{"id":2766,"date":"2015-01-08T13:05:26","date_gmt":"2015-01-08T13:05:26","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2766"},"modified":"2023-06-03T22:08:58","modified_gmt":"2023-06-03T22:08:58","slug":"decompiling-compiled-autoit-scripts-64-bit-take-two","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/01\/08\/decompiling-compiled-autoit-scripts-64-bit-take-two\/","title":{"rendered":"Decompiling compiled AutoIT scripts (64-bit), take two"},"content":{"rendered":"<p>A while ago I posted a short description on <a title=\"Decompiling compiled AutoIT scripts (64-bit)\" href=\"https:\/\/www.hexacorn.com\/blog\/2014\/11\/28\/decompiling-compiled-autoit-scripts-64-bit\/\">how to decompile 64-bit autoit scripts<\/a>. Someone pinged me asking how to actually do it, so I thought it would be handy to simply write a script to do the dirty work for us.<\/p>\n<ul>\n<li>Download 32-bit AutoIt (an older version has the 32-bit stub separately, so it&#8217;s handy to use it)\n<ul>\n<li><a class=\"moz-txt-link-freetext\" href=\"https:\/\/www.autoitscript.com\/autoit3\/files\/archive\/autoit\/autoit-v3.2.8.1.zip\">https:\/\/www.autoitscript.com\/autoit3\/files\/archive\/autoit\/autoit-v3.2.8.1.zip<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Unpack it<\/li>\n<li>You will find the 32-bit stub here:\n<ul>\n<li>autoit-v3.2.8.1.zip\\Aut2Exe\\AutoItSC.bin<\/li>\n<\/ul>\n<\/li>\n<li>Copy it to the folder where your 64-bit compiled autoit executable resides<\/li>\n<li>Now you have to build a 32-bit executable using the autoit script blob you need to extract from the 64-bit executable\n<ul>\n<li>you can do it manually, or<\/li>\n<li>you can run the perl script below (it extracts the autoit script blob from the 64-bit autoit executable and builds the 32-bit equivalent using the 32-bit AutoItSC.bin stub mentioned above); the created file will have a file 
name:\n<ul>\n<li>\n<pre>&lt;filename&gt;.a32.exe<\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Now you can download the Decompiler for AutoIt script from <a class=\"moz-txt-link-freetext\" href=\"https:\/\/exe2aut.com\/?download\">https:\/\/exe2aut.com\/?download<\/a><\/li>\n<li>Drop it into some virtual environment (VMware\/VirtualBox\/Virtual PC)<\/li>\n<li>Drop your newly created 32-bit executable into the exe2aut decompiler<\/li>\n<li>It should decrypt the script for you<\/li>\n<\/ul>\n<p>And the 64-to-32 conversion script is shown below (call it autoit64to32.pl or whatever and run perl autoit64to32.pl &lt;64-bit exe&gt;):<\/p>\n<pre>use strict;\r\nuse warnings;\r\n\r\nmy $f=shift || die (\"Gimme a file name!\");\r\n\r\nprint STDERR \"Processing '$f':\\n\";\r\nprint STDERR \"- Reading 'AutoItSC.bin'\\n\";\r\n# Three-argument open: characters in a sample's file name are never\r\n# interpreted as an open mode or a pipe. Fail loudly if a file is missing.\r\nopen F,'&lt;','AutoItSC.bin' or die \"Cannot open 'AutoItSC.bin': $!\\n\";\r\nbinmode F;\r\nread F,my $a, -s 'AutoItSC.bin';\r\nclose F;\r\n\r\nprint STDERR \"- Reading '$f'\\n\";\r\nopen F,'&lt;',$f or die \"Cannot open '$f': $!\\n\";\r\nbinmode F;\r\nread F,my $d, -s $f;\r\nclose F;\r\n\r\nprint STDERR \"- Looking for the script\\n\";\r\n# 16-byte marker at the start of the embedded script blob\r\nif ($d=~\/\\xA3\\x48\\x4B\\xBE\\x98\\x6C\\x4A\\xA9\\x99\\x4C\\x53\\x0A\\x86\\xD6\\x48\\x7D\/sg)\r\n{\r\n   # pos() points just past the match; step back 16 bytes to its start\r\n   my $pd=(pos $d)-16;\r\n   print STDERR \"- Script found @ \".sprintf(\"%08lX\",$pd).\"\\n\";\r\n   print STDERR \"- Creating 32-bit version '$f.a32.exe'\\n\";\r\n   open F,'&gt;',\"$f.a32.exe\" or die \"Cannot create '$f.a32.exe': $!\\n\";\r\n   binmode F;\r\n   # 32-bit stub followed by everything from the marker to the end of the file\r\n   print F $a.substr($d,$pd,length($d)-$pd);\r\n   close F;\r\n}\r\nelse\r\n{\r\n   print STDERR \"- Script not found !\\n\";\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>A while ago I posted a short description on how to decompile 64-bit autoit scripts. 
Someone pinged me asking how to actually do it, so I thought it would be handy to simply write a script to do the &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/01\/08\/decompiling-compiled-autoit-scripts-64-bit-take-two\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[112,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2766"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2766"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2766\/revisions"}],"predecessor-version":[{"id":2771,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2766\/revisions\/2771"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}