Microsoft is providing a scripting encoder which will obfuscate asp code in order to
'protect it from prying eyes'. Unfortunately the scheme is so utterly simple, it's
very easy to decode. Of course real security cannot be achieved with encoding alone,
but the way it is presented is a bit misleading.
This is a summary of a post I made to vuln-dev a while ago. For more information
about the scripting encoder itself see this article on msdn. You can download the encoder itself from
http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe
The encoder will translate each character in the input, to one of three
possible other characters depending on the position in the input. There
is basically a pattern which determines which of the three characters will
replace the input character at a certain position. This pattern repeats
after 64 chars. This pattern is the same for all characters. There's some
exceptions to this rule, namely \n, \r, < and > will be encoded to 2 characters
each. Also curiously enough a = at the beginning will not be encoded it seems.
This encoding is not dependant on the machine it is done
on.
That's all there is to it. So in order to write a decoder one needs to
find the pattern and the character combinations. In order to do this,
I just made a sample file like:
<%
'**Start Encode**
aaa
%>
If one encoded this, one basically knows the 3 letters a maps to. Therefore
it is easy to just to this for all ascii characters (after installing a nice
shell on windows :) ) and make a little script which will create some perl
hash, which will give me the outcome of each letter seen in the encoded string,
cause the original character is known. I couldn't find any obvious connection
between the the input character and the output, hence the table.
Next step is to extract the pattern. This is also very simple by encoding the
same file as above with a lot of a's, and then have a script dump this as an
array to include in the perl code.
With this information one can write a perl script, like the one below,
which will decode the asp file. For example the encoded file:
<%@ LANGUAGE = VBScript.Encode %>
<%'**Start Encode**#@~^JQAAAA==@#@&K4b/,k/,L!dY,/G:^?PdO!wk9~Y^?/Y@#@&FQsAAA==^#~@%>
The output of the decoder will be:
<script language="VBScript">
<%
This is just some stupid test
%>
</script>
I've tried this on some real asp code as well.
I assume that in some dll, there has to be the code to do this for you,
since IIS will run this script and I suppose it has to be decoded first.
But I'm not really a windows person. I searched the ms site, but couldn't
find anything.
If you're interested you can download the little script
I made to decode it. This is now v0.3 of the script. Please view the FAQ first if you have
any questions.
Back