Complete decompilation of an AutoIt *.exe application
04-29-2020, 11:02 PM (This post was last modified: 04-29-2020 11:15 PM by Nehril.)
Hi!
First, I apologize for my English: I'm French x) But I'll do my best, I promise!
Let's begin. I found a nice bot for a browser game. It works pretty well, I admit, but the thing is that it has some ergonomic issues and script errors, and the best features aren't free (of course)... SO, I challenged myself to crack it, at least to keep the paid features.
BUT during this looooong work, that I will detail for you soon, I found something even stronger than just keeping the paid features and I'm reeeeaaaaly close to reaching it, but I don't understand what's wrong and it's very frustrating T.T
If you don't see the link with the topic of the thread, don't worry, you'll see it soon.
In order for you to have as many elements as possible, I will give you all the issues and steps I've been through until now. And then I will tell you what my objectives are. It's a big post and I already apologize for this, but I hope it will be complete and that you could help me (and I will try to make this long post as readable as possible.)
Let's go !
----------------------------------------------------------------------------------------------------------------------------------------------
I. DISCOVERING
  1. I'm not at all an expert in disassembly language, but I know 1 thing: to crack a piece of software, you first have to use PeId in order to know if it's packed or not. And don't make fun of me, but I was sure it wasn't packed because this useful software (I'm being ironic) has a real ergonomic problem:
    So, I concluded that the file I was about to crack wasn't packed.
    And I struggled for 3 days because I shouldn't have looked at the main text box but at this little one. Here is the ergonomic problem I'm talking about.
  2. So, I tried to use my current debugger, OLLYDBG, and here's what happened when I tried to run the program:
  3. I googled the error, and I discovered the anti-debug trick 'IsDebuggerPresent', and I found a way to bypass it but only blurry instructions: 'force to jump somewhere else', 'patch it like you would do with...'... So I was stuck.
  4. But, before this, I did research about how to create my own bot and I often saw AutoIt, and it rang a bell:

So I did my research about 'How to bypass' but specifically for AutoIt... And I discovered that these files could be DECOMPILED and I could get the SOURCE CODE *o*. So I totally put the 'old school crack way' aside in order to focus on the decompilation of my file.
II. EXE2AUT
  1. I found 2 versions of Exe2Aut: one in a 'kit' (almost official, I guess), and an 'independent' one.
  2. I innocently tried to decompile my exe with both and I got 2 errors.
    I focused on the first program (Exe2Aut Independent) because its error was more mysterious to me (yes, that's not rational x)). After digging through the whole internet, I finally found a Korean article that talks about this error and proposes an explanation for it: this site tells us that the problem could be caused by the 'Requested Privilege Level' and, indeed, the exe had an 'AsInvoker' Requested Privilege Level.
    <requestedExecutionLevel level='asInvoker' uiAccess='false'></requestedExecutionLevel>
    (Which is higher than Administrator, but it doesn't matter for the rest)
  3. In order to bypass it I ran a VM on *XP jingle* because the notion that causes the problem doesn't exist on this version of Windows. So I tried the independent Exe2Aut and see:
    No error ! Success ?...
    ...But the file is empty
Back to the beginning... But during my research I often saw people mentioning 'MyAut2exe'...
III. MYAUT2EXE 1/2
  1. So I downloaded 2 versions of it : v1.8.0 (Alpha) and v2.10
  2. I tried both on W10 :
    a. 1.8 alpha
    [Log: myExeToAut 1.8 Alpha W10.log]
    b. 2.10
    [Log: myExeToAut 2.10 W10.log]
  3. Then I tried on win XP : Same results...
So I rechecked the assembly code and... I saw UPX sections...
IV. UNPACK
  1. And, after almost 3 days I realized that the exe was packed. (I LOVE MY LIFE, OKAY ? XD)
  2. Then I looked for the UPX unpacker and I tried to use it on W10 and surprisingly it didn't work:
    The error was predictable (see II. 3.), but who knows? It could have worked!

  3. Anyway, to fix this I ran to the holy *XP jingle* VM and it worked pretty well :
GREAT : let's go back to MyAut2Exe now !
