Script to decode .vbe files
While analyzing a piece of malware received by e-mail I came across an encoded VBA script, so I looked for a script to decode it so that I could analyze it. Below is the script created by Jean-Luc Antoine, which can be found at http://www.interclasse.com/scripts/decovbe.php
```vbscript
'===============================================================================
'===============================================================================
' SCRIPT........: scriptDecode.vbs
' VERSION.......: 1.5
' DATE..........: 11/22/2003
' AUTHOR........: Jean-Luc Antoine
' LINK..........: http://www.interclasse.com/scripts/decovbe.php
' ALTERED BY....: Joe Glessner
' DESCRIPTION...: Decodes scripts encoded with screnc.exe. Usable with
'                 Wscript by dragging an encoded script onto this one. If done
'                 this way, only the first 100 lines (or so) of the script
'                 will be displayed.
'                 If run using Cscript.exe the entire output will be
'                 displayed.
'                 This script can be used to output the decoded script to a
'                 file using Cscript.exe by calling it with the following
'                 syntax:
'
'                 cscript [Path]\scriptDecode.vbs [Path]\<filename> >> output.txt
'
'===============================================================================
'===============================================================================
'**Start Encode**
'===============================================================================
'# START <CODE>
'===============================================================================
option explicit

'---------------------------------------------------------------------------
'# Declare variables
'---------------------------------------------------------------------------
Dim oArgs, NomFichier

'---------------------------------------------------------------------------
'# Check Arguments
'---------------------------------------------------------------------------
NomFichier=""
Set oArgs = WScript.Arguments
Select Case oArgs.Count
  Case 0 'No Arg, popup a dialog box to choose the file
    NomFichier=BrowseForFolder("Choose an encoded file", &H4031, &H0011)
  Case 1
    If Instr(oArgs(0),"?")=0 Then '-? or /? => help
      NomFichier=oArgs(0)
    End If
  Case Else
    WScript.Echo "Too many parameters"
End Select
Set oArgs = Nothing

'---------------------------------------------------------------------------
'# Decode the file and output the results
'---------------------------------------------------------------------------
If NomFichier<>"" Then
  Dim fso
  Set fso=WScript.CreateObject("Scripting.FileSystemObject")
  If fso.FileExists(NomFichier) Then
    Dim fic,contenu
    Set fic = fso.OpenTextFile(NomFichier, 1)
    Contenu=fic.readAll
    fic.close
    Set fic=Nothing
    'An encoded block looks like: #@~^ + 6-char length + == + payload + 6-char checksum + ==^#~@
    Const TagInit="#@~^" '#@~^awQAAA==
    Const TagFin="==^#~@" '& chr(0)
    Dim DebutCode, FinCode
    Do
      FinCode=0
      DebutCode=Instr(Contenu,TagInit)
      If DebutCode>0 Then
        If (Instr(DebutCode,Contenu,"==")-DebutCode)=10 Then 'If "==" follows the tag
          FinCode=Instr(DebutCode,Contenu,TagFin)
          If FinCode>0 Then
            'Skip the 12-char header, drop the 6-char checksum before the end tag
            Contenu=Left(Contenu,DebutCode-1) & _
              Decode(Mid(Contenu,DebutCode+12,FinCode-DebutCode-12-6)) & _
              Mid(Contenu,FinCode+6)
          End If
        End If
      End If
    Loop Until FinCode=0
    WScript.Echo Contenu
  Else
    WScript.Echo Nomfichier & " not found"
  End If
  Set fso=Nothing
Else
  WScript.Echo "Please give a filename"
  WScript.Echo "Usage : " & wscript.fullname & " " & WScript.ScriptFullName & _
    " <filename>"
End If

'===============================================================================
'# Functions
'===============================================================================
'---------------------------------------------------------------------------
'# Name................: Decode()
'# Use.................: Decode(Chaine)
'# Purpose.............: Reverse the encoding done by screnc.exe.
'---------------------------------------------------------------------------
Function Decode(Chaine)
  Dim se,i,c,j,index,ChaineTemp
  Dim tDecode(127)
  'Which of the three substitution alphabets is used for each character,
  'repeating every 64 characters
  Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132"
  Set se=WSCript.CreateObject("Scripting.Encoder")
  For i=9 to 127
    tDecode(i)="JLA"
  Next
  'Build the decode table from the encoder itself: encode three copies of
  'every character and read back what each of the three alphabets produced
  For i=9 to 127
    ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
    For j=1 to 3
      c=Asc(Mid(ChaineTemp,j,1))
      tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
    Next
  Next
  'Next line we correct a bug, otherwise a ")" could be decoded to a ">"
  tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
  Set se=Nothing
  'Undo the escape sequences used for CR, LF, <, > and @
  Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
  Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
  Chaine=Replace(Chaine,"@$","@")
  index=-1
  For i=1 to Len(Chaine)
    c=asc(Mid(Chaine,i,1))
    If c<128 Then index=index+1
    If (c=9) or ((c>31) and (c<128)) Then
      If (c<>60) and (c<>62) and (c<>64) Then
        Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison, _
          (index mod 64)+1,1),1) & Mid(Chaine,i+1)
      End If
    End If
  Next
  Decode=Chaine
End Function

'---------------------------------------------------------------------------
'# Name................: BrowseForFolder()
'# Use.................: BrowseForFolder(ByVal pstrPrompt, ByVal
'#                       pintBrowseType, ByVal pintLocation)
'# Purpose.............: Locate the encoded script using Shell.Application
'---------------------------------------------------------------------------
Function BrowseForFolder(ByVal pstrPrompt, ByVal pintBrowseType, ByVal pintLocation)
  Dim ShellObject, pstrTempFolder, x
  Set ShellObject=WScript.CreateObject("Shell.Application")
  On Error Resume Next
  Set pstrTempFolder=ShellObject.BrowseForFolder(&H0,pstrPrompt,pintBrowseType,pintLocation)
  BrowseForFolder=pstrTempFolder.ParentFolder.ParseName(pstrTempFolder.Title).Path
  If Err.Number<>0 Then BrowseForFolder=""
  Set pstrTempFolder=Nothing
  Set ShellObject=Nothing
End Function
'===============================================================================
'# END </CODE>
'===============================================================================
```
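The interesting part of the script above is that it never hard-codes the substitution tables: it feeds three copies of every character to Scripting.Encoder and reads back which character each of the three alphabets produced, which is a chosen-plaintext recovery of the cipher. The Python below is an added example, not code from the original post or from Jean-Luc Antoine; it reimplements the container parsing (the `#@~^` / `==^#~@` framing, the escape sequences and the 64-entry pick sequence) exactly as the VBScript does, and derives the table the same way. Scripting.Encoder only exists as a COM object on Windows, so a constructed toy encoder with made-up alphabets stands in for it here so that the example runs offline; the interpretation of the length field in `declared_length` is my assumption, and all function names are mine.

```python
"""Windows Script Encoder (.vbe/.jse) container decoding in Python.
Added example; not the original post's or Jean-Luc Antoine's code."""
import base64
import struct

# Alphabet choice per character position, repeating every 64 chars (from the VBScript).
PICK = "1231232332321323132311233213233211323231311231321323112331123132"
START, END = "#@~^", "==^#~@"
# Same escapes and same replacement order as Decode() above.
ESCAPES = {"@&": "\n", "@#": "\r", "@*": ">", "@!": "<", "@$": "@"}


def is_substituted(c: int) -> bool:
    """Chars that go through the alphabets; <, > and @ are escaped instead."""
    return (c == 9 or 31 < c < 128) and c not in (60, 62, 64)


def build_decode_table(encode_fn):
    """Recover the three alphabets by encoding chr(i)*3 and reading the three
    output chars at offset 12 (PICK starts "123", so one per alphabet).
    encode_fn(plaintext) must return a full container. On Windows the real
    encoder is: enc = win32com.client.Dispatch("Scripting.Encoder") and
    encode_fn = lambda s: enc.EncodeScriptFile(".vbs", s, 0, "").
    Non-substituted chars are skipped, which sidesteps the ')'/'>' collision
    the VBScript patches by hand."""
    table = {}
    for i in range(9, 128):
        if not is_substituted(i):
            continue
        for pos, ch in enumerate(encode_fn(chr(i) * 3)[12:15]):
            table.setdefault(ord(ch), [None, None, None])[pos] = chr(i)
    return table


def decode_payload(payload: str, table) -> str:
    """Undo escapes, then map each char through alphabet PICK[index % 64].
    index counts every char < 128, escaped ones included, as Decode() does."""
    for esc, plain in ESCAPES.items():
        payload = payload.replace(esc, plain)
    out, index = [], -1
    for ch in payload:
        c = ord(ch)
        if c < 128:
            index += 1
        if is_substituted(c) and table.get(c):
            ch = table[c][int(PICK[index % 64]) - 1] or ch
        out.append(ch)
    return "".join(out)


def decode_container(text: str, table) -> str:
    """Replace every '#@~^<len>==<payload><checksum>==^#~@' block in text
    with its plaintext, using the VBScript's offsets (12 header chars,
    6 checksum chars before the end tag)."""
    while True:
        start = text.find(START)
        if start < 0 or text[start + 10:start + 12] != "==":
            return text
        end = text.find(END, start + 12)
        if end < start + 18:
            return text
        plain = decode_payload(text[start + 12:end - 6], table)
        text = text[:start] + plain + text[end + len(END):]


def declared_length(text: str) -> int:
    """The 6 chars after '#@~^' (the script's comment shows '#@~^awQAAA==').
    ASSUMPTION: base64 of the encoded-payload length as a little-endian
    uint32; comparing it with the real payload length flags truncated samples."""
    start = text.find(START)
    return struct.unpack("<I", base64.b64decode(text[start + 4:start + 12]))[0]


def make_toy_encoder(seed: int = 7):
    """CONSTRUCTED stand-in for Scripting.Encoder so this runs offline: three
    made-up alphabets (never emitting '@') behind the real container layout,
    escapes and PICK sequence. The checksum field is a dummy."""
    import random
    rng = random.Random(seed)
    subst = [c for c in range(9, 128) if is_substituted(c)]
    pool = [c for c in range(33, 128) if c != 64]  # 94 images for 94 inputs
    alphabets = [dict(zip(subst, map(chr, rng.sample(pool, len(subst)))))
                 for _ in range(3)]
    unescape = {v: k for k, v in ESCAPES.items()}

    def encode(text: str) -> str:
        out, index = [], -1
        for ch in text:
            c = ord(ch)
            if c < 128:
                index += 1
            if ch in unescape:
                out.append(unescape[ch])
            elif is_substituted(c):
                out.append(alphabets[int(PICK[index % 64]) - 1][c])
            else:
                out.append(ch)
        payload = "".join(out)
        length = base64.b64encode(struct.pack("<I", len(payload))).decode()
        return START + length + payload + "AAAAAA" + END
    return encode


if __name__ == "__main__":
    encoder = make_toy_encoder()
    sample = 'MsgBox "Hi <you> & @me"\r\n\tx = 1\r\n'  # constructed input
    container = encoder(sample)
    print(container)
    print(decode_container(container, build_decode_table(encoder)))
```

With the real encoder plugged in on Windows, `build_decode_table` returns the genuine tables and `decode_container` can then be run anywhere, including on a Linux analysis box, by pickling that table once; the toy encoder only exists so the round trip can be checked without COM.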
Posted by Helvio Junior - M4v3r1ck - OSCE3 (OSEP + OSED + OSWE), OSCE, OSCP, eCXD, eMAPT, CEH