Skip to content

nazywam/AutoIt-Ripper

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 1 tag
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
autoit_ripper
 
 
img
 
 
.gitignore
 
 
LICENSE
 
 
MANIFEST.in
 
 
README.md
 
 
autoit_rule.yar
 
 
requirements.txt
 
 
setup.py
 
 
AutoIt-Ripper What is this References Supported AutoIt versions Ready: Unknown: Installation Running Format documentation (In progress) AU3 header Differences between v3.00 and v3.26+

README.md

AutoIt-Ripper

What is this

This is a short python script that allows for extraction of "compiled" AutoIt scripts from PE executables.

References

This script is heavily based on 3 resources, definitely check them out if you want to dig a bit deeper into AutoIt stuff:

Supported AutoIt versions

Ready:

  • EA05 AutoIt3.00
  • EA06 AutoIt3.26

Unknown:

  • JB01 AutoHotKey
  • JB01 AutoIT2

Installation

python3 -m pip install autoit-ripper

or, if you'd like to install the version from sources:

git clone https://github.com/nazywam/AutoIt-Ripper.git
cd AutoIt-Ripper
pip install .

Running

From a python script:

from autoit_ripper import extract, AutoItVersion

with open("sample.exe", "rb") as f:
    file_content = f.read()

# EA05 for v3.00+, EA06 for v3.26+
# Omitting `version` or passing None will try both versions
content_list = extract(data=file_content, version=AutoItVersion.EA06)

From the commandline:

autoit-ripper sample.exe out_directory

Help message:

autoit-ripper --help
usage: autoit-ripper [-h] [--verbose] [--ea {EA05,EA06,guess}] file output_dir

positional arguments:
  file                  input binary
  output_dir            output directory

optional arguments:
  -h, --help            show this help message and exit
  --verbose, -v
  --ea {EA05,EA06,guess}
                        extract a specific version of AutoIt script (default: guess)

Format documentation

(In progress)

AU3 header

Field Length encryption (EA05) encryption (EA06) Notes
"FILE" 4 MT(0x16FA) LAME(0x18EE) static string
flag 4 xor(0x29BC) xor(0xADBC)
auto_str flag (* 2) MT(0xA25E + flag) LAME(0xB33F + flag) UTF-8/UTF-16
path_len 4 xor(0x29AC) xor(0xF820)
path path_len (* 2) MT(0xF25E + path_len) LAME(0xF479 + path_len) Path of the compiled script
compressed 1 None None is the script compressed
data_size 4 xor(0x45AA) xor(0x87BC) compressed data size
code_size 4 xor(0x45AA) xor(0x87BC) uncompressed data size
crc 4 xor(0xC3D2) xor(0xA685) compressed data crc checksum
creation date 4 None None file creation date (high)
creation date 4 None None file creation date (low)
last update date 4 None None last edit date (high)
last update date 4 None None last edit date (low)
data data_size MT(checksum + 0x22af) LAME(0x2477) script data

Differences between v3.00 and v3.26+

v3.00 v3.26
Code storage greped by magic "SCRIPT" resource (/greped by magic?)
String encoding UTF-8 UTF-16
Encryption xor/custom MT19937 xor/LAME crypt
Code encryption key dynamic static
Compression yes yes
Code "compilation" no yes
Magic EA05 EA06

About

Extract AutoIt scripts embedded in PE binaries

Topics

malware extraction autoit

Resources

Readme

License

MIT license
Activity

Stars

137 stars

Watchers

9 watching

Forks

29 forks
Report repository

Releases 1

1.1.1 - better late than never Latest
Oct 24, 2023

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages