Full Disclosure mailing list archives
VBScript/JScript.Encode Decoder
From: Andreas Marx <amarx () gega-it de>
Date: Tue, 16 Sep 2003 14:40:20 +0200
Hi!In the last 2-3 days a few encrypted (Microsoft VBScript.Encode / JScript.Encode) HTML "exploits" were released. Some of them are simply trojans and not demo exploits at all. I've released this piece of code (attached) under GPL to decrypt such files, so you would be able to check the content before you execute the code. For this, I have written a simple Pascal program to undo the "protection" of the script files. It took me 5 minutes to analyse the encrypted files, 10 to write this program and 20 minutes to test it. What a bad encryption! However, it does not support unicode HTML files yet...
Details (how to use the encryption): http://www.mcpmag.com/columns/article.asp?EditorialsID=522 Microsoft description of the script encoding features: http://msdn.microsoft.com/library/en-us/script56/html/seconscriptencoderoverview.asp cheers, Andreas VBS_DEC.PAS -> program vbs_dec; { Decrypts encrypted VBScript and JScript programs }{ Copyright (c) 09/2003 Andreas Marx / http://www.av-test.org }
const itab : array[0..63] of byte = ( {table order}
$00,$02,$01,$00,$02,$01,$02,$01,$01,$02,$01,$02,$00,$01,$02,$01,
$00,$01,$02,$01,$00,$00,$02,$01,$01,$02,$00,$01,$02,$01,$01,$02,
$00,$00,$01,$02,$01,$02,$01,$00,$01,$00,$00,$02,$01,$00,$01,$02,
$00,$01,$02,$01,$00,$00,$02,$01,$01,$00,$00,$02,$01,$00,$01,$02);
dectab : array[0..2,0..$7f] of byte = ( {table to decrypt}
($00,$01,$02,$03,$04,$05,$06,$07,$08,$57,$0A,$0B,$0C,$0D,$0E,$0F,
$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
$2E,$47,$7A,$56,$42,$6A,$2F,$26,$49,$41,$34,$32,$5B,$76,$72,$43,
$38,$39,$70,$45,$68,$71,$4F,$09,$62,$44,$23,$75,$3C,$7E,$3E,$5E,
$FF,$77,$4A,$61,$5D,$22,$4B,$6F,$4E,$3B,$4C,$50,$67,$2A,$7D,$74,
$54,$2B,$2D,$2C,$30,$6E,$6B,$66,$35,$25,$21,$64,$4D,$52,$63,$3F,
$7B,$78,$29,$28,$73,$59,$33,$7F,$6D,$55,$53,$7C,$3A,$5F,$65,$46,
$58,$31,$69,$6C,$5A,$48,$27,$5C,$3D,$24,$79,$37,$60,$51,$20,$36),
($00,$01,$02,$03,$04,$05,$06,$07,$08,$7B,$0A,$0B,$0C,$0D,$0E,$0F,
$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
$32,$30,$21,$29,$5B,$38,$33,$3D,$58,$3A,$35,$65,$39,$5C,$56,$73,
$66,$4E,$45,$6B,$62,$59,$78,$5E,$7D,$4A,$6D,$71,$3C,$60,$3E,$53,
$FF,$42,$27,$48,$72,$75,$31,$37,$4D,$52,$22,$54,$6A,$47,$64,$2D,
$20,$7F,$2E,$4C,$5D,$7E,$6C,$6F,$79,$74,$43,$26,$76,$25,$24,$2B,
$28,$23,$41,$34,$09,$2A,$44,$3F,$77,$3B,$55,$69,$61,$63,$50,$67,
$51,$49,$4F,$46,$68,$7C,$36,$70,$6E,$7A,$2F,$5F,$4B,$5A,$2C,$57),
($00,$01,$02,$03,$04,$05,$06,$07,$08,$6E,$0A,$0B,$0C,$06,$0E,$0F,
$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
$2D,$75,$52,$60,$71,$5E,$49,$5C,$62,$7D,$29,$36,$20,$7C,$7A,$7F,
$6B,$63,$33,$2B,$68,$51,$66,$76,$31,$64,$54,$43,$3C,$3A,$3E,$7E,
