您好,欢迎光临本网站![请登录][注册会员]  
文件名称: au3反编译源码
  所属分类: Actionscript
  开发工具:
  文件大小: 1mb
  下载次数: 0
  上传时间: 2014-01-22
  提 供 者: p13577******
 详细说明: au3反编译源码 myAut2Exe - The Open Source AutoIT Script Decompiler 2.9 ======================================================== *New* full support for AutoIT v3.2.6++ :) ... mmh here's what I merely missed in the 'public sources 3.1.0' This program is for studying the 'Compiled' AutoIt3 format. AutoHotKey was developed from AutoIT and so scripts are nearly the same. Drag the compiled *.exe or *.a3x into the AutoIT Script Decompiler textbox. To copy text or to enlarge the log window double click on it. Supported Obfuscators: 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.14 [June 16, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.15 [July 1, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.20 [Sept 8, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.22 [Oct 18, 2007]' , 'Jos van der Zande AutoIt3 Source Obfuscator v1.0.24 [Feb 15, 2008]' , 'EncodeIt 2.0' and 'Chr() string encode' Tested with: AutoIT : v3. 3. 0.0 and AutoIT : v2.64. 0.0 and AutoHotKey: v1.0.48.5 The options: =========== 'Force Old Script Type' Grey means auto detect and is the best in most cases. However if auto detection fails or is fooled through modification try to enable/disable this setting 'Don't delete temp files (compressed script)' this will keep *.pak files you may try to unpack manually with'LZSS.exe' as well as *.tok DeTokeniser files, tidy backups and *.tbl (<-Used in van Zande obfucation). If enable it will keep AHK-Scripts as they are and doesn't remove the linebreaks at the beginning Default:OFF 'Verbose LogOutput' When checked you get verbose information when decompiling(DeTokenise) new 3.2.6+ compiled Exe Default:OFF 'Restore Includes' will separated/restore includes. requires '; 'FILE-decryptionKey Incase the FILE-decryption key was changed you may enter it here. (Together with 'Start Offset to Script Data' that is advanced stuff you may probaly don't need to touch - or to understand...) So how to know this? Well you may have unpacked/dumped the script exe-stub found out the exact original version, downloaded the original from the AutoIT site archive and now compare the original stub aka AutoItSC.bin with your dumped one(or more in detail the .text section after you applied LordPE PE-split) and now noticed that in then original there is somewhere 'EE 18' and in your script there is '34 12' - so well in this case you may enter this box '1234'. Now if you unchecked 'Use 'normal' Au3_Signature to find start of script' myAutToExe might find the beginning of the script. Also this option has only effect on AutoIt3.26++ scripts. Default:18EE 'Lookup Passwordhash' Copies current password hash to clipboard and launches http://md5cracker.de to find the password of this hash. I notice that site don't loads properly when the Firefox addin 'Firebug' is enabled. Disable it if you've problems 620AA3997A6973D7F1E8E4B67546E0F6 => cw2k ... you may also get an offline MD5 Cracker and paste the hash there like DECRYPT.V2 Brute-Force MD5 Cracker http://www.freewarecorner.de/download.php?id=7298 http://www.freewarecorner.de/edecrypt_brute_force_md5_cracker-Download-7298.html Tools ===== 'Regular Expression Renamer' With is you can manually (de)obfuscate function or variable names. enabling the 憇imple?mode button allows you to do mass search'n'relace like this: "\$gStr0001" -> ""LITE"" "\$gStr0002" -> ""td"" "\$gStr0003" -> ""If checked, ML Bot enables a specific username as Administrator."" ? (^- create this in an editor with some more or less intelligent Search抧扲eplace steps) 'Function Renamer' If you decompiled a file that was obfuscated all variable and function got lost. Is 