Script para decodificar arquivos .vbe | Script to decode .vbe files

Analisando um malware recebido por e-mail me deparei com um script VBA codificado, sendo assim busquei um script para decodificar e poder realizar a análise do mesmo. Segue abaixo o script criado por Jean-Luc Antoine, podendo ser localizado em http://www.interclasse.com/scripts/decovbe.php | During a malware analysis I had to decode an encoded VBA script, so I searched the internet and found the script below. This script was written by Jean-Luc Antoine.

'===============================================================================
'===============================================================================
'  SCRIPT........:  scriptDecode.vbs	
'  VERSION.......:  1.5
'  DATE..........:  11/22/2003
'  AUTHOR........:  Jean-Luc Antoine
'  LINK..........:  http://www.interclasse.com/scripts/decovbe.php
'  ALTERED BY....:  Joe Glessner
'  DESCRIPTION...:  Decodes scripts encoded with screnc.exe. Usable with 
'                   Wscript by dragging an encoded script onto this one. If done
'                   this way, only the first 100 lines (or so) of the script 
'                   will be displayed.
'                   If run using Cscript.exe the entire output will be 
'                   displayed.
'                   This script can be used to output the decoded script to a 
'                   file using Cscript.exe by calling it with the following
'                   syntax:
'
'              cscript [Path]\scriptDecode.vbs [Path]\<filename> >> output.txt 
'
'===============================================================================
'===============================================================================
'**Start Encode**

'===============================================================================
'#  START <CODE>
'===============================================================================
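option explicit

    '---------------------------------------------------------------------------
    '#  Declare variables
    '---------------------------------------------------------------------------
    '   NomFichier : path of the encoded file to decode ("" = nothing chosen)
    Dim oArgs, NomFichier

    '---------------------------------------------------------------------------
    '#  Check Arguments
    '---------------------------------------------------------------------------
    NomFichier=""
    Set oArgs = WScript.Arguments
    Select Case oArgs.Count
    Case 0 'No argument: pop up a dialog box to choose the file
        NomFichier=BrowseForFolder("Choose an encoded file", &H4031, &H0011)
    Case 1
        'An argument containing "?" (-? or /?) is a request for help:
        'NomFichier stays "" and the usage text further down is printed
        If Instr(oArgs(0),"?")=0 Then
            NomFichier=oArgs(0)
        End If
    Case Else
        WScript.Echo "Too many parameters"
    End Select
    Set oArgs = Nothing

    '---------------------------------------------------------------------------
    '#  Decode the file and output the results
    '---------------------------------------------------------------------------
    If NomFichier<>"" Then
        Dim fso
        Set fso=WScript.CreateObject("Scripting.FileSystemObject")
        If fso.FileExists(NomFichier) Then
            Dim fic,Contenu
            Set fic = fso.OpenTextFile(NomFichier, 1) 'ForReading
            'ReadAll raises "Input past end of file" on an empty file, so test
            'for end-of-stream first and treat an empty file as empty text
            If fic.AtEndOfStream Then
                Contenu=""
            Else
                Contenu=fic.ReadAll
            End If
            fic.Close
            Set fic=Nothing

            'Encoded block layout: TagInit, 8 header chars ending in "==",
            'the encoded body, then TagFin
            Const TagInit="#@~^" '#@~^awQAAA==
            Const TagFin="==^#~@" '& chr(0)
            Dim DebutCode, FinCode
            'Replace every encoded block in place until no well-formed one is left
            Do
                FinCode=0
                DebutCode=Instr(Contenu,TagInit)
                If DebutCode>0 Then
                    'A real block has "==" exactly 10 characters after the tag start
                    If (Instr(DebutCode,Contenu,"==")-DebutCode)=10 Then
                        FinCode=Instr(DebutCode,Contenu,TagFin)
                        If FinCode>0 Then
                            '12 = Len(TagInit) + 8 header chars; 6 = Len(TagFin)
                            Contenu=Left(Contenu,DebutCode-1) & _
                            Decode(Mid(Contenu,DebutCode+12,FinCode-DebutCode-12-6)) & _
                            Mid(Contenu,FinCode+6)
                        End If
                    End If
                End If
            Loop Until FinCode=0
            'The decoded text is only printed to stdout, never executed
            WScript.Echo Contenu
        Else
            WScript.Echo NomFichier & " not found"
        End If
        Set fso=Nothing
    Else
        WScript.Echo "Please give a filename"
        WScript.Echo "Usage : " & wscript.fullname  & " " & WScript.ScriptFullName & _
         " <filename>"
    End If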

'===============================================================================
'#  Functions
'===============================================================================
    '---------------------------------------------------------------------------
	'#  Name................:  Decode()
	'#  Use.................:  Decode(Chaine)
	'#  Purpose.............:  Reverse the encoding done by screnc.exe.
	'---------------------------------------------------------------------------
    Function Decode(Chaine)
        'Decodes one screnc-encoded body (the text between the "#@~^...==" header
        'and the "==^#~@" trailer) and returns the plain script text.
        'Parameter Chaine : the encoded body (modified in place as a local copy).
        'Returns          : the decoded text.
        'Requires the "Scripting.Encoder" COM class to be registered; CreateObject
        'raises a runtime error otherwise.
        Dim se,i,c,j,index,ChaineTemp
        'tDecode(c) is a 3-character string: the plain characters that encoded
        'character c stands for in each of the 3 substitution alphabets
        Dim tDecode(127)
        '64-entry cycle selecting which of the 3 alphabets applies at each
        'position (indexed by index mod 64 below)
        Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132"
        Set se=WSCript.CreateObject("Scripting.Encoder")
        'Placeholder so that Left/Mid below always operate on a 3-char string
        For i=9 to 127
            tDecode(i)="JLA"
        Next
        'Build the table by encoding each character i three times in a row and
        'reading the 3 encoded characters (positions 13-15 = after the 12-char
        'header); the j-th encoded character maps back to i in alphabet j
        For i=9 to 127
            ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
            For j=1 to 3
                c=Asc(Mid(ChaineTemp,j,1))
                tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
            Next
        Next
        'Next line we correct a bug, otherwise a ")" could be decoded to a ">"
        '(entry 42 = "*", alphabet 2 is forced to ")")
        tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
        Set se=Nothing
        'Undo the escape sequences first: @& -> LF, @# -> CR, @* -> ">",
        '@! -> "<", @$ -> "@"
        Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
        Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
        Chaine=Replace(Chaine,"@$","@")
        'index counts every character below 128 seen so far (including the ones
        'left untouched below) and drives the alphabet selection
        index=-1
        For i=1 to Len(Chaine)
            c=asc(Mid(Chaine,i,1))
            If c<128 Then index=index+1 
            'Only TAB and printable ASCII are substituted
            If (c=9) or ((c>31) and (c<128)) Then
                '"<", ">" and "@" are left as produced by the escape handling above
                If (c<>60) and (c<>62) and (c<>64) Then
                    Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison, _
                     (index mod 64)+1,1),1) & Mid(Chaine,i+1)
                End If
            End If
        Next
        Decode=Chaine
    End Function

    '---------------------------------------------------------------------------
    '#  Name................:  BrowseForFolder()
	'#  Use.................:  BrowseForFolder(ByVal pstrPrompt, ByVal 
    '#                             pintBrowseType, ByVal pintLocation)
    '#  Purpose.............:  Locate the encoded script using Shell.Application
	'---------------------------------------------------------------------------
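    Function BrowseForFolder(ByVal pstrPrompt, ByVal pintBrowseType, ByVal pintLocation)
        'Shows the Shell "browse" dialog and returns the full path of the item
        'the user picked, or "" when the dialog was cancelled or the path could
        'not be resolved.
        'pstrPrompt     : text shown in the dialog
        'pintBrowseType : BrowseForFolder option flags (passed through to Shell)
        'pintLocation   : root folder (passed through to Shell)
        Dim ShellObject, pstrTempFolder
        Set ShellObject=WScript.CreateObject("Shell.Application")
        'Cancelling the dialog yields Nothing, so the member access below raises;
        'resume and map any error to an empty result
        On Error Resume Next
        Set pstrTempFolder=ShellObject.BrowseForFolder(&H0,pstrPrompt,pintBrowseType,pintLocation)
        BrowseForFolder=pstrTempFolder.ParentFolder.ParseName(pstrTempFolder.Title).Path
        If Err.Number<>0 Then
            BrowseForFolder=""
            Err.Clear 'do not leave a stale error for the caller to observe
        End If
        Set pstrTempFolder=Nothing
        Set ShellObject=Nothing
    End Function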
    
'===============================================================================
'#  END </CODE>
'===============================================================================
Helvio Junior

Especialista em Segurança Ofensiva e Análise de Malwares em SafeTrend
Especialista em Segurança Ofensiva e pesquisador independente de Malwares.