ask:
Hello, script expert! How to encode scripts within HTA?
--LL
answer:
Hello, LL. You know, when we first saw this question, we were thinking, "What's the big deal? Can't we encode scripts in HTML applications (HTAs) like we did in HTML files?" To our surprise, it seems that we can't encode scripts in HTAs; every time we try to do this, we return an error message like the following:
Scriptingencoderobject("Scripting.Encoder") failedonC:/Scripts/test.hta
Honestly, we never found a way to encode scripts in HTA. But that's OK, because we did come up with a tricky idea to solve this problem. We'll show you in a while.
However, before doing it, we need to take a moment to explain what it means to encode scripts. Microsoft has a utility called ScriptEncoder (Script Encoder) that "bumps" your script code. For example, suppose you have a script similar to the following:
strComputer="."
SetobjWMIService=GetObject("winmgmts://"&strComputer&"/root/cimv2")
SetcolOperatingSystems=objWMIService.ExecQuery("Select*fromWin32_OperatingSystem")
ForEachobjOperatingSystemincolOperatingSystems
MsgboxobjOperatingSystem.Caption&""&objOperatingSystem.Version
Next
Suppose for some reason you want people to be unable to read script code. This is a problem: after all, anyone who has the right to run the script has the same right to open it in Notepad and watch whatever you want. However, after the same script is processed by the "Script Encoder", it will become the following:
#@~^8AEAAA==@#@&@#@&,PP,?!8PV+OrU.n.kkW@#@&,PP,~~PkYMZG:2;D+.P{~JcJ@#@&,PP~~,P~P,~U+O,W(L tq
UnD7k^+,'~! Yr(%+1Y`rArxsosYd)wwrP'PkOD;Wh2!Y+.~LP~J'.KWO'mb:/yJ*@#@&@#@&~P,P~~,PP,~? YP1Gsra+MlOkULUXdY h/,'~G(
L /(U+./b^ R3X+1pE DH~{@#@&~P,P~~,PP,~P,PPvEj+^+1Y~e~W
MWhPqrx2m6a+DCObxL?HdD+hr#@#@&@#@&P,~P,P~P,P~oKDPACm4PW(%6w DmYr
xLjH/O+s~kP^G^rwn.mYrxTjH/O :k@#@&,P,~P,P~P,P~~,PHkL4K6PK8%ra+M
lOkULUXdY hR;l2ObWx~',J~J,',{@#@&P,PP,P,~P,P~P,P~~,PW(%ra+DmOrxT?H/O+h
j+./bGx@#@&~~,PP~~,P~PgnXY@#@&P,PPAx9~?!4@#@&QYQAAA==^#~@
The scripts are still working, but it's a little harder for anyone to look at the code and plagiarize your work results. (You're right: it's really better than you, script expert! Most of the jokes mentioned in it make more sense)
Now, the important thing to remember is that we only encode (or disrupt) the scripts without any encryption. what does that mean? This means that the encoder hides your scripts from most people; however, a real hardcore hacker who has knowledge of coding or has utilities downloaded from the Internet can crack this code. This especially means never "hide" the administrator password in the script, nor do you think that the "script encoder" can ensure that the password is not snooped. It won't be like you think it's an encoder rather than an encryptor, which definitely makes a difference.