DISCLAIMER: There isn't a single way to deal with obfuscated data/code. There are many automated and semi-automated tools available to help you with that. In this post though I'll be using none. The aim here is to walk through some code deobfuscation manually. This is not a comprehensive Nuclear EK landing page analysis. Only bits related to data/code obfuscation are covered.
NOTE: The Exploit Kit sample used in this post was captured in September 2014. Given the ever-changing nature of EKs, what is described below might not be applicable to newer variants.
'Nuclear launch detected'
```python
lookupKey = "LOOKUP_KEY_GOES_HERE"
encodedString = "NUMBERS_BLOB_GOES_HERE"

# Split the digit blob into two-character chunks: each chunk is one index into the key
listOfValues = map(''.join, zip(*[iter(encodedString)]*2))
decodedString = ""
for index in range(len(listOfValues)):
    if int(listOfValues[index]) < 10:
        element = int(listOfValues[index])
    else:
        # Values of 10 and above are offset by 2 (see the note on escape characters below)
        element = int(listOfValues[index]) - 2
    decodedElement = lookupKey[element]
    decodedString += decodedElement
print(decodedString)
```
You'll notice an 'if' condition in the lookup loop: for any value of 10 or greater, subtract 2 from it and then perform the lookup. This compensates for the escape '\' characters in the lookup key. I'm not entirely sure why '10', but I assume the code logic that generates the key will not place characters that require escaping in the first 10 character positions of the key.
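To make the scheme concrete, here is an added example (my own code, not the Nuclear EK's script or the script from this post) that implements both directions of the two-digit index encoding: an encoder that produces the "numbers blob" from a plaintext and a key, and a decoder that mirrors the logic above. The key `KEY` and the plaintexts are constructed for illustration; the real landing page key is not reproduced here. The decoder also rejects the pair values 10 and 11, which the `- 2` rule would silently map back to positions 8 and 9; the post's script does not make that check.

```python
# Constructed lookup key (hypothetical, not the key from the landing page sample).
# Digits occupy the first 10 positions; letters start at index 10.
KEY = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode(plaintext, key=KEY):
    """Encode each character as a two-digit index into `key`.

    Indices of 10 and above are written with +2 added, reproducing the offset
    that the landing page decoder undoes with its `- 2` branch.
    """
    out = []
    for ch in plaintext:
        index = key.index(ch)          # raises ValueError if ch is not in the key
        if index >= 10:
            index += 2                 # offset compensating for escape characters in the key
        out.append(f"{index:02d}")     # always exactly two digits
    return "".join(out)


def decode(blob, key=KEY):
    """Reverse `encode`: split the digit blob into pairs and look each one up."""
    if len(blob) % 2:
        raise ValueError("encoded blob must contain an even number of digits")
    if not blob.isdigit():
        raise ValueError("encoded blob must contain digits only")

    pairs = [blob[i:i + 2] for i in range(0, len(blob), 2)]
    out = []
    for pair in pairs:
        value = int(pair)
        if value < 10:
            index = value
        elif value in (10, 11):
            # Never produced by the encoder; the original script would map these to 8/9
            raise ValueError(f"pair value {value} is not a valid encoded index")
        else:
            index = value - 2
        if index >= len(key):
            raise ValueError(f"index {index} is outside a key of length {len(key)}")
        out.append(key[index])
    return "".join(out)


if __name__ == "__main__":
    sample = "nuclear2014"              # constructed plaintext
    blob = encode(sample)
    print(blob)                          # two digits per input character
    print(decode(blob))                  # round-trips back to the plaintext
```

Run it as-is to see the round trip; to use it on a real sample, replace `KEY` with the landing page's lookup key and pass the captured digit blob to `decode`. Keeping the encoder next to the decoder is useful when you are unsure about an offset rule like the `- 2` here: if your encoder does not reproduce the captured blob from the known key, the rule you inferred is wrong.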
Now, if we use the corresponding values from our landing page sample and run the script, we get the following output.
Another KISS approach to data obfuscation. Happy deobfuscation!