Imagine this scenario: you're researching a malware sample whose execution starts by unpacking an archive (usually a RAR or ZIP file) that arrived with a suspicious email and launching an AutoIT script stored inside it. You start analyzing this script and get stuck: its size is more than 150MB! What do you do?
Clearly, you need to de-obfuscate the script. We'll show you how to do it in less than 2 minutes.
The decompiler can process executables that have an AutoIT script embedded inside them, but it can't do anything with a standalone script file.
So, before the decompiler can be applied, the standalone AutoIT script has to be compiled into an executable with the script embedded. To do so, let us use the Aut2Exe converter:
After the conversion is complete, there is a fully working executable which is approximately 155 times smaller than the original obfuscated one:
Instead of writing your own scripts to de-obfuscate the file by hand, let the converter do the entire job: it drops the junk and produces clean byte-code in the output.
The next step is to put the executable inside the decompiler and get the clear-text script:
The script file without all the junk is approximately 2800 times smaller than its obfuscated counterpart:
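The two-step workflow above (compile the standalone script with Aut2Exe, then hand the resulting executable to the decompiler) is easy to script for a whole batch of samples. The following Python helper is an added example and is not part of the original article or of AutoIT itself. It assumes that `Aut2exe.exe` accepts `/in` and `/out` command-line switches (the switches documented in the AutoIT help), that the path to the converter is supplied by the analyst, and that a compiled AutoIT3 executable carries the `AU3!EA06` marker string in its embedded script resource (the marker commonly matched by YARA rules for compiled AutoIT binaries). The size-ratio and marker checks are pure functions so they can be tested without the converter installed.

```python
"""Batch helper for the compile-then-decompile AutoIT de-obfuscation workflow.

Added example (not from the original article). Assumptions:
  * Aut2exe.exe accepts "/in <script.au3> /out <output.exe>" on the command line.
  * A compiled AutoIT3 executable contains the byte string b"AU3!EA06" in its
    embedded script resource; its presence is used here as a cheap check that
    the converter produced something the decompiler can work on.
"""
import subprocess
from pathlib import Path

# Marker found inside the script resource of compiled AutoIT3 executables (assumption, see above).
AU3_MARKER = b"AU3!EA06"


def has_embedded_au3(data: bytes) -> bool:
    """Return True if the byte blob looks like it carries an embedded AutoIT3 script."""
    return AU3_MARKER in data


def size_ratio(original_size: int, reduced_size: int) -> float:
    """How many times smaller the reduced artefact is compared with the original."""
    if reduced_size <= 0:
        raise ValueError("reduced_size must be a positive byte count")
    return original_size / reduced_size


def compile_au3(aut2exe: Path, script: Path, out_exe: Path) -> Path:
    """Run Aut2Exe on a standalone .au3 file so the script becomes embedded in an executable.

    Raises RuntimeError if the converter exits non-zero, produces no file, or the
    produced file does not carry the AU3 marker (i.e. the decompiler would reject it).
    """
    cmd = [str(aut2exe), "/in", str(script), "/out", str(out_exe)]  # assumed CLI switches
    subprocess.run(cmd, check=True)
    if not out_exe.is_file():
        raise RuntimeError(f"Aut2Exe did not produce {out_exe}")
    if not has_embedded_au3(out_exe.read_bytes()):
        raise RuntimeError(f"{out_exe} has no embedded AutoIT script resource")
    return out_exe


def triage_report(script_size: int, exe_size: int, decompiled_size: int) -> dict:
    """Summarise the shrinkage seen at each step, mirroring the numbers quoted in the write-up."""
    return {
        "exe_times_smaller_than_script": round(size_ratio(script_size, exe_size), 1),
        "clean_script_times_smaller_than_original": round(size_ratio(script_size, decompiled_size), 1),
    }


if __name__ == "__main__":
    # Constructed sample values (not measured on a real sample) to show the report shape.
    print(triage_report(script_size=155_000_000, exe_size=1_000_000, decompiled_size=55_000))
    # Real use (Windows host with AutoIT installed; paths are placeholders):
    # compile_au3(Path(r"C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe"),
    #             Path("obfuscated.au3"), Path("obfuscated_embedded.exe"))
```

The marker check is deliberately simple: it only confirms the converter embedded a script resource, so the executable is a valid input for the decompiler. Packed or modified binaries may hide the marker, which is why the check is applied to the converter's fresh output rather than to the original sample.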