Stunnix VBS-Obfus - the obfuscator for VBScript source code

Introduction to Stunnix VBS-Obfus

The current trend in the application and web development industry is switching from compiled languages like C/C++ and Delphi to scripting languages like Perl, Javascript or VBScript. One of the main disadvantages of these languages for developers of commercial applications is great ease of studying, analysing and reuse of source code texts of the applications written in these programming languages by customers and competitors. For custom solutions the risk of losing control over intellectual property is even much higher since it's much more difficult to track violations of intellectual property in them due to the highly targeted or even exclusive distribution of such solutions or products - so in such cases violations of intellectual property can be in form of reuse of original source code even with arbitrary level of adaptation! Due to the ease of study and modification, it's extremely difficult to ensure licensing conditions of the code are met too - for example that the script is used only in the documents that came from the hosts it was licensed to, and only till the date it was licensed to run.

Stunnix VBS-Obfus is the unique solution for this problem for code written in VBScript programming language - it's both the obfuscator and encoder for VBScript source code that has advanced support for adding extremely difficult to remove automatic checks of licensing conditions and can process code inside HTML and ASP files. It converts the VBScript source code (in the pure .vbs files or embedded inside HTML or ASP pages or WSC/WSH files) into highly mangled and obfuscated form, making it extermely difficult to study, analyse, reuse and re-work for competitors or customers, while fully retaining functionality of the original blocks of source code. By default that highly mangled and obfuscated code is encoded afterwards to hide the structure of the script completely. Stunnix VBS-Obfus is not a compiler to machine or pseudo code - the obufscated form will still be the usual VBScript source code. State of the art support for ensuring license conditions (lifetime expiration, several types of hostname checks, user-defined checks) is also present in Stunnix VBS-Obfus.

The obfuscation means:

replacing all symbol names it's possible to with the non-meaningfull ones, e.g. replacing files with zcadaa4fc81, while preserving syntaxical and semantical correctness of the source code. Of course predefined symbols like Len and symbols from the third-party libraries the VBScript source code uses will be left the same so the obfuscated code will still work without requiring to obfuscate those third-party VBScript libraries or components;
substitution of numeric values with the arithmetic expressions using (random or constant for the same numeric value as requested by the options) decimial and hexadecimial numeric values that evaluate to the same value;
replacing strings with interpolated variables with the concatenation of the appropriate components;
removing extra white spaces;
jamming as much code on each line as possible.

The encoding means converting code into special form that completely hides program structure and adding a special advanced decoding code, that will decode the code at runtime and execute it. Since the code to decode encoded body is automatically included into each file, no standalone decoders or interpreters are needed. By default encoding is applied to the result of obfuscation, but it's possible to apply encoding to original source to allow effortless code hiding not requiring any changes to the code to be hidden.

Even only obfuscated code with no encoding applied is extremely difficult to understand for a human since the name of variables and subroutines and other symbols are totally meaningless and hard to remember (e.g. files becomes zcadaa4fc81). It's possible to control all aspects of code hiding using the commandline switches of the VBS-Obfus. An example of how cryptic typical file after obfuscation and encoding with VBS-Obfus looks like is available.

The features summary of Stunnix VBS-Obfus:

Stunnix VBS-Obfus features in detail

Project Manager - an advanced user interface for projects of any complexity

Power and flexibility of Stunnix Obfuscators are now available via graphical user interface, eliminating the need to even read descriptions of commandline options supported! Stunnix Obfuscator Project Manager - an advanced intuitive cross-platform graphical user interface is included. It allows to protect projects of any complexity, consisting of files of any type, and possibly including code of any type (client-side, server-side, .asp pages with both server side and client-side code, .html files with client-side code), even allowing code in some files to be processed with different sets of options or even not processed at all. It has 'build project' functionality available in most popular IDEs that will result in processing only files which are more fresh than their protected version; files free from code (like images or .css files) will simply be copied to the directory with protected version of the project, allowing to use Project Manager as a generic replacement for 'Make'-like utility. It completely eliminates the need to compose and invoke commandlines manually, all operations can be performed using mouse.

