How Can I Encode Scripts Within an HTA?

ScriptingGuy1

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I encode scripts within an HTA?

— LL

SpacerHey, Scripting Guy! AnswerScript Center

Hey, LL. You know, when we first read this question we thought, “What’s the big deal? Can’t you encode scripts in an HTML Application (HTA) the same way you encode scripts in an HTML file?” Much to our surprise, it appears as though you can’t encode scripts in an HTA; each time we tried we got back an error message similar to this:

Scripting encoder object (“Scripting.Encoder”) failed on C:\Scripts\test.hta

To be honest, we never found a way to encode scripts within an HTA. But that’s OK, because we did find a sneaky way to work around the problem. And we’ll show you that in just a moment.

Before we do that, however, we need to take a second and explain what we mean by encoding scripts. Microsoft has a utility – aptly named the Script Encoder – that can “obfuscate” your script code. For example, suppose you have a script that looks like this:

strComputer = “.”

Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2”)

Set colOperatingSystems = objWMIService.ExecQuery(“Select * from Win32_OperatingSystem”)

For Each objOperatingSystem in colOperatingSystems Msgbox objOperatingSystem.Caption & ” ” & objOperatingSystem.Version Next

Let’s say that, for some reason, you’d prefer that people not be able to read the script code. That’s a problem: after all, anyone who has permission to run a script is going to have permission to open the script up in Notepad and gawk at the code all they want. But here’s what that same script looks like after the Script Encoder gets done with it:

#@~^8AEAAA==@#@&@#@&@#@&,PP,?!8PV+OrU.n.kkW@#@&,PP,~~PkYMZG:2;D+.P{~JcJ@#@&,PP~~,P~P,~U+O,W(Ltq
UnD7k^+,’~!Yr(%+1Y`rArxsosYd)wwrP’PkOD;Wh2!Y+.~LP~J’.KWO’mb:\yJ*@#@&@#@&~P,P~~,PP,~?YP1Gsra+MlOkULUXdYh/,’~G(
L\(U+.\b^R3X+1pEDH~{@#@&~P,P~~,PP,~P,PPvEj+^+1Y~e~W
MWhPqrx2 m6a+DCObxL?HdD+hr#@#@&@#@&P,~P,P~P,P~oKDPACm4PW(%6wDmYr
xLjH/O+s~kP^G^rwn.mYrxTjH/O:k@#@&,P,~P,P~P,P~~,PHkL4K6PK8%ra+M
lOkULUXdYhR;l2ObWx~’,J~J,’,{@#@&P,PP,P,~P,P~P,P~~,PW(%ra+DmOrxT?H/O+h 
j+./bGx@#@&~~,PP~~,P~PgnXY@#@&P,PPAx9~?!4@#@&QYQAAA==^#~@

The script still works, it’s just a bit harder for anyone to glance at the code and plagiarize your work. (And you’re right: even at that it does make more sense than most of the jokes used in Hey, Scripting Guy!)

Now, the important thing to keep in mind is that the script is simply encoded (or obfuscated); it is definitely not encrypted. What does that mean? That means the encoder will hide your script from most people; however, a truly determined hacker – armed with a knowledge of codes or armed with a utility downloaded from the Internet – could crack the code. Among other things, that means that you should never do something like “hide” an Administrator password in a script and assume that the Script Encoder will keep it safe from prying eyes. It won’t. It’s an encoder, not an encrypter, and there’s definitely a difference.

