I noticed the file is packed with UPX:
I unpacked it with
I noticed that it has an AutoIt script in the resources:
I opened it in Resource Hacker:
And saved it using Action > Save Resource to a *.bin file... as an .a3x file (because of its header A3 48 4B).
This is a compiled version of an AutoIt script, so I needed to use the Exe2Aut program in order to view it as AutoIt source, which is more readable.
The problem is that Exe2Aut supports only 32-bit files:
I followed the instructions by hexacorn:
- Download 32-bit AutoIt and unpack autoit-v18.104.22.168.zip\Aut2Exe\AutoItSC.bin into the folder where the 64-bit compiled AutoIt executable resides
- Install Strawberry Perl for Windows and save hexacorn's Perl script:
use strict;
use warnings;

# Usage: perl script.pl <64-bit compiled AutoIt exe>
# Splices the compiled script found in the 64-bit binary onto the 32-bit
# AutoItSC.bin stub so that Exe2Aut can decompile it.
my $f = shift || die("Gimme a file name!");
print STDERR "Processing '$f':\n";

# Read the 32-bit stub (the open/binmode calls were dropped from the listing and are restored here)
print STDERR "- Reading 'AutoItSC.bin'\n";
open(F, '<', 'AutoItSC.bin') or die "Cannot open AutoItSC.bin: $!";
binmode F;
read F, my $a, -s 'AutoItSC.bin';
close F;

# Read the 64-bit compiled AutoIt executable
print STDERR "- Reading '$f'\n";
open(F, '<', $f) or die "Cannot open $f: $!";
binmode F;
read F, my $d, -s $f;
close F;

# Locate the 16-byte compiled-script marker; the page shows only its first
# three bytes (A3 48 4B), the full AutoIt3 signature is used here.
print STDERR "- Looking for the script\n";
if ($d =~ /\xA3\x48\x4B\xBE\x98\x6C\x4A\xA9\x99\x4C\x53\x0A\x86\xD6\x48\x7D/s) {
    my $pd = (pos $d) - 16;   # pos() points past the match, so step back to its start
    print STDERR "- Script found @ " . sprintf("%08lX", $pd) . "\n";
    print STDERR "- Creating 32-bit version '$f.a32.exe'\n";
    open(F, '>', "$f.a32.exe") or die "Cannot create $f.a32.exe: $!";
    binmode F;
    # 32-bit stub followed by everything from the script marker to end of file
    print F $a . substr($d, $pd, length($d) - $pd);
    close F;
} else {
    print STDERR "- Script not found !\n";
}
Drop the newly extracted 32-bit AutoIt script file onto Exe2Aut:
De-obfuscating the script
When I opened the script I noticed it is obfuscated. I started to de-obfuscate it and wrote a script that does it; you can find the full de-obfuscated version here. After that I had a clear version of it and it was time to start understanding it.
I renamed the obfuscated function cryptoFunc because it had a number of crypto functions at the bottom, but the interesting part of this function is actually at the beginning, where it calls GetComputerNameAFunc() to retrieve the name of the computer the program is running on and later passes it to the function aregtfdcyni, which I renamed modifyComputerNameStruct, that receives the computer name in hexadecimal.
But why is there a call to GetComputerNameAFunc()? It doesn't make sense. This crackme will be run on different computers with different names; something is weird and I needed to figure it out.
Understanding the modifyComputerNameStruct function
The function starts by creating (installRandomFileName()) a BMP file named
It then opens the file and reads its content into a struct built from two sections: one is 54 bytes (the BMP header) and the second is the rest of the file (file size minus 54).
There is a loop that runs over the computer name characters, and for each character it reads a byte from the second section of the BMP struct. Let's check the BMP file:
Notice the marked area (the area after index 54). Some bytes are 0xFE instead of 0xFF. The difference is in the least significant bit:
0xFF: 1111 1111
0xFE: 1111 1110
Convert the code to Python
To find the correct computer name, we converted the AutoIt function to Python:
import os

bmpFile = r'C:\tmp\flare2020\6\sprite.bmp'
bmpSize = os.path.getsize(bmpFile)
with open(bmpFile, 'rb') as f:
    bmpContent = f.read()

count = 0
computerArray = []  # starting byte values copied from the AutoIt script; the list itself is missing from this writeup
for i in range(0, 20):
    newComputerName = ''
    newComputerNameArray = []
    bmpContent = bmpContent[54:]  # skip the 54-byte BMP header, keep only pixel data
    numStr = ''
    for k in range(0, len(computerArray)):
        num = computerArray[k]
        for j in range(6, 0, -1):  # bits 6..1 come from the LSB of consecutive pixel bytes
            num += (bmpContent[count] & 1) << j
            count += 1
        num += (bmpContent[count] & 1) << 0  # bit 0 from the next pixel byte
        count += 1
        numStr += chr(num)
        result = (num >> 1) + ((num & 1) << 7)  # rotate right by one bit
        newComputerName += chr(result)
        newComputerNameArray.append(result)
print('Result: ', numStr)

>>> Result: aut01tfan1999
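The loop above is LSB steganography over the pixel section of the BMP: seven consecutive pixel bytes each contribute one bit to a character, on top of a per-character starting value, and the sum is rotated right by one bit. The Python below is an added example, not code from this writeup or from the challenge, that generalises the idea so it can be run offline: it builds a constructed 10x10 all-white BMP, hides a name in the pixel LSBs (the encoder, the convention that the seed array carries the top bit, and the helper names embed_name, decode_name and lsb_changed_offsets are my assumptions), then decodes it by reading the pixel-data offset from the BMP header instead of hard-coding 54.

```python
import struct

HEADER_LEN = 54      # BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes)
BITS_PER_CHAR = 7    # the decoding loop consumes 7 pixel bytes per character


def rotr8(v: int) -> int:
    """Rotate an 8-bit value right by one: the (num >> 1) + ((num & 1) << 7) step."""
    return ((v >> 1) | ((v & 1) << 7)) & 0xFF


def rotl8(v: int) -> int:
    """Inverse of rotr8; used only by the encoder that prepares the sample."""
    return ((v << 1) | (v >> 7)) & 0xFF


def build_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Wrap raw 24-bit pixel bytes in a minimal BMP header (constructed sample file)."""
    file_hdr = struct.pack('<2sIHHI', b'BM', HEADER_LEN + len(pixels), 0, 0, HEADER_LEN)
    info_hdr = struct.pack('<IiiHHIIiiII', 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def pixel_data(bmp: bytes) -> bytes:
    """Return the pixel section using the data offset stored at byte 10 of the header."""
    if bmp[:2] != b'BM':
        raise ValueError('not a BMP file')
    offset = struct.unpack_from('<I', bmp, 10)[0]
    return bmp[offset:]


def embed_name(name: str, cover: bytes) -> tuple[bytes, list[int]]:
    """Hide `name` in the LSBs of `cover`; return (stego pixels, per-character seed array)."""
    needed = len(name) * BITS_PER_CHAR
    if len(cover) < needed:
        raise ValueError(f'cover too small: need {needed} bytes, have {len(cover)}')
    pixels = bytearray(cover)
    seed = []
    pos = 0
    for ch in name.encode('latin-1'):
        pre = rotl8(ch)             # value the decoder must reach before its rotate-right
        seed.append(pre & 0x80)     # top bit lives in the seed array (the computerArray role)
        for j in range(6, -1, -1):  # remaining 7 bits go into pixel LSBs, bit 6 first
            pixels[pos] = (pixels[pos] & 0xFE) | ((pre >> j) & 1)
            pos += 1
    return bytes(pixels), seed


def decode_name(pixels: bytes, seed: list[int]) -> str:
    """The writeup's loop, generalised: add 7 pixel LSBs to each seed value, then rotate right."""
    needed = len(seed) * BITS_PER_CHAR
    if len(pixels) < needed:
        raise ValueError(f'pixel data too short: need {needed} bytes, have {len(pixels)}')
    count = 0
    out = bytearray()
    for num in seed:
        for j in range(6, -1, -1):
            num += (pixels[count] & 1) << j
            count += 1
        out.append(rotr8(num))
    return out.decode('latin-1')


def lsb_changed_offsets(cover: bytes, stego: bytes) -> list[int]:
    """Offsets whose LSB differs between cover and stego: the 0xFF / 0xFE pattern from the hex dump."""
    return [i for i, (a, b) in enumerate(zip(cover, stego)) if (a ^ b) & 1]


def demo() -> str:
    # Constructed sample: a 10x10 all-white 24-bit image, 300 pixel bytes of 0xFF.
    cover = bytes([0xFF]) * 300
    stego, seed = embed_name('aut01tfan1999', cover)
    bmp = build_bmp(stego, 10, 10)
    return decode_name(pixel_data(bmp), seed)


if __name__ == '__main__':
    print(demo())
```

Because the cover is all 0xFF, every embedded zero bit turns a pixel byte into 0xFE, which is exactly the visual cue the hex dump gives away; lsb_changed_offsets lists those positions and shows that only the first 7 * len(name) bytes after the header are touched.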
The hidden computer name is
I was lazy so I changed the VMware computer name to
Which after decode it with QR I got: