To the Top

Online VBScript Obfuscator/Defuscator (Encrypt/Protect VBS)

Using this handy VBS tool, you can convert your VBScript into an obfuscated VBS source code, without compromising/altering the scripting functionalities and the VBScript keywords. This Free VBScript Obfuscator works by converting each character in your VBS source code into a much obfuscated format. Then these obfuscated letters are combined at runtime and be executed via the Execute function.

msgbox "Is VBScript Dead?"

will be encrypted and protected by the following:

Execute(chr(2380560/CLng("&H5550"))&chr(-7846+CLng("&H1f19"))&chr(9362700/CLng("&H16314"))&chr(-85619+CLng("&H14ed5"))&chr(-88259+CLng("&H15932"))&chr(CLng("&H5d9f")-23847)&chr(-53633+CLng("&Hd1a1"))&chr(2512906/CLng("&H120b5"))&chr(1547089/CLng("&H52c9"))&chr(CLng("&Habe7")-43892)&chr(620608/CLng("&H4bc2"))&chr(CLng("&Hdf7d")-57127)&chr(-66900+CLng("&H10596"))&chr(-82802+CLng("&H143c5"))&chr(4581720/CLng("&Hb4c8"))&chr(6332928/CLng("&Hd900"))&chr(CLng("&H911")-2216)&chr(-56904+CLng("&Hdeb8"))&chr(-83764+CLng("&H147a8"))&chr(1711840/CLng("&Hd0f7"))&chr(3308064/CLng("&Hbe08"))&chr(CLng("&H11c1d")-72632)&chr(-16900+CLng("&H4265"))&chr(9186800/CLng("&H166dc"))&chr(CLng("&H60c1")-24706)&vbcrlf)

However, sophicated software engineer knows how to reverse engineer the obfuscated VBScript source code within a few minutes. This should not be trusted in hiding any sensitive information inside your VBScript source code. However, you can use this tool if you do not want people read the VBS source at an easy glance and modify it.

You could again copy the obfuscated VBS source to the input box and re-apply the obfuscation process to achieve a much higher level of obfuscation.

Online VBScript Obfuscator/Encryptor

How do you Deobfuscate the Obfuscated VBScript?

In case you want to deobfuscate the obfuscated VBScript source code (produced by above VBS Obfuscator Freeware), you can simply Replace the Execute keyword in the obfuscated VBScript source with either MsgBox or WScript.Echo and then all you need to do is to run the source code which should print out the original un-obfuscated VBS source.

How do you Deobfuscate the Obfuscated VBScript?

The VBScript Obfuscator in VBScript

The following is the VBScript Obfuscator written in VBScript. You can obfuscate your VBS source file easily with this command line utility.

Github Repro: https://github.com/DoctorLai/VBScript_Obfuscator

The obfuscator will parse each character of your VBS file, and obfuscate it via a random character. The source code is thus obfuscated with concatenation of these characters. The obfuscated source can be run with the VBScript function Execute but the source code looks pretty obfuscated.

The VBScript Obfuscator in VBScript

You can pass multiple VBScript file names at command line, and the obfuscator will obfuscate each source and print the obfuscated string one by one to the console. You can also redirect the console to save to new vbs via the following example:

cscript.exe vbs_obfuscator.vbs sample.vbs > sample_obfuscated.vbs

VBScript Obfuscator Source Code

Option Explicit

Function vbs_obfuscator(n)
	Dim r, k
	r = Round(Rnd() * 10000) + 1
	k = Round(Rnd() * 2) + 1
	Select Case k
		Case 0
			vbs_obfuscator = "CLng(&H" & Hex(r + n) & ")-" & r
		Case 1
			vbs_obfuscator = (n - r) & "+CLng(&H" & Hex(r) & ")"
		Case Else
			vbs_obfuscator = (n * r) & "/CLng(&H" & Hex(r) & ")"
	End Select
End Function

Function Obfuscator(vbs)
	Dim length, s, i
	length = Len(vbs)
	s = ""
	For i = 1 To length
		s = s & "chr(" & vbs_obfuscator(Asc(Mid(vbs, i))) + ")&"
	Next
	s = s & "vbCrlf"
	Obfuscator = "Execute " & s
End Function

