p2p.wrox.com Forums


Hackoo September 14th, 2011 11:15 AM

How to determine the function of encoding or encryption ?
Hi [:)]
I am interested in the new viruses that are circulating these days, and I noticed that some of them are encrypted or encoded so that they can bypass the antivirus.
So, in order to make a cleaning tool to put everything in order and cover their tracks, I must of course read the contents, i.e. the original source code as it was before being encrypted or encoded, to see which registry keys were changed, added or deleted.
Yesterday I managed to decode a virus circulating on the USB key. That was because I saw at the end of the source a function that decodes the content by running it, so I took it and changed it to finally decode the contents of this virus.
Here is this function:

avira = "encrypted code of the virus ?" 'Of course it is not readable
' Stub at the end of the virus: shifts every character down by one, then runs the result
For i = 1 To Len(avira): PRGT = PRGT & Chr(Asc(Mid(avira, i, 1)) - 1): Next: Execute(PRGT)

And here is the code I tested to decode it. I will not post the entire virus code, just the first three lines that I deciphered:

avira = "(cz!;!NzMpwfGbdfCppl/MjvZjGfjAIpunbjm/DpN po!fssps!sftvnf!ofyu ejn!nztpvsdf-xjoqbui-gmbtiesjwf-gt-ng-bus-ug-sh-ou-difdl-te "
PRGT = ""
' Shift every character down by one code point, as the virus's own stub does
For i = 1 To Len(avira)
    PRGT = PRGT & Chr(Asc(Mid(avira, i, 1)) - 1)
Next
' Write the decoded text to a file instead of executing it
Set fso = CreateObject("Scripting.FileSystemObject")
NomFichierLog = "Fichierdecode.txt"
Set Output = fso.OpenTextFile(NomFichierLog, 2, True)
Output.WriteLine PRGT
Output.Close

and it will output this:

'by: @ MyLoveFaceBook.LiuYiFei Hotmail.CoM
on error resume next
MySource Sun, WinPath, flashdrive, fs, mf, atr, tf, rg, nt, check, sd

So my question is: knowing the decoding or deciphering function, how can I do the opposite, i.e. determine the encoding or encryption function?

Thank you for your eventual Help!
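
Added example, not part of the original post: a static analysis helper in Python that applies the stub's per-character shift without ever calling Execute, recovers the shift by scoring candidates against VBScript keywords, and shows that the encoding function is simply the opposite shift. The function names, the keyword list, the 0..255 wrap-around and the sample (two fragments of the post's string rejoined with an encoded CR LF) are assumptions made for this example.

```python
"""Static decoder for character-shift obfuscated VBScript. Nothing is executed."""

# VBScript tokens expected in decoded text; used only to rank candidate shifts.
# (Assumed list for this example, extend it for other samples.)
KEYWORDS = ("on error resume next", "dim ", "set ", "createobject",
            "function", "end if", "wscript")

# Constructed sample: two fragments of the string quoted in the post,
# rejoined with CR LF as the encoder would emit it (13+1 = 0x0e, 10+1 = 0x0b).
SAMPLE = "po!fssps!sftvnf!ofyu" + "\x0e\x0b" + "ejn!nztpvsdf-xjoqbui-gmbtiesjwf"


def shift_chars(text: str, delta: int) -> str:
    """Add delta to every character code, wrapping in 0..255 (single-byte text)."""
    return "".join(chr((ord(c) + delta) % 256) for c in text)


def decode(blob: str, delta: int = -1) -> str:
    """What the stub does per character, Chr(Asc(c) - 1), without the Execute."""
    return shift_chars(blob, delta)


def encode(plain: str, delta: int = -1) -> str:
    """Inverse of decode(): the opposite shift. Used to verify a round trip."""
    return shift_chars(plain, -delta)


def score(text: str) -> int:
    """Count keyword hits, case-insensitively, in a candidate decoding."""
    low = text.lower()
    return sum(low.count(k) for k in KEYWORDS)


def recover_delta(blob: str) -> int:
    """Try every shift and keep the one whose output looks most like VBScript."""
    return max(range(-128, 128), key=lambda d: score(shift_chars(blob, d)))


if __name__ == "__main__":
    delta = recover_delta(SAMPLE)
    plain = decode(SAMPLE, delta)
    print("recovered shift:", delta)
    print(plain)
    # If re-encoding reproduces the blob, the scheme is fully understood.
    print("round trip ok:", encode(plain, delta) == SAMPLE)
```

A successful round trip confirms that the decoded text is complete, so the registry keys and file paths it references can be read from it and fed into a cleanup tool.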
