Unable to unpack some AutoIt3 samples

[59e5aaf4]

https://www.sordum.org/9416/powerrun-v1-7-run-with-highest-privileges/

• $ strings -el PowerRun.exe |grep -i autoit
  AutoIt v3
  /AutoIt3OutputDebug
  /AutoIt3ExecuteLine
  /AutoIt3ExecuteScript
  AutoIt
  AutoIt3GUI
  Software\AutoIt v3\AutoIt
  AutoIt script files (*.au3, *.a3x)
  #NoAutoIt3Execute
  #OnAutoItStartRegister
  ONAUTOITEXITUNREGISTER
  ONAUTOITEXITREGISTER
  AUTOITWINSETTITLE
  AUTOITWINGETTITLE

Samples:

File: PowerRun_x64.exe │ Virustotal
MD5: 687ff0af42786f77ac2300fc532b8a44
SHA1: fc1b588d7b657639ddf5882c3de77b5cb36f6acf
SHA-256: bf10fc287e43244b4ba36a0f25aa87ea5490d7247c54b008aa23afdafc6e331b

File: PowerRun.exe │ Virustotal
MD5: ae11c0c1a0a3acbd7aa1ccffa24f31ad
SHA1: 31eca50f876f17158af43b7774a29e39f9edf1b6
SHA-256: 33ca26855c2732f0e807e1d1f11fe704efb9fbe95e67d113492cc6958986038c

The payload is very likely in the PE overlay, and it looks encrypted. There's some anti-debug at play.

[59e5aaf4]

^Doesn't work with the feature/read-overlay branch either.

$ git branch
* feature/read-overlay
  master
$ autoit-ripper /tmp/PowerRun/PowerRun.exe ./
ERROR:autoit_ripper.autoit_unpack:Couldn't find the location chunk in binary
ERROR:autoit_ripper.autoit_unpack:Couldn't find the script resource
WARNING:autoit_ripper.autoit_unpack:Couldn't get data from script resource, trying layover
ERROR:autoit_ripper.autoit_unpack:Couldn't decode the autoit script