阅读新闻

VBScript/JScript.Encode Decoder

[日期:2006-03-17] 来源:  作者: [字体: ]

[Full-Disclosure] VBScript/JScript.Encode Decoder

Andreas Marx amarx at gega-it.de
Tue Sep 16 13:40:20 BST 2003


Hi!

In the last 2-3 days a few encrypted (Microsoft VBScript.Encode / 
JScript.Encode) HTML "exploits" were released. Some of them are simply 
trojans and not demo exploits at all. I've released this piece of code 
(attached) under GPL to decrypt such files, so you would be able to check 
the content before you execute the code. For this, I have written a simple 
Pascal program to undo the "protection" of the script files. It took me 5 
minutes to analyse the encrypted files, 10 to write this program and 20 
minutes to test it. What a bad encryption! However, it does not support 
unicode HTML files yet...

Details (how to use the encryption):
http://www.mcpmag.com/columns/article.asp?EditorialsID=522

Microsoft description of the script encoding features:
http://msdn.microsoft.com/library/en-us/script56/html/seconscriptencoderoverview.asp

cheers,
Andreas


VBS_DEC.PAS ->

program vbs_dec;  { Decrypts encrypted VBScript and JScript programs }
                   { Copyright (c) 09/2003 Andreas Marx / 
http://www.av-test.org/ }

const itab : array[0..63] of byte = ( {table order}
       $00,$02,$01,$00,$02,$01,$02,$01,$01,$02,$01,$02,$00,$01,$02,$01,
       $00,$01,$02,$01,$00,$00,$02,$01,$01,$02,$00,$01,$02,$01,$01,$02,
       $00,$00,$01,$02,$01,$02,$01,$00,$01,$00,$00,$02,$01,$00,$01,$02,
       $00,$01,$02,$01,$00,$00,$02,$01,$01,$00,$00,$02,$01,$00,$01,$02);

       dectab : array[0..2,0..$7f] of byte = ( {table to decrypt}
      ($00,$01,$02,$03,$04,$05,$06,$07,$08,$57,$0A,$0B,$0C,$0D,$0E,$0F,
       $10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
       $2E,$47,$7A,$56,$42,$6A,$2F,$26,$49,$41,$34,$32,$5B,$76,$72,$43,
       $38,$39,$70,$45,$68,$71,$4F,$09,$62,$44,$23,$75,$3C,$7E,$3E,$5E,
       $FF,$77,$4A,$61,$5D,$22,$4B,$6F,$4E,$3B,$4C,$50,$67,$2A,$7D,$74,
       $54,$2B,$2D,$2C,$30,$6E,$6B,$66,$35,$25,$21,$64,$4D,$52,$63,$3F,
       $7B,$78,$29,$28,$73,$59,$33,$7F,$6D,$55,$53,$7C,$3A,$5F,$65,$46,
       $58,$31,$69,$6C,$5A,$48,$27,$5C,$3D,$24,$79,$37,$60,$51,$20,$36),

      ($00,$01,$02,$03,$04,$05,$06,$07,$08,$7B,$0A,$0B,$0C,$0D,$0E,$0F,
       $10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
       $32,$30,$21,$29,$5B,$38,$33,$3D,$58,$3A,$35,$65,$39,$5C,$56,$73,
       $66,$4E,$45,$6B,$62,$59,$78,$5E,$7D,$4A,$6D,$71,$3C,$60,$3E,$53,
       $FF,$42,$27,$48,$72,$75,$31,$37,$4D,$52,$22,$54,$6A,$47,$64,$2D,
       $20,$7F,$2E,$4C,$5D,$7E,$6C,$6F,$79,$74,$43,$26,$76,$25,$24,$2B,
       $28,$23,$41,$34,$09,$2A,$44,$3F,$77,$3B,$55,$69,$61,$63,$50,$67,
       $51,$49,$4F,$46,$68,$7C,$36,$70,$6E,$7A,$2F,$5F,$4B,$5A,$2C,$57),

      ($00,$01,$02,$03,$04,$05,$06,$07,$08,$6E,$0A,$0B,$0C,$06,$0E,$0F,
       $10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
       $2D,$75,$52,$60,$71,$5E,$49,$5C,$62,$7D,$29,$36,$20,$7C,$7A,$7F,
       $6B,$63,$33,$2B,$68,$51,$66,$76,$31,$64,$54,$43,$3C,$3A,$3E,$7E,
       $FF,$45,$2C,$2A,$74,$27,$37,$44,$79,$59,$2F,$6F,$26,$72,$6A,$39,
       $7B,$3F,$38,$77,$67,$53,$47,$34,$78,$5D,$30,$23,$5A,$5B,$6C,$48,
       $55,$70,$69,$2E,$4C,$21,$24,$4E,$50,$09,$56,$73,$35,$61,$4B,$58,
       $3B,$57,$22,$6D,$4D,$25,$28,$46,$4A,$32,$41,$3D,$5F,$4F,$42,$65));

var infile,
     outfile  : file of byte;
     pos, res : byte;

begin
   writeln;
   writeln('VBS_DEC (c) Andreas Marx 09/2003 (http://www.av-test.org/)');
   writeln('Usage: VBS_DEC infile outfile');
   writeln;

   assign(infile,paramstr(1)); reset(infile);
   assign(outfile,paramstr(2)); rewrite(outfile);

   res:=0; {find start marker (search for "#@~^")}
   repeat
     while not eof(infile) and (res<>ord('#')) do read(infile,res);
     if not eof(infile) then begin
       read(infile,res);
       if res=ord('@') then begin
         read(infile,res);
         if res=ord('~') then begin
           read(infile,res);
           if res=ord('^') then res:=255;
          end else res:=0;
       end else res:=0;
     end else res:=0;
   until eof(infile) or (res=255);

   if res=0 then begin
     writeln('Error: Input file or start marker not found.'); exit;
   end;

   {jump to start of the encrypted code (do not search for "==")}
   seek(infile,filepos(infile)+8);

   pos:=0; {decrypt encrypted block}
   while not eof(infile) do begin

     read(infile,res); {read encrypted char}

     if res=ord('^') then begin {found end marker? (search for "^#~@")}
       read(infile,res);
       if res=ord('#') then begin
         read(infile,res);
         if res=ord('~') then begin
           read(infile,res);
           if res=ord('@') then begin
             exit;
           end else begin
             seek(infile,filepos(infile)-4);
             read(infile,res);
           end;
         end else begin
           seek(infile,filepos(infile)-3);
           read(infile,res);
         end;
       end else begin
         seek(infile,filepos(infile)-2);
         read(infile,res);
       end;
     end;

     if ord(res)<$80 then begin {encrypted?}
       res:=dectab[itab[pos],res];
       if res=$ff then begin {special char}
         read(infile,res);
         case res of
           $26 : res:=$0a;
           $23 : res:=$0d;
           $2a : res:=$3e;
           $21 : res:=$3c;
           $24 : res:=$40;
         end;
       end;
     end;

     write(outfile,res);

     pos:=(pos+1) mod 64;
   end;

   close(outfile); close(infile);
end.
-- 
Andreas Marx <amarx at gega-it.de>, http://www.av-test.org/
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, Fax: +49 (0)391 6075469




Full-Disclosure is hosted and sponsored by Secunia.


阅读:
录入:admin

评论 】 【 推荐 】 【 打印
上一篇:JavaScript经典论坛
下一篇:Microsoft Windows Scripting Encoder加密算法的研究
相关新闻      
本文评论
发表评论


点评: 字数
姓名:

  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
  • 参与本评论即表明您已经阅读并接受上述条款