Official Microsoft VBE Scripts 2013

├── README.md
├── decode.vbs
└── encode.vbs


/README.md:
--------------------------------------------------------------------------------
 1 | <h1 align="center">Official Microsoft VBE Scripts 2013</h1>
 2 | 
 3 | * these VBS files are the samples for creating and decoding VBE files.
 4 | * many alternative python scripts exist which are currently maintained.
 5 | * deprecated for historical reasons has been removed from the microsoft gallery.
 6 | * logic is preserved as is, and can be used to recreate it in a modern language.
 7 | * intended for the purposes of malware analysis, in the form of VBE files. 
 8 | 
 9 | #### source:
10 | https://web.archive.org/web/20200319003957/https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c/file/93875/1/Code.zip
11 | 


--------------------------------------------------------------------------------
/decode.vbs:
--------------------------------------------------------------------------------
  1 | Option Explicit
  2 | 
  3 | Const BIF_NEWDIALOGSTYLE = &H40
  4 | Const BIF_NONEWFOLDERBUTTON = &H200
  5 | Const BIF_RETURNONLYFSDIRS = &H1
  6 | 
  7 | Const FOR_READING = 1
  8 | Const FOR_WRITING = 2
  9 | 
 10 | 
 11 | Const TAG_BEGIN1 = "#@~^" 
 12 | Const TAG_BEGIN2 = "==" 
 13 | Const TAG_BEGIN2_OFFSET = 10 
 14 | Const TAG_BEGIN_LEN = 12
 15 | Const TAG_END = "==^#~@" 
 16 | Const TAG_END_LEN = 6
 17 | 
 18 | Dim argv
 19 | Dim wsoShellApp
 20 | Dim oFolder
 21 | Dim sFolder
 22 | Dim sFileSource
 23 | Dim sFileDest
 24 | Dim fso
 25 | Dim fld
 26 | Dim fc
 27 | Dim bEncoded
 28 | Dim fSource
 29 | Dim tsSource
 30 | Dim tsDest
 31 | Dim iNumExamined
 32 | Dim iNumProcessed
 33 | Dim iNumSkipped
 34 | 
 35 | Function Decode(Chaine)
 36 | 	Dim se,i,c,j,index,ChaineTemp
 37 | 	Dim tDecode(127)
 38 | 	Const Combinaison="1231232332321323132311233213233211323231311231321323112331123132"
 39 | 
 40 | 	Set se=WSCript.CreateObject("Scripting.Encoder")
 41 | 	For i=9 to 127
 42 | 		tDecode(i)="JLA"
 43 | 	Next
 44 | 	For i=9 to 127
 45 | 		ChaineTemp=Mid(se.EncodeScriptFile(".vbs",string(3,i),0,""),13,3)
 46 | 		For j=1 to 3
 47 | 			c=Asc(Mid(ChaineTemp,j,1))
 48 | 			tDecode(c)=Left(tDecode(c),j-1) & chr(i) & Mid(tDecode(c),j+1)
 49 | 		Next
 50 | 	Next
 51 | 	
 52 | 	tDecode(42)=Left(tDecode(42),1) & ")" & Right(tDecode(42),1)
 53 | 	Set se=Nothing
 54 | 
 55 | 	Chaine=Replace(Replace(Chaine,"@&",chr(10)),"@#",chr(13))
 56 | 	Chaine=Replace(Replace(Chaine,"@*",">"),"@!","<")
 57 | 	Chaine=Replace(Chaine,"@$","@")
 58 | 	index=-1
 59 | 	For i=1 to Len(Chaine)
 60 | 		c=asc(Mid(Chaine,i,1))
 61 | 		If c<128 Then index=index+1
 62 | 		If (c=9) or ((c>31) and (c<128)) Then
 63 | 			If (c<>60) and (c<>62) and (c<>64) Then
 64 | 				Chaine=Left(Chaine,i-1) & Mid(tDecode(c),Mid(Combinaison,(index mod 64)+1,1),1) & Mid(Chaine,i+1)
 65 | 			End If
 66 | 		End If
 67 | 	Next
 68 | 	Decode=Chaine
 69 | End Function
 70 | 
 71 | Sub Process (s)
 72 | 	Dim bProcess
 73 | 	Dim iTagBeginPos
 74 | 	Dim iTagEndPos
 75 | 
 76 | 
 77 | 	iNumExamined = iNumExamined + 1
 78 | 
 79 | 	iTagBeginPos = Instr(s, TAG_BEGIN1)
 80 | 
 81 | 	Select Case iTagBeginPos
 82 | 	Case 0
 83 | 		MsgBox sFileSource & " does not appear to be encoded.  Missing Beginning Tag.  Skipping file."
 84 | 		iNumSkipped = iNumSkipped + 1
 85 | 
 86 | 	Case 1
 87 | 		If (Instr(iTagBeginPos, s, TAG_BEGIN2) - iTagBeginPos) = TAG_BEGIN2_OFFSET Then
 88 | 			iTagEndPos = Instr(iTagBeginPos, s, TAG_END)
 89 | 
 90 | 			If iTagEndPos > 0 Then
 91 | 				Select Case Mid(s, iTagEndPos + TAG_END_LEN)
 92 | 				Case "", Chr(0)
 93 | 					bProcess = True
 94 | 
 95 | 					If fso.FileExists(sFileDest) Then
 96 | 						If MsgBox("File """ & sFileDest & """ exists.  Overwrite?", vbYesNo + vbDefaultButton2) <> vbYes Then
 97 | 							bProcess = False
 98 | 							iNumSkipped = iNumSkipped + 1
 99 | 						End If
100 | 					End If
101 | 
102 | 					If bProcess Then
103 | 						s = Decode(Mid(s, iTagBeginPos + TAG_BEGIN_LEN, iTagEndPos - iTagBeginPos - TAG_BEGIN_LEN - TAG_END_LEN))
104 | 
105 | 					
106 | 
107 | 						Set tsDest = fso.CreateTextFile(sFileDest, TRUE, FALSE)