If WScript.Arguments.Count = 0 Then
	WScript.Echo "Missing parameter(s): VBScript source file(s)"
	WScript.Quit
End If 

Dim fso, i
Const ForReading = 1
Set fso = CreateObject("Scripting.FileSystemObject")
For i = 0 To WScript.Arguments.Count - 1
	Dim FileName
	FileName = WScript.Arguments(i)
	Dim MyFile
	Set MyFile = fso.OpenTextFile(FileName, ForReading)
	Dim vbs
	vbs = MyFile.ReadAll
	WScript.Echo Obfuscator(vbs)
	MyFile.Close
Next

Set fso = Nothing

The VBScript Defuscator in VBScript

The obfuscator allows you to obfuscate the VBScript source code and still the VBScript can run as expected. If you don't have the original source code, the process can still be reverted.

The VBScript Defuscator reverts the process. The defuscator tries to look for the function keyword Execute and evaluate the expression, writes the original clean source code back to the console.

The source code of the VBScript defuscator is as follows, which only works for the specific version of VBScript obfuscator:

Option Explicit

Function Defuscator(vbs)
    Dim t
    t = InStr(1, vbs, "Execute", 1)
    t = Mid(vbs, t + Len("Execute")) 
    t = Eval(t)
    Defuscator = t
End Function

Dim fso, i
Const ForReading = 1
Set fso = CreateObject("Scripting.FileSystemObject")
For i = 0 To WScript.Arguments.Count - 1
    Dim FileName
    FileName = WScript.Arguments(i)
    Dim MyFile
    Set MyFile = fso.OpenTextFile(FileName, ForReading)
    Dim vbs
    vbs = MyFile.ReadAll    
    WScript.Echo Defuscator(vbs)
    MyFile.Close
Next
Set fso = Nothing

You can revert the process via the following vbs_defuscator.vbs

cscript.exe vbs_defuscator.vbs sample_defuscated.vbs > sample.vbs
VBScript Defuscator

Adanced ROT47 VBScript Obfuscator in VBScript

Combined with ROT47, the VBScript obfuscator can be quite powerful. The source code of ROT47 VBScript Obfuscator. For example, the original VBS is:

MsgBox "Hello, @justyy"
and it can be obfuscated to:
Function l(str):Dim i,j,k,r:j=Len(str):r="":For i=1 to j:k=Asc(Mid(str,i,1)):If k>=33 And k<=126 Then:r=r&Chr(33+((k+14)Mod 94)):Else:r=r&Chr(k):End If:Next:l=r:End Function
Execute l("|[email protected] [email protected][ o;FDEJJQ")
Similar to previous obfuscator, you can obfuscate the VBS via the command line, for example:
cscript.exe vbs_rot47_obfuscator.vbs sample.vbs > sample-obfuscated.vbs
The ROT47 is a Caesar cipher by 47 chars. If you apply rot47 on the same string twice, you will get its original version. The VBScript source code for ROT47 VBScript obfuscator is maintained in github and the following is the core implementation:
Function Rot47(str)
    Dim i, j, k, r
    j = Len(str)
    r = ""
    For i = 1 to j
        k = Asc(Mid(str, i, 1))
        If k >= 33 And k <= 126 Then
            r = r & Chr(33 + ((k + 14) Mod 94))
        Else
            r = r & Chr(k)
        End If
    Next
    Rot47 = r
End Function

Function Obfuscator(vbs)
    Dim length, s, i, F
    F = "Function l(str):Dim i,j,k,r:j=Len(str):r=" & Chr(34) & Chr(34) & ":For i=1 to j:k=Asc(Mid(str,i,1)):If k>=33 And k<=126 Then:r=r&Chr(33+((k+14)Mod 94)):Else:r=r&Chr(k):End If:Next:l=r:End Function"
    length = Len(vbs)
    s = ""
    For i = 1 To length
        s = s & Rot47(Mid(vbs, i, 1))
    Next    
    Obfuscator = F & vbCrlf & "Execute l(" & Chr(34) & (s)& Chr(34) &")" & vbCrLf 
End Function

The VBScript Obfuscator using Base64 Encoding/Decoding

With Base64 Encoding/Decoding, we can obfuscate the VBScript source easiy. For example, the following source unprotected VBScript:

msgbox "Hello, @justyy"
can be obfuscated into the base64-encoded version:
Function l(a): With CreateObject("Msxml2.DOMDocument").CreateElement("aux"): .DataType = "bin.base64": .Text = a: l = r(.NodeTypedValue): End With: End Function
Function r(b): With CreateObject("ADODB.Stream"): .Type = 1: .Open: .Write b: .Position = 0: .Type = 2: .CharSet = "utf-8": r = .ReadText: .Close:  End With: End function
Execute l("TXNnQm94ICJIZWxsbywgQGp1c3R5eSI=")
The full VBScript Base64 Obfuscator source code is maintained in github.