V. MYAUT2EXE 2/2
  1. So I transferred the unpacked file to my W10 desktop and I tried both MyAut2Exe versions, and here are my results:
    a. v1.8 Alpha: Error
    [Log: MyAut2Exe 1.8 Alpha W10 After unpack.log]
    b. v2.10: Error in the middle, maybe the end, of the execution
    (I didn't see anything about this error on the internet during my research, by the way.)
    BUT IT WORKED !
    [Logs: MyAutToExe 2.10 AfterUnPack (1).log; MyAutToExe 2.10 AfterUnPack (2).log]
  2. I was pretty excited: to me, my work was done! But when I opened the script, it was IMPOSSIBLE TO READ (I mean the script was horrible and too complex to have been written by a human hand): I understood the file was 'crypted' (obfuscated).
    Global $A62B7904A56 = A0F0000073B($CW[1]), $A50B7A02A23 = A0F0000073B($CW[2]), $A48DB003A1B = A0F0000073B($CW[1007]), $A57DB204D15 = A0F0000073B($CW[1008]), $A06DB40202A = A0F0000073B($CW[1009]), $A2BDB604C57 = A0F0000073B($CW[1010]), $A5FDB803901 = A0F0000073B($CW[1011]), $A13DBA0431F = A0F0000073B($CW[1012]), $A47DBC05130 = A0F0000073B($CW[1013]), $A5ADBE0584B = A0F0000073B($CW[1014]), $A4AEB00202C = A0F0000073B($CW[1015]), $A1AEB201029 = A0F0000073B($CW[1016]), $A0AEB400818 = A0F0000073B($CW[1017]), $A15EB604501 = A0F0000073B($CW[1018]), $A46EB805509 = A0F0000073B($CW[1019]), $A27EBA05319 = A0F0000073B($CW[1020]), $A2CEBC0013C = A0F0000073B($CW[1021]), $A40EBE00C18 = A0F0000073B($CW[1022]), $A3EFB002E0D = A0F0000073B($CW[1023]), $A4FFB200B18 = A0F0000073B($CW[1024]), $A29FB400E0A = A0F0000073B($CW[1025]), $A5AFB602533 = A0F0000073B($CW[1026]), $A59FB800B07 = A0F0000073B($CW[1027]), $A11FBA0294C = A0F0000073B($CW[1028]), $A30FBC0323F = A0F0000073B($CW[1029]), $A2FFBE00C0B = A0F0000073B($CW[1030]), $A1F0C002609 = A0F0000073B($CW[1031]), $A1A0C20023F = A0F0000073B($CW[1032]), $A1C0C40353A = A0F0000073B($CW[1033]), $A310C601F09 = A0F0000073B($CW[1034]), $A470C802A50 = A0F0000073B($CW[1035]), $A0E0CA05247 = A0F0000073B($CW[1036]), $A090CC0241C = A0F0000073B($CW[1037]), $A5B0CE0550A = A0F0000073B($CW[1038]), $A111C00372C = A0F0000073B($CW[1039]), $A171C204E06 = A0F0000073B($CW[1040]), $A241C40632B = A0F0000073B($CW[1041]), $A421C602A23 = A0F0000073B($CW[1042]), $A2B1C806255 = A0F0000073B($CW[1043]), $A091CA03E31 = A0F0000073B($CW[1044]), $A611CC03F42 = A0F0000073B($CW[1045]), $A3C1CE05714 = A0F0000073B($CW[1046]), $A252C005119 = A0F0000073B($CW[1047]), $A452C201A35 = A0F0000073B($CW[1048]), $A1D2C406232 = A0F0000073B($CW[1049]), $A542C604B11 = A0F0000073B($CW[1050]), $A0D2C805A22 = A0F0000073B($CW[1051]), $A402CA05933 = A0F0000073B($CW[1052]), $A142CC00660 = A0F0000073B($CW[1053]), $A482CE00548 = A0F0000073B($CW[1054]), $A143C002A39 = A0F0000073B($CW[1055]), 
$A403C203219 = A0F0000073B($CW[1056]), $A493C402950 = A0F0000073B($CW[1057]), $A043C601608 = A0F0000073B($CW[1058]), $A043C80475B = A0F0000073B($CW[1059])
    Just a little quote: this is the definition of ONE VARIABLE.
    But I thought, and that's what's supposed to happen, I could recompile the script: but nope. I got syntax errors and all this sh*t...
