.I recently read a post in [irc-security] where they had an AutoIT executable doing bot stuff (yes, it was a bot). So anyway, it reminded me of something I did a few months back, wherein I was checking a file which was, yep, an AutoIT exec, and i needed to know what it was doing. The easiest way of course, was to get the original script.
Anway, enough of the background stuff, after a few F2's, F9's, F8's, F7's, CTRL-L's, CTRL-B's, here's what i came up with (I used OllyDbg btw):
1. For starters, AutoIT executables are UPX-packed, so we have to get into the unpacked version in memory. UPX is fairly easy, after loading the file in OllyDBG, breakpoint at the last JMP instruction (i have screenshots but then i don't know how to post it hehehe), something like:
CALL ...
POPAD
JMP xxxxx
00
00
00
...
Then F8 to go into the unpacked version.
2. Next up, we have to locate winMain, which can easily be done via IDAPro, in this case, WinMain is the first CALL after the call to GetModuleHandleA. F2, F9, then F7.
3. After F7ing, there are 6 CALLs before the RETN. F2 on the 5th CALL, F9, then F7.
4. In the next series of instructions find the first JMP, then the first CALL after the JMP. Again, F2, F9, F7.
5. Next, find the CALL right before the RETN. (at this point, i think doing a right-click Analyze-Code, or opening the un-UPX'd file in IDA is quite useful so as not to get lost in the text hehehe). F2, F9, F7.
6. Finally, in OllyDbg (if your screen is big enough) you should see something like:
PUSH <xxx> ASCII ">AUTOIT SCRIPT<"
CALL <xxx>
TEST EAX, EAX
or, if you don't see the ">AUTOIT SCRIPT<" text, find these series of instructions:
PUSH
LEA
LEA
PUSH
PUSH
CALL <-- Call to load the original script into memory!
TEST
F2 on the CALL, F9, F8. Check ECX register.
This works on the latest downloadable AutoIT, with or without the "Decompile" option checked (regardless of whether a password is required or not)
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}