Script Decoder is a simple Win32 command line executable that is used as follows:
scrdec18 <infile> <outfile> [-cp codepage] [-urldec|-htmldec]
There's no fancy stuff like wildcard support or overwriting the input file with
the output file. If you really want to do that, just use the DOS for command:
for %a in (*.asp) do scrdec18 %a decoded\%a
move decoded\*.asp .
Note that the FOR command does not support long file names on Windows 95/98/Me.
Alternatively, you can use this little VBScript that Gene Naftulyev sent me (thanks dude!), or the further improved version by Ninio Erez.
After running the decoder, you'll see that all garbled blocks of script, like
will have been decoded into their original form. Please note that you will still
have to manually strip the '.Encode' out of the 'JScript.Encode' and 'VBScript.Encode'
in the <script language=".."> tags!
The script decoder recognizes all encoded blocks that start with the sequence #@~^,
so it will correctly decode 'plain files' that only contain script, ASP style blocks
<%script%>, and <script language="...">script<script> blocks.
Starting with version 1.2, the script decoder has the ability to use different code pages
so it can decode scripts that contain Asian characters. If you want to decode
such scripts, just supply the code page identifier as the third parameter.
If you want to decode scripts using another code page, then you do not need to specify it.
The -urldec switch allows you to do on-the-fly unescaping of scripts that have been URLEncoded.
Such scripts contain characters that have been replaced by a percent sign and a hexadecimal number,
for instance %76%61%72%20%72%69. They are usually unescaped by the JScript using the unescape()
function. Supplying the -urldec switch to scrdec will save you this effort.
The -htmldec switch pretty much works the same way, only for & style encoding.
There are two more switches. To get a better insight in the workings of the decoder, try -verbose.
If you see the decoder skips an encoded block, this might be the result of the HTMLGuardian
defeat mechanism. The decoder tries to be smart and recognize blocks that HTMLGuardian inserted
in order to deceive it. Sometimes this results in scrdec skipping a genuine encoded block.
To disable the defeat mechanism, pass the -dumb switch.