I found and fixed one of these locally, but haven't committed the fix. The error ClamAV gave when scanning 77e123e86f43095f4e33a5cadce0fed4bdd9060f78088b3195ca41455e802f71 is as follows:
clamscan --debug --verbose --leave-temps 77e123e86f43095f4e33a5cadce0fed4bdd9060f78088b3195ca41455e802f71
...
LibClamAV debug: autoit: found unknown op (57)
LibClamAV debug: autoit: decompilation aborted - partial script may exist
LibClamAV debug: autoit: script extracted to /tmp/clamav-238b9ca9e2f2440cba18c150e382a87f.tmp/autoit.001
After comparing the output in autoit.001 to the Exe2Aut decompiler output for the same file, it looked like ClamAV didn't support extracting the ternary operators ('?' and ':'). The fix is:
diff --git a/libclamav/autoit.c b/libclamav/autoit.c
index 8d9da58e0..82288fe0b 100644
--- a/libclamav/autoit.c
+++ b/libclamav/autoit.c
@@ -503,7 +503,7 @@ static int ea06(cli_ctx *ctx, const uint8_t *base, char *tmpd) {
unsigned int files=0;
char tempfile[1024];
const char prefixes[] = { '\0', '\0', '@', '$', '\0', '.', '"', '#' };
- const char *opers[] = { ",", "=", ">", "<", "<>", ">=", "<=", "(", ")", "+", "-", "/", "*", "&", "[", "]", "==", "^", "+=", "-=", "/=", "*=", "&=" };
+ const char *opers[] = { ",", "=", ">", "<", "<>", ">=", "<=", "(", ")", "+", "-", "/", "*", "&", "[", "]", "==", "^", "+=", "-=", "/=", "*=", "&=", "?", ":" };
struct UNP UNP;
fmap_t *map = *ctx->fmap;
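Review bot: the two new entries must stay at the end of opers[] and in this order, because the table is positional: "/=" is index 20 and the switch below labels it case 0x54, so the array is indexed by opcode minus 0x40, which puts "?" at index 23 (0x57) and ":" at index 24 (0x58). A comment on the declaration stating that mapping would stop a later insertion in the middle from silently shifting every operator after it; a static assertion tying the element count to the highest case label would catch it at compile time.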
@@ -856,6 +856,8 @@ static int ea06(cli_ctx *ctx, const uint8_t *base, char *tmpd) {
case 0x54: /* /= */
case 0x55: /* *= */
case 0x56: /* &= */
+ case 0x57: /* ? */
+ case 0x58: /* : */
if (UNP.cur_output+4 >= UNP.csize) {
uint8_t *newout;
UNP.csize += 512;
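Review bot: the new case labels fall through into the existing headroom check (`UNP.cur_output+4 >= UNP.csize`), which is sufficient for the single-character "?" and ":", but the change ships without a regression sample. Attach the file from the report (77e123e8...) or a minimal AutoIt script containing a ternary, so the extracted autoit.001 can be diffed against the Exe2Aut output and the "found unknown op (57)" path is covered by a test.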
From analyzing 10,000 scripts from VirusTotal, there are more of these that we need to investigate and support:
found unknown op (0)
found unknown op (84)
found unknown op (a5)
found unknown op (63)
found unknown op (1)
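Added example, not code from the ClamAV project or the report: a small Python helper that parses the `found unknown op (xx)` debug lines from a batch of clamscan runs and ranks the opcodes by how many samples each one blocks, which is the triage the 10,000-script sweep above calls for. The `scan_corpus` wrapper assumes a `clamscan` binary on PATH; the sample debug text is constructed.

```python
import re
import subprocess
from collections import Counter, defaultdict

# The value in parentheses is hexadecimal: the page's "(57)" became `case 0x57`.
UNKNOWN_OP_RE = re.compile(r"autoit: found unknown op \(([0-9a-fA-F]+)\)")

def parse_unknown_ops(debug_text):
    """Tally unknown opcodes (as ints) in the output of one clamscan --debug run."""
    counts = Counter()
    for line in debug_text.splitlines():
        m = UNKNOWN_OP_RE.search(line)
        if m:
            counts[int(m.group(1), 16)] += 1
    return counts

def aggregate(outputs):
    """Map each unknown opcode to the set of sample names whose scan reported it."""
    hits = defaultdict(set)
    for name, text in outputs.items():
        for op in parse_unknown_ops(text):
            hits[op].add(name)
    return hits

def scan_corpus(paths):
    """Run clamscan --debug on each path (assumes clamscan on PATH; not run in tests).
    LibClamAV debug lines go to stderr, so both streams are merged before parsing."""
    outputs = {}
    for path in paths:
        proc = subprocess.run(["clamscan", "--debug", "--verbose", path],
                              capture_output=True, text=True, check=False)
        outputs[path] = proc.stdout + proc.stderr
    return aggregate(outputs)

def summarize(hits):
    """[(hex_opcode, samples_blocked), ...], most frequent first. The decompiler
    aborts at the first unknown op, so this ranks which opcode to implement next."""
    return sorted(((f"0x{op:02x}", len(names)) for op, names in hits.items()),
                  key=lambda t: (-t[1], t[0]))

SAMPLES = {  # constructed stand-ins for three scans, not real clamscan output
    "a": "LibClamAV debug: autoit: found unknown op (57)\n"
         "LibClamAV debug: autoit: decompilation aborted - partial script may exist\n",
    "b": "LibClamAV debug: autoit: found unknown op (a5)\n"
         "LibClamAV debug: autoit: decompilation aborted - partial script may exist\n",
    "c": "LibClamAV debug: autoit: found unknown op (57)\n",
}
def demo():
    return summarize(aggregate(SAMPLES))  # [('0x57', 2), ('0xa5', 1)]
```

Point `scan_corpus` at the VirusTotal samples to get the same ranking for the real sweep; each opcode at the top of the list is the next `case` label to add.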