SHARE
TWEET

AutoIt Deobfuscator

a guest Aug 26th, 2012 745 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. import sys, re, os
  2. from sys import argv
  3.  
  4. def Decode(tmpString):
  5.         string = ''
  6.         for byte in range(len(tmpString)/2):
  7.                 string += chr(int(tmpString[byte*2:byte*2 + 2],16))
  8.         return string
  9.  
  10. def deobfuscate(auFile, tblFile, separator, decodeFuncName):
  11.         s = open(tblFile).read()
  12.         t = open(auFile).read()
  13.         l = s.split(separator)
  14.         i=1
  15.         for c in l:
  16.                 reStr = '(\$[A-Z,0-9]{11}) = %s\(\$OS\[%d\]\)' % (decodeFuncName, i)
  17.                 matchObj = re.search(reStr,t)
  18.                 if matchObj is None:
  19.                         continue
  20.                 tmp = matchObj.group(1)
  21.                 tmpStr = '"' + Decode(c) + '"'
  22.                 t = t.replace(tmp, tmpStr)
  23.                 i+=1
  24.         return t
  25.  
  26. if __name__ == '__main__':
  27.         if len(argv) < 6:
  28.                 print "Usage:  %s auPath tblPath separator decodeFuncName outputPath" % os.path.split(argv[0])[-1]
  29.                 print 'Sample: %s test.au3 jguyxxkdfgiuru84.au3.tbl oB8CO A5F00005963 new.au3' % os.path.split(argv[0])[-1]
  30.                 sys.exit(1)
  31.  
  32.         tmp = deobfuscate(argv[1], argv[2], argv[3], argv[4])
  33.         open(argv[5],'wb').write(tmp)
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top