VBS-Obfuscator - VBScript obfuscation to allow PenTesters bypass countermeasures

Wednesday, June 17, 2015


VBScript obfuscation to allow PenTesters bypass countermeasures.

Sample Script Output
C:\tools>python obfuscator.py test.vbs out.vbs
Char 109 -> 5505-5396
Char 115 -> 1113775/9685
Char 103 -> 540853/5251
Char 98 -> -2629+2727
Char 111 -> 291-180
Char 120 -> 826320/6886
Char 32 -> 118016/3688
Char 34 -> -2379+2413
Char 72 -> 2401-2329
Char 101 -> -1347+1448
Char 108 -> 759780/7035
Char 108 -> 5391-5283
Char 111 -> 743700/6700
Char 32 -> 7654-7622
Char 87 -> 636927/7321
Char 111 -> -46+157
Char 114 -> 7591-7477
Char 108 -> -9028+9136
Char 100 -> 285800/2858
Char 33 -> 5241-5208
Char 34 -> 7209-7175
Char 44 -> 234080/5320
Char 32 -> 104352/3261
Char 118 -> -3369+3487
Char 98 -> -7575+7673
Char 79 -> -9140+9219
Char 107 -> 4317-4210
Char 79 -> -5433+5512
Char 110 -> -1294+1404
Char 108 -> 6672-6564
Char 121 -> 1109-988
Char 32 -> 166080/5190
Char 43 -> 95675/2225
Char 32 -> 3156-3124
Char 118 -> -9572+9690
Char 98 -> -3093+3191
Char 73 -> 53947/739
Char 110 -> -2239+2349
Char 102 -> 554982/5441
Char 111 -> 4953-4842
Char 114 -> 907440/7960
Char 109 -> 3406-3297
Char 97 -> 3570-3473
Char 116 -> 3624-3508
Char 105 -> 137130/1306
Char 111 -> 632-521
Char 110 -> 8712-8602
Char 44 -> 94468/2147
Char 32 -> 14176/443
Char 34 -> 884/26
Char 84 -> -9768+9852
Char 104 -> -5195+5299
Char 105 -> 706335/6727
Char 115 -> 6469-6354
Char 32 -> 250304/7822
Char 105 -> -9605+9710
Char 115 -> 771190/6706
Char 32 -> -1319+1351
Char 97 -> 674053/6949
Char 32 -> -6907+6939
Char 109 -> 3365-3256
Char 101 -> 170791/1691
Char 115 -> 17020/148
Char 115 -> 3217-3102
Char 97 -> -6948+7045
Char 103 -> -9545+9648
Char 101 -> 9670-9569
Char 98 -> 926002/9449
Char 111 -> 130869/1179
Char 120 -> 255600/2130
Char 34 -> -1384+1418
Char 42 -> 1784-1742
Done!

Results (comparison)
First output
Dim SzVeVmXkoEZx, LALrsGQYjZtj, kLTOaGJfsmSG
SzVeVmXkoEZx = "6974-6865*602140/5236*45732/444*-8743+8841*8842-8731*5179-5059*-4646+4678*892-858*5573-5501*129-28*9855-9747*-6681+6789*-9095+9206*257184/8037*311721/3583*-7211+7322*741684/6506*-5620+5728*241300/2413*198-165*-9925+9959*6380-6336*5552-5520*-9222+9340*569-471*-6484+6563*6988-6881*128533/1627*-5150+5260*4828-4720*5616-5495*6062-6030*5407-5364*313728/9804*-9272+9390*-767+865*3735-3662*-2705+2815*-4151+4253*73704/664*-9531+9645*-7310+7419*-1882+1979*3171-3055*9554-9449*2676-2565*-1012+1122*107448/2442*4055-4023*-6753+6787*2058-1974*-5464+5568*428610/4082*2479-2364*-3013+3045*-9195+9300*128225/1115*56448/1764*-6899+6996*161760/5055*253752/2328*756288/7488*-4081+4196*29900/260*-3164+3261*-6830+6933*-6580+6681*-8764+8862*861360/7760*330840/2757*-2407+2441"
LALrsGQYjZtj = Split(SzVeVmXkoEZx, chr(eval(261366/6223)))
for each SKhxsIKQEybA in LALrsGQYjZtj
kLTOaGJfsmSG = kLTOaGJfsmSG & chr(eval(SKhxsIKQEybA))
next
execute(kLTOaGJfsmSG)
Second output
Dim wEQHvB, vsSBaV, pwgtko
wEQHvB = "-1912+2021*168-53*938948/9116*5796-5698*666666/6006*938-818*-4889+4921*-9635+9669*302112/4196*-9587+9688*-4950+5058*1012608/9376*-6763+6874*235232/7351*-8833+8920*412920/3720*1007190/8835*594432/5504*-5605+5705*1113-1080*9516-9482*347644/7901*181536/5673*198712/1684*615734/6283*779-700*6051-5944*-2574+2653*172370/1567*2086-1978*681472/5632*4765-4733*-2746+2789*54880/1715*2593-2475*733040/7480*-5259+5332*-7261+7371*103326/1013*-8585+8696*7371-7257*6640-6531*4564-4467*-6527+6643*62265/593*-1349+1460*2314-2204*-5438+5482*-5860+5892*4779-4745*1086-1002*-265+369*1276-1171*2588-2473*-2914+2946*101850/970*698050/6070*181760/5680*3610-3513*236896/7403*5004-4895*4565-4464*720245/6263*812360/7064*3582-3485*36977/359*4691-4590*482944/4928*-773+884*546720/4556*5235-5201"
vsSBaV = Split(wEQHvB, chr(eval(1039-997)))
for each KxRKRt in vsSBaV
pwgtko = pwgtko & chr(eval(KxRKRt))
next
execute(pwgtko)




Subscribe via e-mail for updates!