NOTE: The Exploit Kit sample used in this post was captured in September 2014. Given the ever-changing nature of EKs, what is described below might not be applicable to newer variants.
'Nuclear launch detected'
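```python
lookupKey = "LOOKUP_KEY_GOES_HERE"        # lookup key string from the landing page
encodedString = "NUMBERS_BLOB_GOES_HERE"  # blob of digits from the landing page

# Split the blob into two-character values; list() keeps this working on Python 3
listOfValues = list(map(''.join, zip(*[iter(encodedString)]*2)))

decodedString = ""
for index in range(len(listOfValues)):
    # Values below 10 index the key directly; all others are shifted down by 2
    if int(listOfValues[index]) < 10:
        element = int(listOfValues[index])
    else:
        element = int(listOfValues[index]) - 2
    decodedElement = lookupKey[element]
    decodedString += decodedElement

print(decodedString)
```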
You'll notice an 'if' condition in the 'lookup' loop - for any value greater than 10 subtract 2 from it and then perform the lookup. This is done to compensate for the escape '\' characters in the lookup key. I'm not entirely sure why '10', but assume the code logic that generates the key will not include characters that require escaping into the first 10 character positions of the key.
Now, if we use the corresponding values from our landing page sample and run the script, we get the following output.
Another KISS approach to data obfuscation. Happy deobfuscation!
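The lookup rule described above, wrapped as a checked function together with its inverse so the decoder can be verified on known text before it is pointed at a real landing page. This is an added example, not code from the original post or from the kit; `decode`, `encode`, `SAMPLE_KEY` and `SAMPLE_TEXT` are hypothetical names, and the key and text are constructed.

```python
import re

THRESHOLD = 10   # values below this index the key directly (rule from the post)
OFFSET = 2       # all other values are shifted down by this much

def decode(lookup_key, blob):
    """Turn a blob of two-digit decimal values into characters of lookup_key."""
    blob = "".join(blob.split())  # tolerate line breaks left by copy/paste
    if not re.fullmatch(r"(?:[0-9]{2})*", blob):
        raise ValueError("blob must be an even-length run of ASCII digits")
    out = []
    for pos in range(0, len(blob), 2):
        value = int(blob[pos:pos + 2])
        index = value if value < THRESHOLD else value - OFFSET
        if index >= len(lookup_key):
            # Usually means the key was copied incompletely or unescaped wrongly
            raise ValueError("pair %r at offset %d maps to index %d, key length is %d"
                             % (blob[pos:pos + 2], pos, index, len(lookup_key)))
        out.append(lookup_key[index])
    return "".join(out)

def encode(lookup_key, text):
    """Inverse of decode(); only used to build test blobs from known text."""
    pairs = []
    for ch in text:
        index = lookup_key.index(ch)  # raises ValueError if ch is not in the key
        value = index if index < THRESHOLD else index + OFFSET
        if value > 99:
            raise ValueError("index %d does not fit in two digits" % index)
        pairs.append("%02d" % value)
    return "".join(pairs)

# Constructed sample data, not taken from any exploit kit page
SAMPLE_KEY = "etaoin shrdlucmfwypvbgkqjxz.:/<>="
SAMPLE_TEXT = "<script src=http://example.invalid/a>"

if __name__ == "__main__":
    blob = encode(SAMPLE_KEY, SAMPLE_TEXT)
    print(blob)
    print(decode(SAMPLE_KEY, blob))
    # The rule is not one-to-one: 10 and 11 land on the same key
    # positions as 08 and 09, so a blob may use either form.
    print(decode(SAMPLE_KEY, "0810"), decode(SAMPLE_KEY, "0911"))
```

A range error from `decode` on a real sample is a hint to re-check how the key was copied out of the page source before trusting any partial output.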