TODO

Adding more complex obfuscation/deobfuscation steps. e.g. add a character map and reference the characters in complicated ways.

API Source Code (PHP) for VBScript Obfuscator

We provide a free-to-use-on-fair-policy API to obfuscate any length of VBScript source code. The VBS Obfuscator API is implemented in PHP.

// https://isvbscriptdead.com/vbs-obfuscator/
  $s = trim($_GET['s'] ?? '');
  mt_srand();
  
  function vbs_obfuscator($n) {
    $r = mt_rand(1, 99999);
    $k = mt_rand(0, 2);
    if ($k == 0) return 'CLng("&H'. dechex($r + $n) . '")-' . $r;
    if ($k == 1) return ($n - $r) . '+CLng("&H' . dechex($r) . '")';
    return ($n * $r) . '/CLng("&H' . dechex($r) . '")';
  }
  
  function obfuscate($s) {
    $len = strlen($s);
    $t = '';
    for ($i = 0; $i < $len; ++ $i) {
      $t .= "chr(" . vbs_obfuscator(ord($s[$i])) . ")&";
    } 
    $t .= "vbcrlf";
    return "Execute(" . $t . ")";
  }
    
  $data = obfuscate($s);
  header("Access-Control-Allow-Origin: *");
  header('Content-Type: application/json');
  die(json_encode($data));

You can use the following APIs from 4 API servers:

For example:

https://helloacm.com/api/vbscript-obfuscator/?s=msgbox "Is VBScript Dead?"
returns (results may vary subject to VBS obfuscator/defuscator algorithm):
"Execute(chr(3797669\/34841)&chr(728640\/6336)&chr(3127-3024)&chr(7506408\/76596)&chr(-23535+23646)&chr(92295-92175)&chr(-83289+83321)&chr(72965-72931)&chr(-45345+45418)&chr(70842-70727)&chr(-99208+99240)&chr(-75657+75743)&chr(-53395+53461)&chr(74507-74424)&chr(1141866\/11534)&chr(10149876\/89034)&chr(3190530\/30386)&chr(89543-89431)&chr(2302600\/19850)&chr(-1719+1751)&chr(93172-93104)&chr(9492485\/93985)&chr(5194835\/53555)&chr(2435600\/24356)&chr(-25929+25992)&chr(948090\/27885)&vbcrlf)"
The following API will store the output obfuscated VBScript source code at the CloudFlare CDN, so you can expect the obfuscated cached and served quickly than the above API, which always returns randomly-obfuscated VBScript source code and that is served directly from the API server.
https://helloacm.com/api/vbscript-obfuscator/?cached&s=msgbox "Is VBScript Dead?"
That should return the same output for a limited time period, e.g. 1 hour depending on the cache settings.

Please Note: It is recommended to pass the parameters via POST method instead of handy GET method. Passing the parameters via POST allows a lengthy input VBScript string and you don't need to explicity encode the return carriage and other characters that are required to be URL-encoded when it comes to GET.
For example:

curl -X POST https://helloacm.com/api/vbscript-obfuscator/ -d "s=msgbox 1234" -d "cached"
Passing parameters via GET is also not secure, as the source code of the VBScript is glued to the API Calling URL (and limited by a maximum length). The content of VBS encoded via $_GET parameter may cause the API blocked by CloudFlare Web Firewall.

Disclamier of VBScript Obfuscator

Contact Me

via Web Email.

Donation helps

Donation helps the cost of the domain/server, and is very much appreciated.

Why Donate?

Check This page for a few reasons. :)

Page Edited on Irregular Basis: 09/Oct/2018 02:14:02
View in AMP (Accelerated Mobile Pages) Version