From fdc8a1559551c8d5242d7b48f0cf339f10bf5a12 Mon Sep 17 00:00:00 2001 From: bwhitn Date: Sun, 27 Aug 2017 09:29:26 -0400 Subject: [PATCH 1/9] Added Decode VBE --- src/core/config/Categories.js | 1 + src/core/config/OperationConfig.js | 9 +- src/core/operations/VBE.js | 258 +++++++++++++++++++++++++++++ test/index.js | 1 + test/tests/operations/VBE.js | 22 +++ 5 files changed, 290 insertions(+), 1 deletion(-) create mode 100644 src/core/operations/VBE.js create mode 100644 test/tests/operations/VBE.js diff --git a/src/core/config/Categories.js b/src/core/config/Categories.js index 270c1e1e..9118840d 100755 --- a/src/core/config/Categories.js +++ b/src/core/config/Categories.js @@ -66,6 +66,7 @@ const Categories = [ "Encode text", "Decode text", "Swap endianness", + "Decode VBE", ] }, { diff --git a/src/core/config/OperationConfig.js b/src/core/config/OperationConfig.js index 40571293..0c6f3a7a 100755 --- a/src/core/config/OperationConfig.js +++ b/src/core/config/OperationConfig.js @@ -38,7 +38,7 @@ import Tidy from "../operations/Tidy.js"; import Unicode from "../operations/Unicode.js"; import URL_ from "../operations/URL.js"; import UUID from "../operations/UUID.js"; - +import VBE from "../operations/VBE.js"; /** * Type definition for an OpConf. @@ -3204,6 +3204,13 @@ const OperationConfig = { } ] }, + "Decode VBE": { + description: "Decodes Microsoft VBE files that have been encoded with Microsoft's custom encoding.", + run: VBE.runDecodeVBE, + inputType: "string", + outputType: "string", + args: [] + }, "Syntax highlighter": { description: "Adds syntax highlighting to a range of source code languages. Note that this will not indent the code. Use one of the 'Beautify' operations for that.", run: Code.runSyntaxHighlight, diff --git a/src/core/operations/VBE.js b/src/core/operations/VBE.js new file mode 100644 index 00000000..cb2ed71c --- /dev/null +++ b/src/core/operations/VBE.js 
@@ -0,0 +1,258 @@ +/** + * Decodes Microsft Encoded VBS files that can be read and executed by cscript.exe/wscript.exe. + * This is a conversion of a Python script that was originally created by Didier Stevens (https://DidierStevens.com). + * + * @author bmwhitn [brian.m.whitney@outlook.com] + * + * @namespace + */ +const VBE = { + + /** + * @constant + * @default + */ + D_DECODE: [ + "", + "", + "", + "", + "", + "", + "", + "", + "", + "\x57\x6E\x7B", + "\x4A\x4C\x41", + "\x0B\x0B\x0B", + "\x0C\x0C\x0C", + "\x4A\x4C\x41", + "\x0E\x0E\x0E", + "\x0F\x0F\x0F", + "\x10\x10\x10", + "\x11\x11\x11", + "\x12\x12\x12", + "\x13\x13\x13", + "\x14\x14\x14", + "\x15\x15\x15", + "\x16\x16\x16", + "\x17\x17\x17", + "\x18\x18\x18", + "\x19\x19\x19", + "\x1A\x1A\x1A", + "\x1B\x1B\x1B", + "\x1C\x1C\x1C", + "\x1D\x1D\x1D", + "\x1E\x1E\x1E", + "\x1F\x1F\x1F", + "\x2E\x2D\x32", + "\x47\x75\x30", + "\x7A\x52\x21", + "\x56\x60\x29", + "\x42\x71\x5B", + "\x6A\x5E\x38", + "\x2F\x49\x33", + "\x26\x5C\x3D", + "\x49\x62\x58", + "\x41\x7D\x3A", + "\x34\x29\x35", + "\x32\x36\x65", + "\x5B\x20\x39", + "\x76\x7C\x5C", + "\x72\x7A\x56", + "\x43\x7F\x73", + "\x38\x6B\x66", + "\x39\x63\x4E", + "\x70\x33\x45", + "\x45\x2B\x6B", + "\x68\x68\x62", + "\x71\x51\x59", + "\x4F\x66\x78", + "\x09\x76\x5E", + "\x62\x31\x7D", + "\x44\x64\x4A", + "\x23\x54\x6D", + "\x75\x43\x71", + "\x4A\x4C\x41", + "\x7E\x3A\x60", + "\x4A\x4C\x41", + "\x5E\x7E\x53", + "\x40\x4C\x40", + "\x77\x45\x42", + "\x4A\x2C\x27", + "\x61\x2A\x48", + "\x5D\x74\x72", + "\x22\x27\x75", + "\x4B\x37\x31", + "\x6F\x44\x37", + "\x4E\x79\x4D", + "\x3B\x59\x52", + "\x4C\x2F\x22", + "\x50\x6F\x54", + "\x67\x26\x6A", + "\x2A\x72\x47", + "\x7D\x6A\x64", + "\x74\x39\x2D", + "\x54\x7B\x20", + "\x2B\x3F\x7F", + "\x2D\x38\x2E", + "\x2C\x77\x4C", + "\x30\x67\x5D", + "\x6E\x53\x7E", + "\x6B\x47\x6C", + "\x66\x34\x6F", + "\x35\x78\x79", + "\x25\x5D\x74", + "\x21\x30\x43", + "\x64\x23\x26", + "\x4D\x5A\x76", + "\x52\x5B\x25", + "\x63\x6C\x24", + 
"\x3F\x48\x2B", + "\x7B\x55\x28", + "\x78\x70\x23", + "\x29\x69\x41", + "\x28\x2E\x34", + "\x73\x4C\x09", + "\x59\x21\x2A", + "\x33\x24\x44", + "\x7F\x4E\x3F", + "\x6D\x50\x77", + "\x55\x09\x3B", + "\x53\x56\x55", + "\x7C\x73\x69", + "\x3A\x35\x61", + "\x5F\x61\x63", + "\x65\x4B\x50", + "\x46\x58\x67", + "\x58\x3B\x51", + "\x31\x57\x49", + "\x69\x22\x4F", + "\x6C\x6D\x46", + "\x5A\x4D\x68", + "\x48\x25\x7C", + "\x27\x28\x36", + "\x5C\x46\x70", + "\x3D\x4A\x6E", + "\x24\x32\x7A", + "\x79\x41\x2F", + "\x37\x3D\x5F", + "\x60\x5F\x4B", + "\x51\x4F\x5A", + "\x20\x42\x2C", + "\x36\x65\x57" + ], + + /** + * @constant + * @default + */ + D_COMBINATION: [ + 0, + 1, + 2, + 0, + 1, + 2, + 1, + 2, + 2, + 1, + 2, + 1, + 0, + 2, + 1, + 2, + 0, + 2, + 1, + 2, + 0, + 0, + 1, + 2, + 2, + 1, + 0, + 2, + 1, + 2, + 2, + 1, + 0, + 0, + 2, + 1, + 2, + 1, + 2, + 0, + 2, + 0, + 0, + 1, + 2, + 0, + 2, + 1, + 0, + 2, + 1, + 2, + 0, + 0, + 1, + 2, + 2, + 0, + 0, + 1, + 2, + 0, + 2, + 1 + ], + + /** + * @param {string} input + * @returns {string} + */ + decode: function (data) { + let result = ""; + let index = -1; + data = data.replace("@&", String.fromCharCode(10)); + data = data.replace("@#", String.fromCharCode(13)); + data = data.replace("@*", ">"); + data = data.replace("@!", "<"); + data = data.replace("@$", "@"); + for (let i = 0; i < data.length; i++) { + let byte = data.charCodeAt(i); + if (byte < 128){ + index++; + } + if ((9 === byte || 31 < byte && 128 > byte) && 60 !== byte && 62 !== byte && 64 !== byte) { + let char = VBE.D_DECODE[byte].charAt([VBE.D_COMBINATION[index % 64]]); + result = result.concat(char); + } + } + return result; + }, + + /** + * @param {string} input + * @param {Object[]} args + * @returns {string} + */ + runDecodeVBE: function (data, args) { + let matcher = /#@~\^......==(.+)......==\^#~@/gm, + result = "", + encodedData; + while ((encodedData = matcher.exec(data))) { + result = result.concat(VBE.decode(encodedData[1])); + } + return result; + }, +}; + 
+export default VBE; diff --git a/test/index.js b/test/index.js index 25059465..00d147fe 100644 --- a/test/index.js +++ b/test/index.js @@ -24,6 +24,7 @@ import "./tests/operations/Image.js"; import "./tests/operations/MorseCode.js"; import "./tests/operations/StrUtils.js"; import "./tests/operations/SeqUtils.js"; +import "./tests/operations/VBE.js" let allTestsPassing = true; const testStatusCounts = { diff --git a/test/tests/operations/VBE.js b/test/tests/operations/VBE.js new file mode 100644 index 00000000..d43f9b3e --- /dev/null +++ b/test/tests/operations/VBE.js @@ -0,0 +1,22 @@ +/** + * CharEnc tests. + * + * @author tlwr [toby@toby.codes] + * @copyright Crown Copyright 2017 + * @license Apache-2.0 + */ +import TestRegister from "../../TestRegister.js"; + +TestRegister.addTests([ + { + name: "VBE Decode", + input: "##@~^DgAAAA==\\ko$K6,JCV^GJqAQAAA==^#~@", + expectedOutput: "MsgBox \"Hello\"", + recipeConfig: [ + { + "op": "Decode VBE", + "args": [] + }, + ], + }, +]); From 414726ecd46790c6859e8839012d154ad857a889 Mon Sep 17 00:00:00 2001 From: bwhitn Date: Sun, 27 Aug 2017 09:44:26 -0400 Subject: [PATCH 2/9] Fixed small syntax error --- test/index.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/index.js b/test/index.js index 00d147fe..52d3b38c 100644 --- a/test/index.js +++ b/test/index.js @@ -24,7 +24,8 @@ import "./tests/operations/Image.js"; import "./tests/operations/MorseCode.js"; import "./tests/operations/StrUtils.js"; import "./tests/operations/SeqUtils.js"; -import "./tests/operations/VBE.js" +import "./tests/operations/VBE.js"; + let allTestsPassing = true; const testStatusCounts = { From 2a7c0252a076502856db6680a04054f3a790039b Mon Sep 17 00:00:00 2001 From: bwhitn Date: Sun, 27 Aug 2017 11:49:28 -0400 Subject: [PATCH 3/9] Fixed regex issue --- src/core/operations/VBE.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
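Review bot: In `runDecodeVBE` (src/core/operations/VBE.js) the two six-character fields around the payload are matched by `......==` and thrown away, so nothing confirms that the captured data is complete. In the Script Encoder format these fields are understood to carry the encoded length and a checksum; without a comparison, a truncated or altered sample decodes to plausible-looking text with no warning, which matters when the output feeds malware triage. At minimum, document it above the function, e.g. `* Note: the length and checksum fields of the encoded block are skipped, not verified.`; the same pattern is carried into the later revisions of this function in patches 3, 4, 6 and 7. `D_DECODE` and `D_COMBINATION` would also benefit from one line each saying that the first maps a character code to three candidate outputs and the second picks one of them by position modulo 64.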
diff --git a/src/core/operations/VBE.js b/src/core/operations/VBE.js index cb2ed71c..2b26b6fb 100644 --- a/src/core/operations/VBE.js +++ b/src/core/operations/VBE.js @@ -245,7 +245,7 @@ const VBE = { * @returns {string} */ runDecodeVBE: function (data, args) { - let matcher = /#@~\^......==(.+)......==\^#~@/gm, + let matcher = /#@~\^......==(.+)......==\^#~@/, result = "", encodedData; while ((encodedData = matcher.exec(data))) { From 9c5f06101e5e4ffb0bffaee49fdbf21c3d3d5b12 Mon Sep 17 00:00:00 2001 From: bwhitn Date: Sun, 27 Aug 2017 18:45:42 -0400 Subject: [PATCH 4/9] Fixed the replace statements --- src/core/operations/VBE.js | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/src/core/operations/VBE.js b/src/core/operations/VBE.js index 2b26b6fb..fa28a9c6 100644 --- a/src/core/operations/VBE.js +++ b/src/core/operations/VBE.js 
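Review bot: With the `g` flag removed, the `while ((encodedData = matcher.exec(data)))` loop kept as context below the changed line no longer terminates on any input that contains an encoded block. A non-global regex ignores `lastIndex`, so `exec` returns the same match on every pass and `result` grows until the process runs out of memory. Either keep the global flag, `let matcher = /#@~\^......==(.+)......==\^#~@/g,`, or drop the loop and call `exec` once. The rest of `runDecodeVBE` lies outside the hunk.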
@@ -219,24 +219,25 @@ const VBE = { * @returns {string} */ decode: function (data) { - let result = ""; + let result = []; let index = -1; - data = data.replace("@&", String.fromCharCode(10)); - data = data.replace("@#", String.fromCharCode(13)); - data = data.replace("@*", ">"); - data = data.replace("@!", "<"); - data = data.replace("@$", "@"); + data = data.split("@&").join(String.fromCharCode(10)); + data = data.split("@#").join(String.fromCharCode(13)); + data = data.split("@*").join(">"); + data = data.split("@!").join("<"); + data = data.split("@$").join("@"); for (let i = 0; i < data.length; i++) { let byte = data.charCodeAt(i); - if (byte < 128){ + let char = data.charAt(i); + if (byte < 128) { index++; } - if ((9 === byte || 31 < byte && 128 > byte) && 60 !== byte && 62 !== byte && 64 !== byte) { - let char = VBE.D_DECODE[byte].charAt([VBE.D_COMBINATION[index % 64]]); - result = result.concat(char); + if ((byte === 9 || byte > 31 && byte < 128) && byte !== 60 && byte !== 62 && byte !== 64) { + char = VBE.D_DECODE[byte].charAt([VBE.D_COMBINATION[index % 64]]); } + result.push(char); } - return result; + return result.join(""); }, /** @@ -245,13 +246,10 @@ const VBE = { * @returns {string} */ runDecodeVBE: function (data, args) { - let matcher = /#@~\^......==(.+)......==\^#~@/, - result = "", - encodedData; - while ((encodedData = matcher.exec(data))) { - result = result.concat(VBE.decode(encodedData[1])); - } - return result; + let matcher = /#@~\^......==(.+)......==\^#~@/; + let encodedData = matcher.exec(data); + console.log(encodedData[1]); + return VBE.decode(encodedData[1]); }, }; From aa5939c0511c61818c96c41e99fb4f6c92c6383f Mon Sep 17 00:00:00 2001 From: bwhitn Date: Sun, 27 Aug 2017 20:53:53 -0400 Subject: [PATCH 5/9] Took out logging call. My bad. --- src/core/operations/VBE.js | 1 - 1 file changed, 1 deletion(-) diff --git a/src/core/operations/VBE.js b/src/core/operations/VBE.js index fa28a9c6..59432879 100644 --- a/src/core/operations/VBE.js 
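Review bot: The rewritten `runDecodeVBE` in the second hunk decodes only the first encoded block and dereferences `encodedData[1]` without checking that `exec` matched, so input with no `#@~^` marker throws a TypeError and any further blocks are silently left out of the output. For an analyst the second case is the worse one, because a partial decode looks complete; the greedy `(.+)` also merges two blocks that share a line into one capture. A global, non-greedy loop handles none, one or many blocks; the single `exec` is otherwise kept through patches 6 and 7, which only add the null check. The lazy capture below assumes the end marker cannot occur inside a payload, which should be confirmed against the format.

```javascript
runDecodeVBE: function (data, args) {
    // Lazy capture so that two blocks on one line are not merged into one.
    let matcher = /#@~\^......==(.+?)......==\^#~@/g;
    let decoded = [];
    let encodedData;
    while ((encodedData = matcher.exec(data)) !== null) {
        decoded.push(VBE.decode(encodedData[1]));
    }
    return decoded.join("");
},
```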
+++ b/src/core/operations/VBE.js @@ -248,7 +248,6 @@ const VBE = { runDecodeVBE: function (data, args) { let matcher = /#@~\^......==(.+)......==\^#~@/; let encodedData = matcher.exec(data); - console.log(encodedData[1]); return VBE.decode(encodedData[1]); }, }; From 0fc2a219a7e097cdc9cafd76f0a107a5f805e521 Mon Sep 17 00:00:00 2001 From: bwhitn Date: Mon, 28 Aug 2017 17:55:54 -0400 Subject: [PATCH 6/9] Changed the name. Small logic change. Changed from split join to regex replace. --- src/core/config/Categories.js | 2 +- src/core/config/OperationConfig.js | 9 ++++---- src/core/operations/{VBE.js => MS.js} | 30 ++++++++++++++----------- test/index.js | 2 +- test/tests/operations/{VBE.js => MS.js} | 4 ++-- 5 files changed, 26 insertions(+), 21 deletions(-) rename src/core/operations/{VBE.js => MS.js} (87%) rename test/tests/operations/{VBE.js => MS.js} (81%) diff --git a/src/core/config/Categories.js b/src/core/config/Categories.js index 9118840d..80b2b3a7 100755 --- a/src/core/config/Categories.js +++ b/src/core/config/Categories.js @@ -66,7 +66,7 @@ const Categories = [ "Encode text", "Decode text", "Swap endianness", - "Decode VBE", + "Micrsoft Script Decoder", ] }, { diff --git a/src/core/config/OperationConfig.js b/src/core/config/OperationConfig.js index 0c6f3a7a..08a6310f 100755 --- a/src/core/config/OperationConfig.js +++ b/src/core/config/OperationConfig.js @@ -25,6 +25,7 @@ import IP from "../operations/IP.js"; import JS from "../operations/JS.js"; import MAC from "../operations/MAC.js"; import MorseCode from "../operations/MorseCode.js"; +import MS from "../operations/MS.js"; import NetBIOS from "../operations/NetBIOS.js"; import Numberwang from "../operations/Numberwang.js"; import OS from "../operations/OS.js"; 
@@ -38,7 +39,7 @@ import Tidy from "../operations/Tidy.js"; import Unicode from "../operations/Unicode.js"; import URL_ from "../operations/URL.js"; import UUID from "../operations/UUID.js"; -import VBE from "../operations/VBE.js"; + /** * Type definition for an OpConf. @@ -3204,9 +3205,9 @@ const OperationConfig = { } ] }, - "Decode VBE": { - description: "Decodes Microsoft VBE files that have been encoded with Microsoft's custom encoding.", - run: VBE.runDecodeVBE, + "Micrsoft Script Decoder": { + description: "Decodes Microsoft Encoded Script files that have been encoded with Microsoft's custom encoding.", + run: MS.runDecodeScript, inputType: "string", outputType: "string", args: [] diff --git a/src/core/operations/VBE.js b/src/core/operations/MS.js similarity index 87% rename from src/core/operations/VBE.js rename to src/core/operations/MS.js index 59432879..853f1a42 100644 --- a/src/core/operations/VBE.js +++ b/src/core/operations/MS.js @@ -1,12 +1,12 @@ /** - * Decodes Microsft Encoded VBS files that can be read and executed by cscript.exe/wscript.exe. + * Decodes Microsft Encoded Script files that can be read and executed by cscript.exe/wscript.exe. * This is a conversion of a Python script that was originally created by Didier Stevens (https://DidierStevens.com). * * @author bmwhitn [brian.m.whitney@outlook.com] * * @namespace */ -const VBE = { +const MS = { /** * @constant 
@@ -215,17 +215,17 @@ const VBE = { ], /** - * @param {string} input + * @param {string} data * @returns {string} */ decode: function (data) { let result = []; let index = -1; - data = data.split("@&").join(String.fromCharCode(10)); - data = data.split("@#").join(String.fromCharCode(13)); - data = data.split("@*").join(">"); - data = data.split("@!").join("<"); - data = data.split("@$").join("@"); + data = data.replace(/@&/g, String.fromCharCode(10)); + data = data.replace(/@#/g, String.fromCharCode(13)); + data = data.replace(/@\*/g, ">"); + data = data.replace(/@!/g, "<"); + data = data.replace(/@\$/g, "@"); for (let i = 0; i < data.length; i++) { let byte = data.charCodeAt(i); let char = data.charAt(i); @@ -233,7 +233,7 @@ const VBE = { index++; } if ((byte === 9 || byte > 31 && byte < 128) && byte !== 60 && byte !== 62 && byte !== 64) { - char = VBE.D_DECODE[byte].charAt([VBE.D_COMBINATION[index % 64]]); + char = MS.D_DECODE[byte].charAt(MS.D_COMBINATION[index % 64]); } result.push(char); } @@ -245,11 +245,15 @@ const VBE = { * @param {Object[]} args * @returns {string} */ - runDecodeVBE: function (data, args) { + runDecodeScript: function (input, args) { let matcher = /#@~\^......==(.+)......==\^#~@/; - let encodedData = matcher.exec(data); - return VBE.decode(encodedData[1]); + let encodedData = matcher.exec(input); + if (encodedData){ + return MS.decode(encodedData[1]); + } else { + return ""; + } }, }; -export default VBE; +export default MS; diff --git a/test/index.js b/test/index.js index 52d3b38c..91c0410e 100644 --- a/test/index.js +++ b/test/index.js @@ -22,9 +22,9 @@ import "./tests/operations/DateTime.js"; import "./tests/operations/FlowControl.js"; import "./tests/operations/Image.js"; import "./tests/operations/MorseCode.js"; +import "./tests/operations/MS.js"; import "./tests/operations/StrUtils.js"; import "./tests/operations/SeqUtils.js"; -import "./tests/operations/VBE.js"; let allTestsPassing = true; 
diff --git a/test/tests/operations/VBE.js b/test/tests/operations/MS.js similarity index 81% rename from test/tests/operations/VBE.js rename to test/tests/operations/MS.js index d43f9b3e..184e4bd1 100644 --- a/test/tests/operations/VBE.js +++ b/test/tests/operations/MS.js @@ -9,12 +9,12 @@ import TestRegister from "../../TestRegister.js"; TestRegister.addTests([ { - name: "VBE Decode", + name: "Micrsoft Script Decoder", input: "##@~^DgAAAA==\\ko$K6,JCV^GJqAQAAA==^#~@", expectedOutput: "MsgBox \"Hello\"", recipeConfig: [ { - "op": "Decode VBE", + "op": "Micrsoft Script Decoder", "args": [] }, ], From 934ed1af0958ca240ac54fc973eeabf4c1805d6d Mon Sep 17 00:00:00 2001 From: bwhitn Date: Tue, 29 Aug 2017 10:46:34 -0700 Subject: [PATCH 7/9] Fixed spelling errors, syntax errors, and improved the test for script decoding --- src/core/config/Categories.js | 2 +- src/core/config/OperationConfig.js | 5 +++-- src/core/operations/MS.js | 21 ++++++++++++--------- test/tests/operations/MS.js | 12 ++++++------ 4 files changed, 22 insertions(+), 18 deletions(-) diff --git a/src/core/config/Categories.js b/src/core/config/Categories.js index 80b2b3a7..401f6e4f 100755 --- a/src/core/config/Categories.js +++ b/src/core/config/Categories.js @@ -66,7 +66,7 @@ const Categories = [ "Encode text", "Decode text", "Swap endianness", - "Micrsoft Script Decoder", + "Microsoft Script Decoder", ] }, { diff --git a/src/core/config/OperationConfig.js b/src/core/config/OperationConfig.js index 08a6310f..1410f485 100755 --- a/src/core/config/OperationConfig.js +++ b/src/core/config/OperationConfig.js @@ -521,6 +521,7 @@ const OperationConfig = { } ] }, + "To Charcode": { description: "Converts text to its unicode character code equivalent.

e.g. Γειά σου becomes 0393 03b5 03b9 03ac 20 03c3 03bf 03c5", run: ByteRepr.runToCharcode, @@ -3205,8 +3206,8 @@ const OperationConfig = { } ] }, - "Micrsoft Script Decoder": { - description: "Decodes Microsoft Encoded Script files that have been encoded with Microsoft's custom encoding.", + "Microsoft Script Decoder": { + description: "Decodes Microsoft Encoded Script files that have been encoded with Microsoft's custom encoding. These are often VBS (Visual Basic Script) files that are encoded and often renamed ".vbe" extention or JS (JScript) files renamed with ".jse" extention.", run: MS.runDecodeScript, inputType: "string", outputType: "string", diff --git a/src/core/operations/MS.js b/src/core/operations/MS.js index 853f1a42..b382c234 100644 --- a/src/core/operations/MS.js +++ b/src/core/operations/MS.js @@ -1,5 +1,5 @@ /** - * Decodes Microsft Encoded Script files that can be read and executed by cscript.exe/wscript.exe. + * Decodes Microsoft Encoded Script files that can be read and executed by cscript.exe/wscript.exe. * This is a conversion of a Python script that was originally created by Didier Stevens (https://DidierStevens.com). * * @author bmwhitn [brian.m.whitney@outlook.com] @@ -215,17 +215,18 @@ const MS = { ], /** + * @private * @param {string} data * @returns {string} */ - decode: function (data) { + _decode: function (data) { let result = []; let index = -1; - data = data.replace(/@&/g, String.fromCharCode(10)); - data = data.replace(/@#/g, String.fromCharCode(13)); - data = data.replace(/@\*/g, ">"); - data = data.replace(/@!/g, "<"); - data = data.replace(/@\$/g, "@"); + data = data.replace(/@&/g, String.fromCharCode(10)) + .replace(/@#/g, String.fromCharCode(13)) + .replace(/@\*/g, ">") + .replace(/@!/g, "<") + .replace(/@\$/g, "@"); for (let i = 0; i < data.length; i++) { let byte = data.charCodeAt(i); let char = data.charAt(i); 
@@ -241,15 +242,17 @@ const MS = { }, /** + * Microsoft Script Decoder operation + * * @param {string} input * @param {Object[]} args * @returns {string} */ runDecodeScript: function (input, args) { - let matcher = /#@~\^......==(.+)......==\^#~@/; + let matcher = /#@~\^.{6}==(.+).{6}==\^#~@/; let encodedData = matcher.exec(input); if (encodedData){ - return MS.decode(encodedData[1]); + return MS._decode(encodedData[1]); } else { return ""; } diff --git a/test/tests/operations/MS.js b/test/tests/operations/MS.js index 184e4bd1..acf0f085 100644 --- a/test/tests/operations/MS.js +++ b/test/tests/operations/MS.js @@ -1,7 +1,7 @@ /** - * CharEnc tests. + * MS tests. * - * @author tlwr [toby@toby.codes] + * @author bwhitn [brian.m.whitney@outlook.com] * @copyright Crown Copyright 2017 * @license Apache-2.0 */ @@ -9,12 +9,12 @@ import TestRegister from "../../TestRegister.js"; TestRegister.addTests([ { - name: "Micrsoft Script Decoder", - input: "##@~^DgAAAA==\\ko$K6,JCV^GJqAQAAA==^#~@", - expectedOutput: "MsgBox \"Hello\"", + name: "Microsoft Script Decoder", + input: "#@~^RQAAAA==-mD~sX|:/TP{~J:+dYbxL~@!F@*@!+@*@!&@*eEI@#@&@#@&\x7fjm.raY 214Wv:zms/obI0xEAAA==^#~@", + expectedOutput: "var my_msg = \"Testing <1><2><3>!\";\r\n\r\nWScript.Echo(my_msg);", recipeConfig: [ { - "op": "Micrsoft Script Decoder", + "op": "Microsoft Script Decoder", "args": [] }, ], From f8e9e9ba85b1d35ae2ed7e812339da071055a892 Mon Sep 17 00:00:00 2001 From: bwhitn Date: Tue, 29 Aug 2017 12:04:15 -0700 Subject: [PATCH 8/9] added sample to description --- src/core/config/OperationConfig.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/config/OperationConfig.js b/src/core/config/OperationConfig.js index 1410f485..d309147a 100755 --- a/src/core/config/OperationConfig.js +++ b/src/core/config/OperationConfig.js 
@@ -3207,7 +3207,7 @@ const OperationConfig = { ] }, "Microsoft Script Decoder": { - description: "Decodes Microsoft Encoded Script files that have been encoded with Microsoft's custom encoding. These are often VBS (Visual Basic Script) files that are encoded and often renamed ".vbe" extention or JS (JScript) files renamed with ".jse" extention.", + description: "Decodes Microsoft Encoded Script files that have been encoded with Microsoft's custom encoding. These are often VBS (Visual Basic Script) files that are encoded and often renamed ".vbe" extention or JS (JScript) files renamed with ".jse" extention.

Sample

Encoded:
#@~^RQAAAA==-mD~sX|:/TP{~J:+dYbxL~@!F@*@!+@*@!&@*eEI@#@&@#@&.jm.raY 214Wv:zms/obI0xEAAA==^#~@

Decoded:
MsgBox "Hello"", run: MS.runDecodeScript, inputType: "string", outputType: "string", From 4a86340d501a9e1acc72185f81f98bdb4911cb84 Mon Sep 17 00:00:00 2001 From: n1474335 Date: Wed, 30 Aug 2017 15:56:51 +0000 Subject: [PATCH 9/9] Tidied up 'Microsoft Script Decoder' operation --- src/core/config/Categories.js | 2 +- src/core/config/OperationConfig.js | 2 +- src/core/operations/MS.js | 89 +++++++----------------------- 3 files changed, 22 insertions(+), 71 deletions(-) diff --git a/src/core/config/Categories.js b/src/core/config/Categories.js index 401f6e4f..07664f87 100755 --- a/src/core/config/Categories.js +++ b/src/core/config/Categories.js @@ -66,7 +66,6 @@ const Categories = [ "Encode text", "Decode text", "Swap endianness", - "Microsoft Script Decoder", ] }, { @@ -283,6 +282,7 @@ const Categories = [ "XPath expression", "JPath expression", "CSS selector", + "Microsoft Script Decoder", "Strip HTML tags", "Diff", "To Snake case", diff --git a/src/core/config/OperationConfig.js b/src/core/config/OperationConfig.js index d309147a..e4210db2 100755 --- a/src/core/config/OperationConfig.js +++ b/src/core/config/OperationConfig.js @@ -3207,7 +3207,7 @@ const OperationConfig = { ] }, "Microsoft Script Decoder": { - description: "Decodes Microsoft Encoded Script files that have been encoded with Microsoft's custom encoding. These are often VBS (Visual Basic Script) files that are encoded and often renamed ".vbe" extention or JS (JScript) files renamed with ".jse" extention.

Sample

Encoded:
#@~^RQAAAA==-mD~sX|:/TP{~J:+dYbxL~@!F@*@!+@*@!&@*eEI@#@&@#@&.jm.raY 214Wv:zms/obI0xEAAA==^#~@

Decoded:
MsgBox "Hello"", + description: "Decodes Microsoft Encoded Script files that have been encoded with Microsoft's custom encoding. These are often VBS (Visual Basic Script) files that are encoded and renamed with a '.vbe' extention or JS (JScript) files renamed with a '.jse' extention.

Sample

Encoded:
#@~^RQAAAA==-mD~sX|:/TP{~J:+dYbxL~@!F@*@!+@*@!&@*eEI@#@&@#@&.jm.raY 214Wv:zms/obI0xEAAA==^#~@

Decoded:
var my_msg = "Testing <1><2><3>!";\n\nVScript.Echo(my_msg);", run: MS.runDecodeScript, inputType: "string", outputType: "string", diff --git a/src/core/operations/MS.js b/src/core/operations/MS.js index b382c234..d0f6149a 100644 --- a/src/core/operations/MS.js +++ b/src/core/operations/MS.js @@ -1,8 +1,9 @@ /** - * Decodes Microsoft Encoded Script files that can be read and executed by cscript.exe/wscript.exe. - * This is a conversion of a Python script that was originally created by Didier Stevens (https://DidierStevens.com). + * Microsoft operations. * * @author bmwhitn [brian.m.whitney@outlook.com] + * @copyright Crown Copyright 2017 + * @license Apache-2.0 * * @namespace */ @@ -148,73 +149,16 @@ const MS = { * @default */ D_COMBINATION: [ - 0, - 1, - 2, - 0, - 1, - 2, - 1, - 2, - 2, - 1, - 2, - 1, - 0, - 2, - 1, - 2, - 0, - 2, - 1, - 2, - 0, - 0, - 1, - 2, - 2, - 1, - 0, - 2, - 1, - 2, - 2, - 1, - 0, - 0, - 2, - 1, - 2, - 1, - 2, - 0, - 2, - 0, - 0, - 1, - 2, - 0, - 2, - 1, - 0, - 2, - 1, - 2, - 0, - 0, - 1, - 2, - 2, - 0, - 0, - 1, - 2, - 0, - 2, - 1 + 0, 1, 2, 0, 1, 2, 1, 2, 2, 1, 2, 1, 0, 2, 1, 2, 0, 2, 1, 2, 0, 0, 1, 2, 2, 1, 0, 2, 1, 2, 2, 1, + 0, 0, 2, 1, 2, 1, 2, 0, 2, 0, 0, 1, 2, 0, 2, 1, 0, 2, 1, 2, 0, 0, 1, 2, 2, 0, 0, 1, 2, 0, 2, 1 ], + /** + * Decodes Microsoft Encoded Script files that can be read and executed by cscript.exe/wscript.exe. + * This is a conversion of a Python script that was originally created by Didier Stevens + * (https://DidierStevens.com). + * * @private * @param {string} data * @returns {string} 
@@ -227,13 +171,18 @@ const MS = { .replace(/@\*/g, ">") .replace(/@!/g, "<") .replace(/@\$/g, "@"); + for (let i = 0; i < data.length; i++) { let byte = data.charCodeAt(i); let char = data.charAt(i); if (byte < 128) { index++; } - if ((byte === 9 || byte > 31 && byte < 128) && byte !== 60 && byte !== 62 && byte !== 64) { + + if ((byte === 9 || byte > 31 && byte < 128) && + byte !== 60 && + byte !== 62 && + byte !== 64) { char = MS.D_DECODE[byte].charAt(MS.D_COMBINATION[index % 64]); } result.push(char); @@ -241,8 +190,9 @@ const MS = { return result.join(""); }, + /** - * Microsoft Script Decoder operation + * Microsoft Script Decoder operation. * * @param {string} input * @param {Object[]} args @@ -256,7 +206,8 @@ const MS = { } else { return ""; } - }, + } + }; export default MS;