The analysis of AutoIt and code formatting of the script _autoit

The recent focus on a wave of autoit malicious script to see a few more samples of this kind. The AutoIt script is a plaintext script with a ". Au3" extension, but the virus author naturally does not release the plaintext script. So naturally it used the AutoIt's Au2exe tool:

You can see that AutoIt allows users to compile AU3 plaintext scripts into exe files or a3x files. EXE file from needless to repeat, is that we are familiar with the PE file, but if compiled into EXE file, then lost the AutoIt script in the field of malware advantage (understand nature, do not elaborate), so the majority of the current capture of malicious samples is to compile the script into a3x files.

More on the internet is the exe2au3 of the reverse compiler tool (it is said that the earlier version of the AutoIt is the tool, and later did not bring), but a few, are very upright--really can only decompile exe file, and the a3x file expressed weakness. Finally found a tool called the Autoit3 Decompiler gui (http://www.jb51.net/softs/390596.html):

With this tool, you can easily decompile the a3x file into a au3 plaintext script. but--Why does everything always have a but--decompile the script to look at some worry mulberry ...

In this code format ... Dozens of line also can endure, one hundred or two hundred line already is the upper limit ... Malicious code is still thousands of lines, looking at the big head ah ... In the spirit of Maito, decisively wrote an automatic format script (by Python), posted and shared with you.

Description: Do not know much about AutoIt, only for the script I have seen, do a more crude and violent formatting work just

#!/usr/bin/env python2.7 #-*-coding:utf-8-*-= ';.
/sample.au3 '; _au3_out = ';.
/format.au3 '; _indent = '; '; * 4 def au3formater (line, indent): line = Line.strip (). lower () next_indent = Indent if (Line.startswith ('; end '; ) or Line.startswith ('; until ';) or line in ('; Next ';, '; Wend ';)): indent-= 1 Next_indent-= 1 Elif lin E.startswith ('; if ';) and line.endswith ('; then ';): next_indent = 1 elif (Line.startswith ('; Func ';) or Line.sta Rtswith ('; for ';) or line.startswith ('; select ';) or line.startswith ('; switch ';) or line.startswith (';  ;) or line = = ';d o ';): next_indent + 1 elif line.startswith (' Else ';) or line.startswith ('; case ';): Indent 
    -= 1 New_line = _indent * INDENT + line return new_line, Next_indent def Main (): With open (_au3, '; R ';) as FP: With the open (_au3_out, '; W ';) as Fpw:indent = 0 line = Fp.readline () while Line:new_line, in Dent = Au3formater (line, inDent) Fpw.write (';%s\n ';% new_line) line = Fp.readline () if __name__ = = '; __main__ ';: Main () 

When the format is complete, it's much more comfortable to look at (unsure whether it's my own OCD ...). ）：

Of course, that is to look more comfortable, even in plain text script, thousands of lines of code looks very worried Mulberry