#!/usr/bin/env python
##
# Decodes obfuscated BlackHole Exploit Kit JavaScript.
# Useful for analysing the kit's plugin-detection and exploitation pages.
##
import re
import os, sys
from StringIO import StringIO
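def decode(file_name, regex=None, out_path="out.html"):
    """Decode one layer of BlackHole Exploit Kit JavaScript obfuscation.

    The quoted string literals in the input are concatenated, every
    character outside ``[0-9a-z]`` is dropped, and the remainder is read
    two characters at a time.  Each pair is parsed as a base-33 number and
    turned into the character with that code.  The decoded text is written
    to *out_path* and also returned.

    Args:
        file_name: Path of the obfuscated sample to read.
        regex: Optional pattern (string or compiled) selecting the part of
            the file that holds the encoded strings; ``group(0)`` of the
            first match is used.  The previous body referenced a ``regex``
            name that was never defined, so the intended pattern is not
            known; when omitted, the whole file is scanned.
        out_path: Destination of the decoded text.  Defaults to
            ``out.html`` in the current directory, as before.

    Returns:
        The decoded text.

    Raises:
        ValueError: If *regex* is given but does not match, or if a pair
            is not a valid base-33 number.

    NOTE: the decoded output is attacker-supplied script/markup.  It lands
    in a ``.html`` file by default, so read it as text inside an isolated
    analysis environment instead of opening it in a browser.
    """
    # Context managers close both handles even when decoding fails; the
    # previous body never closed the input and closed a misspelled name.
    with open(file_name, "r") as fin:
        stage_one = fin.read()

    quoted = re.compile(r'\".+?\"', re.S)
    non_digit = re.compile(r'[^012a-z3-9]', re.S)

    if regex is None:
        stage_two = stage_one
    else:
        found = re.search(regex, stage_one)
        if found is None:
            raise ValueError("stage pattern not found in %s" % file_name)
        stage_two = found.group(0)

    # Strip the surrounding quotes from every literal and glue them together.
    joined = ''.join(m.group(0)[1:-1] for m in quoted.finditer(stage_two))
    digits = non_digit.sub('', joined)

    # Base 33 is kept from the original listing; it accepts 0-9 and a-w, so
    # an x, y or z left by the filter raises ValueError -- confirm the base
    # against the sample variant.  A trailing single character is decoded
    # on its own, matching the old two-character read loop.
    stage_three = ''.join(
        chr(int(digits[i:i + 2], 33)) for i in range(0, len(digits), 2)
    )

    with open(out_path, 'w') as outf:
        outf.write(stage_three)
    return stage_three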
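if __name__ == '__main__':
    # Check the argument count explicitly instead of wrapping the whole run
    # in ``except IndexError``: an IndexError raised inside decode() would
    # otherwise be reported as a usage error and exit with status 0.
    if len(sys.argv) < 2:
        print('usage: ./decode_bhek.py <obfuscated input file>')
        sys.exit(0)

    fin = sys.argv[1]
    if not os.path.exists(fin):
        print('[error] unable to locate input file!')
        sys.exit(1)

    # decode() writes the decoded kit page to out.html in the current
    # directory; treat that file as hostile content and inspect it as text.
    decode(fin)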