Didier Stevens

Monday 18 April 2016

Update: decode-vbe.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 8:48

I added support for ZIP files to decode-vbe.py.

Here is the man page:

Usage: decode-vbe.py [options] [file]
Decode VBE script

Options:
--version   show program's version number and exit
-h, --help  show this help message and exit
-m, --man   Print manual

Manual:

This program reads from the given file or standard input, and converts the encoded VBE script to VBS.

The provided file can be a password protected ZIP file (with password infected) containing the VBE script.

The content of the VBE script can also be passed as a literal argument. This is similar to a Here Document in Unix.
Start the argument (the "filename") with character # to pass a literal argument.
Example: decode-vbe.py "##@~^DgAAAA==\ko$K6,JCV^GJqAQAAA==^#~@"
Result: MsgBox "Hello"

It’s also possible to use hexadecimal (prefix #h#) or base64 (prefix #b#) to pass a literal argument.
Example: decode-vbe.py #h#23407E5E4467414141413D3D5C6B6F244B362C4A437F565E474A7141514141413D3D5E237E40
Result: MsgBox "Hello"
Example: decode-vbe.py #b#I0B+XkRnQUFBQT09XGtvJEs2LEpDf1ZeR0pxQVFBQUE9PV4jfkA=
Result: MsgBox "Hello"

decode-vbe_V0_0_2.zip (https)
MD5: 35612087E2D62669E2690573FDE543F2
SHA256: 91A7465FE1F4D291751E6C5D88C51888C914B40C6F187709E33343FF121A116F
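
An added example, not part of decode-vbe.py or of the original post: a triage helper that resolves the three literal-argument forms from the manual (#, #h#, #b#) to raw bytes and checks the encoded block's envelope before any decoding is attempted. The function names are hypothetical, and the envelope layout used here (4-byte marker, 8-character base64 length, body, 8-character base64 checksum, 4-byte marker, with the checksum being the byte sum of the decoded script) is an assumption not stated on this page, checked against the manual's sample.

```python
import base64
import struct

# Sample values copied from the manual's hex and base64 examples above.
HEX_ARG = "#h#23407E5E4467414141413D3D5C6B6F244B362C4A437F565E474A7141514141413D3D5E237E40"
B64_ARG = "#b#I0B+XkRnQUFBQT09XGtvJEs2LEpDf1ZeR0pxQVFBQUE9PV4jfkA="


def literal_to_bytes(arg):
    """Resolve a '#', '#h#' or '#b#' literal argument to the bytes it carries."""
    if arg.startswith("#h#"):
        return bytes.fromhex(arg[3:])
    if arg.startswith("#b#"):
        return base64.b64decode(arg[3:], validate=True)
    if arg.startswith("#"):
        return arg[1:].encode("latin-1")
    raise ValueError("not a literal argument (no leading #)")


def _le32(field):
    # Each 8-character field is base64 for a 32-bit little-endian integer.
    return struct.unpack("<I", base64.b64decode(field, validate=True)[:4])[0]


def split_vbe(blob):
    """Return (declared_length, encoded_body, declared_checksum) for one block."""
    if not (blob.startswith(b"#@~^") and blob.endswith(b"^#~@")):
        raise ValueError("missing #@~^ ... ^#~@ markers")
    inner = blob[4:-4]
    if len(inner) < 16:
        raise ValueError("block too short to hold length and checksum fields")
    return _le32(inner[:8]), inner[8:-8], _le32(inner[-8:])


def checksum_matches(blob, decoded_text):
    """True when the block's checksum field equals the byte sum of decoded_text."""
    _, _, declared = split_vbe(blob)
    return sum(decoded_text.encode("latin-1")) & 0xFFFFFFFF == declared


if __name__ == "__main__":
    length, body, checksum = split_vbe(literal_to_bytes(HEX_ARG))
    print(length, len(body), checksum)
    print(checksum_matches(literal_to_bytes(B64_ARG), 'MsgBox "Hello"'))
```

A mismatch between the checksum field and the byte sum of a decoder's output points to a truncated or altered sample, or to a decoding error.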