$FF,$45,$2C,$2A,$74,$27,$37,$44,$79,$59,$2F,$6F,$26,$72,$6A,$39,
$7B,$3F,$38,$77,$67,$53,$47,$34,$78,$5D,$30,$23,$5A,$5B,$6C,$48,
$55,$70,$69,$2E,$4C,$21,$24,$4E,$50,$09,$56,$73,$35,$61,$4B,$58,
$3B,$57,$22,$6D,$4D,$25,$28,$46,$4A,$32,$41,$3D,$5F,$4F,$42,$65));
var infile,
outfile : file of byte;
pos, res : byte;
begin
writeln;
writeln('VBS_DEC (c) Andreas Marx 09/2003 (http://www.av-test.org)');
writeln('Usage: VBS_DEC infile outfile');
writeln;
assign(infile,paramstr(1)); reset(infile);
assign(outfile,paramstr(2)); rewrite(outfile);
res:=0; {find start marker (search for "#@~^")}
repeat
while not eof(infile) and (res<>ord('#')) do read(infile,res);
if not eof(infile) then begin
read(infile,res);
if res=ord('@') then begin
read(infile,res);
if res=ord('~') then begin
read(infile,res);
if res=ord('^') then res:=255;
end else res:=0;
end else res:=0;
end else res:=0;
until eof(infile) or (res=255);
if res=0 then begin
writeln('Error: Input file or start marker not found.'); exit;
end;
{jump to start of the encrypted code (do not search for "==")}
seek(infile,filepos(infile)+8);
pos:=0; {decrypt encrypted block}
while not eof(infile) do begin
read(infile,res); {read encrypted char}
if res=ord('^') then begin {found end marker? (search for "^#~@")}
read(infile,res);
if res=ord('#') then begin
read(infile,res);
if res=ord('~') then begin
read(infile,res);
if res=ord('@') then begin
exit;
end else begin
seek(infile,filepos(infile)-4);
read(infile,res);
end;
end else begin
seek(infile,filepos(infile)-3);
read(infile,res);
end;
end else begin
seek(infile,filepos(infile)-2);
read(infile,res);
end;
end;
if ord(res)<$80 then begin {encrypted?}
res:=dectab[itab[pos],res];
if res=$ff then begin {special char}
read(infile,res);
case res of
$26 : res:=$0a;
$23 : res:=$0d;
$2a : res:=$3e;
$21 : res:=$3c;
$24 : res:=$40;
end;
end;
end;
write(outfile,res);
pos:=(pos+1) mod 64;
end;
close(outfile); close(infile);
end.
--
Andreas Marx <amarx () gega-it de>, http://www.av-test.org
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, Fax: +49 (0)391 6075469
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- VBScript/JScript.Encode Decoder Andreas Marx (Sep 16)
- Re: VBScript/JScript.Encode Decoder Cael Abal (Sep 16)
- Re: VBScript/JScript.Encode Decoder Andreas Marx (Sep 16)
- Re: VBScript/JScript.Encode Decoder morning_wood (Sep 18)
- Re: VBScript/JScript.Encode Decoder Jordan Wiens (Sep 18)
- Re: VBScript/JScript.Encode Decoder Cael Abal (Sep 18)
- Re: VBScript/JScript.Encode Decoder Valdis . Kletnieks (Sep 18)
- <Possible follow-ups>
- VBScript/JScript.Encode Decoder Helmut Hauser (Sep 16)
- RE: VBScript/JScript.Encode Decoder David Vincent (Sep 18)
- Re: VBScript/JScript.Encode Decoder Cael Abal (Sep 16)