Obfuscating and Encoding in VBScript

I've already had a ramble explaining the advantage of using scripts (over compiled code) in certain situations, but one of the things that often puts people off them is the fact that the source code is just there for anyone to read, stored in plaintext. What if it contained someone's name, or email address, or (heaven forbid) a password for a database, and fell into the wrong hands!? Obfuscation, whilst not necessarily the answer, can help...

Obfuscation is a technique used to discourage modification or reverse engineering of source code, accomplished by deliberately making the source code as difficult to read as possible without changing its functionality. Traditional obfuscation techniques include renaming variables to use names that are completely meaningless, or removing unnecessary white-space or line breaks (which are usually only there to make the code more readable in the first place).

For VBScript, Microsoft have provided a tool which performs obfuscation extremely effectively - a script encoder.

The encoder transforms a given VBScript or JScript file into something that's completely unreadable to a human. By all appearances, it looks unrunnable too. How could something like this possibly be runnable VBScript:

#@~^yQEAAA==W!x^DkKxPU+ [`UE8LmOS,AW9z#@#@&d}U~2MDKD~Ind!:nPgn6D@#@&7Gk:~/sNlP;h9Px,A^lYhlD4PLPEP PROKPJ,'PhDW9;^YbW b[N.~LPEPr~[,{@#@&idJRd,JEJ,',InaVmm+v?!8LmO~,JEEr~PrwJrJ#,'~JrJ,J~[~m@#@&7drR4KNz~rJJ~',Inw^C1+c~W9X~,JrEJBPE-rJEb,[PrEJ,JPL~m@#@&diJR0.GsPEPL~sMWh)9ND~',J~J,',{@#@&diJOM+asXDW~J,[~j!wwK.YzNNM@#@&dqkDt~Z.nmYnr(%+1YcEq?m.raY ?4n^VE*@#@&ddcI!UP;:[~,FS~:DE@#@&i2x9~ kDt@#@&7qW~v2.D*~K4+U@#@&ddjn N~',q@#@&7AVk+@#@&dij+ N~',!@#@&i2x9~q6@#@&U[P6E mOkGUV28AAA==^#~@

This is, however, perfectly runnable code just as long as you tell the scripting host that it's encoded. I challenge anybody to work out what this does just by looking at it, but in fact, if you've read any of my other posts, you'll have seen the source of this code before...

Function Send(Subject, Body)
 On Error Resume Next
 Dim Cmd: Cmd = BlatPath & " - -to " & ProductionAddr & " " & _
  "-s """ & Replace(Subject, """", "\""") & """ " & _
  "-body """ & Replace(Body, """", "\""") & """ " & _
  "-from " & FromAddr & " " & _
  "-replyto " & SupportAddr
 With CreateObject("WScript.Shell")
  .Run Cmd, 1, True
 End With
 If (Err) Then
  Send = 1
 Else
  Send = 0
 End If
End Function

The instructions on how to use the encoder can be found here, and renaming the .VBS file extension to .VBE tells the scripting host that it's an encoded file which allows it to run without any problems whatsoever. It will run as though you had never encoded it at all.

Evidently, this is far more effective than renaming variables or rejigging the structure of your code, but it's still not 100% hack-proof. It's encoded, after all, not encrypted. The difference is that encoded data can be recovered by anyone who knows how, whereas encrypted data is encoded for the purpose of being shielded or protected and usually requires a method or key to recover the original data.
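To make the "encoded, not encrypted" point concrete, here is an added example (not part of the original post and not Microsoft's code) that finds encoder envelopes in arbitrary file contents and reads their header and trailer without any key. It assumes the envelope layout of a base64 length field after the #@~^ marker and a base64 checksum field before the ^#~@ marker, each a 32-bit little-endian value; the function names are hypothetical and the sample input is constructed.

```python
import base64
import struct

START, END = b"#@~^", b"^#~@"  # envelope markers visible in the sample above

def decode_field(field: bytes) -> int:
    """8 base64 characters -> 32-bit little-endian integer (assumed layout)."""
    return struct.unpack("<I", base64.b64decode(field, validate=True))[0]

def encode_field(value: int) -> bytes:
    """Inverse of decode_field; only used to build the constructed sample."""
    return base64.b64encode(struct.pack("<I", value))

def find_encoded_blocks(data: bytes) -> list:
    """Locate encoder envelopes and check that each is structurally complete."""
    blocks, pos = [], 0
    while (start := data.find(START, pos)) != -1:
        pos = start + len(START)
        try:
            declared = decode_field(data[pos:pos + 8])
        except (ValueError, struct.error):
            continue  # marker text without a valid length field
        tail = pos + 8 + declared  # where the checksum field should begin
        complete = data[tail + 8:tail + 12] == END
        checksum = None
        if complete:
            try:
                checksum = decode_field(data[tail:tail + 8])
            except (ValueError, struct.error):
                complete = False
        blocks.append({"offset": start, "declared_length": declared,
                       "checksum": checksum, "complete": complete})
        if complete:
            pos = tail + 12  # skip past this envelope
    return blocks

# Constructed input: placeholder bodies, not real encoder output.
BODY = b"Z" * 20
SAMPLE = (b"' header comment\r\n"
          + START + encode_field(len(BODY)) + BODY + encode_field(0x1234) + END
          + b"\r\n" + START + encode_field(500) + b"truncated")

if __name__ == "__main__":
    for block in find_encoded_blocks(SAMPLE):
        print(block)
```

The same check works on files that do not carry a .VBE extension, since the markers and length field identify encoded content on their own.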