Part II - Blackhole exploit kit

In this part I will show you how to deobfuscate the currently dominating exploit kit - Blackhole.

We use a template for decoding again. Here is the template. Create a new file in Malzilla's subdirectory "templates" and name the file "Blackhole". Insert these lines:

    s=new String();
    // a = index values, z = character table; both are kept from the analysed script
    if(typeof(a) == 'string') {
        // string version: every two digits form one index into z
        for (i=0;i<a.length;i+=2){
            q=a.substr(i,1)*10;
            q+=a.substr(i+1,1)*1;
            s=s+z.substr(q,1);
        }
    }
    else
    if(typeof(a) == 'object') {
        // array version: every element is one index into z
        for(i=0;i<a.length;i++){
            s+=z.substr(a[i],1);
        }
    }
    // the decoded text is written out as output
    document.write(s);

Blackhole consists of a character table stored as a string in variable z, e.g.

    z="kAp\"vl?j >ge_sEXaCG}$PD!wMx7BI+r6.1[5nd@fzq3/Ui{|*uc<hy\\2:4R(QLo'KSFJ=9mWO)VbT]0t^N;H8-,&";

and an array of indexes for this character table.

I have seen 2 different versions of code so far. Indexes are either stored as a string

    <html><body><style>div {display:none;}</style><div><div>38635150711137803324314680116064525111378011310952533409587958088263800867635037385244533409524451113780113109525331096474834050375180466337081137381231113846311151806074471904163108071604164046051169643344101671111344101180681604162937406333071631648304163108070411316935798779877987797887023840041131693579877987798779788....

or stored in an array

    <html><body><script>

    a=[26,25,87,62,75,54,88,49,57,45,72,48,49,54,78,50,24,87,54,88,49,54,72,27,24,4,22,27,80,47,80,86,64,25,49,86,37,25,62,88,26,24,70,4,22,27,24,70,87,54,88,49,54,72,27,24,4,72,27,50,89,7,41,62,88,87,49,48,25,88,86,54,88,26,42,72,54,26,48,72,54,87,49,78,89,23,19,5,82,72,86,73,82,5,82,41,48,36,54,65,50,57,70,66,82,75,54,53,7...

All we need from the original script is the character table and the index values. Delete everything else.

Let's start at the top. Load or paste a script into a Malzilla decoder tab.

If the indexes are stored in an array, then you only need to remove the leading html tags. It should look like this.

If indexes are stored as a string, then remove the leading html tags and insert

    a="

Here is an example

Let's go to the end of the index values.

If we have a Blackhole script that stores indexes in an array, then you only have to remove all code after the character table in variable z.

If we have the string version of indexes, then replace

    </div></div><script>

by

    ";

Keep the character table in variable z and delete all other code.

Now click on the "Template" button and choose "Blackhole" from the list. This will insert our template code at the top of the code. Cut the inserted code and paste it at the end of the script. Now click the "Run Script" button and you will see the deobfuscated code in the bottom window.

Caution !

The latest version of Blackhole splits the character table (variable z) into multiple lines. Make sure that you keep all lines.

example

    z="[>{v-X.0saQ,\"h(p7IPcE4m5Ng\\W";
    z+="i8?^lx&MJ;b$!FnHuBw=*13k@y/DKC";
    z+="ze|rL: +f'oG)Oj]R_SU2V}tA<Tdq96";
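The same decoding can be done outside Malzilla without hand-editing the page. The following Node.js code is an added example, not part of the original post or of Malzilla: it reads the character table (including the split z+= form) and the indexes (either variant) from the raw page text and decodes them without running any of the page's script. The function names and the two sample pages are constructed for illustration, and the regular expressions assume pages laid out like the samples above.

```javascript
// Added example: decode a Blackhole page statically; nothing from the page is executed.

// Join the character table, including the split form (z="..."; z+="...";).
// Assumes the literals use only \" and \\ escapes, which JSON.parse also accepts.
function extractTable(src) {
  const parts = src.match(/\bz\+?=\s*"(?:[^"\\]|\\.)*"/g) || [];
  if (parts.length === 0) throw new Error('no character table found');
  return parts.map(p => JSON.parse(p.slice(p.indexOf('"')))).join('');
}

// Read the indexes from either variant: the a=[...] array, or the digit
// pairs stored in the hidden <div><div>...</div></div> block.
function extractIndexes(src) {
  const arr = src.match(/\ba=\[([\d,\s]*)\]/);
  if (arr) return arr[1].split(',').filter(t => t.trim() !== '').map(Number);
  const div = src.match(/<div>(\d+)<\/div>/);
  if (!div) throw new Error('no index data found');
  if (div[1].length % 2) throw new Error('odd number of digits in index string');
  return div[1].match(/\d\d/g).map(Number);
}

// Map each index to its table character; reject out-of-range values instead of
// silently emitting a wrong character.
function decode(table, indexes) {
  return indexes.map((q, i) => {
    if (!Number.isInteger(q) || q < 0 || q >= table.length) {
      throw new RangeError(`index ${q} at position ${i} is outside the table`);
    }
    return table[q];
  }).join('');
}

function deobfuscate(src) {
  return decode(extractTable(src), extractIndexes(src));
}

// Character table from the post's first example.
const Z = "kAp\"vl?j >ge_sEXaCG}$PD!wMx7BI+r6.1[5nd@fzq3/Ui{|*uc<hy\\2:4R(QLo'KSFJ=9mWO)VbT]0t^N;H8-,&";
// Constructed pages: string variant (leading digits of the post's sample) and
// array variant with the table split across z= and z+= lines.
const STRING_PAGE = '<html><body><style>div {display:none;}</style><div><div>' +
  '3863515071113780332431468011</div></div><script>z=' + JSON.stringify(Z) + ';</script>';
const ARRAY_PAGE = '<html><body><script>a=[38,63,51,50,71,11,37,80];\n' +
  'z=' + JSON.stringify(Z.slice(0, 40)) + ';\nz+=' + JSON.stringify(Z.slice(40)) + ';</script>';

console.log(deobfuscate(STRING_PAGE));
console.log(deobfuscate(ARRAY_PAGE));
```

The decoded text is only returned as a string, so the next layer can be read or searched for URLs without it ever being evaluated.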