MyAut2Exe
myAut2Exe - The Open Source AutoIT Script Decompiler
myAut2Exe - The Open Source AutoIT Script Decompiler 2.12
New full support for AutoIT v3.2.6++ :)
... mmh here's what I merely missed in the 'public sources 3.1.0' This program is for studying the 'Compiled' AutoIt3 format.
AutoHotKey was developed from AutoIT and so scripts are nearly the same.
Drag the compiled *.exe or *.a3x into the AutoIT Script Decompiler textbox. To copy text or to enlarge the log window, double click on it.
Supported Obfuscators: 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.14 [June 16, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.20 [Sept 8, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.22 [Oct 18, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.24 [Feb 15, 2008]' , 'EncodeIt 2.0' and 'Chr() string encode'
Tested with: AutoIT v3.3.6.1, AutoIT v3.3.0.0, AutoIT v2.64.0.0 and AutoHotKey v1.0.48.5
The Options
'GetCamo's' It uses RegExp to grab the needed camo vectors from the Au3-exe-stub. ^- Note that this function only works if the target is unpacked. So if it's packed with UPX or another packer, just unpack it or dump the Exe from memory (via LordPE or Procdump). The dump doesn't need to be runnable or contain the script. Just use the dump file to get the camo vectors and then select the real script file.
'Force Old Script Type' Grey means auto detect and is the best choice in most cases. However, if auto detection fails or is fooled through modification, try to enable/disable this setting.
'Don't delete temp files (compressed script)' This keeps the *.pak files, which you may try to unpack manually with 'LZSS.exe', as well as *.tok DeTokeniser files, tidy backups and *.tbl files (<- used in van Zande obfuscation).
If enabled, it keeps AHK scripts as they are and doesn't remove the line breaks at the beginning. Default:OFF
'Verbose LogOutput' When checked, you get verbose information when decompiling (DeTokenise) new 3.2.6+ compiled Exes.
If greyed, the detokeniser will show an extra window with colored output.
^- I really don't recommend enabling this.
Alpha, slow, useless and will stop at 32768 items due to some stupid VB limitation.
(I stopped developing this - well, it was thought of as a token editor and module for other projects, such as the
ioncube decompiler - to make some small changes to the PHP bytecode - and write them back ...)
Default:OFF
'Restore Includes' Will separate/restore includes. Requires the ';<AUT2EXE INCLUDE-START' comment to be present in the script to work. Default:ON
'Use 'normal' Au3_Signature to find start of script' Uses the normal 16-byte start signature to detect the start of a script. Often this signature was modified, or is used for a fake script that is just attached to distract & mislead a decompiler. When off, it scans for 'FILE' as encrypted text to find the start of a script. Default:OFF
'Start Offset to Script Data' Here you can manually specify the offset where the script starts. Normally you should leave that field blank so myAutToExe does that job for you.
(Indeed, that option is pretty useless. The only case where it can be useful is if there are multiple fake scripts, à la "Hacker. Nice try, but wrong :)", and you know the exact ScriptOffset, so you can directly extract it without the longer way via these *.stub or *.overlay files.) Default:<empty>
Options in the 'ScriptStart' frame These settings are more or less important for finding the start of the script. You can set 'Start Offset to Script Data' to manually override these settings.
Options in the 'ScriptBody XORKey's' frame These are really essential for decrypting the script. Of course, changing them out of the blue makes no sense. In case the script+interpreter was treated by AutoIt3Camo or other 'custom modifications', changing these values might be necessary. In case you know (or guessed) the exact AutoIT version, you may compare the original interpreter stub 'Aut2Exe\AutoItSC.bin' with the one from the script. When the comparison shows differences, e.g. the original has a 'PUSH 18EE' and the script has a 'PUSH 254F194', then it's probably good to change the standard value from 18EE to 254F194 (and to do this for the other values as well) to get the script decrypted and finally decompiled. More details in the AutoIt3Camo sections.
'FILE-decryptionKey' In case the FILE-decryption key was changed, you may enter it here. (Together with 'Start Offset to Script Data', that is advanced stuff you probably don't need to touch - or to understand...) So how to know this? Well, you may have unpacked/dumped the script exe-stub, found out the exact original version, downloaded the original from the AutoIT site archive, compared the original stub aka AutoItSC.bin with your dumped one (or, in more detail, the .text section after you applied LordPE PE-split), and noticed that in the original there is somewhere 'EE 18' and in your script there is '34 12' - in this case you enter '1234' in this box. Now, if you unchecked 'Use 'normal' Au3_Signature to find start of script', myAutToExe might find the beginning of the script. Also, this option only has an effect on AutoIt3.26++ scripts. Default:18EE
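The stub comparison described for the 'ScriptBody XORKey's' and 'FILE-decryptionKey' options can be scripted. The following is an added example, not part of myAutToExe: it assumes both stubs are the same AutoIt version so offsets line up and that the constants appear as x86 PUSH imm32 operands (opcode 0x68); the function names are hypothetical and the sample bytes are constructed.

```python
import struct

PUSH_IMM32 = 0x68  # x86 opcode for PUSH imm32 (operand is little-endian)

def find_changed_pushes(orig: bytes, dumped: bytes, defaults=(0x18EE,)):
    """For each 'PUSH <default>' in the original stub, read the operand at the
    same offset in the dumped stub and report it when it differs.
    Returns a sorted list of (offset, original_value, dumped_value)."""
    hits = []
    for value in defaults:
        pattern = bytes([PUSH_IMM32]) + struct.pack("<I", value)
        pos = orig.find(pattern)
        while pos != -1:
            # Only trust the site if the dump still has a PUSH imm32 there.
            if pos + 5 <= len(dumped) and dumped[pos] == PUSH_IMM32:
                new = struct.unpack_from("<I", dumped, pos + 1)[0]
                if new != value:
                    hits.append((pos, value, new))
            pos = orig.find(pattern, pos + 1)
    return sorted(hits)

def box_value(value: int) -> str:
    """Hex string as typed into the option box: bytes '34 12' -> '1234'."""
    return format(value, "X")

# Constructed sample bytes standing in for the two .text sections.
PROLOGUE = bytes.fromhex("558bec83ec10")
MIDDLE = bytes.fromhex("e800000000")
TAIL = bytes.fromhex("c3")
ORIG_STUB = (PROLOGUE + bytes.fromhex("68ee180000") + MIDDLE
             + bytes.fromhex("68ee180000") + TAIL)
DUMPED_STUB = (PROLOGUE + bytes.fromhex("6894f15402") + MIDDLE
               + bytes.fromhex("6834120000") + TAIL)

if __name__ == "__main__":
    for off, old, new in find_changed_pushes(ORIG_STUB, DUMPED_STUB):
        print(f"offset 0x{off:X}: PUSH {box_value(old)} -> PUSH {box_value(new)}")
```

A 5-byte pattern can also match by chance inside data, so check each reported offset in a disassembler before changing a key value.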
'Lookup Passwordhash' Copies the current password hash to the clipboard and launches http://md5cracker.de to find the password for this hash.
I notice that the site doesn't load properly when the Firefox add-on 'Firebug' is enabled. Disable it if you have problems.
620AA3997A6973D7F1E8E4B67546E0F6 => cw2k
... you may also get an offline MD5 cracker and paste the hash there, like DECRYPT.V2 Brute-Force MD5 Cracker http://www.freewarecorner.de/download.php?id=7298 http://www.freewarecorner.de/edecrypt_brute_force_md5_cracker-Download-7298.html
Tools
'Regular Expression Renamer' With this you can manually (de)obfuscate function or variable names.
Enabling the 'simple' mode button allows you to do mass search'n'replace like this:
"\$gStr0001" -> ""LITE""
"\$gStr0002" -> ""td""
"\$gStr0003" -> ""If checked, ML Bot enables a specific username as Administrator.""
...
(^- create this in an editor with some more or less intelligent Search'n'Replace steps)
'Function Renamer' If you decompiled a file that was obfuscated, all variable and function names got lost.
Use 'Function Renamer' to transfer the function names from one similar file to
your decompiled au3-file.
A similar file can be one of the included 'include files', but can also be an older version
of the script with intact names, or one already recovered + manually improved with
more meaningful function names.
Both files are shown side by side, separated by their functions.
Here is an example:
> myScript_decompiled.au3     | > ...AutoIt3\autoit-v3.1.0\Include\Date.au3
...                           | ...
Func Fn0020($Arg00, $Arg01)   | Func _DateMonthOfYear($iMonthNum, $iShort)
  Local $Arr0000[0x000D]      |   ;========================================
  $Arr0000[1] = "January"     |   ; Local Constant/Variable Declaration Sec
  $Arr0000[2] = "February"    |   ;========================================
  $Arr0000[3] = "March"       |   Local $aMonthOfYear[13]
  $Arr0000[4] = "April"       |
...                           |   $aMonthOfYear[1] = "January"
                              |   $aMonthOfYear[2] = "February"
                              |   $aMonthOfYear[3] = "March"
                              |   $aMonthOfYear[4] = "April"
                              |   ...
Both functions match; with a double click or Enter you can add them to the search'n'replace
list. That will replace 'Fn0020' with '_DateMonthOfYear'.
So after you have associated all function names of an include file, you can delete these functions and
replace them with, for example, #include <Date.au3>
Hint: for best matching of includes, look at the version properties of the au3.exe,
download/install (unpack) that version from
http://www.autoitscript.com/autoit3/files/beta/autoit/
and
http://www.autoitscript.com/autoit3/files/archive/autoit/
and use the includes from there.
'Seperate includes of *.au3' Good for already decompiled *.au3
'GetAutoItVersion'
CommandLine
Ah yes, to open a file you may also pass it via the command line like this: myAutToExe.exe "C:\Program Files\Example.exe" -> myAutToExe.exe "%1" So you may associate exe files with myAutToExe.exe to decompile them with a right click.
To run myAutToExe from other tools, these options may be helpful:
/q will quit myAutToExe when it is finished
/s [requires /q to be enabled] RunSilent will completely hide myAutToExe
The myAutToExe 'FileZoo'
*.stub In case there is data before a script, it's saved to a *.stub file
*.overlay Saves data that follows after the end of a script
^-- you may try to drag these into the decompiler again
*.raw Raw encrypted & compressed script data (check that this data has a high entropy, i.e. looks chaotic)
*.pak Decrypted but packed data (use LZSS.exe to unpack this)
*.tok AutoIt token file (use myAutToExe to transform this into an au3 file)
*.au3
*.tbl Contains ScriptStrings - goes together with a VanZande-obfuscated script.
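The entropy check suggested for *.raw can be done numerically instead of by eye. The following is an added example, not part of myAutToExe; it goes a step further and scans fixed-size windows to show where a high-entropy blob sits between low-entropy *.stub and *.overlay data. The window size, threshold, function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_spans(data: bytes, window: int = 2048, threshold: float = 7.5):
    """Return [start, end) offsets of runs of consecutive windows whose
    entropy is at or above the threshold (assumed values, tune per sample)."""
    spans, start, off = [], None, 0
    for off in range(0, len(data) - window + 1, window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if start is None:
                start = off
        elif start is not None:
            spans.append((start, off))
            start = None
    if start is not None:
        spans.append((start, off + window))
    return spans

# Constructed sample: text-like "stub", pseudo-random "script", zeroed "overlay".
STUB = (b"This program cannot be run in DOS mode. " * 128)[:4096]
SCRIPT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
OVERLAY = bytes(2048)
SAMPLE = STUB + SCRIPT + OVERLAY

if __name__ == "__main__":
    for begin, end in high_entropy_spans(SAMPLE):
        blob = SAMPLE[begin:end]
        print(f"0x{begin:X}-0x{end:X}: {shannon_entropy(blob):.2f} bits/byte")
```

A *.raw file that scores well below 8 bits per byte usually means the extraction started at the wrong offset or the data is not encrypted script data at all.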
Files
myAutToExe.exe Compiled (pCode) VB6-Exe
data\RanRot_MT.dll RanRot & Mersenne Twister pRandom G
