MS Script Encoder Decoded
Written by: Christoph Wille
Translated by: Bernhard Spuida
First published: 11/23/2001
Viewed 49462 times. Â 45 ratings, avg. grade 2.09
In the article Obfuscating ASP Scripts I demonstrated how ASP scripts can be rendered unreadable by means of the MS Script Encoder. I also said that this will only work as a defense against the average user, but not against a determined attacker who really wants to get at the source code. To emphasize this warning, today I will present a tool for inverting this code obfuscation.
Same as the author of the tool I want to say beforehand that the purpose of this tool is intended to be nothing more than a demonstration of the in the end useless encoding of the MS Script Encoder. That its intended use does not lie in cracking other's source code ought to be obvious (and that I as the author of the article am not responsible for your actions either).
Script Encoder Revisited
To start with as a warm up exercise, let's look at the Script Encoder and its use (Download). Here we have my example file to be encoded (sample.asp):
<% @Language="VBScript" %> <% Option Explicit Response.Buffer = True Dim nVar, strVar, i nVar = 10 strVar = "Hello World" For i=1 To nVar Response.Write strVar Response.Write " " Next Response.End %>
Let us assume that this is worthy enough of protection to not let anybody with physical access to the file on the Web server read it. Therefore I would encode it in this manner:
screnc /l VBScript sample.asp encoded.asp
Execution of this command returns the encoded file encoded.asp (I word wrapped the second line for reasons of legibility):
<% @Language="VBScript.Encode" %> <%#@~^3gAAAA==@#@&r2DkKxPA6ask1kO@#@&@#@&]/wKU/RA!WW+MP{PPD;n@#@&9ks ~xjl.S,/Y.#mDSPb@#@&@#@& .mDP{P8T@#@&/ODjl.~{PJ_nV^WPqG.V9J@#@&@#@ &oGMPr'8~KKPU#mD@#@&~,In/aG /ncMkYPkODjl.@#@&P~]/wKU/RMrO+,J@!4.@*E@#@ &1n6D@#@&"+d2Kx/n Ax[@#@&CDoAAA==^#~@%>
This is sufficiently unreadable for someone who is not inclined to invest quite some time in decoding it.
Call in the Windows Script Decoder!
Did I just write something about 'investing quite some time'? Well, if that someone does know what tools are available on the Internet (and Crackers tend to have this kind of knowledge), then 'quite some time' gets reduced to 'a few seconds'. The tool I am talking about is the Windows Script Decoder. Using it is (unfortunately) just as simple as using the Script Encoder is:
scrdec13.exe encoded.asp decoded.asp
And indeed - the output is an (almost) identical Script:
<% @Language="VBScript.Encode" %> <% Option Explicit Response.Buffer = True Dim nVar, strVar, i nVar = 10 strVar = "Hello World" For i=1 To nVar Response.Write strVar Response.Write " " Next Response.End %>
By 'almost' I mean to say that we still have to manually replace VBScript.Encode by VBScript. Other than that, we now have the original source code at hand.
Conclusion
This article serves as a warning that using the Script Encoder can only be a measure protecting us from naive customers. A determined attacker will in the worst case (from his view) smile mildly at encoded files. This yet again proves the point that as far as 'security technologies' go, it always is recommended to be informed about what tools the other side has at its disposition for circumventing them.
links relacionados:
http://www.virtualconspiracy.com/index.php?page=scrdec/download