(3. I found another version of MyAut2Exe called 'myaut_contrib-master dmod 2.12' and tested it: same result, but the executable looks more recent, so I used it for the next tests:
[Logs: MyAut2Exe my contrib after unpack (1).log; MyAut2Exe my contrib after unpack (2).log])
  (Sorry for this: the color tag doesn't work on lists.)
  4. So I first MANUALLY fixed the errors in the script (YES, you read that right: MANUALLY), then I found the Tidy and Au3Stripper tools, used them to correct most of the errors, and manually cleaned up what was left... And when I tried to build the script... I got this:
    I was kind of confused because MyAut2exe didn't tell me anything about these files...
    5. So I looked inside the log, who knows ? And... Surprise :
      > Processing FILE: #57
      0021CF0B -> ResType: FILE
      0021CF2F -> SrcFile_FileInst: destroy/Spot.bmp
      0021CFA7 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1destroySpot.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021CFA8 -> IsCompressed: True (01)
      0021CFAC -> ScriptSize Compressed: 000000C4 Decimal:196 0 B
      0021CFB0 -> ScriptSize UnCompressed(used to seek to next file): 000000C6 Decimal:198 0 B
      0021CFB4 -> ADLER32 CRC of unencrypted script data: 5E595B12
      0021CFC4 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8049905 14.8.2017 10:4:2 [784]
      pLastWrite : 01D212411E700E00 19.9.2016 6:43:24 [0]
      0021CFC4 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfterFileWithInvalidName_0039.pak
      Expanding script data to 'FileWithInvalidName_0039.bmp' at C:UsersmatthDesktopAfter
      Setting Creation and LastWrite time for: FileWithInvalidName_0039.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #58
      0021D08C -> ResType: FILE
      0021D0B0 -> SrcFile_FileInst: destroy/Base.bmp
      0021D128 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1destroyBase.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021D129 -> IsCompressed: False (00)
      0021D12D -> ScriptSize Compressed: 000000C2 Decimal:194 0 B
      0021D131 -> ScriptSize UnCompressed(used to seek to next file): 000000C2 Decimal:194 0 B
      0021D135 -> ADLER32 CRC of unencrypted script data: 418E3F4F
      0021D145 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8049905 14.8.2017 10:4:2 [784]
      pLastWrite : 01D212411E700E00 19.9.2016 6:43:24 [0]
      0021D145 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      Saving script to 'FileWithInvalidName_003A.bmp' at C:UsersmatthDesktopAfter
      Setting Creation and LastWrite time for: FileWithInvalidName_003A.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #59
      0021D20B -> ResType: FILE
      0021D239 -> SrcFile_FileInst: destroy/destroyok.bmp
      0021D2BB -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1destroydestroyok.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021D2BC -> IsCompressed: True (01)
      0021D2C0 -> ScriptSize Compressed: 00000096 Decimal:150 0 B
      0021D2C4 -> ScriptSize UnCompressed(used to seek to next file): 000000A6 Decimal:166 0 B
      0021D2C8 -> ADLER32 CRC of unencrypted script data: F36A2F96
      0021D2D8 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8049905 14.8.2017 10:4:2 [784]
      pLastWrite : 01D212411E700E00 19.9.2016 6:43:24 [0]
      0021D2D8 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfterFileWithInvalidName_003B.pak
      Expanding script data to 'FileWithInvalidName_003B.bmp' at C:UsersmatthDesktopAfter
      Setting Creation and LastWrite time for: FileWithInvalidName_003B.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #60
      0021D372 -> ResType: FILE
      0021D3A6 -> SrcFile_FileInst: destroy/Nearest Port.bmp
      0021D42E -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1destroyNearest Port.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021D42F -> IsCompressed: True (01)
      0021D433 -> ScriptSize Compressed: 00000066 Decimal:102 0 B
      0021D437 -> ScriptSize UnCompressed(used to seek to next file): 0000006E Decimal:110 0 B
      0021D43B -> ADLER32 CRC of unencrypted script data: A2181883
      0021D44B -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8049905 14.8.2017 10:4:2 [784]
      pLastWrite : 01D212411E700E00 19.9.2016 6:43:24 [0]
      0021D44B -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfterFileWithInvalidName_003C.pak
      Expanding script data to 'FileWithInvalidName_003C.bmp' at C:UsersmatthDesktopAfter
      Setting Creation and LastWrite time for: FileWithInvalidName_003C.bmp
      Write data in textbox

      As you can read, the files have been saved as 'FileWithInvalidName_00**.bmp', which you can see here:
      And what's even weirder is the fact that, just before, another similar error appeared...
