#1 9. August 2010 Hallo Leute, ist es möglich ein .sh Shell script zu decrypten ? Code: ELF sieht ungefähr so aus Ich hoffe ihr könnt mir helfen, gibt natürlich bw für jede Hilfestellung + Multi-Zitat Zitieren
#2 9. August 2010 AW: Shell Script Decrypt 11 ............. hier wird das ganze besprochen: Encrypt and Decrypt script | Unix Linux Forums | Shell Programming and Scripting ist zwar englisch, aber kannst dich ja mal durchwurschteln. + Multi-Zitat Zitieren
#3 9. August 2010 AW: Shell Script Decrypt Problem ist, dass ich das Script nicht selbst gecodet hab. Daher muss ich es entschüsseln, damit ich den Code mal sehe. Daher bringt mir der link nicht so viel, da ich kein ausgangsfile hab. bw haste trotzdem + Multi-Zitat Zitieren
#4 10. August 2010 AW: Shell Script Decrypt Am besten ist, du gehst das Script halt Zeile für Zeile durch. Wenn der Interpreter das entschlüsseln kann, dann kannst du das auch. Poste halt mal das Script, dann kann man dir besser weiterhelfen. Andernfalls kann man nur im Blinden rumstochern. + Multi-Zitat Zitieren
#5 11. August 2010 AW: Shell Script Decrypt tach. die datei die du beschreibst ist keine shell, sondern der code in deinem beitrag sind die magicbytes für ELF dateien (siehe: Executable and Linking Format – Wikipedia) solang du keinen decompiler dafür findest kannst du ein "decrypten" vergessen. + Multi-Zitat Zitieren
#6 12. August 2010 Zuletzt von einem Moderator bearbeitet: 14. April 2017 AW: Shell Script Decrypt Hi Leute, habs mal mit boomerrang probiert, leider kein erfolg. Ich poste mal hier das file, vllt. kann mir jmd helfen. Ich möchte nämlich den code um ein paar zeilen erweitern. Grüße File Hier mein ergebnis in boomerang Code: nt stderr; char global3[1]; char global2; char global1; char global0; void environ; char global5[0] = "\xffffffa4\x1e\xffffffd9\xffffff8e\xffffffc8\xffffffa2x\xffffffbf\xfffffffe\xffffffcb\x1bj\xffffffbb\xffffffb7\xffffffffL\x04M\xffffffd4\x18\x15\xffffffde\xffffffebfE\xffffffbe\xffffffa8x\xffffff9aX\xffffffac\xffffff91H\xffffffe6\xffffffa6/\x15cS\xffffffae\xffffffe4+\xffffff92\xffffff84\x14k\x12\xffffffdc\xffffffb1\xffffffd0\xffffff85*G\xffffffa6\xffffffd9\xfffffff0\xffffffb2\xffffffc2\xffffffaa9]W\xffffffca\xffffffa6=p\xffffffd5R\xffffffd4)"; char global6[0] = "\x1e\xffffffd9\xffffff8e\xffffffc8\xffffffa2x\xffffffbf\xfffffffe\xffffffcb\x1bj\xffffffbb\xffffffb7\xffffffffL\x04M\xffffffd4\x18\x15\xffffffde\xffffffebfE\xffffffbe\xffffffa8x\xffffff9aX\xffffffac\xffffff91H\xffffffe6\xffffffa6/\x15cS\xffffffae\xffffffe4+\xffffff92\xffffff84\x14k\x12\xffffffdc\xffffffb1\xffffffd0\xffffff85*G\xffffffa6\xffffffd9\xfffffff0\xffffffb2\xffffffc2\xffffffaa9]W\xffffffca\xffffffa6=p\xffffffd5R\xffffffd4)"; char global7[0] = " \t,\xffffffa5\xffffff9e[6\xffffffe0\xffffffae'L\x1a]?\xfffffff4\xffffffe6\xffffffab\xfffffffc\xffffffe4I\xffffffaeX?