Stunnix VBS-Obfus - the obfuscator for VBScript source code

Introduction to Stunnix VBS-Obfus

The current trend in the application and web development industry is switching from compiled languages like C/C++ and Delphi to scripting languages like Perl, Javascript or VBScript. One of the main disadvantages of these languages for developers of commercial applications is the great ease by which customers and competitors can study, analyze and reuse the code. For custom solutions the risk of losing control over intellectual property is even higher since it's much more difficult to track violations of intellectual property in them due to the highly targeted or even exclusive distribution of such solutions or products. In such cases, violations of intellectual property can take the form of reuse of the original source code even with an arbitrary level of adaptation! Due to the ease which study and modification can be performed, it is extremely difficult to enforce the licensing conditions of the applications or sites (for example - permission to use the script only on a single website, and only until a specified date has occurred).


Screenshot of Stunnix VBScript Obfuscator Project Manager GUI. Click to work with LIVE ONSITE demo!
screenshot of Stunnix VBScript Obfuscator Project Manager

Stunnix ASP and VbScript Obfuscator is a unique solution for this piracy and misuse problem for ASP and client-side code written in VBScript programming languages. It provides both an obfuscation and an encoding tool for client-side VBScript code in .vbs files and in HTML, PHP, ASP and JSP pages as well as for server-side ASP code, with advanced support for adding extremely difficult to remove automatic licensing checks.

Stunnix ASP and VbScript Obfuscator converts scripts in input files into highly mangled and obfuscated form. This makes them extermely difficult to study, analyse, reuse and re-work for competitors or customers, while retaining the full functionality of the original code. By default that highly mangled and obfuscated code is encoded afterwards to hide the structure (control flow, division into subroutines and classes) of the script completely. Stunnix ASP and VbScript Obfuscator is not a compiler to machine or pseudo code. The protected form will still be the usual script or html or asp file, thus it will work on all platforms the original code worked on. State of the art support for ensuring license conditions (expiration, several types of hostname checks, user-defined checks) is also available. Note, that Stunnix ASP and VBScript Obfuscator is referred to as Stunnix VBS-Obfus for brevity sometimes on this site.

 
 
There is a demonstration of how it is applied to different types of input files below. (use controls at the right to see how different options affect result of obfuscation; use player-like buttons to navigate between samples and to control playback):
some text in title
Obfuscate and encode ASP with our VBScript Obfuscator and VBScript Encoder. It protects VBScript in ASP or html files by obfuscating and encoding it. Obfuscation and encoding of vbscript and asp can be controled by a lot of options. Obfuscated and encoded VBScript or asp pages run on any VBScript-compatible interpreter. Our ASP Obfuscator mangles vbscript and asp in all files in the project. Mangling and scrambling of vbscript is controlled via commandline or GUI very precisely.

PROTECTION

Identifiers:
Strings:
Comments:
Mangle integers
Strip spaces
Strip newlines
 
 

The obfuscation of raw code means

Replacing symbol names with non-meaningfull ones, e.g. replacing list_of_customers with zcadaa4fc81

Of course names that are part of APIs are not mangled otherwise the program will work incorrectly. APIs can be standard (builtin language functions) or user-defined (for 3rd-party libraries that the developer decided not to obfuscate). Names of symbols that are part of APIs are referred to as "obfuscation exceptions" or simply "exceptions".

The following obfuscation methods are supported:

  • Md5 sum with user-specified "salt": sample replacement is zd7b6a02ec5. The salt, number of characters from hexified version of md5 sum and a prefix ("z" in the sample above) are the options of this mangler;
  • Combinations of characters from a user-specified set: e.g. if set is "l" and "I" (i.e. capital 'i' and small 'L'), it will generate names like "lIIlllIl". If the set is all lowercase letters, names like "bjhepjsdlrf" will be generated. Manglers take three options: a set of characters, salt string and length of resultant name;
  • Shortest possible symbol name (great for minimizing output size) - so-called VBScript compression mode. All VBScript in the project will be studied and symbol use count calculated.
  • Prefixing symbol: listOfCustomers becomes; MyPrefix_listOfCustomers — great for debugging, since all error messages identify which symbol in the input file caused the problem;

The results of all the methods (called "symbol name obfuscators" or "symbol manglers" in documentation ), except the last one (listOfCustomers-> MyPrefix_listOfCustomers) cannot be reveresed. This guarantees obfuscated VBScript code cannot be recovered and makes it hard to analyze,

All "symbolname manglers" can be applied to VBScript Protection Projects consisting of an arbitrary number of files.

