yanncam / UnSHc

UnSHc - How to decrypt SHc *.sh.x encrypted file ?
GNU General Public License v3.0

Unable to unshc a simple encrypted script #29

Closed sairajgemini closed 4 years ago

sairajgemini commented 4 years ago

I have written a simple bash script and encrypted it with the shc tool. My filename is kali-upgrade.sh.x. My OS architecture is,

Linux kali 5.6.0-kali2-amd64 #1 SMP Debian 5.6.14-1kali1 (2020-05-25) x86_64 GNU/Linux

My shc version is,

shc Version 4.0.3, Generic Shell Script Compiler

Which I have installed via the command,

sudo apt install shc

My shell script looks like this,

cat /etc/opt/.kali-upgrade/.psd | sudo -S apt update && sudo -S apt -y upgrade && sudo -S apt -y dist-upgrade && sudo -S apt -y full-upgrade && sudo -S apt -y autoremove && sudo -S apt -y autoclean && sudo -S apt -y clean && echo "Starting updatedb..." && sudo -S updatedb && echo "updatedb completed..." && echo "Starting mandb..." && sudo -S mandb && echo "mandb completed..."

I tried the following commands.

./unshc.sh kali-upgrade.sh.x -d dumpfile -s scriptfile -o script.sh

./unshc.sh kali-upgrade.sh.x

Output I'm getting is,

[*] Input file name to decrypt [kali-upgrade.sh.x]
[+] Object dump file specified [dumpfile]
[+] String dump file specified [scriptfile]
[+] Output file name specified [script.sh]
[-] Unable to define arc4() call address...

FYI, the attached files are renamed with .txt. Kindly remove the .txt extension from the files.

kali-upgrade.sh.txt kali-upgrade.sh.x.txt

sairajgemini commented 4 years ago

Any update on this?

yanncam commented 4 years ago

Hello,

As mentioned in https://github.com/yanncam/UnSHc/issues/31:

Due to the many problems since shc 4.0.3, there seems to be a need for clarification. In shc 4.0.3 many structural changes have been incorporated, so that shc now makes use of various security mechanisms provided by the linux-kernel itself. Therefore, it is now almost impossible to extract the original shell script at all, if the new shc version was used. This requires a more in-depth approach, which means that a modified bash or a modified linux-kernel is needed to bypass the security measures. On the basis of a system with regular behaviour I don't see a big chance, even if there may be weaknesses in terms of security holes. At least in my own tests I was not able to extract the shell script without sabotaging the system.

Current UnSHc doesn't seem to be able to decrypt shc 4.0.3 encrypted files, sorry.

Sincerely,