      > Processing FILE: #17
      0021988B -> ResType: FILE
      002198B1 -> SrcFile_FileInst: npcstarget1.bmp
      00219929 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcstarget1.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021992A -> IsCompressed: True (01)
      0021992E -> ScriptSize Compressed: 00000072 Decimal:114 0 B
      00219932 -> ScriptSize UnCompressed(used to seek to next file): 0000007A Decimal:122 0 B
      00219936 -> ADLER32 CRC of unencrypted script data: CBFA2837
      00219946 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A82AAF0A 14.8.2017 10:4:3 [34]
      pLastWrite : 01D212414E1F1600 19.9.2016 6:44:44 [0]
      00219946 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcstarget1.pak
      Expanding script data to 'starget1.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: starget1.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #18
      002199BC -> ResType: FILE
      002199E2 -> SrcFile_FileInst: npcstarget2.bmp
      00219A5A -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcstarget2.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219A5B -> IsCompressed: True (01)
      00219A5F -> ScriptSize Compressed: 00000060 Decimal:96 0 B
      00219A63 -> ScriptSize UnCompressed(used to seek to next file): 0000006A Decimal:106 0 B
      00219A67 -> ADLER32 CRC of unencrypted script data: 519B1AAA
      00219A77 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A82AAF0A 14.8.2017 10:4:3 [34]
      pLastWrite : 01D212414E1F1600 19.9.2016 6:44:44 [0]
      00219A77 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcstarget2.pak
      Expanding script data to 'starget2.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: starget2.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #19
      00219ADB -> ResType: FILE
      00219B01 -> SrcFile_FileInst: npcstarget3.bmp
      00219B79 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcstarget3.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219B7A -> IsCompressed: False (00)
      00219B7E -> ScriptSize Compressed: 000000AE Decimal:174 0 B
      00219B82 -> ScriptSize UnCompressed(used to seek to next file): 000000AE Decimal:174 0 B
      00219B86 -> ADLER32 CRC of unencrypted script data: 610B0D61
      00219B96 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A82AAF0A 14.8.2017 10:4:3 [34]
      pLastWrite : 01D212414E1F1600 19.9.2016 6:44:44 [0]
      00219B96 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      Saving script to 'starget3.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: starget3.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #20
      00219C48 -> ResType: FILE
      00219C6E -> SrcFile_FileInst: npcstarget4.bmp
      00219CE6 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcstarget4.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219CE7 -> IsCompressed: True (01)
      00219CEB -> ScriptSize Compressed: 0000005E Decimal:94 0 B
      00219CEF -> ScriptSize UnCompressed(used to seek to next file): 00000066 Decimal:102 0 B
      00219CF3 -> ADLER32 CRC of unencrypted script data: 81B32327
      00219D03 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A82AAF0A 14.8.2017 10:4:3 [34]
      pLastWrite : 01D212414E1F1600 19.9.2016 6:44:44 [0]
      00219D03 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcstarget4.pak
      Expanding script data to 'starget4.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: starget4.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #21
      00219D65 -> ResType: FILE
      00219D85 -> SrcFile_FileInst: npcblack.bmp
      00219DF7 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcblack.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219DF8 -> IsCompressed: True (01)
      00219DFC -> ScriptSize Compressed: 00000030 Decimal:48 0 B
      00219E00 -> ScriptSize UnCompressed(used to seek to next file): 000000C6 Decimal:198 0 B
      00219E04 -> ADLER32 CRC of unencrypted script data: 000A0A63
      00219E14 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8284DA9 14.8.2017 10:4:3 [18]
      pLastWrite : 01D2124146F80800 19.9.2016 6:44:32 [0]
      00219E14 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcblack.pak
      Expanding script data to 'black.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: black.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #22
      00219E48 -> ResType: FILE
      00219E66 -> SrcFile_FileInst: npcblue.bmp
      00219ED6 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcblue.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219ED7 -> IsCompressed: True (01)
      00219EDB -> ScriptSize Compressed: 00000042 Decimal:66 0 B
      00219EDF -> ScriptSize UnCompressed(used to seek to next file): 000001B6 Decimal:438 0 B
      00219EE3 -> ADLER32 CRC of unencrypted script data: DAA610A8
      00219EF3 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8284DA9 14.8.2017 10:4:3 [18]
      pLastWrite : 01D2124146F80800 19.9.2016 6:44:32 [0]
      00219EF3 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcblue.pak
      Expanding script data to 'blue.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: blue.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #23
      00219F39 -> ResType: FILE
      00219F5F -> SrcFile_FileInst: npcktarget1.bmp
      00219FD7 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcktarget1.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      00219FD8 -> IsCompressed: True (01)