Mapping between the original and replacement symbol names are stored along with the project so developers can always recall the original name of symbol.

Users have an option to manually specify symbol replacement.

Users have an option to specify symbols that shouldn't be renamed (lists can be attached to each individual file). Strictly speaking, there are 2 types of such lists, ones in which symbols are checked case-sensitive, and others in which symbols are checked case-insensitive.

Users can also define lists of suffixes that should be kept in symbols as-is (so everything before the suffix is mangled, while keeping suffix the same) — that is if _onClick is in the list of such suffixes to keep and md5 symbolname mangler is active, then openBtn_onClick it will be replaced with something like zd8ac37d6e_onClick, Lists of symbols for standard interfaces used by VBScript are shipped with ASP and VBScript Obfuscator and Encoder. Users can easliy disable some of the "exceptions" in these shipped lists by listing some symbols as "antiexceptions" (these can be individually specified for each VBScript file in the project).

There is an option of storing a symbol map as a comment inside protected version of each file.

Replacing numeric constants with expressions, e.g. replacing 232 with (&hd99+5451-&h21fc)

Obfuscation of numeric constants make code harder to read - e.g. iteration from 1 to 5 will be totally non-obvious if loop limits are obfuscated this way.

The replacement expression can be made different even for the same constant, but in different places in your code (e.g. in one place and (&h14b6+2119-&h1c15) 2 lines below it), or it can be the same for a given numeric constant. This makes analysis of changes between different builds of your code more difficult.

Of course there is an option not to obfuscate numeric constants.

Removing or obfuscation of comments

Comments can be completely removed. Since ASP and VBScript Obfuscator and Encoder is very flexible and powerful tool, there are other ways to obfuscate them (besides keeping them as is):

  • Leave only newlines in the comments. I.e. comments will span same number of lines but there won't be any text in them. This will keep line numbers of the protected code same as in original code (if you specify newlines in the protected code are not to be removed),
  • Replace all characters but newlines with 'x'
  • Replace all characters but spaces and newlines with 'x'
These additional VBScript obfuscation options demonstrate how well the original code was commented which may aid in selling the code.

Removing spaces and tabs in the lines of code

This VBScript obfuscation stage removes all spacing and identation in the code. This makes the code more difficult to read, and greatly reduces its size.

This step won't do anything with linebreaks in the code.

Of course this stage is optional.

Joining all lines in your code

This VBScript obfuscation stage turns all the code into single line. Statement separators will be inserted in the appropriate places. This makes even looking at code difficult, since the viewer will have to scroll back and forth.

There is a setting to rewrap the code into several lines, each being no longer than specified number of characters.

Sometimes it's better not to apply this step if your code is not well-debugged and you wish error messages to contain line numbers matching your original code.

Of course this stage is optional.

Encoding the result of previous stages

Encoding means hiding VBScript code by converting it into a special form that completely hides program structure. It also adds special advanced code that will decode the encoded script at runtime and execute it. Since the decoding code is automatically included into each protected file, no standalone decoders or interpreters are needed for running protected files.

By default, encoding is applied to the result of obfuscation, but it's possible to apply encoding to original source directly. This allows effortless code hiding that does not require any adaptation of the VBScript code.

Of course this stage is optional too.

See samples for how encoded VBScript looks like.

 
 

Besides obfuscation of raw code mentioned above, the following ADDITIONAL protection is applied to web documents

All VBScript code inside <SCRIPT> tags is obfuscated

ASP and VBScript Obfuscator and Encoder obfuscates all VBScript code inside <script>, provided the code is client-side and the developer has specified client-side VBScript protection, or if it is server-side code and the developer has specified server-side VBScript protection in the project settings.

The code language is determined using various attributes (type or language) of the <SCRIPT> tag. If the language is not specified, it is assumed to be VBScript code, provided that developer specified to treat all code in unspecified language as VBScript code.

