
¿Hace scripting? Si no lo hace, debiera hacerlo.
Hay un formato especial de archivos VBScript que viene supuestamente codificado, aunque creo que el término correcto sería ofuscado. Este formato es VBE y al intentar abrir un archivo con este formato con un editor de texto común y corriente encontraremos algo parecido a esto:
Mucho contenido no se puede apreciar. Solo caracteres que, aparentemente, carecen de sentido.
Existe la forma de hacer ingeniería inversa con otro script hecho por Jean-Luc Antoine hace ya varios años.
El código es:
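'===============================================================================
'===============================================================================
' SCRIPT........: scriptDecode.vbs
' VERSION.......: 1.5
' DATE..........: 11/22/2003
' AUTHOR........: Jean-Luc Antoine
' LINK..........: http://www.interclasse.com/scripts/decovbe.php
' ALTERED BY....: Joe Glessner
' DESCRIPTION...: Decodes scripts encoded with screnc.exe. Usable with
'                 Wscript by dragging an encoded script onto this one. If done
'                 this way, only the first 100 lines (or so) of the script
'                 will be displayed.
'                 If run using Cscript.exe the entire output will be
'                 displayed.
'                 This script can be used to output the decoded script to a
'                 file using Cscript.exe by calling it with the following
'                 syntax:
'
'                 cscript [Path]\scriptDecoder.vbs [Path]\<filename> >> output.txt
'
' NOTE..........: The input file is only read and transformed as text; nothing
'                 in this script executes the decoded content. The output is
'                 whatever the encoded file contained, so read it in an editor
'                 rather than running it.
'===============================================================================
'===============================================================================
'**Start Encode**
'===============================================================================
'# START
'===============================================================================
option explicit

'---------------------------------------------------------------------------
'# Declare variables
'---------------------------------------------------------------------------
Dim oArgs, NomFichier

'---------------------------------------------------------------------------
'# Check Arguments
'---------------------------------------------------------------------------
' NomFichier stays empty unless exactly one usable argument (or a file picked
' in the dialog) is available; an empty value falls through to the usage text.
NomFichier=""
Set oArgs = WScript.Arguments
Select Case oArgs.Count
    Case 0 'No Arg, popup a dialog box to choose the file
        NomFichier=BrowseForFolder("Choose an encoded file", &H4031, &H0011)
    Case 1
        If Instr(oArgs(0),"?")=0 Then '-? or /? => help
            NomFichier=oArgs(0)
        End If
    Case Else
        WScript.Echo "Too many parameters"
End Select
Set oArgs = Nothing

'---------------------------------------------------------------------------
'# Decode the file and output the results
'---------------------------------------------------------------------------
If NomFichier<>"" Then
    Dim fso
    Set fso=WScript.CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(NomFichier) Then
        Dim fic,Contenu
        Set fic = fso.OpenTextFile(NomFichier, 1) '1 = open for reading
        Contenu=fic.readAll
        fic.close
        Set fic=Nothing

        Const TagInit="#@~^" '#@~^awQAAA==
        ' Six-character end marker. The offsets below (+6 / -6) depend on this
        ' length, so the constant must stay exactly "==^#~@".
        Const TagFin="==^#~@" '& chr(0)
        Dim DebutCode, FinCode

        ' Replace every encoded section in place until none is left. A file can
        ' therefore mix plain text and several encoded sections.
        Do
            FinCode=0
            DebutCode=Instr(Contenu,TagInit)
            If DebutCode>0 Then
                ' The start tag (4 chars) is followed by 6 chars and then "==",
                ' so "==" must sit exactly 10 positions after the tag start.
                If (Instr(DebutCode,Contenu,"==")-DebutCode)=10 Then 'If "==" follows the tag
                    FinCode=Instr(DebutCode,Contenu,TagFin)
                    If FinCode>0 Then
                        ' Skip the 12-char header, drop the 6 chars that precede
                        ' the end marker (presumably a checksum; it is not
                        ' verified here), and skip the 6-char end marker itself.
                        Contenu=Left(Contenu,DebutCode-1) & _
                            Decode(Mid(Contenu,DebutCode+12,FinCode-DebutCode-12-6)) & _
                            Mid(Contenu,FinCode+6)
                    End If
                End If
            End If
        Loop Until FinCode=0
        WScript.Echo Contenu
    Else
        WScript.Echo NomFichier & " not found"
    End If
    Set fso=Nothing
Else
    WScript.Echo "Please give a filename"
    WScript.Echo "Usage : " & wscript.fullname & " " & WScript.ScriptFullName & _
        " <filename>"
End If

'===============================================================================
'# Functions
'===============================================================================
'---------------------------------------------------------------------------
'# Name................: Decode()
'# Use.................: Decode(Chaine)
'# Purpose.............: Reverse the encoding done by screnc.exe.
'# Notes...............: Builds the reverse substitution table at run time by
'#                       asking the Scripting.Encoder object to encode each
'#                       character code 9..127 three times and recording which
'#                       encoded byte it produced at each of the three
'#                       positions. Chaine is the encoded payload without the
'#                       start/end tags; the decoded text is returned.
'---------------------------------------------------------------------------
Function Decode(Chaine)
    Dim se,i,c,j,index,ChaineTemp
    Dim tDecode(127)
    ' For each position in the stream (mod 64), which of the three
    ' substitution alphabets (1, 2 or 3) applies.
    Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132"

    Set se=WSCript.CreateObject("Scripting.Encoder")
    ' Placeholder 3-char entries; each slot is overwritten below.
    For i=9 to 127
        tDecode(i)="JLA"
    Next
    For i=9 to 127
        ' Encode the string made of character i repeated 3 times and keep the
        ' 3 encoded characters that follow the 12-char header.
        ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
        For j=1 to 3
            c=Asc(Mid(ChaineTemp,j,1))
            ' Encoded byte c at alphabet j decodes back to chr(i).
            tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
        Next
    Next
    'Next line we correct a bug, otherwise a ")" could be decoded to a ">"
    tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
    Set se=Nothing

    ' Undo the escape sequences first: @& = LF, @# = CR, @* = ">", @! = "<",
    ' @$ = "@".
    Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
    Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
    Chaine=Replace(Chaine,"@$","@")

    index=-1
    For i=1 to Len(Chaine)
        c=asc(Mid(Chaine,i,1))
        ' Only characters below 128 advance the position in Combinaison.
        If c<128 Then index=index+1
        ' Tab and printable ASCII are substituted; "<" (60), ">" (62) and
        ' "@" (64) are left as they are.
        If (c=9) or ((c>31) and (c<128)) Then
            If (c<>60) and (c<>62) and (c<>64) Then
                Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison, _
                    (index mod 64)+1,1),1) & Mid(Chaine,i+1)
            End If
        End If
    Next
    Decode=Chaine
End Function

'---------------------------------------------------------------------------
'# Name................: BrowseForFolder()
'# Use.................: BrowseForFolder(ByVal pstrPrompt, ByVal
'#                       pintBrowseType, ByVal pintLocation)
'# Purpose.............: Locate the encoded script using Shell.Application
'# Returns.............: Full path of the selected item, or "" when the
'#                       dialog is cancelled or the path cannot be resolved.
'---------------------------------------------------------------------------
Function BrowseForFolder(ByVal pstrPrompt, ByVal pintBrowseType, ByVal pintLocation)
    Dim ShellObject, pstrTempFolder
    Set ShellObject=WScript.CreateObject("Shell.Application")
    ' A cancelled dialog leaves pstrTempFolder unusable; the resulting error
    ' is caught below and mapped to an empty path.
    On Error Resume Next
    Set pstrTempFolder=ShellObject.BrowseForFolder(&H0,pstrPrompt,pintBrowseType,pintLocation)
    BrowseForFolder=pstrTempFolder.ParentFolder.ParseName(pstrTempFolder.Title).Path
    If Err.Number<>0 Then BrowseForFolder=""
    Set pstrTempFolder=Nothing
    Set ShellObject=Nothing
End Function
'===============================================================================
'# END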
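La forma es guardarlo en un archivo llamado scriptDecoder.vbs y usarlo así:
cscript [Path]\scriptDecoder.vbs [Path]\<archivo.vbe> >> output.txt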
Espero que les sirva.