      00219FDC -> ScriptSize Compressed: 0000007A Decimal:122 0 B
      00219FE0 -> ScriptSize UnCompressed(used to seek to next file): 0000007E Decimal:126 0 B
      00219FE4 -> ADLER32 CRC of unencrypted script data: A9F23023
      00219FF4 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8284DA9 14.8.2017 10:4:3 [18]
      pLastWrite : 01D21241495A6200 19.9.2016 6:44:36 [0]
      00219FF4 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcktarget1.pak
      Expanding script data to 'ktarget1.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: ktarget1.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #24
      0021A072 -> ResType: FILE
      0021A098 -> SrcFile_FileInst: npcktarget2.bmp
      0021A110 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcktarget2.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A111 -> IsCompressed: True (01)
      0021A115 -> ScriptSize Compressed: 00000042 Decimal:66 0 B
      0021A119 -> ScriptSize UnCompressed(used to seek to next file): 0000004E Decimal:78 0 B
      0021A11D -> ADLER32 CRC of unencrypted script data: 3196148D
      0021A12D -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8284DA9 14.8.2017 10:4:3 [18]
      pLastWrite : 01D21241495A6200 19.9.2016 6:44:36 [0]
      0021A12D -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcktarget2.pak
      Expanding script data to 'ktarget2.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: ktarget2.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #25
      0021A173 -> ResType: FILE
      0021A199 -> SrcFile_FileInst: npcktarget3.bmp
      0021A211 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcktarget3.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A212 -> IsCompressed: True (01)
      0021A216 -> ScriptSize Compressed: 0000004E Decimal:78 0 B
      0021A21A -> ScriptSize UnCompressed(used to seek to next file): 00000056 Decimal:86 0 B
      0021A21E -> ADLER32 CRC of unencrypted script data: 29AE1A0E
      0021A22E -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8284DA9 14.8.2017 10:4:3 [18]
      pLastWrite : 01D21241495A6200 19.9.2016 6:44:36 [0]
      0021A22E -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcktarget3.pak
      Expanding script data to 'ktarget3.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: ktarget3.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #26
      0021A280 -> ResType: FILE
      0021A2A6 -> SrcFile_FileInst: npcktarget4.bmp
      0021A31E -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcktarget4.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A31F -> IsCompressed: True (01)
      0021A323 -> ScriptSize Compressed: 00000042 Decimal:66 0 B
      0021A327 -> ScriptSize UnCompressed(used to seek to next file): 0000004E Decimal:78 0 B
      0021A32B -> ADLER32 CRC of unencrypted script data: 0FE012A2
      0021A33B -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8284DA9 14.8.2017 10:4:3 [18]
      pLastWrite : 01D21241495A6200 19.9.2016 6:44:36 [0]
      0021A33B -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcktarget4.pak
      Expanding script data to 'ktarget4.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: ktarget4.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #27
      0021A381 -> ResType: FILE
      0021A3B9 -> SrcFile_FileInst: npcNumberAttackedNPC.bmp
      0021A443 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcNumberAttackedNPC.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A444 -> IsCompressed: True (01)
      0021A448 -> ScriptSize Compressed: 0000002E Decimal:46 0 B
      0021A44C -> ScriptSize UnCompressed(used to seek to next file): 0000005A Decimal:90 0 B
      0021A450 -> ADLER32 CRC of unencrypted script data: DA380A6E
      0021A460 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A82AAF0A 14.8.2017 10:4:3 [34]
      pLastWrite : 01D2ACCD7C5887C7 3.4.2017 22:56:10 [161]
      0021A460 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcNumberAttackedNPC.pak
      Expanding script data to 'NumberAttackedNPC.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: NumberAttackedNPC.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #28
      0021A492 -> ResType: FILE
      0021A4B2 -> SrcFile_FileInst: npc1conf.bmp
      0021A524 -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npc1conf.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A525 -> IsCompressed: True (01)
      0021A529 -> ScriptSize Compressed: 00000058 Decimal:88 0 B
      0021A52D -> ScriptSize UnCompressed(used to seek to next file): 00000066 Decimal:102 0 B
      0021A531 -> ADLER32 CRC of unencrypted script data: 5B671D91
      0021A541 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A8284DA9 14.8.2017 10:4:3 [18]
      pLastWrite : 01D2124146F80800 19.9.2016 6:44:32 [0]
      0021A541 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpc1conf.pak
      Expanding script data to '1conf.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: 1conf.bmp
      Write data in textbox
      -------------------------------------------------------------------------------
      > Processing FILE: #29
      0021A59D -> ResType: FILE
      0021A5C3 -> SrcFile_FileInst: npcredstick.bmp
      0021A63B -> CompiledPathName: D:ProgrammingMyProjectsAutoItSBot 0.1npcredstick.bmp
      WARNING: unknown SrcFile_FileInst(should something like >AUTOIT SCRIPT< or >AUTOHOTKEY SCRIPT<)!