But what about the problem with encoding scripts in an HTA? Well, let’s assume you have an HTA that looks like this (we’ll also assume that you’ve already downloaded and installed the Script Encoder):

<head>
<title>Operating System Version</title>
<HTA:APPLICATION 
     APPLICATIONNAME=”Operating System Version”
     SCROLL=”yes”
     SINGLEINSTANCE=”yes”
>
</head>

<script language=”VBScript”>

Sub GetOSVersion strComputer = “.” Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2”)

Set colOperatingSystems = objWMIService.ExecQuery _ (“Select * from Win32_OperatingSystem”)

For Each objOperatingSystem in colOperatingSystems Msgbox objOperatingSystem.Caption & ” ” & _ objOperatingSystem.Version Next End Sub </script>

<body> <input type=”button” value=”Operating System” name=”run_button” onClick=”GetOSVersion”>

</body>

If you want to encode the VBScript portion of this HTA the first thing you need to do is use the ‘**Start Encode** tag to mark the beginning of the section to be encoded. In other words, your <Script> tag needs to look like this, with ‘**Start Encode** coming right before the very first line of VBScript code:

<script language=”VBScript”>

‘**Start Encode**

Sub GetOSVersion strComputer = “.” Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2”)

Set colOperatingSystems = objWMIService.ExecQuery _ (“Select * from Win32_OperatingSystem”)

For Each objOperatingSystem in colOperatingSystems Msgbox objOperatingSystem.Caption & ” ” & _ objOperatingSystem.Version Next End Sub </script>

In theory, you should then be able to encode the script by running Screnc.exe and passing two parameters, the name of the existing HTA file (Test.hta) and the name to be given to the encoded file (Encoded.hta):

C:\Scripts>screnc test.hta encoded.hta

Unfortunately, though, this doesn’t work.

Update Note: You do not actually need to rename the file.  

All you need to do is to use the /e flag to tell the encoder how to handle file types it doesn’t recognise natively, thus:

 

Screnc /e htm test.hta test.hte

 

Or to do it in place (overwriting the original):

 

Screnc /f /e htm test.hta

 

Thanks DL, for the update! 

Why? Well, we aren’t really sure. But we do know what does work. All we have to do is change the file extension on the existing file from .hta to .htm; in other words, we simply rename the file Test.htm. The Script Encoder can’t handle HTA files, but it has no problems with HTML files. Now we can start the Script Encoder using syntax like this:

C:\Scripts>screnc test.htm encoded.hta

Are we sure that will work? Don’t tell us you doubt the Scripting Guys! Here’s what Encoded.hta looks like:

<head>
<title>Operating System Version</title>
<HTA:APPLICATION 
     APPLICATIONNAME=”Operating System Version”
     SCROLL=”yes”
     SINGLEINSTANCE=”yes”
>
</head>

<script language=”VBScript.Encode”>

‘**Start Encode**#@~^8AEAAA==@#@&@#@&@#@&,PP,?!8PV+OrU.n.kkW@#@&,PP,~~PkYMZG:2;D+.P{~JcJ@#@&,PP~~,P~P,~U+O,W(Ltq UnD7k^+,’~!Yr(%+1Y`rArxsosYd)wwrP’PkOD;Wh2!Y+.~LP~J’.KWO’mb:\yJ*@#@&@#@&~P,P~~,PP,~?YP1Gsra+MlOkULUXdYh/,’~G( L\(U+.\b^R3X+1pEDH~{@#@&~P,P~~,PP,~P,PPvEj+^+1Y~e~W MWhPqrx2 m6a+DCObxL?HdD+hr#@#@&@#@&P,~P,P~P,P~oKDPACm4PW(%6wDmYr xLjH/O+s~kP^G^rwn.mYrxTjH/O:k@#@&,P,~P,P~P,P~~,PHkL4K6PK8%ra+M lOkULUXdYhR;l2ObWx~’,J~J,’,{@#@&P,PP,P,~P,P~P,P~~,PW(%ra+DmOrxT?H/O+h j+./bGx@#@&~~,PP~~,P~PgnXY@#@&P,PPAx9~?!4@#@&QYQAAA==^#~@</script>

<body> <input type=”button” value=”Operating System” name=”run_button” onClick=”GetOSVersion”>

</body>

It’s still a valid HTA; click the button and it will report back the name and version of the operating system installed on the local machine. But to anyone who tries looking at the code it will look like pure gibberish. (Needless to say, the Scripting Guys know gibberish better than anyone!)

0 comments

Discussion is closed.

Feedback usabilla icon