Decompile Compiled VBS EXE with WinDbg

In this case we are looking at a 32-bit EXE with WinDbg (x86) from the Windows SDK.

This exact process may or may not work depending on how the script was compiled, but the technique is similar for many types of interpreted script that are “compiled” to an EXE.

First we open the executable in WinDbg with File –> Open Executable.

We then run the following commands:

bp vbscript!COleScript::AddNamedItem
g
bp oleaut32!SysAllocStringLen
g

Now EAX points to the beginning of our decompiled script, which we can check with du @EAX.

If this doesn’t point to any script, you can instead create a dump file with .dump /ma <filename.dmp>, then use http://live.sysinternals.com/strings.exe to parse it, i.e. strings filename.dmp > out.txt, and examine the output for the decompiled script.


To write the script to a VBS file type the following additional commands:

pt
.writemem c:\support\decompiled.vbs @edi @edi+@edx


Open the file in Notepad or another editor, making sure to select the “UNICODE” encoding.
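The strings fallback above and the UNICODE (UTF-16LE) file written by .writemem can both be handled offline. As an added example, not part of the original post, the Python below scans a dump (or any binary) for UTF-16LE runs the way strings.exe does, keeps only the runs that look like VBScript, and decodes a .writemem output file; the keyword list and the sample bytes are constructed here for illustration.

```python
import re
from typing import List

# Runs of 8+ printable UTF-16LE code units (ASCII byte followed by 0x00),
# the same kind of match strings.exe reports for Unicode strings.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e\r\n\t]\x00){8,}")

# Tokens that distinguish a VBScript body from the other Unicode strings
# (DLL names, paths, resource names) that share the process memory.
VBS_KEYWORDS = ("Dim ", "Set ", "CreateObject", "WScript", "Function ",
                "Sub ", "End If", "MsgBox", "On Error")


def extract_utf16_strings(data: bytes) -> List[str]:
    """Return every printable UTF-16LE run in data, in file order."""
    return [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(data)]


def find_script_candidates(data: bytes, min_hits: int = 2) -> List[str]:
    """Keep only runs that contain at least min_hits VBScript keywords."""
    hits = []
    for s in extract_utf16_strings(data):
        if sum(1 for k in VBS_KEYWORDS if k in s) >= min_hits:
            hits.append(s)
    return hits


def decode_writemem(raw: bytes) -> str:
    """Decode a .writemem dump of the BSTR payload (UTF-16LE, no BOM) and
    drop the NUL terminator and anything copied after it."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


if __name__ == "__main__":
    # Constructed sample: a short script surrounded by non-text bytes and one
    # unrelated Unicode string, standing in for a real process dump.
    script = 'Dim sh\r\nSet sh = CreateObject("WScript.Shell")\r\nMsgBox "hi"\r\n'
    junk = bytes(range(0x80, 0x100))
    dump = (junk + "kernel32.dll".encode("utf-16-le") + junk
            + script.encode("utf-16-le") + junk)
    for candidate in find_script_candidates(dump):
        print(candidate)
```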


About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Reverse Engineering, WinDbg.