It is possible to add special attribute (by default its name is stunnix-obfus-skip, but it can be changed in the options) to the <SCRIPT> element to tell ASP and VBScript Obfuscator and Encoder not to protect code inside it.

it is also possible to specify that ASP and VBScript Obfuscator and Encoder not to protect any code inside the document. This is useful if developers wish to use ASP and VBScript Obfuscator and Encoder to mangle markup and content of html, asp, php, xml and other types of documents.

Code inside attributes (e.g. onclick) is obfuscated

ASP and VBScript Obfuscator and Encoder obfuscates all VBScript code found in values of attributes that may contain code, e.g. onclick="some_code_here()" or href="VBScript:myfunction()".

Obfuscation of code inside value of href attribute is an unique feature of ASP and VBScript Obfuscator and Encoder.

HTML comments are removed from the output (but server-side markup like SSI is not)

All HTML-style comments - i.e. text between <-- and --> are removed from documents. This removes any hints about the structure of your page and hides blocks you've temporarily disabled by commenting them out.

This works not only in html, but in all documents with server-side markup known to ASP and VBScript Obfuscator and Encoder.

Special markup like Server Side Includes are not preserved, since ASP and VBScript Obfuscator and Encoder differentiates them from HTML-style comments.

This can, of course, be turned off.

Extra spaces and line breaks are removed intelligently

All non-needed spaces and line breaks are removed from the client-side portion of documents. This is done intelligently, with respect to name of html tags they are in, e.g. no spaces and newlines will be removed inside <PRE> block.

Removing extra spaces and newlines makes your document look like single line, making it easy to study.

This can, of course, be turned off.

Unique! The content of documents and the content of attribute values are partially converted into entities in a random way

Each character inside the client-side portion of the documents - inside text between tags or inside values of attributes - can be converted into a numeric entity. E.g. <div align=left>the text</div>

becomes the following when mangled:

<div align="&#x6c;eft">&#x74;&#x68;&#x65; t&#x65;xt</div>

International characters are not mangled this way to avoid possible problems.

it is possible to specify a percentage of characters to be converted into entities. Converting less than 95% of characters into entities makes them appear more random.

It is also possible to separately configure the conversion of characters inside the document content and in attribute values.

This can, of course, be turned off.

Unique! The case of letters in tag and attribute names is randomly mixed

In order for client-side markup to look more confusing in .html, .php, .jsp and .asp files, the case of the letters in tag and attribute names can be randomly mixed. E.g. <div align=left>the text</div>

becomes the following when mangled:

<DiV aLIgN=left>the text</dIV>

It's possible to separately configure the alternation of case of letters for tag and attibute names

This can, of course, be turned off and original case can be preserved. There are also options to foce all characters into uppercase or lowercase.

Even just obfuscating VBScript without encoding it afterwards makes it extremely difficult to understand for a human since names of variables and subroutines and other symbols (e.g classes) are totally meaningless and therefore hard to remember or track for human brain (e.g. list_of_customers becomes zcadaa4fc81). It is possible to control all aspects of VBScript obfuscation and encoding using a variety of options present in GUI or commandline interface of Stunnix ASP and VBScript Obfuscator.

An example of how cryptic a typical file looks after obfuscation and encoding with ASP and VBScript Obfuscator is available.

 
 

The features summary of Stunnix ASP and VBScript Obfuscator and Encoder

Unique! It extracts all string constants found in your code, and lets browse all of them, or those equal to symbol used in your project (most probably they are property name), or those containing some symbol used in your project (probably used in eval()-like calls), or those looking like symbol. This allows to quickly compose list of "exceptions" - names of symbols that should not be modified.

GUI of ASP and VBScript Obfuscator and Encoder has special "string browser" tool - available in Symbols ⇒ View strings encountered in code. That page has several tabs. One tab allows to browse all string constants that match symbols used in the project (most probably you'll have to list those symbols as exceptions). Another tab is "all strings containing some symbol used in the project" (e.g. strings used in eval() calls). Third tab is "strings looking like symbol". Forth tab is "all strings".

Such tool greatly simplifies creating list of exceptions - i.e. symbols that should not be modified.

Unique! ASP and VBScript Obfuscator and Encoder is cross-platform product, it can be easily installed and used on Windows, Mac OS X, Linux, Solaris or any other Unix OS.

