| Analisando um malware recebido por e-mail me deparei com um script VBA codificado, sendo assim busquei um script para decodificar e poder realizar a análise do mesmo, segue abaixo o script criado por Jean-Luc Antoine, podendo ser localizado em http://www.interclasse.com/scripts/decovbe.php | During a malware analisis i had to try to decrypt an VBA Script, so looking for on internet i found this script bellow. This script was written by Jean-Luc Antoine | | — | — |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
'===============================================================================
'===============================================================================
' SCRIPT........: scriptDecode.vbs
' VERSION.......: 1.5
' DATE..........: 11/22/2003
' AUTHOR........: Jean-Luc Antoine
' LINK..........: http://www.interclasse.com/scripts/decovbe.php
' ALTERED BY....: Joe Glessner
' DESCRIPTION...: Decodes scripts encoded with screnc.exe. Usable with
' Wscript by dragging an encoded script onto this one. If done
' this way, only the first 100 lines (or so) of the script
' will be displayed.
' If run using Cscript.exe the entire output will be
' displayed.
' This script can be used to output the decoded script to a
' file using Cscript.exe by calling it with the following
' syntax:
'
' cscript [Path]\scriptDecoder.vbs [Path]\<filename> >> output.txt
'
'===============================================================================
'===============================================================================
'**Start Encode**
'===============================================================================
'# START <CODE>
'===============================================================================
option explicit
'---------------------------------------------------------------------------
'# Declare variables
'---------------------------------------------------------------------------
Dim oArgs, NomFichier
'---------------------------------------------------------------------------
'# Check Arguments
'---------------------------------------------------------------------------
NomFichier=""
Set oArgs = WScript.Arguments
Select Case oArgs.Count
Case 0 'No Arg, popup a dialog box to choose the file
NomFichier=BrowseForFolder("Choose an encoded file", &H4031, &H0011)
Case 1
If Instr(oArgs(0),"?")=0 Then '-? ou /? => aide
NomFichier=oArgs(0)
End If
Case Else
WScript.Echo "Too many parameters"
End Select
Set oArgs = Nothing
'---------------------------------------------------------------------------
'# Decode the file and output the results
'---------------------------------------------------------------------------
If NomFichier<>"" Then
Dim fso
Set fso=WScript.CreateObject("Scripting.FileSystemObject")
If fso.FileExists(NomFichier) Then
Dim fic,contenu
Set fic = fso.OpenTextFile(NomFichier, 1)
Contenu=fic.readAll
fic.close
Set fic=Nothing
Const TagInit="#@~^" '#@~^awQAAA==
Const TagFin="==^#~@" '& chr(0)
Dim DebutCode, FinCode
Do
FinCode=0
DebutCode=Instr(Contenu,TagInit)
If DebutCode>0 Then
If (Instr(DebutCode,Contenu,"==")-DebutCode)=10 Then
'If "==" follows the tag
FinCode=Instr(DebutCode,Contenu,TagFin)
If FinCode>0 Then
Contenu=Left(Contenu,DebutCode-1) & _
Decode(Mid(Contenu,DebutCode+12,FinCode-DebutCode-12-6)) & _
Mid(Contenu,FinCode+6)
End If
End If
End If
Loop Until FinCode=0
WScript.Echo Contenu
Else
WScript.Echo Nomfichier & " not found"
End If
Set fso=Nothing
Else
WScript.Echo "Please give a filename"
WScript.Echo "Usage : " & wscript.fullname & " " & WScript.ScriptFullName & _
" <filename>"
End If
'===============================================================================
'# Functions
'===============================================================================
'---------------------------------------------------------------------------
'# Name................: Decode()
'# Use.................: Decode(Chaine)
'# Purpose.............: Reverse the encoding done by screnc.exe.
'---------------------------------------------------------------------------
Function Decode(Chaine)
Dim se,i,c,j,index,ChaineTemp
Dim tDecode(127)
Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132"
Set se=WSCript.CreateObject("Scripting.Encoder")
For i=9 to 127
tDecode(i)="JLA"
Next
For i=9 to 127
ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
For j=1 to 3
c=Asc(Mid(ChaineTemp,j,1))
tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
Next
Next
'Next line we correct a bug, otherwise a ")" could be decoded to a ">"
tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
Set se=Nothing
Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
Chaine=Replace(Chaine,"@$","@")
index=-1
For i=1 to Len(Chaine)
c=asc(Mid(Chaine,i,1))
If c<128 Then index=index+1
If (c=9) or ((c>31) and (c<128)) Then
If (c<>60) and (c<>62) and (c<>64) Then
Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison, _
(index mod 64)+1,1),1) & Mid(Chaine,i+1)
End If
End If
Next
Decode=Chaine
End Function
'---------------------------------------------------------------------------
'# Name................: BrowseForFolder()
'# Use.................: BrowseForFolder(ByVal pstrPrompt, ByVal
'# pintBrowseType, ByVal pintLocation)
'# Purpose.............: Locate the encoded script using Shell.Application
'---------------------------------------------------------------------------
Function BrowseForFolder(ByVal pstrPrompt, ByVal pintBrowseType, ByVal pintLocation)
Dim ShellObject, pstrTempFolder, x
Set ShellObject=WScript.CreateObject("Shell.Application")
On Error Resume Next
Set pstrTempFolder=ShellObject.BrowseForFolder(&H0,pstrPrompt,pintBrowseType,pintLocation)
BrowseForFolder=pstrTempFolder.ParentFolder.ParseName(pstrTempFolder.Title).Path
If Err.Number<>0 Then BrowseForFolder=""
Set pstrTempFolder=Nothing
Set ShellObject=Nothing
End Function
'===============================================================================
'# END </CODE>
'===============================================================================