Project author: nazywam

Project description:
Extract AutoIt scripts embedded in PE binaries
Language: Python
Repository: git://github.com/nazywam/AutoIt-Ripper.git
Created: 2020-03-18T21:59:30Z
Project community: https://github.com/nazywam/AutoIt-Ripper

License: MIT License

AutoIt-Ripper

What is this

This is a short Python script that extracts "compiled" AutoIt scripts from PE executables.

References

This script is heavily based on three resources; definitely check them out if you want to dig a bit deeper into AutoIt internals:

Supported AutoIt versions

Ready:

  • EA05 AutoIt3.00
  • EA06 AutoIt3.26

Unknown:

  • JB01 AutoHotKey
  • JB01 AutoIT2

Installation

  python3 -m pip install autoit-ripper

or, if you’d like to install the version from sources:

  git clone https://github.com/nazywam/AutoIt-Ripper.git
  cd AutoIt-Ripper
  pip install .

Running

From a Python script:

  from autoit_ripper import extract, AutoItVersion

  with open("sample.exe", "rb") as f:
      file_content = f.read()

  # EA05 for v3.00+, EA06 for v3.26+
  # Omitting `version` or passing None will try both versions
  content_list = extract(data=file_content, version=AutoItVersion.EA06)

From the command line:

  autoit-ripper sample.exe out_directory

Help message:

  autoit-ripper --help
  usage: autoit-ripper [-h] [--verbose] [--ea {EA05,EA06,guess}] file output_dir

  positional arguments:
    file                  input binary
    output_dir            output directory

  optional arguments:
    -h, --help            show this help message and exit
    --verbose, -v
    --ea {EA05,EA06,guess}
                          extract a specific version of AutoIt script (default: guess)

Format documentation

(In progress)

AU3 header

| Field            | Length          | Encryption (EA05)      | Encryption (EA06)       | Notes                          |
|------------------|-----------------|------------------------|-------------------------|--------------------------------|
| "FILE"           | 4               | MT(0x16FA)             | LAME(0x18EE)            | static string                  |
| flag             | 4               | xor(0x29BC)            | xor(0xADBC)             |                                |
| auto_str         | flag (* 2)      | MT(0xA25E + flag)      | LAME(0xB33F + flag)     | UTF-8/UTF-16                   |
| path_len         | 4               | xor(0x29AC)            | xor(0xF820)             |                                |
| path             | path_len (* 2)  | MT(0xF25E + path_len)  | LAME(0xF479 + path_len) | path of the compiled script    |
| compressed       | 1               | None                   | None                    | is the script compressed       |
| data_size        | 4               | xor(0x45AA)            | xor(0x87BC)             | compressed data size           |
| code_size        | 4               | xor(0x45AA)            | xor(0x87BC)             | uncompressed data size         |
| crc              | 4               | xor(0xC3D2)            | xor(0xA685)             | compressed data crc checksum   |
| creation date    | 4               | None                   | None                    | file creation date (high)      |
| creation date    | 4               | None                   | None                    | file creation date (low)       |
| last update date | 4               | None                   | None                    | last edit date (high)          |
| last update date | 4               | None                   | None                    | last edit date (low)           |
| data             | data_size       | MT(checksum + 0x22af)  | LAME(0x2477)            | script data                    |
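As an added example (not part of AutoIt-Ripper itself), the following parser walks one AU3 record laid out as in the table above, for either magic. It recovers the xor-protected integers and the unencrypted fields (compressed flag, sizes, crc, date words) and returns the MT/LAME-encrypted fields as raw bytes, since those ciphers are not described on this page. It assumes the 4-byte fields are big-endian and that xor(key) applies to the whole 32-bit value; the `Au3Header` field names are mine.

```python
import struct
from dataclasses import dataclass

# xor keys for the 4-byte integer fields, per magic, from the header table above.
# MT(...) / LAME(...) fields are left encrypted: those ciphers are not on this page.
XOR_KEYS = {
    "EA05": {"flag": 0x29BC, "path_len": 0x29AC, "size": 0x45AA, "crc": 0xC3D2},
    "EA06": {"flag": 0xADBC, "path_len": 0xF820, "size": 0x87BC, "crc": 0xA685},
}


@dataclass
class Au3Header:
    version: str
    file_magic: bytes   # "FILE" marker, still MT/LAME-encrypted
    auto_str: bytes     # still encrypted; flag bytes (EA05 UTF-8) or flag*2 (EA06 UTF-16)
    path: bytes         # still encrypted; path_len or path_len*2 bytes
    compressed: bool
    data_size: int      # compressed size == len(data)
    code_size: int      # uncompressed size
    crc: int            # checksum over the compressed data
    creation: tuple     # (high, low) raw u32 pair, stored unencrypted
    last_update: tuple  # (high, low) raw u32 pair, stored unencrypted
    data: bytes         # script data, still MT/LAME-encrypted


def parse_au3_header(buf: bytes, version: str) -> Au3Header:
    """Walk one AU3 record for magic "EA05" or "EA06".
    Assumption (not on the page): 4-byte fields are big-endian and xor(key)
    applies to the whole 32-bit value."""
    keys = XOR_KEYS[version]
    width = 2 if version == "EA06" else 1  # UTF-16 vs UTF-8 string lengths
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError(f"truncated AU3 header at offset {pos}, need {n} bytes")
        pos += n
        return buf[pos - n:pos]

    def u32(key: int = 0) -> int:
        return struct.unpack(">I", take(4))[0] ^ key

    file_magic = take(4)
    auto_str = take(u32(keys["flag"]) * width)
    path = take(u32(keys["path_len"]) * width)
    compressed = take(1)[0] != 0
    data_size, code_size, crc = u32(keys["size"]), u32(keys["size"]), u32(keys["crc"])
    creation, last_update = (u32(), u32()), (u32(), u32())
    return Au3Header(version, file_magic, auto_str, path, compressed, data_size,
                     code_size, crc, creation, last_update, take(data_size))
```

A record that ends early raises `ValueError` instead of silently returning short fields, which is the case a triage tool hits on carved or corrupted samples.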

Differences between v3.00 and v3.26+

|                     | v3.00              | v3.26                                   |
|---------------------|--------------------|-----------------------------------------|
| Code storage        | grepped by magic   | "SCRIPT" resource (or grepped by magic?) |
| String encoding     | UTF-8              | UTF-16                                  |
| Encryption          | xor/custom MT19937 | xor/LAME crypt                          |
| Code encryption key | dynamic            | static                                  |
| Compression         | yes                | yes                                     |
| Code "compilation"  | no                 | yes                                     |
| Magic               | EA05               | EA06                                    |