May 28, 2015 If your script was compiled without password and uses AutoIt 3.2.5.1 or older then use the decompiler you get with AutoIt, 'AutoIt3ExtrasExe2AutExe2Aut.exe'. If you used a newer version, or had a password, then you wont get any help here. There's a search in the upper right, search for decompilation and you will see what I mean. Informatie (ENG) Exe2Aut is designed to be the easiest to use and most versatile decompiler for compiled AutoIt3 scripts one could think of. Simply drag and drop the executable onto Exe2Aut’s main window and the source script will be displayed.
Decompile HWIDGEN
There are several tools, scripts and resources avlb. on how-to decompile AHK/EXE programs.
Decompiler for AHK scripts are
- ShatterIt
- IronAHK
- Opening the .exe via Notepad++/Visual Core (if it is not obfuscated) and check the end of the file, which should be more or less in plain text.
- exe2ahk - Drag & drop hwidgen.exe ahk-file to convert it to the real .ahk script.
- There are plenty other 'ideas' and instructions avbl. on YouTube.
.EXE to .AHK
In earlier 'dumpster Inc.' (hwidgen) versions you could simply use, exe2ahk.exe (direct download link) in order to decompile it. It's a small command line utility to reveal the .AHK scripts out of an compiled .EXE. Simply rename
hwid.kms38.gen.mk6.exe
to hwid.kms38.gen.mk6
and try it.Instruction which worksm on newer HWIDGEN versions too
The user Uberi, provides a real nice solution which works with AutoHotKey and AutoIT (AutoIT itself has a function to decompile executables btw).
- Download the latest HWIDGEN, unpack it into a folder.
- Install AutoHotKey (or AutoIT) (if not already installed).
- Ensure you download the mentioned payload (.dll files) aka
payload.dll
andpayload64.dll
. - Now that we have HWIDGEN, the decompiler (including the needed .dll files), place every file into the same folder.
- Since we have compiled the decompiler script, we can just double-click on it which will then store the output into the same folder.
Obfuscation (encryption)
Slave is not stupid and I assume he will obfuscate his (next) source code with some anti-decompiler tricks or/and encrypt new releases.
![Exe Exe](/uploads/1/2/5/8/125846481/518152516.png)
![Autoit Autoit](http://securingtomorrow.mcafee.com/wp-content/uploads/2012/08/AutoIt-1.png)
I already can address this and say that anti-decompiler scripts and 'encryption' tricks are very ineffective on AHK scripts.
In case this ever happens, and slave still refuses to open the code, I'll not going to update this guide here to avoid making it easier for him to build 'anti-decompiling' strategies and defenses. However in such a scenario I then could provide the tool(s) for decompilition itself without giving any instructions further instructions.