Users who prefer to use commandline will be able to compose build script (a special project-specific perl program that effectively is a smart stand-alone replacement for project-specific Makefile that already includes functionality of the Make utility) for a project using Project Manager and just invoke that build script to perform desired operation like cleaning all output files, rebuilding only changed files or rebuilding all files (with ability to specify only a subset of files to be subject of an operation).

You can see Stunnix VBS-Obfus Project Manager running on our site in demo mode (destructive and editing operations are disabled in it).

By default encoding is performed on the result of obfuscation

Stunnix VBS-Obfus by default encodes the result of obfuscation, thus making much harder to study even the structure of the code. It's even possible to encode only selected parts of the source code by activating special mode of Stunnix VBS-Obfus.

Support for ensuring license conditions

There is a state of the art support for script expiration and several variants of server hostname checking (single allowed host name, list of hostname tails, regular expression hostname should match). There is an option to show custom notification message; the execution of the script is terminated afterwards in any case. User-defined checks with actions are also supported at the same time too. All checks are grouped in the block of code, to which the special initialization code is added without which the script won't work correctly, and the whole resultant block is encoded to protect it from analysis and modification. This block of code can't be removed from the script body without making it malfunctioning. Several sources of information about current time and server host name are suported. See more details here.

Supports source compression mode

Stunnix VBS-Obfus supports source code compression mode via the use of special aid included- in this mode symbols are renamed to the shortest random allowed symbol name possible in order to minimize resultant size of output (the more used symbols are renamed to the shorter symbols). This turns Stunnix VBS-Obfus into so-called "source code compressor" tool. This module works perfectly for multimodule projects too.

State of the art support for obfuscation/encoding of VBScript embedded into HTML, PHP and ASP, WSC and WSH files

Stunnix VBS-Obfus supports obfuscation and encoding of VBScript code, both client-side or server-side, emebedded into HTML and ASP pages, and code embedded into Windows Scripting Host and Windows Scripting Component files - by the use of special extractor/merger engines for HTML, ASP, Windows Scripting Components (WSC) files and Windows Scripting Host (WSH) files and client-side VBScript in PHP files.

Files with HTML markup in which scripts are protected can contain SSI/ASP/PHP fragments in them at any location - inside scripts (even inside string constants of the script!), inside event handlers and inside html markup (i.e. between < and >) - the feature available only in Stunnix VBS-Obfus. It also allows to minimize size of html in HTML/ASP/PHP files by removing extra spaces and newlines in the html text itself.

Values of internalName attributes inside WSC files are obfuscated automatically.

A special utility to extract names and ids of form fields and other elements is also included. It's even possible to protect both server-side and client-side code at the same time in the same file (though it will require 2 invokations of the VBS-Obfus).

Support for obfuscation of dynamic VBScript code inside "print"-like calls of client-side code or inside almost any server-side language like ASP/JSP/PHP/C/Perl

Stunnix VBS-Obfus supports obfuscation and encoding of dynamic VBScript - e.g. if pieces of VBScript code computed from various variables are output to the client using document.write() by the client-side VBScript code, the content of these pieces (e.g. names of variables in them) can be obfuscated.

Also if client-side VBScript code is output by any server-side language (e.g. ASP, ASP.NET, JSP, PHP, C/C++ or Perl), then the pieces of VBScript code can be obfuscated inside the strings that are arguments of the desired method calls of the server-side language.

The arguments of those methods can include expressions that compute pieces of VBScript code using any operators and calls of other functions and methods; but only strings will be treated as VBScript code and their content will be obfuscated.

More information and samples are available in the manual.

Special mode for as quick preparing of project for protection as possible

A special obfuscation modes are present that let project to be adapted for obfuscation very quickly. There is no need to spend valuable time while performing trial-and-error process of preparation. Due to availability of unique utilities for symbol extraction not available with any other products, the preparation process is short as theoretically possible.

