Sunday, October 21, 2012

BHEK 2.0 encode param value UPDATE

Today MalwareMustDie posted a new BHEK 2.0 infection and one of the pasties showed a new encoding scheme for the param value found in the applet.  I had never seen this before and thought for sure my decoding of the original encoding scheme was now pointless.

So I dove right in examining the JAR for the function that uses the param and decodes the callback.  Not to my surprise the JAR does not decompile correctly.  However it obviously taks advantage of CVE-2012-0507.

So I went back to the drawing board.  My drawing board just happens to be Notepad++
So I pasted the param value Notepad and started to replace all the HTML values with the corresponding ASCII value.

After replacing
At first glance I did not see it.  Then it hit me!  If you ignore the first "0" and then replace the ";" with nothing, then the values become hex values that should look familiar :)

So with all of this knowledge and knowing that my alphabet list I created earlier still held true.  I simply used a python script my pal created for me utilizing my alphabet and decoded the JARs callback.


I believe this marks the first time the BHEK authors have used two forms of obfuscation in the param value field.


  1. Nice. The request there is consistent with the binary get request.