embedded in PE binaries
Project description
AutoIt-Ripper
What is this
This is a (semi) short python script that allows for extraction of "compiled" AutoIt scripts from PE executables.
References
This script is heavily based on 2 3 resources, definitely check them out if you want to dig a bit deeper into the whole AutoIt stuff:
- http://files.planet-dl.org/Cw2k/MyAutToExe/index.html
- https://github.com/sujuhu/autoit
- https://github.com/Cisco-Talos/clamav-devel/blob/31824a659dff37ae03e3419395bb68e659c2b165/libclamav/autoit.c
Supported AutoIt versions
Ready:
EA05
AutoIt3.00EA06
AutoIt3.26
Unknown:
JB01
AutoHotKeyJB01
AutoIT2
Installation
python3 -m pip install autoit-ripper
or, if you'd like to install the version from sources:
git clone https://github.com/nazywam/AutoIt-Ripper.git
cd AutoIt-Ripper
python3 setup.py develop
Running
From a python script:
from autoit_ripper import extract, AutoItVersion
with open("sample.exe", "rb") as f:
file_content = f.read()
# EA05 for v3.00+, EA06 for v3.26+
# Omitting `version` or passing None will try both versions
content_list = extract(data=file_content, version=AutoItVersion.EA06)
From the commandline:
python3 -m autoit-ripper sample.exe out_directory
Help message:
$ python3 -m autoit_ripper --help
usage: __main__.py [-h] [--verbose] [--ea {EA05,EA06,guess}] file output_dir
positional arguments:
file input binary
output_dir output directory
optional arguments:
-h, --help show this help message and exit
--verbose, -v
--ea {EA05,EA06,guess}
extract a specific version of AutoIt script (default:
guess)
Format documentation
(In progress)
AU3 header
Field | Length | encryption (EA05) | encryption (EA06) | Notes |
---|---|---|---|---|
"FILE" | 4 | MT(0x16FA) | LAME(0x18EE) | static string |
flag | 4 | xor(0x29BC) | xor(0xADBC) | |
auto_str | flag (* 2) | MT(0xA25E + flag) | LAME(0xB33F + flag) | UTF-8/UTF-16 |
path_len | 4 | xor(0x29AC) | xor(0xF820) | |
path | path_len (* 2) | MT(0xF25E + path_len) | LAME(0xF479 + path_len) | Path of the compiled script |
compressed | 1 | None | None | is the script compressed |
data_size | 4 | xor(0x45AA) | xor(0x87BC) | compressed data size |
code_size | 4 | xor(0x45AA) | xor(0x87BC) | uncompressed data size |
crc | 4 | xor(0xC3D2) | xor(0xA685) | compressed data crc checksum |
creation date | 4 | None | None | file creation date (high) |
creation date | 4 | None | None | file creation date (low) |
last update date | 4 | None | None | last edit date (high) |
last update date | 4 | None | None | last edit date (low) |
data | data_size | MT(checksum + 0x22af) | LAME(0x2477) | script data |
Differences between v3.00 and v3.26+
v3.00 | v3.26 | |
---|---|---|
Code storage | greped by magic | "SCRIPT" resource (/greped by magic?) |
String encoding | UTF-8 | UTF-16 |
Encryption | xor/custom MT19937 | xor/LAME crypt |
Code encryption key | dynamic | static |
Compression | yes | yes |
Code "compilation" | no | yes |
Magic | EA05 | EA06 |
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
autoit-ripper-1.0.1.tar.gz
(9.9 kB
view hashes)
Built Distribution
Close
Hashes for autoit_ripper-1.0.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 971de742a6c491579b955cb25ae1071648bc9c790f60a1e34b3843efe0d87389 |
|
MD5 | fbcd5f361680917134b584bcd1187f06 |
|
BLAKE2b-256 | 9e57d9c0bb918c016d49dd18426e626d5e0452356a06275cb81817ee12b0b4c6 |