108 | 						tsDest.Write s
109 | 						tsDest.Close
110 | 						Set tsDest = Nothing
111 | 
112 | 						iNumProcessed = iNumProcessed + 1
113 | 					End If
114 | 
115 | 				Case Else
116 | 					MsgBox sFileSource & " does not appear to be encoded.  Found " & Len(Mid(s, iTagEndPos + TAG_END_LEN)) & " characters AFTER Ending Tag.  Skipping file."
117 | 					iNumSkipped = iNumSkipped + 1
118 | 				End Select
119 | 
120 | 			Else
121 | 				MsgBox sFileSource & " does not appear to be encoded.  Missing ending Tag.  Skipping file."
122 | 				iNumSkipped = iNumSkipped + 1
123 | 			End If
124 | 
125 | 		Else
126 | 			MsgBox sFileSource & " does not appear to be encoded.  Incomplete Beginning Tag.  Skipping file."
127 | 			iNumSkipped = iNumSkipped + 1
128 | 		End If
129 | 
130 | 	Case Else
131 | 		MsgBox sFileSource & " does not appear to be encoded.  Found " & (iTagBeginPos - 1) & "characters BEFORE Beginning Tag.  Skipping file."
132 | 		iNumSkipped = iNumSkipped + 1
133 | 	End Select
134 | End Sub
135 | 
136 | Set argv = WScript.Arguments 
137 | 
138 | sFileSource = ""
139 | sFolder = ""
140 | iNumExamined = 0
141 | iNumProcessed = 0
142 | iNumSkipped = 0
143 | 
144 | Select Case argv.Count
145 | Case 0
146 | 	Set wsoShellApp = WScript.CreateObject("Shell.Application")
147 | 
148 | 	On Error Resume Next
149 | 	set oFolder = wsoShellApp.BrowseForFolder (0, "Select a folder containing files to decode", BIF_NEWDIALOGSTYLE + BIF_NONEWFOLDERBUTTON + BIF_RETURNONLYFSDIRS)
150 | 	If Err.Number = 0 Then 
151 | 		If TypeName(oFolder) = "Folder3" Then Set oFolder = oFolder.Items.Item
152 | 		sFolder = oFolder.Path
153 | 	End If
154 | 	On Error GoTo 0
155 | 
156 | 	Set oFolder = Nothing
157 | 	Set wsoShellApp = Nothing
158 | 
159 | 	If sFolder = "" Then
160 | 		MsgBox "Please pass a full file spec or select a folder containing encoded files"
161 | 		WScript.Quit 
162 | 	End If
163 | 
164 | Case 1
165 | 	sFileSource = argv(0)
166 | 
167 | 	If InStr(sFileSource, "?") > 0 Then 
168 | 		MsgBox "Pass a full file spec or no arguments (browse for a folder)"
169 | 		WScript.Quit
170 | 	End If
171 | 
172 | Case Else
173 | 	MsgBox "Pass a full file spec, -?, /?, ?, or no arguments (browse for a folder)"
174 | 	WScript.Quit 
175 | End Select
176 | 
177 | Set fso = WScript.CreateObject("Scripting.FileSystemObject")
178 | 
179 | If sFolder <> "" Then
180 | 	On Error Resume Next
181 | 	Set fld = fso.GetFolder(sFolder)
182 | 	If Err.Number <> 0 Then 
183 | 		Set fld = Nothing
184 | 		Set fso = Nothing
185 | 		MsgBox "Folder """ & sFolder & """ is not valid in this context"
186 | 		WScript.Quit 
187 | 	End If
188 | 	On Error GoTo 0
189 | 
190 | 	Set fc = fld.Files
191 | 
192 | 	For Each fSource In fc
193 | 		sFileSource = fSource.Path
194 | 
195 | 		Select Case LCase(Right(sFileSource, 4))
196 | 		Case ".vbe"
197 | 			sFileDest = Left(sFileSource, Len(sFileSource) - 1) & "s"
198 | 			bEncoded = True
199 | 	
200 | 		Case Else
201 | 			bEncoded = False
202 | 		End Select
203 | 
204 | 		If bEncoded Then
205 | 			Set tsSource = fSource.OpenAsTextStream(FOR_READING)
206 | 			Process tsSource.ReadAll
207 | 			tsSource.Close
208 | 			Set tsSource = Nothing
209 | 		End If
210 | 	Next 
211 | 
212 | 	Set fc = Nothing
213 | 	Set fld = Nothing
214 | 
215 | Else
216 | 	If Not fso.FileExists(sFileSource) Then
217 | 		MsgBox "File """ & sFileSource & """ not found"
218 | 	Else
219 | 		bEncoded = False
220 | 
221 | 		Select Case LCase(Right(sFileSource, 4))
222 | 		Case ".vbe"
223 | 			sFileDest = Left(sFileSource, Len(sFileSource) - 1) & "s"
224 | 			bEncoded = True
225 | 				Case Else
226 | 			MsgBox "File """ & sFileSource & """ needs to be of type VBE or JSE"
227 | 			bEncoded = False
228 | 		End Select
229 | 
230 | 		If bEncoded Then
231 | 			Set tsSource = fso.OpenTextFile(sFileSource, FOR_READING)
232 | 			Process tsSource.ReadAll
233 | 			tsSource.Close
234 | 			Set tsSource = Nothing
235 | 		End If
236 | 	End If
237 | End If
238 | 
239 | Set fso = Nothing
240 | 
241 | MsgBox iNumExamined & " Files Examined; " & iNumProcessed & " Files Processed; " & iNumSkipped & " Files Skipped"


