Reversing AutoIT Applications

When we open a compiled AutoIT executable in a debugger and run it, it refuses to start and instead pops up an error message box.


To find where that box is raised from, break inside the MessageBoxA API and look at its return address on the stack, then follow it back into the application.

Following that return address makes it clear that compiled AutoIT applications call the IsDebuggerPresent API by default, as a simple anti-debugging trick.


If you disassemble the IsDebuggerPresent API in kernel32 (32-bit Windows), it is just three instructions:


[code language="C"]
MOV   EAX,DWORD PTR FS:[18]     ; EAX = TEB.Self: FS points at the TEB, and TEB+0x18 holds the TEB's own linear address
MOV   EAX,DWORD PTR DS:[EAX+30] ; EAX = TEB.ProcessEnvironmentBlock: pointer to the PEB
MOVZX EAX,BYTE PTR DS:[EAX+2]   ; EAX = PEB.BeingDebugged, zero-extended; this byte is the API's return value
[/code]

On x86 Windows the FS segment register points at the TEB (Thread Environment Block), and FS:[0x18] is the TEB's Self field, which holds the TEB's own linear address. You can check these links for the TEB structure: https://en.wikipedia.org/wiki/Win32_Thread_Information_Block, http://www.nirsoft.net/kernel_struct/vista/TEB.html .
In the TEB, offset 0x30 holds the pointer to the PEB (Process Environment Block). In the PEB, offset 0x2 is the BeingDebugged field, a whole byte rather than a single bit: the kernel sets it to 1 when the process is created or attached under a debugger, and IsDebuggerPresent simply returns that byte.

[code highlight="3" language="C"]
typedef struct _PEB {
    BYTE Reserved1[2];
    BYTE BeingDebugged;
    BYTE Reserved2[1];
    PVOID Reserved3[2];
    PPEB_LDR_DATA Ldr;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved4[104];
    PVOID Reserved5[52];
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE Reserved6[128];
    PVOID Reserved7[1];
    ULONG SessionId;
} PEB, *PPEB;
[/code]
https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx

To bypass this check you could of course patch the executable itself (for example the conditional jump after the call), but patching the PEB in memory is usually the better choice. In this case only one check is performed, so either approach works; when an application performs several IsDebuggerPresent checks, clearing PEB.BeingDebugged once defeats all of them at the same time. Keep in mind that this only fools checks that read this byte; a check that asks the kernel directly, such as CheckRemoteDebuggerPresent or NtQueryInformationProcess with ProcessDebugPort, is not affected. Don't forget there are lots of Olly plugins that apply this simple patch for you 🙂
You can either place a breakpoint on the MOV EAX,DWORD PTR DS:[EAX+30] instruction inside the API and follow EAX in the dump to reach the PEB, or use the fact that as soon as you load the application, at its entry point, the EBX register points to the PEB structure.


After that you simply set that byte to 0. Zeroing the whole DWORD at PEB+0 also defeats the check, but it overwrites the three neighbouring flag bytes (InheritedAddressSpace, ReadImageFileExecOptions and BitField), so prefer patching the single BeingDebugged byte 🙂


After that you can resume execution and debug the application normally.
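To make the walk above concrete, here is an added example that is not code from the original post: it emulates the three instructions of IsDebuggerPresent over a small constructed 32-bit memory image (fake TEB and PEB at made-up addresses) and then applies both patches discussed above, so you can see that the single-byte patch clears the check while the DWORD patch also clobbers the neighbouring bytes. All addresses, the image contents and the function names are assumptions for the example; only the offsets 0x18, 0x30 and 0x2 come from the documented structures.

```c
/* Added example, not code from the original post: kernel32!IsDebuggerPresent's
 * three instructions emulated over a constructed 32-bit memory image, so the
 * TEB -> PEB -> BeingDebugged walk and both patches can be tried offline.
 * Addresses, the image contents and all function names are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 offsets from the TEB/PEB references linked in the post. */
#define TEB_SELF_OFFSET       0x18  /* NtTib.Self: linear address of the TEB */
#define TEB_PEB_OFFSET        0x30  /* ProcessEnvironmentBlock */
#define PEB_BEINGDEBUGGED_OFF 0x02  /* BeingDebugged is a whole byte, not a bit */

/* First four bytes of the documented PEB layout, to confirm the 0x2 offset. */
struct peb_head {
    uint8_t InheritedAddressSpace;     /* MSDN: Reserved1[0] */
    uint8_t ReadImageFileExecOptions;  /* MSDN: Reserved1[1] */
    uint8_t BeingDebugged;
    uint8_t BitField;                  /* MSDN: Reserved2[0] */
};
int being_debugged_offset(void) { return (int)offsetof(struct peb_head, BeingDebugged); }

/* Flat 32-bit "address space" for the example (constructed, not a real process).
 * On x86 Windows the FS base is the TEB itself, hence FS_BASE == TEB_ADDR. */
#define MEM_SIZE 0x1000
#define FS_BASE  0x100u
#define TEB_ADDR 0x100u
#define PEB_ADDR 0x800u

static uint32_t rd32(const uint8_t *mem, uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint8_t *mem, uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* Image of a debugged process: TEB.Self -> TEB, TEB+0x30 -> PEB,
 * PEB.BeingDebugged = 1, nonzero neighbours so clobbering is visible. */
void build_image(uint8_t *mem) {
    memset(mem, 0, MEM_SIZE);
    wr32(mem, TEB_ADDR + TEB_SELF_OFFSET, TEB_ADDR);
    wr32(mem, TEB_ADDR + TEB_PEB_OFFSET, PEB_ADDR);
    mem[PEB_ADDR + 0] = 0x00;  /* InheritedAddressSpace */
    mem[PEB_ADDR + 1] = 0x01;  /* ReadImageFileExecOptions (arbitrary nonzero) */
    mem[PEB_ADDR + 2] = 0x01;  /* BeingDebugged: set by the kernel under a debugger */
    mem[PEB_ADDR + 3] = 0x08;  /* BitField (arbitrary nonzero) */
}

/* The API's first two instructions; also how you locate the PEB in the dump. */
uint32_t emulated_peb_address(const uint8_t *mem) {
    uint32_t teb = rd32(mem, FS_BASE + TEB_SELF_OFFSET);  /* MOV EAX,FS:[18]  */
    return rd32(mem, teb + TEB_PEB_OFFSET);               /* MOV EAX,[EAX+30] */
}
/* MOVZX EAX,BYTE PTR [EAX+2]: the return value is the raw BeingDebugged byte. */
uint32_t emulated_is_debugger_present(const uint8_t *mem) {
    return mem[emulated_peb_address(mem) + PEB_BEINGDEBUGGED_OFF];
}
/* Precise patch: clear only PEB.BeingDebugged. */
void patch_being_debugged_byte(uint8_t *mem) {
    mem[emulated_peb_address(mem) + PEB_BEINGDEBUGGED_OFF] = 0;
}
/* Blunt patch: zero the whole DWORD at PEB+0. Defeats the check too, but
 * overwrites the three neighbouring flag bytes. */
void patch_being_debugged_dword(uint8_t *mem) {
    wr32(mem, emulated_peb_address(mem), 0);
}
/* 1 if the bytes around BeingDebugged still hold what build_image wrote. */
int neighbours_intact(const uint8_t *mem) {
    uint32_t peb = emulated_peb_address(mem);
    return mem[peb] == 0x00 && mem[peb + 1] == 0x01 && mem[peb + 3] == 0x08;
}

enum patch_kind { PATCH_NONE, PATCH_BYTE, PATCH_DWORD };
struct patch_result { uint32_t present; int intact; };

/* Rebuild the image, apply one patch, report what the check now returns. */
struct patch_result run_scenario(enum patch_kind kind) {
    uint8_t mem[MEM_SIZE];
    struct patch_result r;
    build_image(mem);
    if (kind == PATCH_BYTE)  patch_being_debugged_byte(mem);
    if (kind == PATCH_DWORD) patch_being_debugged_dword(mem);
    r.present = emulated_is_debugger_present(mem);
    r.intact  = neighbours_intact(mem);
    return r;
}

int main(void) {
    static const char *names[] = { "no patch", "byte patch", "dword patch" };
    for (int k = PATCH_NONE; k <= PATCH_DWORD; k++) {
        struct patch_result r = run_scenario((enum patch_kind)k);
        printf("%-11s: IsDebuggerPresent = %u, neighbours intact = %d\n",
               names[k], r.present, r.intact);
    }
    return 0;
}
```

Build it with any C99 compiler (for example `cc -std=c99 -Wall peb_demo.c`). The emulation is deliberately byte-for-byte the same walk the real API performs; in a real 32-bit Windows process the equivalent of the first two instructions is reading the PEB pointer from FS:[0x30] (MSVC's `__readfsdword(0x30)` intrinsic), and the byte you patch in the debugger is the one at offset 2 from that pointer.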


AutoIT executables can be decompiled back to the original AutoIT script with the Exe2Aut tool: http://domoticx.com/autoit3-decompiler-exe2aut/ . Note that Exe2Aut runs the target executable in order to extract the script, so only use it on suspicious samples inside an isolated VM.

