任培成的收藏夹

Hi!

In the last 2-3 days a few encrypted (Microsoft VBScript.Encode / 
JScript.Encode) HTML "exploits" were released. Some of them are simply 
trojans and not demo exploits at all. I've released this piece of code 
(attached) under GPL to decrypt such files, so you would be able to check 
the content before you execute the code. For this, I have written a simple 
Pascal program to undo the "protection" of the script files. It took me 5 
minutes to analyse the encrypted files, 10 to write this program and 20 
minutes to test it. What a bad encryption! However, it does not support 
unicode HTML files yet...

Details (how to use the encryption):
http://www.mcpmag.com/columns/article.asp?EditorialsID=522

Microsoft description of the script encoding features:
http://msdn.microsoft.com/library/en-us/script56/html/seconscriptencoderoverview.asp

cheers,
Andreas


VBS_DEC.PAS ->

program vbs_dec;  { Decrypts encrypted VBScript and JScript programs }
                   { Copyright (c) 09/2003 Andreas Marx / 
http://www.av-test.org/ }

const itab : array[0..63] of byte = ( {table order}
       $00,$02,$01,$00,$02,$01,$02,$01,$01,$02,$01,$02,$00,$01,$02,$01,
       $00,$01,$02,$01,$00,$00,$02,$01,$01,$02,$00,$01,$02,$01,$01,$02,
       $00,$00,$01,$02,$01,$02,$01,$00,$01,$00,$00,$02,$01,$00,$01,$02,
       $00,$01,$02,$01,$00,$00,$02,$01,$01,$00,$00,$02,$01,$00,$01,$02);

       dectab : array[0..2,0..$7f] of byte = ( {table to decrypt}
      ($00,$01,$02,$03,$04,$05,$06,$07,$08,$57,$0A,$0B,$0C,$0D,$0E,$0F,
       $10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
       $2E,$47,$7A,$56,$42,$6A,$2F,$26,$49,$41,$34,$32,$5B,$76,$72,$43,
       $38,$39,$70,$45,$68,$71,$4F,$09,$62,$44,$23,$75,$3C,$7E,$3E,$5E,
       $FF,$77,$4A,$61,$5D,$22,$4B,$6F,$4E,$3B,$4C,$50,$67,$2A,$7D,$74,
       $54,$2B,$2D,$2C,$30,$6E,$6B,$66,$35,$25,$21,$64,$4D,$52,$63,$3F,
       $7B,$78,$29,$28,$73,$59,$33,$7F,$6D,$55,$53,$7C,$3A,$5F,$65,$46,
       $58,$31,$69,$6C,$5A,$48,$27,$5C,$3D,$24,$79,$37,$60,$51,$20,$36),

      ($00,$01,$02,$03,$04,$05,$06,$07,$08,$7B,$0A,$0B,$0C,$0D,$0E,$0F,
       $10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
       $32,$30,$21,$29,$5B,$38,$33,$3D,$58,$3A,$35,$65,$39,$5C,$56,$73,
       $66,$4E,$45,$6B,$62,$59,$78,$5E,$7D,$4A,$6D,$71,$3C,$60,$3E,$53,
       $FF,$42,$27,$48,$72,$75,$31,$37,$4D,$52,$22,$54,$6A,$47,$64,$2D,
       $20,$7F,$2E,$4C,$5D,$7E,$6C,$6F,$79,$74,$43,$26,$76,$25,$24,$2B,
       $28,$23,$41,$34,$09,$2A,$44,$3F,$77,$3B,$55,$69,$61,$63,$50,$67,
       $51,$49,$4F,$46,$68,$7C,$36,$70,$6E,$7A,$2F,$5F,$4B,$5A,$2C,$57),

      ($00,$01,$02,$03,$04,$05,$06,$07,$08,$6E,$0A,$0B,$0C,$06,$0E,$0F,
       $10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$1A,$1B,$1C,$1D,$1E,$1F,
       $2D,$75,$52,$60,$71,$5E,$49,$5C,$62,$7D,$29,$36,$20,$7C,$7A,$7F,
       $6B,$63,$33,$2B,$68,$51,$66,$76,$31,$64,$54,$43,$3C,$3A,$3E,$7E,
       $FF,$45,$2C,$2A,$74,$27,$37,$44,$79,$59,$2F,$6F,$26,$72,$6A,$39,
       $7B,$3F,$38,$77,$67,$53,$47,$34,$78,$5D,$30,$23,$5A,$5B,$6C,$48,
       $55,$70,$69,$2E,$4C,$21,$24,$4E,$50,$09,$56,$73,$35,$61,$4B,$58,
       $3B,$57,$22,$6D,$4D,$25,$28,$46,$4A,$32,$41,$3D,$5F,$4F,$42,$65));

var infile,
     outfile  : file of byte;
     pos, res : byte;

begin
   writeln;
   writeln('VBS_DEC (c) Andreas Marx 09/2003 (http://www.av-test.org/)');
   writeln('Usage: VBS_DEC infile outfile');
   writeln;

   assign(infile,paramstr(1)); reset(infile);
   assign(outfile,paramstr(2)); rewrite(outfile);

   res:=0; {find start marker (search for "#@~^")}
   repeat
     while not eof(infile) and (res<>ord('#')) do read(infile,res);
     if not eof(infile) then begin
       read(infile,res);
       if res=ord('@') then begin
         read(infile,res);
         if res=ord('~') then begin
           read(infile,res);
           if res=ord('^') then res:=255;
          end else res:=0;
       end else res:=0;
     end else res:=0;
   until eof(infile) or (res=255);

   if res=0 then begin
     writeln('Error: Input file or start marker not found.'); exit;
   end;

   {jump to start of the encrypted code (do not search for "==")}
   seek(infile,filepos(infile)+8);

   pos:=0; {decrypt encrypted block}
   while not eof(infile) do begin

     read(infile,res); {read encrypted char}

     if res=ord('^') then begin {found end marker? (search for "^#~@")}
       read(infile,res);
       if res=ord('#') then begin
         read(infile,res);
         if res=ord('~') then begin
           read(infile,res);
           if res=ord('@') then begin
             exit;
           end else begin
             seek(infile,filepos(infile)-4);
             read(infile,res);
           end;
         end else begin
           seek(infile,filepos(infile)-3);
           read(infile,res);
         end;
       end else begin
         seek(infile,filepos(infile)-2);
         read(infile,res);
       end;
     end;

     if ord(res)<$80 then begin {encrypted?}
       res:=dectab[itab[pos],res];
       if res=$ff then begin {special char}
         read(infile,res);
         case res of
           $26 : res:=$0a;
           $23 : res:=$0d;
           $2a : res:=$3e;
           $21 : res:=$3c;
           $24 : res:=$40;
         end;
       end;
     end;

     write(outfile,res);

     pos:=(pos+1) mod 64;
   end;

   close(outfile); close(infile);
end.
-- 
Andreas Marx <amarx at gega-it.de>, http://www.av-test.org/
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, Fax: +49 (0)391 6075469