Reversing AutoIT Applications

When we try to open a compiled AutoIT application in a debugger we get this error message.

The error is shown with a MessageBoxA call, so let's break on MessageBoxA and find its return address on the stack to get back into the code that decided to show it.

Following that return address we can clearly see that compiled AutoIT applications by default use the IsDebuggerPresent API as a simple anti-debugging trick.

If you look at the IsDebuggerPresent API in kernel32 it is just three loads and a return:

MOV EAX,DWORD PTR FS:[18]        ; TEB.Self: linear address of the current thread's TEB
MOV EAX,DWORD PTR DS:[EAX+30]    ; TEB.ProcessEnvironmentBlock: pointer to the PEB
MOVZX EAX,BYTE PTR DS:[EAX+2]    ; PEB.BeingDebugged, returned in EAX
RETN

On x86 the FS segment register is based at the TEB (Thread Environment Block), and the DWORD at FS:[0x18] is TEB.Self, the linear address of the TEB itself. You can check these links for the TEB structure: https://en.wikipedia.org/wiki/Win32_Thread_Information_Block, http://www.nirsoft.net/kernel_struct/vista/TEB.html .
In the TEB structure offset 0x30 holds the pointer to the PEB (Process Environment Block). In the PEB structure the byte at offset 0x2 is the BeingDebugged flag, which Windows sets when the process is started under, or attached to by, a debugger. Note that it is a whole byte, not a single bit.

typedef struct _PEB {
  BYTE                          Reserved1[2];
  BYTE                          BeingDebugged;
  BYTE                          Reserved2[1];
  PVOID                         Reserved3[2];
  PPEB_LDR_DATA                 Ldr;
  PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  BYTE                          Reserved4[104];
  PVOID                         Reserved5[52];
  PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
  BYTE                          Reserved6[128];
  PVOID                         Reserved7[1];
  ULONG                         SessionId;
} PEB, *PPEB;

https://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx

To bypass this trick you could of course patch the application, but patching the PEB structure is the better choice. In this case only one check is performed, but where multiple checks are performed (or where the code reads the PEB directly instead of calling the API) patching the structure once defeats all of them. Don't forget there are lots of Olly plugins to bypass this simple trick 🙂
You can either place a breakpoint on the MOV EAX,DWORD PTR DS:[EAX+30] instruction inside the API, step over it so that EAX holds the PEB address, follow EAX in the dump and patch the byte at offset 0x2 there; or use the fact that as soon as you load the application in OllyDbg (paused at the entry point) the EBX register points to the PEB structure.

After that you simply change that byte to 0. Filling the whole dword with 0s works too, but it also clears the two bytes before BeingDebugged (InheritedAddressSpace and ReadImageFileExecOptions) and the BitField byte after it, so patching only the single byte at PEB+0x2 is the cleaner option 🙂

After that you can start debugging normally and run the app.
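As an added worked example (not code from the original post), here are the pointer walk from the IsDebuggerPresent disassembly above and the two PEB patches just described, written in C against a minimal model of the TEB and PEB prefixes. The field names are the ones ntdll uses for those offsets; the struct names `teb_head`/`peb_head`, the helper `run_patch_demo` and the constructed TEB/PEB pair are this example's own assumptions. On Windows it walks the real TEB of the running process and compares the result with IsDebuggerPresent(); elsewhere it runs against the constructed pair.

```c
/* Added example, not from the original post: IsDebuggerPresent's pointer walk
 * and the byte vs. dword PEB patch, against a minimal TEB/PEB model.  Only
 * the prefix of each structure that the walk touches is modelled. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

struct nt_tib {                  /* NT_TIB, first member of the TEB */
    void *ExceptionList;
    void *StackBase;
    void *StackLimit;
    void *SubSystemTib;
    void *FiberData;
    void *ArbitraryUserPointer;
    void *Self;                  /* address of this TEB: FS:[0x18] on x86, GS:[0x30] on x64 */
};

struct peb_head {                /* first dword of the PEB */
    uint8_t InheritedAddressSpace;    /* PEB+0x00 ("Reserved1[0]" in the MSDN layout) */
    uint8_t ReadImageFileExecOptions; /* PEB+0x01 ("Reserved1[1]") */
    uint8_t BeingDebugged;            /* PEB+0x02, the byte IsDebuggerPresent returns */
    uint8_t BitField;                 /* PEB+0x03 ("Reserved2[0]") */
};

struct teb_head {                /* TEB up to and including ProcessEnvironmentBlock */
    struct nt_tib tib;
    void *EnvironmentPointer;
    void *ClientId[2];           /* CLIENT_ID: UniqueProcess, UniqueThread */
    void *ActiveRpcHandle;
    void *ThreadLocalStoragePointer;
    struct peb_head *ProcessEnvironmentBlock; /* TEB+0x30 on x86, TEB+0x60 on x64 */
};

/* 1 when the model reproduces the offsets the disassembly relies on for the
 * current pointer size: 0x18/0x30/0x02 on x86, 0x30/0x60/0x02 on x64. */
int layout_matches_documented_offsets(void)
{
    size_t p = sizeof(void *);
    return offsetof(struct nt_tib, Self) == 6 * p
        && offsetof(struct teb_head, ProcessEnvironmentBlock) == 12 * p
        && offsetof(struct peb_head, BeingDebugged) == 2;
}

/* The three instructions of IsDebuggerPresent, in C. */
int is_debugger_present_walk(const struct teb_head *teb)
{
    const struct teb_head *self = (const struct teb_head *)teb->tib.Self; /* MOV EAX,FS:[18]   */
    const struct peb_head *peb = self->ProcessEnvironmentBlock;           /* MOV EAX,[EAX+30]  */
    return peb->BeingDebugged;                                            /* MOVZX EAX,BYTE [EAX+2] */
}

/* Patch 1 (recommended): clear only the BeingDebugged byte. */
void patch_being_debugged_byte(struct peb_head *peb)
{
    peb->BeingDebugged = 0;
}

/* Patch 2 ("fill the whole dword with 0s"): works, but clobbers the neighbours. */
void patch_being_debugged_dword(struct peb_head *peb)
{
    memset(peb, 0, sizeof *peb);
}

/* Constructed stand-in for a debugged process (not real process memory):
 * Self points back at the TEB, BeingDebugged is set, and the neighbouring
 * bytes are non-zero so the effect of the dword patch is visible. */
void build_fake_debugged_process(struct teb_head *teb, struct peb_head *peb)
{
    memset(teb, 0, sizeof *teb);
    memset(peb, 0, sizeof *peb);
    teb->tib.Self = teb;
    teb->ProcessEnvironmentBlock = peb;
    peb->ReadImageFileExecOptions = 1;
    peb->BitField = 0x08;
    peb->BeingDebugged = 1;
}

struct patch_result {
    int before;             /* walk result before the patch (1 = debugger present) */
    int after;              /* walk result after the patch */
    int neighbours_intact;  /* 1 if the bytes around BeingDebugged survived */
};

/* Runs one patch strategy (0 = byte, 1 = dword) on the constructed pair. */
struct patch_result run_patch_demo(int use_dword)
{
    struct teb_head teb;
    struct peb_head peb;
    struct patch_result r;

    build_fake_debugged_process(&teb, &peb);
    r.before = is_debugger_present_walk(&teb);
    if (use_dword)
        patch_being_debugged_dword(&peb);
    else
        patch_being_debugged_byte(&peb);
    r.after = is_debugger_present_walk(&teb);
    r.neighbours_intact = (peb.ReadImageFileExecOptions == 1 && peb.BitField == 0x08);
    return r;
}

int main(void)
{
#ifdef _WIN32
    /* Walk this process's real TEB.  Under a debugger both values print 1;
     * after the byte patch IsDebuggerPresent() itself returns 0 because it
     * reads the very same byte. */
    struct teb_head *teb = (struct teb_head *)NtCurrentTeb();
    printf("before: walk=%d IsDebuggerPresent=%d\n",
           is_debugger_present_walk(teb), (int)IsDebuggerPresent());
    patch_being_debugged_byte(teb->ProcessEnvironmentBlock);
    printf("after:  walk=%d IsDebuggerPresent=%d\n",
           is_debugger_present_walk(teb), (int)IsDebuggerPresent());
#else
    struct patch_result b = run_patch_demo(0), d = run_patch_demo(1);
    printf("layout ok: %d\n", layout_matches_documented_offsets());
    printf("byte patch:  before=%d after=%d neighbours intact=%d\n",
           b.before, b.after, b.neighbours_intact);
    printf("dword patch: before=%d after=%d neighbours intact=%d\n",
           d.before, d.after, d.neighbours_intact);
#endif
    return 0;
}
```

Build it with any C compiler; on Windows, run the binary under OllyDbg (or any debugger) to watch IsDebuggerPresent() flip from 1 to 0 after the byte patch, which is exactly what patching the PEB in the dump window achieves. The dword variant also zeroes InheritedAddressSpace, ReadImageFileExecOptions and BitField, which is why the demo reports whether the neighbouring bytes survived.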

Once the anti-debugging check is out of the way, AutoIT executables can also be decompiled back to a normal AutoIT script using the Exe2Aut tool: http://domoticx.com/autoit3-decompiler-exe2aut/