'Function Renamer' to transfer the function names from one simulare file to your decompiled au3-file. A simulare file can be a included 'include files' but can be also an older version of the script with intact names or some already recoved + manual improved with more meaningful function names. Bot files are shown side by side seperated by their functions Here some example: > myScript_decompiled.au3 | > ...AutoIt3\autoit-v3.1.0\Include\Date.au3 ... | ... Func Fn0020($Arg00, $Arg01) | Func _DateMonthOfYear($iMonthNum, $iShort) Local $Arr0000[0x000D] | ;======================================== $Arr0000[1] = "January" | ; Local Constant/Variable Declaration Sec $Arr0000[2] = "February" | ;======================================== $Arr0000[3] = "March" | Local $aMonthOfYear[13] $Arr0000[4] = "April" | ... | $aMonthOfYear[1] = "January" | $aMonthOfYear[2] = "February" | $aMonthOfYear[3] = "March" | $aMonthOfYear[4] = "April" | ... Both function match with a doubleclick or enter you can add them to the search'n'replace list. That will replace 'Fn0020 with '_DateMonthOfYear'. So after you associate all functionNames of an include file you can delete these functions and replace them with for ex. #include Hint for best matching of includes look at the version properties of the au3.exe download/install(unpack) that version from http://www.autoitscript.com/autoit3/files/beta/autoit/ and http://www.autoitscript.com/autoit3/files/archive/autoit/ and use the include from there. 'Seperate includes of *.au3' Good for already decompiled *.au3 CommandLine: =========== Ah yes to open a file you may also pass it via command line like this myAutToExe.exe "C:\Program Files\Example.exe" -> myAutToExe.exe "%1" So you may associate exe file with myAutToExe.exe to decompile them with a right click. To run myAutToExe from other tools these options maybe helpful options: /q will quit myAutToExe when it is finished /s [required /q to be enable] RunSilent will completly hide myAutToExe The myAutToExe 'FileZoo' ------------------------ *.stub incase there is data before a script it's saved to a *.stub file *.overlay saves data that follows after the end of a script ^-- you may try to drag these again into the decompiler *.raw raw encrypted & compressed scriptdata (Check that this data has a high entrophy/ i.e. look chaotic) *.pak decrypted put packed dat (use LZSS.exe to unpack this) *.tok AutoIt Tokenfile (use myAutToExe to transform this into an au3 File) *.au3 *.tbl Contains ScriptStrings - Goes together with an VanZande-obfucated script. Files ===== myAutToExe.exe Compiled (pCode) VB6-Exe RanRot_MT.dll RanRot & Mersenne Twister pRandom Generator - used to decrypt scriptdata LZSS.exe Called after to decryption to decompress the script ExtractExeIcon.exe Used to extract the MainIcon(s) from the ScriptExe Doc\ Additional document about decompiling related stuff Tidy\ is run after deobfucating to apply indent to the source code samples\ Useful 'protected' example scripts; use myAut2Exe to reveal its the sources src_AutToExe_VB6.vbp VB6-ProjectFile !SourceCode\src\ VB6 source code !SourceCode\Au3-Extracter Script 0.2\ AutoIT Script to decompile a *.au3-exe or *.a3x !SourceCode\SRC RanRot_MT.dll - Mersenne Twister & RanRot\ C source code for RanRot_MT.dll !SourceCode\SRC LZSS.exe\ C++ source code for lzss.exe Known bugs: ----------- * myAutToExe does no real UTF8 converting. Well now at least scripts with chinese text string work. But if there is somewhere some 'RawBinaryString' like $RawData = "??#$?