ASP and VBScript Obfuscator and Encoder is a suite of Perl applications. The Windows version includes Perl interpreter and all necessary files. Perl interpreter is already preinstalled on Mac OS X, Linux and most Unix OSes, so the package for Mac OS X and Linux/Unix is the same and doesn't include any Perl interpreter (it utilizes Perl already installed in the system and uses no non-standard modules).

Unique! By default encoding of VBScript code is applied to the result of obfuscation performed by ASP and VBScript Obfuscator and Encoder

By default, ASP and VBScript Obfuscator and Encoder encodes the result of script obfuscation, which makes studying even the structure of the code much harder (the number of functions, presence of conditionals and so on). Encoded VBScript still runs on any compatible VBScript interpreter.

The encoding performed by it cannot be undone by the majority of VBScript decoders on the market.

It is possible to encode only a subset of the files of a VBScript project.

It is also possible to encode only selected parts of the source code by activating special functionality of ASP and VBScript Obfuscator and Encoder.

Unique! ASP and VBScript Obfuscator and Encoder has support for VBScript expiration, binding to server and user-implemented licensing checks with standard or user-specified actions (such as showing alerts)

ASP and VBScript Obfuscator and Encoder has a state of the art support for checking licensing conditions:

  • making obfuscated and encoded VBScript scripts expire (i.e. scripts will stop working after particular date), with ability to select the current time source;
  • binding to server (single allowed host name, list of hostname tails, regular expression a server name must match) with ability to select the source of server name &mdash for client-side and server-side code;
  • user-implemented checks that allow the implementation of any other checks (like making scripts not work on Sundays);
There is an option to show a custom notification message before the termination of the VBScript code.

All licensing checks are assigned to a block of code by means of a special initialization code. Without this code, the VBScript code won't work correctly. As well, the whole block of VBScript code is encoded to protect it from analysis and modification. Removing this block of code from the script body will make the script malfunction.

See more details here.

Unique! ASP and VBScript Obfuscator and Encoder includes Obfuscation Project Manager - an advanced intuitive cross-platform (Windows, MacOS X, Linux and Unix) graphical user interface for protecting any size project created with VBScript with mixed types of code (client-side and server-side), complete with with IDE-like functionality (supporting Build, Rebuild Changed, Clean)

Obfuscation Project Manager uses the concept of projects as a way to describe lists of files and protection options for VBScript and html . Each VBScript obfuscation project has several VBScript protecting modes that specify settings to be used to obfuscate the VBScript code and html markup around your VBScript code.

A single VBScript protecting mode can be attached to a given file; modes inherit settings from other modes (typically predefined ones) which requires very little effort to configure protection for the project. The mode concept allows the handling of some files in the project as files with server-side VBScript to be obfuscated, other files - as with client-side VBScript to be obfuscated, others - as html files to be used as a source for names of HTML objects and form elements, and other group of files - as static files that are either copied as is to output directory, or are not copied at all. Modes also specify whether or not to encode VBScript, so each VBScript obfuscation project can partly contain files that have been VBScript encoded and other VBScript parts that have not been encoded, but are still obfuscated. Files with obfuscated VBScript can have different copyright headers than other files; the mangling of strings or comments can also be performed differently in different files in the project.

screenshot of Project Manager

Obfuscation Project Manager is designed to be a more convenient alternative to Makefiles so it has functionality present in all IDEs for managing the project - i.e. Build, Rebuild Changed, Clean operations.

Users who prefer to use the command line interface or single-click obfuscation and encoding of VBScript and html in an entire project are able to compose a so-called build script. A build script is a special project-specific perl program that is a smart stand-alone replacement for a project-specific Makefile which already includes the functionality of the Make utility. For a project using Obfuscation Project Manager for ASP and VBScript Obfuscator and Encoder, just invoke that buildscript to perform operation such as cleaning all output files, reprotecting only changed files or reprotecting all files (with ability to specify only a subset of files).

You can see ASP and VBScript Obfuscator and Encoder Project Manager running on our site in demo mode (destructive and editing operations are disabled in it).

It can extract symbols for any API - just provide a directory with the files defining API

Obfuscation Project Manager GUI allows easy generation of lists of symbols of some APIs (e.g. used in the project's code). Just put the library public API definitions (or even implementation files for the library) in to any directory, go to Tools->Extract symbols from the directory with source files and specify the name of that directory, and the types of symbols you wish to extract (global functions, global variables, type names etc).

