Encrypting VBA code (half way there?)



vgenet
08-07-2008, 07:09 AM
Hey VBA people... I already posted this on another forum and talked about it there, but I thought I would share it with everyone here since it's all about VBA.

I set myself out on a mission to find a way to encrypt VBA code and decrypt/execute it on the "fly". I came across a lot of trouble with the code until I came up with this (and it still can't exactly be classed as a true encryption of the code), only encrypting half of it. So here it is:

Sub EncryptedCodeSub()
' "1ih" xoBgsM
' "2ih" xoBgsM
' "3ih" xoBgsM
End Sub

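Sub Auto_Open()
    ' Needs "Trust access to the VBA project object model" to be enabled.
    Dim lines() As String
    Dim a As String, b As String
    Dim i As Long
    Dim Project As Object
    With ThisDocument
        Set Project = .VBProject
        ' Read the three commented, reversed lines (module lines 2-4).
        a = Project.VBComponents(1).CodeModule.lines(2, 3)
        lines = Split(a, vbCrLf)
        ' Strip the comment marker and reverse each line back into source.
        For i = 0 To UBound(lines)
            b = b & vbCrLf & StrReverse(Replace(lines(i), "'", ""))
        Next
        ' Insert the recovered code (blank line + 3 statements), run it, remove it.
        Project.VBComponents(1).CodeModule.InsertLines 2, b
        EncryptedCodeSub
        Project.VBComponents(1).CodeModule.DeleteLines 2, 4
    End With
End Sub

Of course I "could" write a DLL in VB6 and add that DLL as a Reference in my project - but that's out of the subject.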

ps: yes, I know reversing a string is not encryption ;)

or you could obfuscate the encryption/decrypting sub

Sub Auto_Open()
Dim r1743435449() As String: Dim r17506438749 As String
With ThisDocument: Set r17546434449 = .VBProject
a = r17546434449.VBComponents(((2 Mod 6) * 1) - 1).CodeModule. _
lines(2 Mod 6 * 1, 3): r1743435449 = Split(a, vbCrLf): For i _
= 2 Mod 1 To UBound(r1743435449): r17506438749 = r17506438749 & _
vbCrLf & StrReverse(Replace(r1743435449(i), "'", "")): Next
r17546434449.VBComponents(1).CodeModule.InsertLines (2 Mod 6) * 1 _
, r17506438749: EncryptedCodeSub: r17546434449.VBComponents(((2 _
Mod 6) * 1) - 1).CodeModule.DeleteLines 2 Mod 5, (3 Mod 8) + 1
End With: End Sub

Oorang
08-07-2008, 08:56 AM
Microsoft tried this themselves with Windows Script Encoder (http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en) and it didn't take too long for it to get cracked. The fundamental problem with this idea is that to encrypt script without a radical change in your virtual machine, you have to use symmetrical encryption. Which is to say, you have to be able to recover the original value. And the key, for obvious reasons, gets hard-coded (assuming one is even used). So once it is cracked (http://www.aspheute.com/english/20011123.asp), it's cracked forever, for all code.

In this example, anyone with access to the project can still get the text. All you have to do is step through the sub that "decrypts" it. And sadly VBA projects aren't all that hard to get in to.

Another concern with this example is that it is essentially polymorphic code, which is used by some less than honorable people to change their code signature. Most antivirus companies also know about this approach, and that is one of the (many) reasons that quite a few AV companies cause their software to auto-trigger an alert on any Office document that references the VBIDE. So if you are using it for legitimate purposes it may still get flagged anyway... Which would be suboptimum.

Some interesting white papers on the topic:
http://www.math.ias.edu/~boaz/Papers/obf_informal.html
http://www.math.ias.edu/~boaz/Papers/obfuscate.html
http://en.wikipedia.org/wiki/Obfuscated_code#Disadvantages_of_obfuscation


At best, code obfuscation is a deterrent. But it's also a two-edged sword, as it will also provoke curiosity. If I see obfuscated code, the first thing that goes through my mind is "Hmm, let's see what they thought was worth hiding."
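
Both points in the reply above can be checked from the macro source alone. The Python sketch below is an added example, not code from the thread: it flags references to the VBIDE object model and undoes the comment/StrReverse step statically, so the hidden statements are read without running the macro. The sample module is constructed from the first post; the function names and the keyword shortlist are assumptions.

```python
import re

# Constructed sample: the module from the first post as plain source text
# (Auto_Open abridged to the lines that touch the VBIDE object model).
SAMPLE = '''Sub EncryptedCodeSub()
' "1ih" xoBgsM
' "2ih" xoBgsM
' "3ih" xoBgsM
End Sub

Sub Auto_Open()
With ThisDocument: Set Project = .VBProject
a = Project.VBComponents(1).CodeModule.lines(2, 3)
Project.VBComponents(1).CodeModule.InsertLines 2, b: EncryptedCodeSub
Project.VBComponents(1).CodeModule.DeleteLines 2, 4
End With: End Sub
'''

# VBIDE members that let a macro read or rewrite its own code.
SELF_MODIFY = ("VBProject", "VBComponents", "CodeModule",
               "InsertLines", "DeleteLines", "AddFromString")
# Assumed shortlist of statement keywords used to recognise hidden code.
VBA_STARTERS = {"msgbox", "dim", "set", "call", "shell", "if", "for", "open"}

def self_modify_hits(source):
    """Map each VBIDE indicator to the line numbers where real code uses it."""
    hits = {}
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("'", 1)[0]  # crude comment strip (ignores quoted ')
        for name in SELF_MODIFY:
            if re.search(r"\b%s\b" % name, code, re.I):
                hits.setdefault(name, []).append(no)
    return hits

def recover_reversed_comments(source):
    """Undo the Replace/StrReverse step statically, without running the macro."""
    found = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):
            plain = line.replace("'", "")[::-1].strip()
            if plain.split(" ", 1)[0].lower() in VBA_STARTERS:
                found.append((no, plain))
    return found

if __name__ == "__main__":
    print(self_modify_hits(SAMPLE))
    for no, stmt in recover_reversed_comments(SAMPLE):
        print("line %d hides: %s" % (no, stmt))
```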

vgenet
08-07-2008, 09:40 AM
Seems the good old virus writers never went as far as to create self replicating code instead of having their virus read itself.

Anyhoo, thanks for these papers!

Oorang
08-07-2008, 12:40 PM
> Seems the good old virus writers never went as far as to create self replicating code instead of having their virus read itself.
>
> Anyhoo, thanks for these papers!

Erm, virus writers never wrote a virus that self replicated?

vgenet
08-13-2008, 12:15 PM
> Erm, virus writers never wrote a virus that self replicated?

What I meant is, self reproducing :yes Usually they're looking for new ways to infect a file, such as poisoning the .NOTE section, padding and prepending to the original file, and of course EPO, etc. The typical polymorphism days (like variable changing, trash) are pretty much over, at least for the serious coders.

The scene is dead. But there still exist ideas that are basically too complicated for even the most advanced of programmers to handle; that would for example be Metamorphism. Tried and failed.

Oorang
08-13-2008, 03:08 PM
What hung you up?

vgenet
08-13-2008, 05:24 PM
> What hung you up?

work :(