nazywam / AutoIt-Ripper

Extract AutoIt scripts embedded in PE binaries
MIT License
160 stars 31 forks

Check for incorrect macros #26

Closed nazywam closed 6 months ago

nazywam commented 7 months ago

sha256: a88f3328e72764b960d6705b8d1a1d8de8558b7b63ae90d64585afde37160208

```
"error": [
    "Traceback (most recent call last):\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/core/karton.py\", line 181, in internal_process\n    self.process(self.current_task)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/karton/autoit_ripper/autoit_ripper_karton.py\", line 50, in process\n    resources = extract(data=sample.content, version=AutoItVersion.EA06)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 206, in extract\n    return unpack_ea06(data)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 190, in unpack_ea06\n    parsed_data = parse_all(stream, AutoItVersion.EA06)\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 142, in parse_all\n    return list(\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/autoit_unpack.py\", line 123, in parse_au3_header\n    yield (\"script.au3\", deassemble_script(dec_data).encode())\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/opcodes.py\", line 141, in deassemble_script\n    line_items.append(OPCODES[opcode](stream))\n",
    "  File \"/usr/local/lib/python3.9/site-packages/autoit_ripper/opcodes.py\", line 92, in <lambda>\n    0x32: lambda x: \"@\" + MACROS_INVERT_CASE[x.get_xored_string()],\n",
    "KeyError: 'GUI_DRAGFILE'\n"
],
```
gdesmar commented 6 months ago

I got the same error with the key being EXITCODE, EXITMETHOD and TRAY_ID. (and GUI_CTRLID but you got that one!) Sadly, I can only share the hash for the TRAY_ID one: c982a5d47606ddca1416655a81de6ddc4c55e01f9f573144a1ddcf9fc621081e And the GUI_CTRLID if it can be of any value: 1540f371332a603b98bf9816bce30ee0b9d0e3f49a6d68791375c83bc332b1c2 I was currently silencing that error but I can enable logging and keep an eye out if it can help!

gdesmar commented 6 months ago

I just saw #32 which should handle those cases. Thank you for the fixes!
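The failure in both reports above is the same: the opcode-0x32 handler indexes `MACROS_INVERT_CASE` directly, so a macro name missing from the table (GUI_DRAGFILE, EXITCODE, EXITMETHOD, TRAY_ID, GUI_CTRLID) raises `KeyError` and the entire script extraction is lost. The following is an added example, not code from AutoIt-Ripper or from #32, of the two pieces a maintainer would want: a tolerant lookup that emits the raw name and records the gap instead of aborting, and a checker that scans an already-decompiled `.au3` text for `@Macro` tokens the table does not know. `KNOWN_MACROS` is a small constructed subset (the real table is much larger), and `MacroDecoder` / `find_unknown_macros` are hypothetical names chosen for this example.

```python
"""Tolerant macro lookup for AutoIt opcode 0x32 (constructed example,
not AutoIt-Ripper's own code)."""
import logging
import re
from typing import Dict, List

log = logging.getLogger(__name__)

# Constructed subset: upper-cased lookup key -> canonical AutoIt spelling.
# The project's MACROS_INVERT_CASE plays the same role with far more entries.
KNOWN_MACROS: Dict[str, str] = {
    "SCRIPTDIR": "ScriptDir",
    "CRLF": "CRLF",
    "TEMPDIR": "TempDir",
    "ERROR": "error",
    "GUI_CTRLID": "GUI_CtrlId",   # one of the names reported missing in this issue
}


class MacroDecoder:
    """Decode opcode-0x32 macro references without aborting on unknown names."""

    def __init__(self, table: Dict[str, str] = KNOWN_MACROS) -> None:
        self.table = table
        self.unknown: List[str] = []   # every name that missed the table, in order

    def decode(self, raw_name: str) -> str:
        """Return '@' + canonical spelling, or '@' + raw name if it is unknown.

        raw_name is what the project obtains from stream.get_xored_string().
        """
        key = raw_name.upper()
        canonical = self.table.get(key)
        if canonical is None:
            # Old behaviour: MACROS_INVERT_CASE[key] raised KeyError and the
            # whole extraction failed. Here we keep going and surface the gap.
            self.unknown.append(raw_name)
            log.warning("unknown AutoIt macro %r, emitting as-is", raw_name)
            return "@" + raw_name
        return "@" + canonical


# '@' not preceded by a word character, so "user@example.com" is not a macro.
MACRO_TOKEN = re.compile(r"(?<!\w)@([A-Za-z_]\w*)")


def find_unknown_macros(script: str, table: Dict[str, str] = KNOWN_MACROS) -> List[str]:
    """List @Macro tokens in decompiled .au3 text that the table does not know.

    Useful as a regression check over a corpus of extracted scripts: any name
    returned here would have triggered the KeyError in the strict lookup.
    """
    seen = set()
    missing: List[str] = []
    for m in MACRO_TOKEN.finditer(script):
        name = m.group(1)
        key = name.upper()
        if key not in table and key not in seen:
            seen.add(key)
            missing.append(name)
    return missing


if __name__ == "__main__":
    dec = MacroDecoder()
    for name in ("ScriptDir", "GUI_DRAGFILE", "TRAY_ID"):
        print(dec.decode(name))
    print("missed:", dec.unknown)
    # Constructed script fragment, not from any real sample.
    print(find_unknown_macros('MsgBox(0, @ScriptDir, "a@b.com" & @EXITCODE & @CRLF)'))
```

Collecting `decoder.unknown` per sample and logging it at warning level is what turns a silent skip into an actionable list of table entries to add; the strict `KeyError` gave the same information but at the cost of the whole script.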