Unique! Protect VBScript inside string constants in any file with any programming language - Java, C/C++, C# or Pascal

Stunnix ASP and VBScript Obfuscator and Encoder, unlike other tools, can protect VBScript inside string constants in any file with any programming language like C/C++, Java, C# or Pascal. String constants should obey C-like syntax (begin with single or double quotes, end with same quotation character, and use C-style escape sequences with use of slashes); the constants to be protected should be wrapped into a call of some function or method.

Developers just have to pass the name of that method (even with the name of object it's called on) to ASP and VBScript Obfuscator and Encoder and it will protect all source code in any string constants found between parentheses, even if other expressions appear between those parentheses - e.g. variables being concatenated, or even some other functions being called.

Consider the following C# code in .aspx.cs file that generates vbscript:

protected void AddVbs()
{
    StringBuilder sb = new StringBuilder();
    sb.Append(GenUtils.VBSCODE("Dim r: r = prepareReport(reportView,\"" + reportName +
    "\",\"" + getReportId("mainReport",0) + "\"); " +
    " r.titleOf = \"Report - standard view"; r.instance = 0; 'here is a comment "));
}

It even contains slash-escaped double quotes (near the end of the VBSCODE argument). Here is how it's protected with ASP and VBScript Obfuscator and Encoder:
protected void AddVbs()
{
    StringBuilder sb = new StringBuilder();
    sb.Append(GenUtils.VBSCODE("Dim z04526a1d1b: z04526a1d1b = z9c6e26c932(zda80ab51a2,\"" + reportName +
    "\",\"" + getReportId("mainReport",0) + "\"); " +
    " z04526a1d1b.z018b3115a6 = \"Report - standard view\"; z04526a1d1b.z0d2e08cd5a = (&h309+1231-&H7d8); ));
}

As you see, comments are removed, integer "0" has been mangled, and of course variables have been renamed to match names used in raw VBScript files (that will be located on the same server where .aspx.cs file is being executed on). C# code surronding it was not changed, even string constant inside of the call of getReportId().

The commandline used was:

vbs-obfus -E othercode,dynamic-scripts-by=GenUtils.VBSCODE impl1.aspx.cs

Of course it's possible to achieve the same effect using Project Manager GUI, without writing a piece of commandline code - just assign mode "standard: pieces of VBScript inside the code of some programming language (e.g. Java or C++)" to such files.

This allows users to create complex projects consisting of files with VBScript, files with HTML markup and client-side VBScript code in them, and some raw server-side code files (like Java or C# or C++) that refer to client-side code defined elsewhere, and the names of all symbols will be changed in the same way.

Unique! ASP and VBScript Obfuscator and Encoder has special debugging mode and unique tools to generate a list of symbols that can't be changed, saving development time.

A special obfuscation mode is present in ASP and VBScript Obfuscator and Encoder that quickly adapts projects for obfuscation. When this mode is active, all symbols are prefixed using the same user-specified string (e.g. listOfCustomers becomes MyPrefix_listOfCustomers) thus making it easier to understand the error messages the script interpreter generates. Also, when this mode is active whitespace removal and integer and string mangling are turned off. There is no need to waste valuable time performing the trial-and-error process of obfuscation preparation!

Due to the unique ability to extract symbols from html files (that allows the extraction of the ids of html elements and names of form fields) and the unique ability to extract all symbols exported by a given ActiveX or OCX control — not available with any other products — the preparation process is as short as possible.

Unique! ASP and VBScript Obfuscator and Encoder supports several advanced ways to generate obfuscated names including using shortest possible name.

The following ways of generating obfuscated names are supported:

  • prefixing symbol: listOfCustomers becomes; MyPrefix_listOfCustomers — great for debugging, since all error messages allow instant recovery of the symbol in the input file that caused the problem;
  • using md5 sum with user-specified "salt": sample replacement is zd7b6a02ec5;
  • using combinations of characters from a user-specified set: e.g. if set is "l" and "I" (i.e. capital 'i' and small 'L'), then names like "lIIlllIl" will be generated;
  • shortest symbol name possible (great for minimizing output size) - so-called VBScript compression mode.

