reverse engineering on autohotkey executables


side
  • Members
  • 168 posts
  • Last active: Nov 30 2014 03:41 PM
  • Joined: 01 Nov 2012

Hello. I compiled a script

(here is the source)

Check:

InputBox,pass,Password Field,Please type the password
if errorlevel
ExitApp

if (pass = "legere" )
{
    msgbox,Thanks!
    ExitApp
}
else
{
    MsgBox,Wrong password.Try again
    goto,Check
}


esc::
exitapp

and then I wanted to find the "correct" password through dasm/ollydbg...

I failed with both disassemblers... any idea?

thanks



G. Sperotto
  • Members
  • 539 posts
  • Last active: Jun 20 2015 04:54 PM
  • Joined: 12 Dec 2011

Hi Side.


There are some rather easy ways to decompile a script and/or retrieve its source, especially if no packer/compressor has been used. AutoHotkey.exe is not really a compiler, it's an interpreter, and as far as I know the AutoHotkey "compilers" out there don't actually "compile" a source; they merely merge it with a modified interpreter so that they become a single executable file.


So the source is usually stored as plain text in the resource section of the uncompressed executable.


"What is a suitable automation? Whatever saves your day for the greater matters."
Barcoder - Create QR Codes and other Barcodes using only Autohotkey !!


A v i
  • Members
  • 1323 posts
  • Last active: Nov 14 2015 06:56 PM
  • Joined: 30 Jan 2013

There are some rather easy ways to decompile a script and/or retrieve its source, especially if no packer/compressor has been used. AutoHotkey.exe is not really a compiler, it's an interpreter, and as far as I know the AutoHotkey "compilers" out there don't actually "compile" a source; they merely merge it with a modified interpreter so that they become a single executable file.

Exactly, try Resource Hacker on the ahk exe. Just open the RC_DATA section and then AUTOHOTKEY_SCRIPT and get the source.
If a compressor has been used, the best method is to decompress the exe using the compressor and then throw the decompressed exe to Resource Hacker.
Another good way can be 7-zipping the exe to extract the underlying resources, but I don't know how to proceed here.

Now a CS Undergrad. | My Website | Autohotkey Scripts | Softwares

Telegram me : @aviaryan


faqbot
  • Members
  • 997 posts
  • Last active:
  • Joined: 10 Apr 2012
See the two decompilers listed here https://ahknet.autoh...html#protection for AutoHotkey basic and AutoHotkey_L

A v i
  • Members
  • 1323 posts
  • Last active: Nov 14 2015 06:56 PM
  • Joined: 30 Jan 2013

See the two decompilers listed here https://ahknet.autoh...html#protection for AutoHotkey basic and AutoHotkey_L

The payload method fails with [at least] UPX. My AHK_L script compressed using UPX when dragged to Payload Decompiler by IsNull gives ---

<Recover Source for S:\Portables\AutoHotkey\My Scripts\Clipjump\Clipjump.exe>
<Starting file analysis...>
<Readed 421888 bytes from file.>
<Whatever you dragged here, this is NOT a valid PE file.>
<File seems not to be a valid compiled AHK Script or it uses an unknown protection.>



kizsdet
  • Members
  • 1 posts
  • Last active: Aug 11 2015 08:20 AM
  • Joined: 10 Jun 2013

Extract using 7zip. Go to .rsrc > rcdata and there you can find the script.
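
The replies above say the script sits as plain text in the RCDATA resources of the uncompressed exe. As an added example (not code from any poster in this thread), this Python code walks a PE resource directory and returns every RCDATA resource, which lets you audit your own compiled script for embedded secrets such as the password comparison in the first post. It assumes you pass the raw .rsrc section bytes and that section's RVA; `build_sample`, the resource name (taken from the wording in the thread) and the RVA 0x3000 are constructed for the demo.

```python
import struct

RT_RCDATA = 10  # resource type ID for raw application data

def _entries(rsrc, off):
    """Yield (name_or_id, is_subdir, target_offset) for one resource directory."""
    named, ids = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(named + ids):
        name, target = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        if name & 0x80000000:  # high bit: offset to a length-prefixed UTF-16 name
            pos = name & 0x7FFFFFFF
            (n,) = struct.unpack_from("<H", rsrc, pos)
            name = rsrc[pos + 2:pos + 2 + 2 * n].decode("utf-16-le")
        yield name, bool(target & 0x80000000), target & 0x7FFFFFFF

def rcdata_resources(rsrc, rsrc_rva):
    """Return {name_or_id: bytes} for every RCDATA resource in a raw .rsrc section."""
    found = {}
    for rtype, is_dir, type_off in _entries(rsrc, 0):       # level 1: type
        if rtype != RT_RCDATA or not is_dir:
            continue
        for name, is_dir2, name_off in _entries(rsrc, type_off):  # level 2: name
            if not is_dir2:
                continue
            for _lang, is_dir3, leaf in _entries(rsrc, name_off):  # level 3: language
                if is_dir3:
                    continue
                rva, size = struct.unpack_from("<II", rsrc, leaf)
                start = rva - rsrc_rva  # data RVA -> offset inside the section
                found[name] = rsrc[start:start + size]
    return found

def build_sample(script, res_name, rsrc_rva):
    """Constructed .rsrc blob: RCDATA -> res_name -> language 0x409 -> script."""
    def header(named, ids):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)
    name = struct.pack("<H", len(res_name)) + res_name.encode("utf-16-le")
    # layout: three 24-byte directories, data entry at 72, name at 88, then data
    data_off = 88 + len(name)
    blob = header(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 24)
    blob += header(1, 0) + struct.pack("<II", 0x80000000 | 88, 0x80000000 | 48)
    blob += header(0, 1) + struct.pack("<II", 0x409, 72)
    blob += struct.pack("<IIII", rsrc_rva + data_off, len(script), 0, 0)
    return blob + name + script

# Constructed sample input: a fragment of the script from the first post.
SCRIPT = b'if (pass = "legere" )\r\n{\r\n    msgbox,Thanks!\r\n}'
SAMPLE = build_sample(SCRIPT, "AUTOHOTKEY_SCRIPT", 0x3000)
```

On a real file, the section bytes and RVA come from the PE section table; as noted in the thread, a compressed exe has to be decompressed first.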