      0021A63C -> IsCompressed: True (01)
      0021A640 -> ScriptSize Compressed: 0000002C Decimal:44 0 B
      0021A644 -> ScriptSize UnCompressed(used to seek to next file): 0000004A Decimal:74 0 B
      0021A648 -> ADLER32 CRC of unencrypted script data: C1010A21
      0021A658 -> FileTime (number of 100-nanosecond intervals since January 1, 1601)
      pCreationTime: 01D314E4A82AAF0A 14.8.2017 10:4:3 [34]
      pLastWrite : 01D212414BBCBC00 19.9.2016 6:44:40 [0]
      0021A658 -> Begin of script data
      Decrypting script data...
      Calculating ADLER32 checksum from decrypted scriptdata
      OK.
      JB LZSS Signature:EA06
      Compressed scriptdata written to C:UsersmatthDesktopAfternpcredstick.pak
      Expanding script data to 'redstick.bmp ' at C:UsersmatthDesktopAfternpc
      Setting Creation and LastWrite time for: redstick.bmp
      Write data in textbox

      But the files have been well created and in the right folder:
    6. Anyway, I restored them (just renamed and moved into a created folder called 'destroy' as the msgBox expected) and compiled the script. When I ran the .exe... The loading screen of the original application APPEARED! I was sure I had finally reached my objective... And instantly after that:
      Too easy...
    7. WELL, I searched inside the script and guess what? NO IDEA which error it's talking about. And what's even weirder is that when I run 'checkProdSyntax': tons of errors appear!! And most of them were impossible to fix/to know if we fixed them correctly. (For example, when 2 variables are stuck together: '$Blablablab$lmaolmaoLmao'. Do I have to split them? Separate them with a ','? A '&'?...)
    8. AND, after fixing a parenthesis error (and don't ask me HOW, I don't have a f*cking idea even after doing it 3 times...), I got this:
      So... Well I was lost, I didn't know what to do...
      I found a fourth MyAut2Exe version, which is the latest one: v2.15. It gave me different results in the code, but the errors were even bigger than before, maybe because it tried to deobfuscate even if the code wasn't really made for this, or something else... But I think I should use this one when everything is fixed.

    I was totally desperate and, just to see, I did something totally 'current' but with a looooot of consequences...
    VI. DAF*CK ?!
    1. On my XP VM, I right clicked on the .au3 file, and clicked on 'run script': WORST IDEA. When I did this, the loading wheel appeared on my cursor and then... nothing.
      I waited a bit : nothing, so I double clicked on the compiled exe: the loading wheel reappeared on my cursor and then... Nothing.
      I opened the task manager, looked for the process and retried to open the file : the process appeared and then disappeared without running.
      So I right clicked, selected : 'run as...' and... this appeared :
    2. I first thought that it was just a bug and I tried to open the original exe, the one I didn't touch : SAME symptoms...
    3. And I then thought it was because of XP... So I did the same on my W10... Guess what ? Impossible to run either the script, the exe I compiled myself, or the original file. (but no way to see the message as in Win XP. I think it's because in later versions, 'running as...' has been replaced by 'running as admin' etc.)