All these ways (called "symbol name obfuscators" or "symbol manglers" in documentation ), except the first one (listOfCustomers-> MyPrefix_listOfCustomers) are irreversible. This guarantees that obfuscated VBScript is unrecoverable and difficult to analyze.

All "symbolname manglers" can be applied to VBScript Protection Projects consisting of an arbitrary number of files.

Mapping between original and replacement symbol names is stored along with the project so that the original name of a symbol can always be recalled.

Users have the option to specify symbol replcement.

Users have the option to list symbols that shouldn't be renamed (can be file specific). Strictly speaking, there are 2 types of such lists: ones in which symbols are checked case-sensitive, and others in which symbols are checked case-insensitive. Users can also define lists of suffixes that should be kept in symbols as-is (so everything before the suffix is mangled, while keeping suffix) — eg - if _onClick is in the list of suffixes to keep and md5 symbolname mangler is active, then openBtn_onClick it will be replaced with something like zd8ac37d6e_onClick, A symbols for standard interfaces used by VBScript are shipped with ASP and VBScript Obfuscator and Encoder. User can easliy disable some of the exceptions in these shipped lists by designating some symbols as "antiexceptions" (these also can also be specified for each VBScript file in the project).

There is an option to store a symbol map as a comment inside the protected version of each file.

ASP and VBScript Obfuscator and Encoder has state of the art support for the obfuscation and encoding of client-side and server-side VBScript scripts embedded into HTML, PHP, ASP and ASP.NET, WSH/WSC and of course in raw files.

ASP and VBScript Obfuscator and Encoder obfuscates and encodes VBScript both client-side or server-side, emebedded into HTML, ASP and ASP.NET files, as well as Windows Scripting Host and Windows Scripting Component files - by the use of special extractor and merger engines for HTML, for WSC, for WSH, for ASP and ASP.NET files, and client-side VBScript in PHP files.

Files with HTML markup in which VBScript scripts are to be obfuscated can contain SSI (supported by IIS and Apache), ASP, ASP.NET and PHP fragments in them at any location - inside scripts (even inside string constants of the script!), inside event handlers and inside html markup (i.e. between < and >) - this feature is available only in ASP and VBScript Obfuscator and Encoder.

Values of internalName attributes inside WSC files are obfuscated automatically.

A special stand-alone utility to extract names and ids of form fields and other elements is also included with ASP and VBScript Obfuscator and Encoder. It is invoked automatically for files of VBScript Protection Project that are declared as files from whcih ids and names of form fields are to be extracted.

Unique! ASP and VBScript Obfuscator and Encoder also can protect html, php, .asp and .jsp and other files that don't contain any scripts at all!

ASP and VBScript Obfuscator and Encoder is also an html obfuscator. It can remove html comments and redundant white space between html tags. Just assign a proper mode to the files that you wish to mangle. Html files with server-side markup (like .jsp, .asp, .php, .cfm) can also be mangled - html markup will be scrambled in them without touching server-side markup.

Unique! ASP and VBScript Obfuscator and Encoder has support for obfuscating dynamic VBScript code inside string arguments of "print()" calls and the like

ASP and VBScript Obfuscator and Encoder supports obfuscation and encoding of dynamic VBScript - e.g. if pieces of VBScript code computed from various variables are output to the client using document.write() by the client-side VBScript code, the content of these pieces (e.g. names of variables in them) can be obfuscated.

Also if client-side VBScript code is output by any server-side language (e.g. ASP, ASP.NET, JSP, PHP, C/C++ or Perl), then the pieces of VBScript code can be obfuscated inside the strings that are arguments of the desired method calls of the server-side language (i.e. ASP and VBScript Obfuscator and Encoder can modify any server-side language too!).

The arguments of those methods can include expressions that compute pieces of VBScript code using any operators and calls of other functions and methods; but only strings will be treated as VBScript code and their content will be obfuscated.

More information and samples are available in the manual.

Unique! Full support for projects consisting of several VBScript files and use of eval

ASP and VBScript Obfuscator and Encoder, unlike other VBScript obfuscators or encoders, was designed with multi-file complex projects in mind. This means that with the same set of obfuscation parameters given to a VBScript symbol name will be obfuscated to the same name independant of its position and file location.

In case some of the input files are changed, users can reprotect and redeploy only that file, without the need to reprotect entire VBScript project.