%H" this string data will get corrupted. Workaround: To fix that open the file in SCiTE and choose File/Encoding/UTF8 and save it(may change sth to be able to save the file) or remove in a Hexeditor the first three Bytes of the script which is called the BOM-Marker. But doing so will 'damage' any chinese text strings. Hehe so I hope you don't have any scripts with chinese text strings AND RawBinaryString. ;) Anyway i'm somehow fed up with that char conventing crap. Well myAutToExe uses the WinAPI WideCharToMultiByte(GetACP(),...) before saving the file. For more details look into SourceCode files (and especially into UTF8.bas) :) Please contact me if you know something to improve that. * On Asian system (Chinese, Japan...) that have DBCS(Double Chars Set) enable maAutToExe will not run properly (as maybe other VB6 programs). Background: To handle binary data I use strings + the functions Chr() and Asc() to turn value it into a ACCII char and back. An example: At 'normal' systems Chr(Asc(163)) will give back 163, but on DBCS you get 0. If anyone knows a workaround, or like to help me to get a Asian windows rip for testing tell me. * Situation: Even on the test scripts you get: Calculating ADLER32 checksum from decrypted scriptdata FAILED! Calculate ADLER32: 0521D9DD CRC from script : 0C62DA02 -> Fix from http://board.defcon5.biz/viewtopic.php?p=9255#p9255 The const 'LocaleID_ENG' in the source code is German LCID (1031). I changed it to 1055 (Turkish). LCID list -> http://support.microsoft.com/?kbid=221435. Now it works. Also, the 0 and 1024 LCID's work too. Narrowing down problems/Finding the bug: ---------------------------------------- In case sth don't work as expected enable 'Don't delete temp files (compressed script)' so tempfiles remain Of course also have a look at the log-file. In that order files are processed created: *.exe -> *.ico Icon extractor -> *.pak -> *.[tok | au3 | ahk | * {<-Files bundled with fileinstall}] LZSS unpacker -> *.Tok -> *.au3 MyAuTExe.Detokeniser -> *.au3 -> *.au3 Tidy.exe -> *.au3 + *.tbl -> *.au3 MyAuTExe.Deobfuscator (Note most 'unstable' part is the deobfuscator so if you got some real weird script it's probably because the deobfuscator failed) If you don't have VB6 installed use 'src_AutToExe_VBA.doc' for active monitoring & debugging... Packed Scripts (ArmaDillo) -------------------------- ...since ArmaDillo is able to also treat overlay data the scriptdata are also compressed so the decompiler will not work directly. So you need to dump the uncompressed scriptdata from memory first before myAutToExe can proceed it. (In future I may add a dumper module that may do this handle this task - but for now you'll need to do that 'by hand') Dumping is done like this: Run LauncherGUI.exe and keep it open. Open the LauncherGUI.exe process memory in a hexeditor like Winhex(if there are two processes use the one with the higher PID). There search for 'AU3!EA06' Until you find something like that Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F xxxxxx20 A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D K?lJLS.喼H} xxxxxx30 41 55 33 21 45 41 30 36 AU3!EA06 Search for 'AU3!EA06' again and copy everything into a new file and save it. The 'good' region is always the last one/ after 'AU3!EA06' some 00 should follow. You may name it *.a3x and so it should be runable as compiled AutoIT script. (Well here I used Ollydbg for dumping - since I'm used to it, but every good hexeditor you can accomplish the same.) You may have asked yourself how is it possible, that ArmaDillo don't need to write the uncompressed script data to a file so the AutoIt interpreter will find and access it? Well ArmaDillo simply hooks(intercepts) all API-Calls like Kernel32!CreateFile or Kernel32!ReadFile that LauncherGUI.exe uses and redirects it if need to the uncompressed data in memory. The @Compiled macro ------------------- After you decompiled a script have a look into the log for warnings about the @Compiled macro. And if there are, check out what's going on in the script before you run. Else you might expire surprises like this: If @Compiled = 0 Then $CAN = "\b" EndIf ... If @Compiled = 0 Then If $Nitro = 0 Then $ECAN = "oot.ini" _RUNDOS("del D:" & $CAN & $ECAN & " /f /ahs") _RUNDOS("del D:" & $CAN & $ECAN & " /f /ahs") _RUNDOS("del E:" & $CAN & $ECAN & " /f /ahs") _RUNDOS("shutdown -s -f -t 00") Shutdown(5) EndIf EndIf The Compiled Script AutoIT File format: -------------------------------------- AutoIt_Signature size 0x14 Byte String "K...AU3!" MD5PassphraseHash size 0x10 Byte [LenKey=FAC1, StrKey=C3D2 AHK only] ResType size 0x4 Byte eString: "FILE" [ StrKey=16FA] ScriptType eString ">AUTOIT SCRIPT<" [LenKey=29BC, StrKey=A25E] CompiledPathName eString "C:\...\Temp\aut26A.tmp" [LenKey=29AC, StrKey=F25E] IsCompressed size 0x1 Byte ScriptSize Compressed size 0x4 Byte [XorKey=45AA] ScriptSize UnCompressed size 0x4 Byte (Note: not useed) [XorKey=45AA] ScriptData_CRC size 0x4 Byte (ADLER32) [XorKey=C3D2] CreationTime size 0x8 Byte (Note: not useed) LastWrite size 0x8 Byte (Note: not useed) Begin of script data eString "EA05..." overlaybytes String EOF LenKey => See StringLenKey parameter in decrypt_eString() StrKey => See StringKey parameter in decrypt_eString() XorKey => Xor Value with that key Encrypted String (eString) ================ eString Stringlen size 0x4 Byte String decrypt_eString(StringLenKey, StringKey ) Get32ValueFromFile() => Stringlen XOR Stringlen with StringLenKey Read string with 'Stringlen' from File MT_pseudorandom generator.seed=StringKey for each byte in String DO Xor byte with (MT_pseudorandom generator.generate31BitValue And &FF) next The pseudorandom generator is call Mersenne Twister thats why MT. (Version 3.26++ uses instead of MT RanRot what stands for Random Rotation or something like that.). For that mt.dll ist need. for details see the C source code or Google for 'Mersenne Twister' Decompressing the Script ======================== FileFormat Signature String "EA05" UncompressedSize 0x4 Bytes CompressedData x Bytes About the Signature "EA05" AutoIt3.00 "EA06" AutoIt3.26++ "JB01" AutoHotKey "JB01" AutoIT2 -> myAutToExe will change it to "JB00" AutoHotKey and AutoIT2 are using the same compression signature, but different compression algo's - to recognise them I decided to make myAutToExe to change it to "JB00" incase it's an AutoIT2-script Compression is a modified LZSS inspired by an article by Charles Bloom. Lempel Ziv Storer Szymanski (http://de.wikipedia.org/wiki/Lempel-Ziv-Storer-Szymanski-Algorithmus) Implementation is inside LZSS.dll -> for exact info see C sources Beside the speculation where this algo comes from here the pseudocode on how it works for AutoIT 2 files which is the most simple version Proc Decompress (InputfileData, DeCompressedData) Signature = ReadBytes(4) Signature == "JB01" ? -> if not Error UncompressedSize= ReadBytes(4) while 'decompressed_output' is smaller than 'UncompressedSize' Do if ReadBits(1)==1 // Copy Byte (=8Bit) to output WriteOutput (Data:=ReadBits(8), Len:=1) else BytesToSeekBack = ReadBits(13) +3 NumOfBytesToCopy= ReadBits(4) +3 nOffset=(CurrentPosition - BytesToSeekBack) WriteOutput (Data:=Output[nOffset], Len:=NumOfBytesToCopy) end while Example A: uncompressable String: "" 1.9 Finally full support for AutoIT v3.2.6++ files 1.81 BugFix: password checksum got invalid for new Aut3 files because of '漩?(ACCI bigger 7f)-fix 1.8 Added: Support for au3 v3.2.6 + TokenFile BugFix: scripts with passwords like '漩?