
Won't work :-(

Open Maxxika opened this issue 7 years ago • 7 comments

I made a testfile with `echo "CRYPT/DECRYPT TEST"`

```
shc -f test.sh
```

Tested binary

```
./test.sh.x
CRYPT/DECRYPT TEST
```

Run unshc

```
./unshc.sh test.sh.x

...

[*] Input file name to decrypt [test.sh.x]
[+] ARC4 address call candidate : [0x804894e]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x804894e]...
[0] Working with var address at offset [0x804b09c] (0x8 bytes)
[1] Working with var address at offset [0x804b2c8] (0x8 bytes)
[2] Working with var address at offset [0x804b2c9] (0x8 bytes)
[3] Working with var address at offset [0x804b0de] (0x8 bytes)
[4] Working with var address at offset [0x804b0e2] (0x8 bytes)
[5] Working with var address at offset [0x804b0f4] (0x8 bytes)
[6] Working with var address at offset [0x804b123] (0x8 bytes)
[7] Working with var address at offset [0x804b13e] (0x8 bytes)
[8] Working with var address at offset [0x804b082] (0x8 bytes)
[9] Working with var address at offset [0x804b157] (0x8 bytes)
[10] Working with var address at offset [0x804b158] (0x8 bytes)
[11] Working with var address at offset [0x804b0f7] (0x8 bytes)
[12] Working with var address at offset [0x804b159] (0x8 bytes)
[13] Working with var address at offset [0x804b2b1] (0x8 bytes)
[*] Extracting password...
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
[-] Error, function call previous first call of arc4() hasn't been identified...
```

Callfile content:

```
[*] Extracting password...
8048cad: e8 cf fb ff ff call 8048881 <__gmon_start__@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <__gmon_start__@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <__gmon_start__@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca0: 83 ec 08 sub $0x8,%esp
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <__gmon_start__@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048c9b: e8 8b fb ff ff call 804882b <__gmon_start__@plt+0x10b>
8048ca0: 83 ec 08 sub $0x8,%esp
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <__gmon_start__@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
[-] Error, function call previous first call of arc4() hasn't been identified...
```

Maxxika, Dec 04 '17 00:12

Hello,

Can you send me the original *.sh and encrypted *.sh.x files as an attachment?

What is your distribution version (Ubuntu, Debian, CentOS?) and architecture (x86 / x64)?

It seems to be a problem with the grep command around line 309 in the latest version.

Keep me informed,

yanncam, Dec 04 '17 08:12

Of course, I attached all items for the test. Arch is x86 and this is blackpanther-distro. Yes, I saw that the problem is in the grep command, because the callfile does not contain the expected values.

unshc-wrong-test.tar.gz

Maxxika, Dec 04 '17 08:12

OK, I will check on my side and get back to you as soon as possible.

Sincerely,

yanncam, Dec 04 '17 09:12

Hi yanncam,

I saw the same issue. Did shc change the algorithm? unshc could not find the right address and size according to the grep regular expression.

Thanks,
Jingzhen

hujingzhen, Dec 05 '18 00:12

> did shc change the algorithm?

Yes I did lol ... it's open for new easy exploit search if anyone finds... :)

intika, Dec 06 '18 09:12

Hello,

Can you try again with the relaxed option of SHc (before using UnSHc)? Like this, to produce your encrypted test file:

```
./shc -r -f myScript.sh
```

The -r is needed to make a redistributable binary (works on several distributions).

Then retry to decrypt it with UnSHc.

Sincerely,

yanncam, May 08 '19 10:05

Hi yanncam,

Can you help me decrypt this file? Thank you for your help.

9191.zip

droidamlogic, Feb 15 '21 08:02