    I now need to run a W7 VM to run those exe files... And I made a save state before trying to reproduce this bug : I reproduced it, but thanks to my save state, I went back and I can open those exe files.
    This last error is totally illogical to me...
    ----------------------------------------------------------------------------------------------------------------------------------------------
    Now that I've told you everything I've been through so far, I'm asking for your help for these reasons:
    1. Fix the last problem.
    2. Do a complete decompilation of the files.
      Thanks for reading, and thanks in advance to whoever helps me !
      Here are the files I'm talking about. For your safety, because I can't be sure if it's really safe, I recommend you test the file in a VM (because it's detected as trojan, but it's not ... But can't guarantee it sooooo)

Post: #2
RE: Complete decompilation of an AutoIt *.exe application
Sorry to quadruple post, but I still need your help.
Post: #3
RE: Complete decompilation of an AutoIt *.exe application
You did it well
anyway for the problem of
I'm having an issue with an executable file I'm not able to decode it
and after what I saw on the internet this line protects your file from Exe2Aut !
My question is: is there any way to get the file source code ?


Post: #4
RE: Complete decompilation of an AutoIt *.exe application
(05-04-2020 12:10 PM)x00x_Team Wrote: You did it well
anyway for the problem of
I'm having an issue with an executable file I'm not able to decode it
and after what I saw on the internet this line protects your file from Exe2Aut !
My question is: is there any way to get the file source code ?

Did you try to do as I did ?... because at the IV. I tried something and it goes better for me... try this ?
Post: #5
RE: Complete decompilation of an AutoIt *.exe application
Up ! Still need help ^^
11-19-2020, 09:34 PM (This post was last modified: 11-19-2020 10:19 PM by cw2k.)
RE: Complete decompilation of an AutoIt *.exe application
Wow, I'm very impressed.
You seem really determined.
That's good. So the rest in English...
You came quite far with decompiling that s-bot.
Well that Van-Zande-Obfuscated script can be really scary
Global $A62B7904A56 = A0F0000073B($CW[1]), $A50B7A02A23 = ...

Well that obfuscation needs to be removed before you can proceed. Trying to keep it or run tidy on it just messes things up.
Well MATE also has some deobfuscation handler that mostly supports Van-Zande.
Just drag the obfuscated *.au3 into MATE. Mostly it also needs a *.tbl file that should have been extracted. Well MATE will try to find the pattern that shows file is obfuscation and de obfuscation is.
However - as ever- things can go wrong don't work / needs help.
So for that I highly recommend that you get the VB6 portable and run the MATE source code files inside the VB6 IDE. Here you can debug.
Hints:
Mostly press SHIFT+F8 to step over functions, only press F8 to step into function when you've a good reason.
SHIFT+F9 and varname is good to see in the watches/local windows its values...
However, first of all, share the link to the target
or upload the target and share the link
so other ppl like me for example can try as well.
See why it is not working...
About 'old' Version
v1.8.0 (Alpha) - no comment
v2.10 STOP - Encountered. Well there was somehow left some handwritten breakpoint in the source. In the VB6 IDE it stops and you can just resume. In the exe a Stop is deadly.
However those stops are there for a reason and mean something is not done or needs 'manually fixing'
V2.12 myaut_contrib-master dmod that lacks the support for the Autoit ternary operator [ Example: (a4) ? 'Okay' : 'No'] and is likely to fail at new scripts that use that function.
Hmm that reminds me to finally put the new version to git.

2.15 Detokeniser: Added support for tokenised commands (cmd opcodes 0x0 and 0x1)
BugFix TmpFile handling - opening a *.tok-file with option 'delete tmpfiles checked', deletes it
HexToBin: mod/special build for string deobfuscation for the '7 Knights Script'
2.14 Speed up Detokeniser
Tools/Function Renamer: Now adds variables and inner functions when adding a function
Minor other GUI bugfixes / enhancements
2.13 Added UPX unpacker
Added support for ternary operator [ Example: (a4) ? 'Okay' : 'No']
Speed up scan for script start
Bugfix scan for script start
updated tidy
updated LZSS.exe to handle early EOFs
bugfix path to Winhex was not set / various fixes in whapi.dll
Minor other bugfixes / enhancements