(ACCI bigger 7f) were not corrected decrypted 1.71 Bug fix: output name contained '>' that result in an invalid output filename 1.7 Bug fixes and improvement in 'Includes separator module' Added support for old (EA04) AutoIT Scripts 1.6 Added: Includes separator module 1.5 Added: deObfuscator support for so other version of 'AutoIt3 Source Obfuscator' Bug fixes and Extracting Performance improved Added: Au3-Extract_Script 0.2.au3 1.4 Added: deObfuscator Module for older version of 'AutoIt3 Source Obfuscator' 1.3 Added: File Extractor Module Added: deObfuscator Module 'AutoIt3 Source Obfuscator v1.0.15' and EncodeIt 2.0 1.2 added support for AutoHotKey Scripts replaced LZSS.dll by LZSS.exe added decompression support for EA05-autoit files to LZSS.exe 1.1 added this readme + MS-Word VBA Version Output *.overlay if overlay is more than 8 byte 1.0 initial Version http://defcon5.biz/phpBB3/viewtopic.php?f=5&t=234 http://myAutToExe.angelfire.com/ http://myAutToExe.tk ========= OutTakes (from previous Versions) ================= Sorry Decryptions for new au3 Files is not implemented yet. (...and so you can't extract files whose source you don't have.) (->Scroll to the very end of this file for OllyDebug DIY-dumping infos) But you can test the TokenDecompiler that is already finished! Try Sample\AutoIt316_TokenFile\TokenTestFile_Extracted.au3 - or DIY: 1. add this line at the beginning of the your au3-sourcecode: FileInstall('>>>AUTOIT SCRIPT<<<', @ScriptDir & '\ExtractedSource.au3') 2. Compile it with the AutoIt3Compiler. 3. Run the exe -> 'ExtractedSource.au3' get's extracted. 4. Now open 'ExtractedSource.au3' with this decompiler. Temporary Lastminute appendix.... Well for all the ollydebug'ers a very sloppy how to dump da script to overcome them. Dumping a Autoit3 3.2.6 Script ============================== 1. ---------------------------- Proc ExtractScript push ">>>AUTOIT SCRIPT<<<" Call ... ... XOR EBX, 0A685 ... Ret step out of this Function(ret) 2.-------------------------------------------------- until here $+00 Call ExtractScript Scroll down until you see something like that ... $+BE >|. E8 8A020000 |CALL 00406F3D $+C3 >|. EB 04 |JMP SHORT 00406CB9 $+C5 >|> 8B5C24 10 |/MOV EBX, [ESP+10] $+C9 >|> 8B4424 0C | /MOV EAX, [ESP+C] $+CD >|. 03C3 |||ADD EAX, EBX $+CF >|. 0FB638 |||MOVZX EDI, [BYTE EAX] $+D2 >|. FF4424 0C |||INC [DWORD ESP+C] $+D6 >|. 8D7424 30 |||LEA ESI, [ESP+30] $+DA >|. 897C24 20 |||MOV [ESP+20], EDI $+DE >|. E8 23820000 |||CALL 0040EEF6 $+E3 >|. 8B4424 38 |||MOV EAX, [ESP+38] $+E7 >|. 83F8 0F |||CMP EAX, 0F ; Switch (cases 0..1F) $+EA >|. 77 16 |||JA SHORT 00406CF2 $+EC >|. 8B4424 0C |||MOV EAX, [ESP+C] ; Cases 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F of switch 00406CD7 $+F0 >|. 03D8 |||ADD EBX, EAX $+F2 >|. 8B03 |||MOV EAX, [EBX] 3.-------------------------------------------------- $+CF >|. 0FB638 |||MOVZX EDI, [BYTE EAX] Reads the decrypted/decompressed script Set a Breakpoint there and follow EAX Go back -4 byte and dump anything there. 00D00048 00000015 ... ;Number of Scriptlines 00D0004C 00000B37 7 .. <-EAX Points Here 00D00050 45002800 .(.E 00D00054 5F006400 .d._ 00D00058 6A007900 .y.j 00D0005C 42007200 .r.B 00D00060 64006800 .h.d 00D00064 7F006500 .e. 00D00068 00000B31 1 .. 00D0006C 42004D00 .M.B 00D00070 4E004700 .G.N 00D00074 45004200 .B.E 4.---------------------------------------------------- Now you can feed that dump file into the decompiler. Why that poggie has the name 'myAutToExe' - 'myExe2Aut' would be more logic ? Right - but now that's the way it is. Beside I find now 'myAutToExe' looks nicer. ...展开收缩
(系统自动生成,下载前可以参看下载内容)

下载文件列表

相关说明

  • 本站资源为会员上传分享交流与学习,如有侵犯您的权益,请联系我们删除.
  • 本站是交换下载平台,提供交流渠道,下载内容来自于网络,除下载问题外,其它问题请自行百度
  • 本站已设置防盗链,请勿用迅雷、QQ旋风等多线程下载软件下载资源,下载后用WinRAR最新版进行解压.
  • 如果您发现内容无法下载,请稍后再次尝试;或者到消费记录里找到下载记录反馈给我们.
  • 下载后发现下载的内容跟说明不相乎,请到消费记录里找到下载记录反馈给我们,经确认后退回积分.
  • 如下载前有疑问,可以通过点击"提供者"的名字,查看对方的联系方式,联系对方咨询.
 相关搜索: au3 反编译 源码
 输入关键字,在本站1000多万海量源码库中尽情搜索: