首页
社区
课程
招聘
[转帖]How to de-obfuscate a huge AutoIT script in less than two minutes
发表于: 2020-3-13 14:35 4063

[转帖]How to de-obfuscate a huge AutoIT script in less than two minutes

2020-3-13 14:35
4063

Original link: https://research.checkpoint.com/2020/how-to-de-obfuscate-a-huge-autoit-script-in-less-than-two-minutes/

 

Imagine this scenario: you’re researching a malware sample which starts its execution with unpacking the archive (usually RAR or ZIP one) which came with a suspicious email and launching an AutoIT script stored inside the archive. You start analyzing this script and get stuck: its size is more than 150MB! What do you do?

 

img

 

Clearly, you need to de-obfuscate the script. We’ll show you how to do it in less than 2 minutes.

 

img

 

The following tools are required:

The decompiler can process executables which have an embedded AutoIT script inside. But it can’t do anything with external scripts.

 

To use a decompiler, a standalone AutoIT script has to be embedded inside the executable so the decompiler can be further applied. To do so, let us use the Aut2Exe Converter:

 

img

 

After the conversion is complete, there is a fully working executable which is approximately 155 times smaller than the original obfuscated one:

 

img

 

Instead of writing scripts to manually de-obfuscate the script, let the converter do the entire job and produce clear byte-code in the output.

 

The next step is to put the executable inside the decompiler and get the clear-text script:

 

img

 

The script file without all the junk is approximately 2800 times smaller than its obfuscated counterpart:

 

img

 

Now the script can be analyzed further.


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 2510
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
感谢分享
2020-3-13 17:59
1
雪    币: 83
活跃值: (1092)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
3
不错
2020-3-14 01:38
0
游客
登录 | 注册 方可回帖
返回
//