|Figure 1 Packed Blackhole Exploit kit|
|Figure 2 Enabling AutoResponder|
|Figure 3 Editing the response|
Now I want to modify the script to be able to see the unpacked code so I open the Syntax View tab. This part is different from one pack to another and you might need multiple attempts to figure out the best way to do it. In this example the pack is Blackhole, there is an eval statement at the end very end that executes the script after it is unpacked.I use console.log to get the content, so I replace w(c) by console.log(c) and hit Save.
|Figure 4 Deciding what to modify|
Next I open Google Chrome (make sure it is configured to use Fiddle as a proxy), open the Developer Console with F12 and click on the Console tab. I then browse to the pack URL, in this example http://energirans.net/main.php?page=598991e7306ac07e (you can use Ctrl+U to copy the URL from a session). If all went well the unpacked code should appear in the logs.
|Figure 5 unpacked script in the logs|
Another neat feature of Fiddler is the code beautifier. I copy the script from the log, replace the original script in the SyntaxView and click on Format Script/JSON. The code is now well formatted and ready for analysis.You can find the unpacked code here. Note that this is an old version of Blackhole v1 from February 2012 but the technique still works today.
|Figure 7 Formatted Blackhole code|
This is a quick and dirty technique and could easily be defeated but it works with many packs. If you have any question leave a comment or email me at firstname.lastname@example.org.