MalZilla

[bobby]

Hi denmilu,

remove var payload = unescape(" at the beginning of the script and "); at the end of script.
Click on "UCS2 to Hex" and on "Hex to bin" after that.
You will get plain EXE file.

[denmilu]

Hi Bobby,

Thanks for your help but in my mazilla 1.2.0 I did not find button "Hex to bin".
Because I did not find "Hex to bin" button, So I click on " Hex to File" and after that, I got a filename.bin, and I could not read the content inside.

So do you have any suggestion for me to do now? I wana to find the link in this decode script.



I has just beging use mazilla, so the first time i think I will have many problems, hope you help me pass this.

Thank you!

[denmilu]

I think here is a simple encode script, similar with above,

Code: [Select]

JWXNcwDTisuUZviJAX+=unescape("%u7468%u7074%u2F3A%u652F%u7078%u6F6C%u7469%u612E%u6470%u6972%u6C6C%u612E%u6973%u2F61%u616D%u776C%u7261%u3065%u2E31%u7865%u0065");

And when do as your intruction i got the link

Code: [Select]

http://exploit.apdrill.asia/malware01.exe

but with link above, i can not read the content on Bin file.

I also Attach a txt file that content encode content, but i could not decode it to view plain content inside, can you tell me how to decode it?

[MysteryFCM]

Remove EVERYTHING except the USC code, and then click USC2 To Hex, then copy it and paste it into the Hex decoder tab (it's got an MZ header at the top indicating it's an actual executable btw)

[MysteryFCM]

Should've looked at the next page before replying, hehe.

It's Hex to File btw, not Hex to Bin (on the Misc Decoders tab)

[MysteryFCM]

So do you have any suggestion for me to do now? I wana to find the link in this decode script.

You can load the .bin in either the Hex Decoder tab, or download and install FileInsight

[denmilu]

Hi MysteryFCM,

Thanks for your help!
Now I have understood the menthod to decode this type (%uxxxx) of script, But I wonder how can we could encode a link to USC code? Do we have any tool help us to do that?

For example, we have a link 

Code: [Select]

http://www.malwaredomainlist.com So how can we encode it to a USC code?

[MysteryFCM]

Why would you want to?

[denmilu]

Hi MysteryFCM,

Because I'm preparing for a lecture, so I need to understand all technology that used in malicious codes. The main purpose is analysic malware, but before analysic, we need to know how it can be that (how to encode).

So I need your help! Thanks

[MysteryFCM]

If it's for a lecture, I'll let you do the work and just give you a pointer

http://php.net/manual/en/function.iconv.php

Would defeat the object if we did it for you

[denmilu]

Oh, thank you!

Actually, I want to do something by myselft and I think I can do what I want with the page you gave. It's so simple! 

[MysteryFCM]

No problem

[denmilu]

Hi all,

I have a problem when use mazilla to decode a hex code, After copy a hex code and open download tab then click HEX tab,  Right click and chose "paste as hex" I will see the result that was decoded in the right conner, But with some hex code, it is could not decode. So could you show me how to use mazilla to decode some hex code that I had attached bellow.

Thanks.

[MysteryFCM]

Replace the spaces with %, and remove the line breaks

[denmilu]

Hi MysteryFCM,

I did it, thank you very much!