EXE2AHK

garry
Posts: 1722
Joined: 22 Dec 2013, 12:50

EXE2AHK

12 Nov 2018, 10:07

modified = 20181203 - automatically removes a few characters after LastLine / added description
----------------------------------------------------------------------------
How to use = Drag&Drop an xy.exe ( compiled ahk binary ) to convert it to " a_now_xy.ahk " ( readable text )
- see https://autohotkey.com/boards/viewtopic.php?f=9&t=29172 ---
- from users : nnnik / just me / Gucky_87 ... etc
----------------------------------------------------------------------------
see also / to better protect your ahk-script :
AHK source code Encryptor By FeiYue
https://autohotkey.com/boards/viewtopic ... 28&t=42494
start FeiYue's script , drag&drop your xy.ahk, get xy-encoded.ahk


----------------------------------------------------------------------------
( tried this , maybe it can be done better )
( in a compiled ahk script the comments are removed )

/*
modified = 20181203  - automatically remove some few characters after LastLine
created  = 20181112
Name     = exe2ahk_convert   
----------------------------------------------------------------------------
How to use   = Drag&Drop an xy.exe ( compiled ahk ) convert to  " a_now_xy.ahk "
- see  https://autohotkey.com/boards/viewtopic.php?f=9&t=29172 ---
- from user's : nnnik / just me /  Gucky_87 ...
----------------------------------------------------------------------------
NOTES=
  - comments are lost
  - the compiled ahk-xy.exe is not UTF-8 (?)
----------------------------------------------------------------------------
*/
;---------------------------------------------------------------------------
#Warn
#NoEnv
SendMode,Input
SetWorkingDir, %A_ScriptDir%
SetTitleMatchMode,2
SetBatchLines, -1
FileEncoding, UTF-8
editorx1 =%a_programfiles%\Notepad++\notepad++.exe
filename1=Drag&Drop XY.EXE-file (ahk) to convert a_now_xy.ahk ( remove manually at LastLine the last few characters )
extensions:="exe" ;- < extensions

;---------------
Gui,2:default
GUI,2:+AlwaysOnTop
Gui,2: -DPIScale
SS_REALSIZECONTROL := 0x40
Gui,2:Font,s14 ,Lucida console
Gui,2:Color,Black
Gui,2:Color, ControlColor, Black
Gui,2:Add,Edit, x5 y10 w1280 h200 cGray vFilepath,
GUI,2:show , x20 y200 w1300 h290 ,%filename1%
return
2Guiclose:
exitapp
;=========================================
2GuiDropFiles:
GuiControl,2:,filepath
Loop, parse, A_GuiEvent, `n
{
SplitPath,a_loopfield, name, dir, ext, name_no_ext, drive
if ext in %extensions%
  {
  GuiControl,2:,Filepath,%A_LoopField%
  gosub,run1
  }
}
return
;-----------------------------------  
run1:
Gui,2:submit,nohide
SplitPath,filepath, name, dir, ext, name_no_ext, drive
newfile := a_scriptdir . "\" . a_now . "_" . name_no_ext . ".ahk"
  
cStr :="<COMPILER"
strencoding=
fileObj2 := scanFileForString( filePath, cStr, strEncoding )
if isObject( fileObj2 )
  {
  aah:=fileObj2.Read()
  loop,parse,aah,`n,`r
    {
    c:= a_loopfield
    if c=
      continue
    StringGetPos,P1,c,`> 
    break
    }
  p1:=(p1+1)
  stringtrimleft,c2,aah,P1        ;- some binary characters left 
  ;----------------------------  
  fx=%a_scriptdir%\test58.txt
  ifexist,%fx%
    filedelete,%fx%
  fileappend,%c2%,%fx%,UTF-8
  ;OEMCP := DllCall("GetOEMCP", "UInt")
  ;FileRead,aaz, *P%OEMCP% %fx%
  FileRead,aaz,  *P65001 %fx%       ;-read as UTF-8 ( but compiled script isn't (?) )
  FileRead,aaz,%fx%
  filedelete,%fx%
  ;------------------------
  StringGetPos, P2, aaz, `n, R1     ;- get position from LastLine
  StringTrimLeft,LastLine, aaz,%p2%
  newlastline:=""
  loop,parse,lastline               ;- remove the last characters from LastLine which usually begins with 'P'
    {
	x:=a_loopfield
	if (x="P")
	    break
	NewLastLine .= x
	}
  StringLeft,aaz,aaz,P2             ;- remove LastLine and replace with 'newlastline'
  fileappend,%aaz%%NewLastLine%`r`n;================= END SCRIPT ===================`r`n,%newfile%,UTF-8
  ;------------------------
  ifexist,%editorx1%
  run,%editorx1% "%newfile%"
  else
  run,notepad "%newfile%"
  aah=
  aaz=
  return  
  }
return  
;-----------------------------------  
scanFileForString( filePath, searchString, stringEncoding = "UTF-8" )
{
	VarSetCapacity( pBin, StrPut( searchString, stringEncoding ) * ( ( stringEncoding = "UTF-16" || stringEncoding = "cp1200" ) ? 2 : 1 ), 0 )
	searchBinaryLength := StrPut( searchString, &pBin, strLen( searchString ), stringEncoding ) * ( ( stringEncoding = "UTF-16" || stringEncoding = "cp1200" ) ? 2 : 1 )
	return scanFileForBinary( filePath, pBin, searchBinaryLength, stringEncoding )
}
scanFileForBinary( filePath, byref searchBinary, searchBinarylength, fileEncoding = "UTF-8" )
{
	if !FileExist( filePath )
		return
	Offset := 0
	fileObj := fileOpen( filePath, "r" )
	Loop
	{
		if ( fileObj.ReadUChar() = numGet( searchBinary, Offset, "UChar" ) )
		{
			Offset++
			if ( Offset = searchBinarylength )
			{
				fileObj.pos -= Offset
				return fileObj
			}
		} else if ( offset )
			fileObj.pos -= Offset, Offset := 0    ; partial match failed: rewind to the byte right after where it started, so no candidate start is skipped
	}Until fileObj.AtEOF
}
return
;=================== END script exe2ahk ==========================================
AHK source code Encryptor By FeiYue
https://autohotkey.com/boards/viewtopic ... 28&t=42494
When you compile FeiYue's xy-encoded.ahk to xy-encoded.exe and then use exe2ahk, you get xy-encoded.ahk again, but you don't see the understandable source.
In short, FeiYue's script seems protected; you can't change it.
Example: start this script (xy.ahk) and click the button to open the link to FeiYue's script
start FeiYue's script , drag&drop your xy.ahk, get xy-encoded.ahk

#NoEnv
#NoTrayIcon
#SingleInstance force
s=
s.="u4105957551u1664783769u302272433u3617706743u2723639953u42613"
s.="82992u236786073u11533420u2257073979u3688155385u2515987797u33"
s.="20702031u3200729149u3033717368u673603469u2160101244u18611295"
s.="43u3086375289u3381628729u800863623u1193713769u3556266240u157"
s.="1479361u3074389548u2178282451u2299034137u2474702685u39635559"
s.="99u3951100437u2570528232u2463202485u2941174652u2872522463u18"
s.="33421529u1459084225u776461975u2705591617u1203191856u35549119"
s.="77u29985388u2531261803u2646340537u2022654309u609936751u24898"
s.="45485u2634088664u4032058589u3462492924u1903244407u429737657u"
s.="3943192393u2578624551u2549548313u1180245984u2922638225u14180"
s.="75948u2188170499u1220665305u2910794605u1738894015u1940085701"
s.="u2099056712u1678595589u2154929404u4202758159u2149057049u3333"
s.="533137u3964547639u3460124913u660157456u3824568121u118734188u"
s.="73880731u1472565113u435784565u1996641679u2529076637u10109681"
s.="20u3300970541u1748587900u3044938663u1660411129u2023411289u28"
s.="58892999u4004158921u1892110272u2133149665u1707396396u2725935"
s.="667u1861517209u1527072381u1437480927u1871525237u669500584u35"
s.="19734869u1278630012u2974846783u243236441u4138586081u21452379"
s.="75u1833555105u3573551088u2886324361u963021676u431221195u1847"
s.="644217u638985861u2123617455u2802340685u3367904920u961407101u"
s.="397824252u1297296599u2304636217u3853237353u1966964839u215541"
s.="3881u2179421344u1944896305u931738924u4163100771u3631255129u2"
s.="384232077u4280663295u1227800357u3702071048u1801681573u895285"
s.="500u4126249327u2392301977u1304000241u3277254007u3419416401u3"
s.="181196240u717548249u205884268u3380255995u897650681u145261915"
s.="7u1018587855u3588557053u4080320504u2571923149u2804650108u273"
s.="9669511u602795641u284171897u424888327u2197402665u1438118528u"
s.="1005030017u126436396u833472659u2786130201u3030109853u5755384"
s.="63u1591145941u2173583464u27268085u135011964u785524895u346904"
s.="3417u2599389953u2320606231u1368897793u1912214448u1622915369u"
s.="3654995308u277967147u1613048761u2063026085u1611091695u326028"
s.="2541u3892117848u3346912541u3067453692u2095482935u2995774137u"
s.="3798749321u2726048423u3810674905u3700300896u1315202513u38191"
s.="49356u3598522563u1622505945u2485922989u3856807743u1043573381"
s.="u937049032u884678725u1624649980u3833523919u78859033u42067563"
s.="69u4137689783u1841766833u1001990288u4067714425u939024748u196"
s.="1601627u349242489u3431772085u3172894991u3920852573u318816914"
s.="4u68426605u299441276u3653270375u1173548025u1953823641u893811"
s.="271u3326745737u3004719680u1000256545u1121883180u387462899u33"
s.="09848729u3628558269u4111763551u3428131125u1961434152u1482553"
s.="749u2142394748u2325991167u2773783385u2598499361u340411991u11"
s.="22363489u961780592u2590284745u3961054828u346010507u341958072"
s.="9u3799421125u3716892719"
Ahk=
Exec(s, Ahk)
ExitApp
Exec(str, Ahk="", arg="") {
  static WriteFile, f1, f2, f3, f4, f5
  s:=RegExReplace(str,"\s"), StrReplace(s,"u","",size)
  VarSetCapacity(str,(size+1)*4,0), s:=Trim(s,"u")
  Loop, Parse, s, u
    NumPut(A_LoopField,str,(A_Index-1)*4,"uint")
  ;-----------------------------
  Ptr:=A_PtrSize ? "UPtr":"UInt"
  Ahk:=Ahk ? Ahk : A_IsCompiled  ? A_ScriptDir "\AutoHotkey.exe" : A_AhkPath
  IfNotExist, %Ahk%
  {
    MsgBox, 4096, Error!, `n`nCan't Find: %Ahk% !`n`n
    return, 0
  }
  name:="\\.\pipe\AHK" . A_TickCount
  Loop, 2
    if (p%A_Index% := DllCall("CreateNamedPipe","str",name,"uint",2
    ,"uint",0,"uint",255,"uint",0,"uint",0,Ptr,0,Ptr,0))=-1
      return, 0
  EnvSet, AhkPath, %A_ScriptFullPath%
  Run, %Ahk% "%name%" %arg%
  DllCall("ConnectNamedPipe",Ptr,p1,Ptr,0)
  DllCall("CloseHandle",Ptr,p1)
  DllCall("ConnectNamedPipe",Ptr,p2,Ptr,0)
  if !WriteFile
  {
    x32:="5589E583EC58C744240800000000C744240400100000C70"
    . "424000000008B450CFFD08945F08B452483C001C1E00289442"
    . "408C7442404000000008B45F08904248B4510FFD08945ECC74"
    . "5D407000000C745D80D000000C745DC11000000C745E013000"
    . "000C745F400000000EB268B45F483E0038945E88B45E88B448"
    . "5D469D0830000008B45F401C28B45E8895485D48345F401837"
    . "DF46376D4C745F400000000EB5A8B45F483E0038945E88B45E"
    . "88B4485D469D0830000008B45F401C28B45E8895485D48B45F"
    . "48D1485000000008B452001D08B108B45E88B4485D431D0894"
    . "5E48B45F48D1485000000008B45EC01D08B55E4C1CA0889108"
    . "345F4018B45F43B4524729E8B45F48D1485000000008B45EC0"
    . "1D0C700000000008B452483C0018D148500000000C74424100"
    . "00000008B45288944240C895424088B45EC894424048B451C8"
    . "904248B4508FFD08B45EC89442408C7442404000000008B45F"
    . "08904248B4514FFD08B45F08904248B4518FFD0B800000000C"
    . "9C22400909090"
    x64:="554889E54883EC6048894D10488955184C8945204C894D2"
    . "8488B451841B800000000BA00100000B900000000FFD048894"
    . "5F08B454883C0018D148500000000488B4DF0488B45204189D"
    . "0BA00000000FFD0488945E8C745D007000000C745D40D00000"
    . "0C745D811000000C745DC13000000C745FC00000000EB268B4"
    . "5FC83E0038945E48B45E48B4485D069D0830000008B45FC01C"
    . "28B45E4895485D08345FC01837DFC6376D4C745FC00000000E"
    . "B608B45FC83E0038945E48B45E48B4485D069D0830000008B4"
    . "5FC01C28B45E4895485D08B45FC488D148500000000488B454"
    . "04801D08B108B45E48B4485D031D08945E08B45FC488D14850"
    . "0000000488B45E84801D08B55E0C1CA0889108345FC018B45F"
    . "C3B454872988B45FC488D148500000000488B45E84801D0C70"
    . "0000000008B454883C001448D1485000000004C8B4550488B5"
    . "5E8488B4D3848C744242000000000488B45104D89C14589D0F"
    . "FD0488B55E8488B4DF0488B45284989D0BA00000000FFD0488"
    . "B55F0488B45304889D1FFD0B8000000004883C4605DC39090"
    hex:=A_PtrSize=8 ? x64:x32
    VarSetCapacity(WriteFile, len:=StrLen(hex)//2)
    Loop, % len
      NumPut("0x" SubStr(hex,2*A_Index-1,2),WriteFile,A_Index-1,"char")
    DllCall("VirtualProtect",Ptr,&WriteFile,Ptr,len,"uint",0x40,Ptr "*",0)
    kernel32:=DllCall("GetModuleHandle", "Str","kernel32", Ptr)
    f=WriteFile,HeapCreate,HeapAlloc,HeapFree,HeapDestroy
    For i,v in StrSplit(f, ",")
      f%i%:=DllCall("GetProcAddress", Ptr,kernel32, "AStr",v, Ptr)
  }
  DllCall(&WriteFile, Ptr,f1, Ptr,f2, Ptr,f3, Ptr,f4, Ptr,f5
  , Ptr,p2, Ptr,&str, "uint",size, "uint*",0)
  DllCall("CloseHandle",Ptr,p2)
  return, 1
}

Last edited by garry on 06 Dec 2018, 02:17, edited 5 times in total.
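
A static triage pass for a script recovered this way, flagging the loader traits visible in the encoded example above (machine-code hex strings, a VirtualProtect call with 0x40 = PAGE_EXECUTE_READWRITE, DllCall into a variable's address, a named pipe handed to AutoHotkey). This is an added example, not code from the thread or from FeiYue's Encryptor; the rule names, the 40-character hex threshold and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample lines modelled on the loader pattern shown in the post;
# the payload and hex values are made up.
SAMPLE_LOADER = r'''
s.="u1111111111u2222222222u3333333333u4444"
name:="\\.\pipe\AHK" . A_TickCount
p1 := DllCall("CreateNamedPipe","str",name,"uint",2)
x32:="909090909090909090909090909090909090909090909090"
DllCall("VirtualProtect",Ptr,&WriteFile,Ptr,len,"uint",0x40,Ptr "*",0)
DllCall(&WriteFile, Ptr,f1, Ptr,f2)
'''

# Hypothetical rule set: one regex per trait, matched line by line.
RULES = {
    # script is fed to the interpreter through a pipe instead of a file
    "named_pipe_path": re.compile(r'\\\\\.\\pipe\\', re.I),
    "create_named_pipe": re.compile(r'DllCall\(\s*"CreateNamedPipe"', re.I),
    # 0x40 is PAGE_EXECUTE_READWRITE: a data buffer is made executable
    "rwx_virtualprotect": re.compile(r'DllCall\(\s*"VirtualProtect".*0x40\b', re.I),
    # DllCall(&var, ...) jumps into bytes stored in a script variable
    "call_into_variable": re.compile(r'DllCall\(\s*&\w+', re.I),
    # long pure-hex string literal, typical of embedded machine code
    "hex_blob": re.compile(r'"[0-9A-Fa-f]{40,}"'),
    # "u"-delimited decimal words, the payload encoding used in the example
    "numeric_payload": re.compile(r'"(?:u?\d+u){3,}\d*"'),
}


def triage(script):
    """Map each rule name to the 1-based line numbers where it matched."""
    hits = {}
    for lineno, line in enumerate(script.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def looks_like_mcode_loader(script):
    """True when a hex blob appears together with a way to execute it."""
    hits = triage(script)
    executes = "rwx_virtualprotect" in hits or "call_into_variable" in hits
    return "hex_blob" in hits and executes


if __name__ == "__main__":
    for rule, lines in sorted(triage(SAMPLE_LOADER).items()):
        print(f"{rule}: lines {lines}")
    print("mcode loader:", looks_like_mcode_loader(SAMPLE_LOADER))
```
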
joedf
Posts: 6875
Joined: 29 Sep 2013, 17:08
Facebook: J0EDF
Google: +joedf
GitHub: joedf
Location: Canada, Quebec
Contact:

Re: EXE2AHK

13 Nov 2018, 02:42

Interesting simpler version. :+1:
There’s also the powerful payload method that you probably know about already... but here it is for reference:
https://www.autohotkey.com/joe_df/autoh ... ompiler.7z

Forum topic (original): https://autohotkey.com/board/topic/8298 ... hod/page-1

But I don’t have the payload source code...
Windows 10 x64 Professional, Intel i5-8500 @ 3.00 GHz, 16GB DDR4 3200 MHz, NVIDIA GTX 1060 6GB | [About Me] | [ASPDM - StdLib Distribution]
[Populate the AHK MiniCity!] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library] | [About the AHK Foundation]
garry
Posts: 1722
Joined: 22 Dec 2013, 12:50

Re: EXE2AHK

13 Nov 2018, 03:34

@joedf, thank you
I see the files 'payload.dll' and 'payload64.dll'.
After converting, the folder 'ExtractionTemp' is empty.
Message after trying to convert the file Info_.exe:
<Recover Source for C:\Users\GARRY\Desktop\Info_.exe>
<Starting file analysis...>
<Readed 1098240 bytes from file.>
<Seems to be a valid PE File.>
<Searching for 3E 00 41 00 48 00 4B 00 20 00 57 00 49 00 54 00 48 00 20 00 49 00 43 00 4F 00 4E 00 3C 00 in 1098240bytes.>
<Found Resource-Name @923280>
<Patching Resource-Name...>
<PatchBinary: Written 30 bytes.>
<Patched successfull>
<Injecting payload...>
<Target Application is 64bit.>
<TimeoutException: File was not present whithin the expected time.>
<Missing: D:\M_DOWNLOADS\AHK_decompiler\ExtractionTemp\patched-uncompiled.ahk>
<Script could not be extracted.>
joedf
Posts: 6875
Joined: 29 Sep 2013, 17:08
Facebook: J0EDF
Google: +joedf
GitHub: joedf
Location: Canada, Quebec
Contact:

Re: EXE2AHK

13 Nov 2018, 11:41

Hmmm, weird... It has rarely failed me ... :think:
balintx
Posts: 2
Joined: 11 Nov 2018, 11:01

Re: EXE2AHK

24 Nov 2018, 06:23

Same in VBScript:

' Check the arguments passed

If WScript.Arguments.Length <> 1 Then
    MsgBox "Usage: " & WScript.ScriptName & " <ahk_file.exe>"
	WScript.Quit
End If

myFile = readBinary(WScript.Arguments(0))
start = InStr(myFile, "<COMPILER")

If Start = 0 Then
	MsgBox WScript.Arguments(0) & " does not look like an AHK compiled program"
	WScript.Quit
End If

entry_point = InStr(start, myFile, ">") + 1

If entry_point = 1 Then
	MsgBox WScript.Arguments(0) & " does not look like an AHK compiled program"
	WScript.Quit
End If

null_byte = InStr(entry_point, myFile, Chr(0))

If null_byte = 0 Then
	MsgBox WScript.Arguments(0) & " null byte not found, output is possibly garbage"
	null_byte = Len(myFile)
End If

' MsgBox "The binary " & WScript.Arguments(0) & " is " & Len(myFile) & " bytes long. Entry point at byte " & entry_point & " and exit point at byte " & null_byte

script = Mid(myFile, entry_point, null_byte - entry_point)

outFile = WScript.Arguments(0) & ".extracted.ahk"
writeText outFile, script

MsgBox "Written " & null_byte - entry_point & " bytes to " & outFile

Function readBinary(strPath)

	On Error Resume Next
	
    Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject")
    Dim oFile: Set oFile = oFSO.GetFile(strPath)

    With oFile.OpenAsTextStream()
        readBinary = .Read(oFile.Size)
        .Close
    End With

End Function

Function writeText(strPath, strText)

    Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject")
	Dim oFile: Set oFile = oFSO.CreateTextFile(strPath, True)
	
	oFile.Write strText
	oFile.Close

End Function
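
The same marker-based extraction, written for analysts who want to pull the embedded script out of a compiled AutoHotkey sample without executing it. This is an added example, not code from the thread; the function name, the UTF-8-then-cp1252 decoding fallback and the sample bytes are assumptions constructed for illustration.

```python
import sys

MARKER = b"<COMPILER"

# Constructed sample: fake header bytes, the marker line, a two-line script,
# a NUL terminator, then trailing bytes that must not end up in the output.
SAMPLE = (b"MZ\x90\x00" + b"\xff" * 16
          + b"; <COMPILER: v0.0.0.0>\r\n#NoEnv\r\nMsgBox, hi\r\n"
          + b"\x00PADDINGXX")


def extract_ahk_script(data):
    """Return the script text after the <COMPILER...> marker, or None."""
    start = data.find(MARKER)
    if start == -1:
        return None                      # no marker: not a plain compiled script
    close = data.find(b">", start)
    if close == -1:
        return None                      # marker is truncated
    begin = close + 1
    end = data.find(b"\x00", begin)
    if end == -1:
        end = len(data)                  # no terminator: tail may be garbage
    raw = data[begin:end]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Assumption: fall back to a single-byte code page rather than fail
        text = raw.decode("cp1252", errors="replace")
    return text.lstrip("\r\n")


if __name__ == "__main__":
    # With a path argument, read that file; otherwise use the constructed sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    script = extract_ahk_script(blob)
    print(script if script is not None else "no <COMPILER marker found")
```
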
garry
Posts: 1722
Joined: 22 Dec 2013, 12:50

Re: EXE2AHK

03 Dec 2018, 09:43

@balintx, thank you for the VBS example ( never tried it yet )
I made a small modification above to remove the last few characters after LastLine
and added an example for the AHK source code Encryptor from user 'FeiYue'
https://autohotkey.com/boards/viewtopic ... 28&t=42494
SOTE
Posts: 472
Joined: 15 Jun 2015, 06:21

Re: EXE2AHK

03 Dec 2018, 13:57

garry wrote:
03 Dec 2018, 09:43
@balintx, thank you for the VBS example ( never tried it yet )
I made a small modification above to remove the last few characters after LastLine
and added an example for the AHK source code Encryptor from user 'FeiYue'
https://autohotkey.com/boards/viewtopic ... 28&t=42494
This is a good example of using FeiYue's Encryptor, but it's a bit confusing as to the goal.

For example, the title is EXE2AHK. So with your original script it's understood as a decompiler of AutoHotkey.

You then created an impressive uncommented encoded script example, using Encryptor, that goes to the FeiYue link. However, you are not decrypting or decoding the contents of that script, though you can decompile if it's a normally compiled .exe.

It would probably be best if you explained the purpose of your example script or why you linked to FeiYue's Encryptor, so that people can more clearly understand how the 2 different scripts are related.
garry
Posts: 1722
Joined: 22 Dec 2013, 12:50

Re: EXE2AHK

03 Dec 2018, 17:42

When you compile FeiYue's xy-encoded.ahk to xy-encoded.exe and then use exe2ahk, you get xy-encoded.ahk again, but you don't see the understandable source.
In short, FeiYue's script seems protected; you can't change it.
elmo
Posts: 92
Joined: 09 Oct 2013, 09:08

Re: EXE2AHK

03 Dec 2018, 18:42

garry,

Sounds like you have a good grasp on this. May we trouble you to outline the steps to use the software? Thanks.
Last edited by elmo on 03 Dec 2018, 22:41, edited 1 time in total.
SOTE
Posts: 472
Joined: 15 Jun 2015, 06:21

Re: EXE2AHK

03 Dec 2018, 21:43

Garry, you explained and demonstrated your point. Thanks. And it's probably good that people understand what EXE2AHK can or can't do.
Last edited by SOTE on 04 Dec 2018, 15:21, edited 1 time in total.
joedf
Posts: 6875
Joined: 29 Sep 2013, 17:08
Facebook: J0EDF
Google: +joedf
GitHub: joedf
Location: Canada, Quebec
Contact:

Re: EXE2AHK

04 Dec 2018, 10:15

interesting... I would like to see what the encryption method is, or do we have to reverse engineer it from the MCode...?
SOTE
Posts: 472
Joined: 15 Jun 2015, 06:21

Re: EXE2AHK

05 Dec 2018, 23:33

joedf wrote:
04 Dec 2018, 10:15
interesting... I would like to see what the encryption method is, or do we have to reverse engineer it from the MCode...?
Joedf, refer to Feiyue's post, as he's the creator. https://autohotkey.com/boards/viewtopic.php?t=42494
joedf
Posts: 6875
Joined: 29 Sep 2013, 17:08
Facebook: J0EDF
Google: +joedf
GitHub: joedf
Location: Canada, Quebec
Contact:

Re: EXE2AHK

06 Dec 2018, 11:05

Thanks.
feiyue wrote:
07 Mar 2018, 11:18
@guest3456, I've changed the script to English, but I don't want to repeat it to the "Scripts And Functions" forum.
If I provide the C source code for the machine code, the Encryptor is cracked. :beer:
