Script-kb1 Decode vbe files

From JBKB

Jump to: navigation, search

Decode VBE
Decode VBE

Version: 1.0.2
Difficult level: 2/5
Status: Tested and working.

Background

Microsoft provide since 2003 a tool screnc.exe (http://www.microsoft.com/downloads/details.aspx?FamilyID=e7877f67-c447-4873-b1b0-21f0626a6329&DisplayLang=en) to encode a ASP or VBS file.
It seems that it dangerously been a tool for Network Administrators to think they can encrypt their vbs script to hide administrator password when using runas and alike.
Microsoft say themselves that this tool should not be used for that

"Script Encoder is a simple command-line tool that enables script designers to encode their final script so that Web hosts and Web clients cannot view or modify their source. Note that this encoding only prevents casual viewing of your code; it will not prevent the determined hacker from seeing what you've done and how."

The file extension of a decoded VBS file is .vbe.

Decode a vbe file

To decode a vbe file you only need to run this script (copy and paste it to notepad and save it as for example decrypt.vbs) below with the vbe file you want to decode as argument, don't forget the path to both the script and the source vbe file you want to decode and you will have the file in clear text.

This script seems to be done by a French speaking person, NomFichier (NameFile).

option explicit
Dim oArgs, NomFichier
'Optional argument : the encoded filename
NomFichier=""
Set oArgs = WScript.Arguments
Select Case oArgs.Count
Case 0 'No Arg, popup a dialog box to choose the file
	NomFichier=BrowseForFolder("Choose an encoded file", &H4031, &H0011)
Case 1
	If Instr(oArgs(0),"?")=0 Then '-? ou /? => aide
		NomFichier=oArgs(0)
	End If
Case Else
	WScript.Echo "Too many parameters"
End Select
Set oArgs = Nothing 

If NomFichier<>"" Then
	Dim fso
	Set fso=WScript.CreateObject("Scripting.FileSystemObject")
	If fso.FileExists(NomFichier) Then
		Dim fic,contenu
		Set fic = fso.OpenTextFile(NomFichier, 1)
		Contenu=fic.readAll
		fic.close
		Set fic=Nothing

		Const TagInit="#@~^" '#@~^awQAAA==
		Const TagFin="==^#~@" '& chr(0)
		Dim DebutCode, FinCode
		Do
			FinCode=0
			DebutCode=Instr(Contenu,TagInit)
			If DebutCode>0 Then
				If (Instr(DebutCode,Contenu,"==")-DebutCode)=10 Then 'If "==" follows the tag
					FinCode=Instr(DebutCode,Contenu,TagFin)
					If FinCode>0 Then
						Contenu=Left(Contenu,DebutCode-1) & _
						Decode(Mid(Contenu,DebutCode+12,FinCode-DebutCode-12-6)) & _
						Mid(Contenu,FinCode+6)
 					End If
				End If
			End If
		Loop Until FinCode=0
		WScript.Echo Contenu
	Else
		WScript.Echo Nomfichier & " not found"
	End If
	Set fso=Nothing
Else
	WScript.Echo "Please give a filename"
	WScript.Echo "Usage : " & wscript.fullname  & " " & WScript.ScriptFullName & " <filename>"
End If

Function Decode(Chaine)
	Dim se,i,c,j,index,ChaineTemp
	Dim tDecode(127)
	Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132" 

	Set se=WSCript.CreateObject("Scripting.Encoder")
	For i=9 to 127
		tDecode(i)="JLA"
	Next
	For i=9 to 127
		ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
		For j=1 to 3
			c=Asc(Mid(ChaineTemp,j,1))
			tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
		Next
	Next
	'Next line we correct a bug, otherwise a ")" could be decoded to a ">"
	tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
	Set se=Nothing 

	Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
	Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
	Chaine=Replace(Chaine,"@$","@")
	index=-1
	For i=1 to Len(Chaine)
		c=asc(Mid(Chaine,i,1))
		If c<128 Then index=index+1
		If (c=9) or ((c>31) and (c<128)) Then
			If (c<>60) and (c<>62) and (c<>64) Then
				Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison,(index mod 64)+1,1),1) & Mid(Chaine,i+1)
			End If
		End If
	Next
	Decode=Chaine
End Function

Function BrowseForFolder(ByVal pstrPrompt, ByVal pintBrowseType, ByVal pintLocation)
	Dim ShellObject, pstrTempFolder, x
	Set ShellObject=WScript.CreateObject("Shell.Application")
	On Error Resume Next
	Set pstrTempFolder=ShellObject.BrowseForFolder(&H0,pstrPrompt,pintBrowseType,pintLocation)
	BrowseForFolder=pstrTempFolder.ParentFolder.ParseName(pstrTempFolder.Title).Path
	If Err.Number<>0 Then BrowseForFolder=""
	Set pstrTempFolder=Nothing
	Set ShellObject=Nothing
End Function

40 Rating: 2.9/5 (132 votes cast)

Personal tools