Comes with rich set of exception tables

A very rich set of exception tables is included for VBScript core functions, W3C html model, non-standard Mozilla and MSIE html models, DOM, DOM Events, CSS model, SVG, XPATH and even XUL - for client-side web scripts, and list of exceptions with names of objects and their methods available to scripts in ASP pages. Also exceptions for ADO/ WSH/ WSC frameworks are included. All events for client-side web scripts and server side ASP scripts and WSH events are also supported, and there is a support for custom event names. Each exception table is stored in a separate file, it's easy to select what set of tables to load on a given invokation or all invokations of Stunnix VBS-Obfus due to a rich set of commandline options and configuration file.

Included are utilities to gather project-specific exceptions

Unique utilities to gather project-specific exceptions are included: utility to gather html form fields' names and IDs of html elements, and ability to extract all symbols from ActiveX or OLE components.

These utilities are a must have ones for any professional Obfuscator; without them composing lists of exceptions for a project of even medium size is very time-consuming, dull and error-prone process, most typically accomplished by using trial-and-error technique.

The functionality of both utilities is fully integrated into Project Manager user interface and thus can be carried on by using mouse only.

Obfuscated and/or encoded code runs on any VBScript interpreter

Unlike output of some VBScript encoders, the code obfuscated and/or encoded with Stunnix VBS-Obfus runs on any fully-compliant VBScript interpreter.

Full support for products consisting of several VBScript files and use of eval

Stunnix VBS-Obfus, unlike other tools, was designed with multi-file complex products in mind. It means that with same set of obfuscation parameters given symbol name will be obfuscated to the same name independant of its position and file it's located in. Stunnix VBS-Obfus also has support for code that uses eval() (and Execute/ExecuteGlobal functions) with argument that is string containing names of variables and functions - once properly marked up, the names of variables and functions in the string will be obfuscated properly too, thus allowing the obfuscated code to work correctly.

Full support for keeping library files application uses in non-obfuscated (original) form

Some VBScript applications use third-party libraries or even COM/CORBA objects. In case of third-party COM/CORBA objects, there is no way to make their method and property names to become obfuscated, and in case of third-party libraries licensing conditions most often disallow modification of those modules, thus there are no options except shipping them in original, non-obfuscated form. Stunnix VBS-Obfus perfectly allows such cases with the concept of the exception lists - a lists of names that shouldn't be obfuscated; some means to generate such exception lists from the source to be obfuscated are also present in Stunnix VBS-Obfus.

A lot of options to tightly control the obfuscation

As all Stunnix products, programs of a Stunnix VBS-Obfus suite have a lot of commandline options to tightly control each aspect of their operation. All options have intuitive names, and there is extensive documentation on each option available. Default options for main part of the Stunnix VBS-Obfus suite can be stored in a globally-visible file in order to make use of it more convenient.

There is free very useful web-based commandline builder for VBS-Obfus too; it's very useful for getting impressions of what abilities VBS-Obfus provides.

Means to make analysis of changes between different releases of the obfuscated product more difficult

Among a variety of options that control each aspect of obfuscation and encoding, there are ones that make only obfuscated versions of the same source code to be different from each other. This can be used to make analysis of changes between different versions of the software much more difficult. Another use is distributing unique versions of the obfuscated code to each customer - this way developer can track which customer violated license conditions that resulted in distribution of the product to somebody else.

Key internal parameters of encoding already depend on random values, so the encoded version of the same file will be different on each run.

Easy to install on any Unix/Linux or Windows workstation or server

Stunnix VBS-Obfus is a suite of Perl applications. It requires a Perl interpreter to run, if you don't have one, you can install the one supplied by your OS vendor or download it for free from ActiveState. No additional non-standard Perl modules are required for Stunnix VBS-Obfus to run.

It's used just fine on Linux, WindowsXP and Windows98.

Stunnix VBS-Obfus comes as an archive file in tar.gz format. It needs to be extracted to any directory you like. Optionally one can set default values for the site-specific options in the configuration file, however most people won't need to change the defaults.

Web-based commandline builder is available

Despite the fact that primary interface to Stunnix VBS-Obfus is commandline-based, there is very useful commandline builder for VBS-Obfus available. There is a link to the documentation near each form field, that fully explains the purpose and semantics of corresponding option.

It is very useful for getting impression of what abilities VBS-Obfus provides.

IT Software Press Release and News