Navigation

>> Home
 
ASP.NET (13)
Security (5)
"Classic" ASP (2)
C# (1)
VB.NET (1)
ASP and Flash (1)
 
About Us
 
Chinese Content German Content

 

MS Script Encoder Decoded

Written by: Christoph Wille
Translated by: Bernhard Spuida
First published: 11/23/2001

In the article Obfuscating ASP Scripts I demonstrated how ASP scripts can be rendered unreadable by means of the MS Script Encoder. I also said that this will only work as a defense against the average user, but not against a determined attacker who really wants to get at the source code. To emphasize this warning, today I will present a tool for inverting this code obfuscation.

Same as the author of the tool I want to say beforehand that the purpose of this tool is intended to be nothing more than a demonstration of the in the end useless encoding of the MS Script Encoder. That its intended use does not lie in cracking other's source code ought to be obvious (and that I as the author of the article am not responsible for your actions either).

Script Encoder Revisited

To start with as a warm up exercise, let's look at the Script Encoder and its use (Download). Here we have my example file to be encoded (sample.asp): 

<% @Language="VBScript" %>
<%
Option Explicit

Response.Buffer = True
Dim nVar, strVar, i

nVar = 10
strVar = "Hello World"

For i=1 To nVar
  Response.Write strVar
  Response.Write "<br>"
Next
Response.End
%>

Let us assume that this is worthy enough of protection to not let anybody with physical access to the file on the Web server read it. Therefore I would encode it in this manner: 

screnc /l VBScript sample.asp encoded.asp

Execution of this command returns the encoded file encoded.asp (I word wrapped the second line for reasons of legibility): 

<% @Language="VBScript.Encode" %>
<%#@~^3gAAAA==@#@&r2DkKxPA6ask1kO@#@&@#@&]/wKU/RA!WW+MP{PPD;n@#@&9ks
    ~xjl.S,/Y.#mDSPb@#@&@#@&        .mDP{P8T@#@&/ODjl.~{PJ_nV^WPqG.V9J@#@&@#@
    &oGMPr'8~KKPU#mD@#@&~,In/aG        /ncMkYPkODjl.@#@&P~]/wKU/RMrO+,J@!4.@*E@#@
    &1n6D@#@&"+d2Kx/n Ax[@#@&CDoAAA==^#~@%>

This is sufficiently unreadable for someone who is not inclined to invest quite some time in decoding it.

Call in the Windows Script Decoder!

Did I just write something about 'investing quite some time'? Well, if that someone does know what tools are available on the Internet (and Crackers tend to have this kind of knowledge), then 'quite some time' gets reduced to 'a few seconds'. The tool I am talking about is the Windows Script Decoder. Using it is (unfortunately) just as simple as using the Script Encoder is: 

scrdec13.exe encoded.asp decoded.asp

And indeed - the output is an (almost) identical Script: 

<% @Language="VBScript.Encode" %>
<%
Option Explicit

Response.Buffer = True
Dim nVar, strVar, i

nVar = 10
strVar = "Hello World"

For i=1 To nVar
  Response.Write strVar
  Response.Write "<br>"
Next
Response.End
%>

By 'almost' I mean to say that we still have to manually replace VBScript.Encode by VBScript. Other than that, we now have the original source code at hand.

Conclusion

This article serves as a warning that using the Script Encoder can only be a measure protecting us from naive customers. A determined attacker will in the worst case (from his view) smile mildly at encoded files. This yet again proves the point that as far as 'security technologies' go, it always is recommended to be informed about what tools the other side has at its disposition for circumventing them.

Downloading the Code

Click here to start the download.

Links

A mathematical paper demonstrating the impossibility of code obfuscation
Obfuscated-HTML De-obfuscation Tools
Script Encoder
Script Encoder Documentation
Windows Script Decoder

©2000-2004 AspHeute.com
All rights reserved. The content of these pages is copyrighted.
All content and images on this site are copyright. Reuse (even parts) needs our written consent.