Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Really happy to join here finally. For a couple of weeks I have been trying to fetch content from the file below, which is a pre-compiled installer, but all my tries failed, so I came here for some help.
This is the file.
Could someone please help me to fetch content from the above file?
Or rather, it looks like a shell script obfuscated with shc. You cannot retrieve the source shell code, this is the point of using the obfuscator, actually.
It might still be traceable with strace if it wasn't explicitly made untraceable by shc.
Dropbox and similar sites are mostly for distribution of malware binaries. Which package are you looking for and, if you are on CentOS 7.9, have you checked the EPEL repository? When at all possible the versions in the repository should be preferred. If one is not available, at least roll your own RPM and install from that.
Speaking of CentOS, I presume you have heard the news. It is time to move (back) to Debian or even Devuan.
$ file test
test: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=6f0918f0ba17f02eb2a200ec49335c66f8c10f91, stripped
$ ldd test
linux-vdso.so.1 (0x00007ffeeb155000)
libc.so.6 => /lib64/libc.so.6 (0x00007f06a2459000)
/lib64/ld-linux-x86-64.so.2 (0x00007f06a281c000)
So it's impossible to retrieve the code? Is there any chance you could please guide me to decode the executable code?
thanks.
It's not impossible, but it is both extremely difficult and one likely will not end up with the original source file, but instead their best guess.
I'd say it is extremely unlikely, because no one can just "give" you 1, 2, or 10 instructions to run and then voilà, you'll have a result. Plus you'll need to have more expertise, to the point where you would sort of not need to ask that question; instead you might ask some strategy question about the best way to take a next step.
Here's a possible strategy which you could consider, it's a lot of work, but if you manage to complete that work, then you'll be closer to your desire.
Convert the binary into printable HEX. Use the processor's instruction set to convert the HEX into assembly language.
Inspect the assembly and see if you can follow the logic of the instructions and write a reverse pseudocode representation of the program.
There are no standard tools to do all this work for you, and it is not a one-attempt type of process; there are many points where you'd have to take your best guess on something where you may be incorrect and have to change the guesses.
With that reply I understand my skill level is still not at that level. Is there any paid section here so that I can post it?
Thanks for the reply.
Yes, and No.
As seen in the Main Menu on the right side of the page here, this site has an LQ Job Marketplace link. I believe it's free.
Right now there's nothing there, so I suspect it doesn't experience a lot of traffic.
If you accept paying a fee, then I'd opt for a job board like LinkedIn or Indeed; there used to be Monster also. I'm sure there are many; I've never really posted a job I intended to hire persons for, personally. Enjoy!
What shc does is to encrypt the shell script and wrap it in some C code. After compiling that C code, you'll get a program that, when executed, will decrypt it on the fly, invoke the shell via an execvp call, and pass it the code as an argument to the -c option.
Here you can see an example of code generated by shc from a shell script. It uses RC4 to encrypt the source. There were successful attacks mounted against the RC4 algorithm, as you can read in the Wikipedia article linked above. So it's not unbreakable. You have to be a cryptography expert to be able to do this though.
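An added example, not from this thread or from shc itself, of the strace route mentioned earlier: it reads the output of `strace -f -s 65535 -e trace=execve ./test` and pulls out whatever argument follows `-c` in each execve, which is where the wrapper described above hands the decrypted script to the shell. The strace lines are constructed for illustration; the same parser works on real strace output when you want to see what a downloaded installer actually runs before trusting it.

```python
import re

# Constructed sample of what `strace -f -s 65535 -e trace=execve ./test` could print for
# an shc-style wrapper: the stub starts, then hands the decrypted script to the shell via -c.
SAMPLE_STRACE = r'''execve("./test", ["./test"], 0x7ffd3b2c1e10 /* 22 vars */) = 0
[pid  4242] execve("/bin/sh", ["/bin/sh", "-c", "#!/bin/sh\necho \"installing\"\ncp payload /usr/local/bin/x\n", "./test"], 0x55a1f0 /* 22 vars */) = 0
'''

_SIMPLE_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'b': '\b', 'f': '\f', 'v': '\v', '"': '"', '\\': '\\'}

def unescape_c_string(text, i):
    """Decode the strace-style double-quoted string at text[i]; return (value, index past closing quote)."""
    i, out = i + 1, []
    while text[i] != '"':
        if text[i] == '\\':
            nxt = text[i + 1]
            if nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt]); i += 2
            else:                             # \ooo octal, strace's rendering of non-printable bytes
                m = re.match(r'[0-7]{1,3}', text[i + 1:])
                out.append(chr(int(m.group(0), 8))); i += 1 + len(m.group(0))
        else:
            out.append(text[i]); i += 1
    return ''.join(out), i + 1

def parse_argv(text, i):
    """Parse the ["a", "b", ...] array at text[i]; strace prints a bare ... when it cut the array off."""
    i, args = i + 1, []
    while text[i] != ']':
        if text[i] == '"':
            val, i = unescape_c_string(text, i)
            args.append(val)
        elif text.startswith('...', i):
            i = text.index(']', i)
        else:
            i += 1                            # separators: ", "
    return args, i + 1

def recovered_scripts(strace_output):
    """Return (interpreter, script) for every execve whose argv carries `-c <script>`."""
    found = []
    for line in strace_output.splitlines():
        m = re.search(r'execve\(', line)
        if not m:
            continue
        path, i = unescape_c_string(line, m.end())
        argv, _ = parse_argv(line, line.index('[', i))
        if '-c' in argv[:-1]:
            found.append((path, argv[argv.index('-c') + 1]))
    return found
```

The interesting execve is the child's, so `-f` is needed, and `-s` must be raised or strace truncates the script argument to 32 characters.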
As I told you, my skill level is not at that level. And I have tried UnSHc; even that couldn't help me.
It's returning some error about arc12 not being parsed. Don't know why I cannot contact users here either; is contact totally disabled here?
And as the moderator suggested, that job post I will try as my last option.
Thanks @shruggy, you're really helpful.
Due to the many problems since shc 4.0.3, there seems to be a need for clarification. In shc 4.0.3 many structural changes have been incorporated, so that shc now makes use of various security mechanisms provided by the linux-kernel itself. Therefore, it is now almost impossible to extract the original shell script at all with current UnSHc version, if the new shc version was used. This requires a more in-depth approach, which means that a modified bash or a modified linux-kernel is needed to bypass the security measures.
FYI, shc 4.0.3 was released in July 2019 and is currently available in most distros.
Just a thought. The code in question was compiled on RHEL7/CentOS7 or similar. shc 4.0.3 was uploaded to EPEL7 in September 2019. If you find a version of the script produced before that there's a chance unshc will be able to handle it.
Looks like I have to give up hope on this; the last update to UnSHc was 2 years back. I left my <SPAM EMAIL LINK> to the author for other updates.
Why leave your email hidden in a link? And since that is a program, have you run it? What does it do, and what is the purpose of that program you've downloaded? You say you've been trying for weeks, but don't say what you've tried... can you elaborate?
Also odd that your email address has many references to bulk email programs/sites... so what exactly are you needing help with? Not going to post links to further the SEO attempt, but anyone who is interested can put the email address in question into a search engine and see what I see.
That is for sure the case, because presently I am using it on CentOS 7. Thanks for the hint; then I will try each and every version of the author's releases. It would be great if we had some paid section here, which would save my time, because it's beyond my level.