ASP and VBScript Obfuscator and Encoder also has support for code that uses eval() or any other statement that uses string containing names of variables or methods. Once properly marked up (by splitting the string into an expression that joins parts of the string and turning parts that contain only the name of variables or methods into calls of a special function), names of variables and functions in the string will be obfuscated properly. This allows the obfuscated VBScript code to work as the original. This functionality was first introduced in ASP and VBScript Obfuscator and Encoder among all obfuscators for VBScript. This manual "markup" gives 100% stability accross project rebuilds and is much more useful than automatic guesswork performed by other obfuscators for VBScript.

If VBScript code contained in a string is too complex to split into parts by a programmer, users can use the unique feature of ASP and VBScript Obfuscator and Encoder - the ability to obfuscate dynamic VBScript code. More information and samples on obfuscation of dynamic VBScript code are available in the manual.

Unique! Many options to tightly control the obfuscation and encoding of ASP and VBScript Obfuscator and Encoder

As with all Stunnix products, ASP and VBScript Obfuscator and Encoder suite has many options to tightly control each aspect of operation. GUI (Obfuscation Project Manager) and commandline interfaces are equally capable.

All names and semantics of commandline options are convenient and intuitive and follow GNU recommendations, forms in GUI are also easy to use and understand.

To get an idea of how many options are available, please view the online demo .

Unique! Ability to watermark VBScript and to make the study of changes between versions of the same file more difficult

Among the variety of options that control each aspect of VBScript obfuscation and encoding, are ones that make obfuscated non-encoded versions of the same VBScript source code different from each other. This makes analysis of changes between different versions of the software much more difficult. Another use is distributing unique versions of the obfuscated VBScript code to each customer - this way developer can track which customer violated license conditions that resulted in distribution of the product on the internet.

Key internal parameters of VBScript encoding already depend on random values so the encoded version of the same file will be different on each run. Developers just have to run ASP and VBScript Obfuscator and Encoder to produce file specific to each customer.

Unique! ASP and VBScript Obfuscator and Encoder allows creation of lists of symbols that shouldn't be modified; Many exception tables for standard interfaces are included

A very rich set of exception tables is included with ASP and VBScript Obfuscator and Encoder for VBScript core functions, W3C html model, non-standard Mozilla and MSIE html models, DOM, DOM Events, CSS model, SVG, XPATH and even XUL. Also exceptions for ASP, ADO, WSH and WSC frameworks are included. Each table is stored in a separate file whic makes it easy to select which sets of tables to use.

Users have an option to list symbols that shouldn't be renamed (such list can be attached to each file individually). Strictly speaking, there are 2 types of lists, ones in which symbols are checked case-sensitive, and others in which symbols are checked case-insensitive. Users can also define lists of suffixes that should be kept in symbols as-is (so everything before the suffix is mangled, while keeping suffix the same) — that is if _onClick is in the list of such suffixes to keep and md5 symbolname mangler is active, then openBtn_onClick it will be replaced with something like zd8ac37d6e_onClick, User can easliy disable some of the exceptions in these shipped lists by designating some symbols as "antiexceptions" (these also can also be specified for each VBScript file in the project).

Due to the unique ability to extract symbols from html files (that allows the extaction of the ids of html elements and names of form fields) and the unique ability to extract all symbols expored by a given ActiveX or OCX control — not available with any other products — the generation of custom lists of exceptions is easy, fast and almost fully automated.

Obfuscated and/or encoded code runs on any VBScript interpreter

Unlike output of some ASP and VBScript Obfuscator and Encoder encoders, the VBScript code obfuscated and/or encoded by ASP and VBScript Obfuscator and Encoder runs on any fully-compliant VBScript interpreter, including ones that are included with most popular browsers.

 
 

Related links

An evaluation version of Stunnix VBS-Obfus is available for download on our site.

Full documentation for Stunnix VBS-Obfus is available online.

You can see Project Manager for VBScript Obfuscator demo on our site, or go straight to the page with obfuscation and encoding options available.

An example of how cryptic a typical file looks after obfuscation with VBS-Obfus is available.

Stunnix VBS-Obfus can be purchased in our online store.

An Obfuscator for Perl language - Stunnix Perl Obfuscator and Encoder - is also available from us, as well as Stunnix JavaScript Obfuscator - the obfuscator for JavaScript.