--------------------------------------------------------------------------------
/encode.vbs:
--------------------------------------------------------------------------------
 1 | Option Explicit 
 2 |  
 3 | dim oEncoder, oFilesToEncode, file, sDest 
 4 | dim sFileOut, oFile, oEncFile, oFSO, i 
 5 | dim oStream, sSourceFile 
 6 |  
 7 | set oFilesToEncode = WScript.Arguments 
 8 | set oEncoder = CreateObject("Scripting.Encoder") 
 9 | For i = 0 to oFilesToEncode.Count - 1 
10 |     set oFSO = CreateObject("Scripting.FileSystemObject") 
11 |     file = oFilesToEncode(i) 
12 |     set oFile = oFSO.GetFile(file) 
13 |     Set oStream = oFile.OpenAsTextStream(1) 
14 |     sSourceFile=oStream.ReadAll 
15 |     oStream.Close 
16 |     sDest = oEncoder.EncodeScriptFile(".vbs",sSourceFile,0,"") 
17 |     sFileOut = Left(file, Len(file) - 3) & "vbe" 
18 |     Set oEncFile = oFSO.CreateTextFile(sFileOut) 
19 |     oEncFile.Write sDest 
20 |     oEncFile.Close 
21 | Next 


--------------------------------------------------------------------------------