A little about the
encoding algorithm. It is basically a
caesar shift cipher where the
ANSI character set is the alphabet being encoded. It uses a
caesar shift of 2, shifting the
ANSI character set and using that in a nearly direct substitution. The only special cases are chars 10(space,
_), 13(return,
\r), and 32(newline,
\n). Transforming them into chars 15, 16, and 17 respectively. It adds another little twist by decoding 2 characters at a time and reversing their order. It is an extremely simple algorithm, but there is no reason to use a complicated one when it is just used to
obfuscate something and the
decoder is sitting right next to the output.
This function should work as the matching encoder:
Function encoder(plaintext)
For I = 1 To Len(plaintext) Step 2
currChar= Mid(plaintext, I, 1)
nextChar= Mid(plaintext, I + 1, 1)
If Asc(currChar) = 10 Then
currChar= Chr(15)
ElseIf Asc(currChar) = 13 Then
currChar = Chr(16)
ElseIf Asc(currChar) = 32 Then
currChar = Chr(17)
Else
currChar = Chr(Asc(currChar) + 2)
End If
If nextChar<> "" Then
If Asc(nextChar) = 10 Then
nextChar= Chr(15)
ElseIf Asc(nextChar) = 13 Then
nextChar= Chr(16)
ElseIf Asc(nextChar) = 32 Then
nextChar= Chr(17)
Else
nextChar= Chr(Asc(nextChar) + 2)
End If
End If
encoder = encoder & nextChar & currChar
Next
End Function
I would also like to note that it appears the script ends up in an
infinite loop checking if the file it began execution from exists. If it doesn't it recreates the file. I'm not sure how bad this loop will affect performance, but I know one person whose system became unusable. So it isn't completely without
payload.
I just couldn't leave this node alone. I was nearly complete with my own analysis of the script when I was directed to wonko's excellent one above. I guess I can't complain about being beat to the punch by a guy that used to do this for a living.