In this case we are looking at a 32-bit EXE with WinDbg (x86) from the Windows SDK.
This exact process may or may not work depending on how the script was compiled, but the technique will be similar for many different types of interpreted scripts that are “compiled” to EXE
First we open the executable in WinDbg with File –> Open Executable
We then run the following commands
bp vbscript!COleScript::AddNamedItem g bp oleaut32!SysAllocStringLen g
Now EAX is pointing to the beginning of our decompiled script, which we can check with du @EAX
If this doesn’t point to any script, you can instead try creating a dmp file with .dump /ma <filename.dmp> then use http://live.sysinternals.com/strings.exe to parse the dmp, i.e. strings filename.dmp > out.txt and examine the output for decompiled script.
To write the script to a VBS file type the following additional commands:
pt .writemem c:\support\decompiled.vbs @edi @edi+@edx
Open in Notepad or other editor, ensuring to select “UNICODE” format