\xffffff99"; char global9[0] = "fm\xffffffa0\x1a\xffffffd3\xffffffc3b\xffffffd8\xffffffd9z\xffffffeb\xffffffc9\xffffff95^b\n\xffffff81\xffffff9e\x1dd\xffffff91Ak\x13q\xffffffc46\xffffffc1B\xffffffb7\xffffffc4u>\xffffffe0&m\xffffff9f@o\xffffffce\xffffff9a\xffffffb4\x04\xffffffdb\xffffff9a\xffffffc7N\x1a\xffffffa0]\xffffff92B\xffffffe3l\xffffffc7"; char global8[0] = "X\xffffffac\xffffff91H\xffffffe6\xffffffa6/\x15cS\xffffffae\xffffffe4+\xffffff92\xffffff84\x14k\x12\xffffffdc\xffffffb1\xffffffd0\xffffff85*G\xffffffa6\xffffffd9\xfffffff0\xffffffb2\xffffffc2\xffffffaa9]W\xffffffca\xffffffa6=p\xffffffd5R\xffffffd4)"; char global10[0] = "\xffffff9aX\xffffffac\xffffff91H\xffffffe6\xffffffa6/\x15cS\xffffffae\xffffffe4+\xffffff92\xffffff84\x14k\x12\xffffffdc\xffffffb1\xffffffd0\xffffff85*G\xffffffa6\xffffffd9\xfffffff0\xffffffb2\xffffffc2\xffffffaa9]W\xffffffca\xffffffa6=p\xffffffd5R\xffffffd4)"; proc2(int param2, int param1); proc3(int param2, int param1); proc4(); proc5(int param1, int param4, int param2, int param3); proc6(int param1, int param4, int param2, int param3); proc7(int param1); proc8(int param1, int param2); proc9(int param1, int param2); void proc10(int param1, int param2); void proc11(); // address: 0x80493f5 int main(int argc, char **argv, char **envp) { int local12; // r27 int local13; // r28 int local14; // r29 int local15; // r30 int local16; // r31 int local4; // %pc{48} int local6; // %pc{118} int local9; // r24 *(int*)(local13 - 4) = local14; *(int*)(local13 - 8) = local16; *(int*)(local13 - 12) = local15; *(int*)(local13 - 16) = local12; local9 = *argv; *(int*)(local13 - 52) = local9; local14 = proc2(local9, local13 - 4); argc = *(int*)(local14 + 12); *(int*)local13 = *(int*)(local14 + 8); local9 = proc3(*(int*)(local14 + 12), *(int*)(local14 + 8)); *(int*)(*(int*)(local14 + 12) + 4) = local9; local9 = *(int*)(local14 + 12) + 4; if (*(int*)local9 == 0) { local15 = 0x80495e2; } else { local9 = *(int*)(local14 + 12) + 4; local15 = *(int*)local9; } __errno_location(); local6 = local4; if (*(int*)local9 == 0) { local12 = 0x80495e9; } else { __errno_location(); *(int*)local13 = *(int*)local9; strerror(); local12 = local9; } __errno_location(); if (*(int*)local9 == 0) { local9 = 0x80495e9; } else { local9 = 0x80495ea; } *(int*)(local13 + 20) = local15; *(int*)(local13 + 16) = local12; envp = local9; argv = *(int*)*(int*)(local14 + 12); argc = 0x80495ed; *(int*)local13 = stderr; fprintf("%s%s%s: %s\n", stderr); return 1; } // address: 0x8048ede proc2(int param2, int param1) { int local1; // r24{138} int local11; // %pc{71} int local12; // r24{72} int local14; // %pc{57} int local15; // r24{58} int local23; // %pc{18} int local24; // r29{3} int local25; // %pc{178} int local26; // %pc{193} char *local27; // r29{201} int local28; // r8 int local29; // r24 int local32; // r28 int local9; // r24{87} *(int*)(local32 - 4) = param1; local24 = local32 - 4; *(int*)(local32 - 112) = param2; *(int*)(local32 - 16) = *(int*)20; fork(); local26 = local23; local27 = local24; local27 = local24; *(int*)(local32 - 100) = local29; if (local29 == -1) { L2: *(int*)(local32 - 140) = param2; perror(param2); *(int*)(local32 - 140) = 1; _exit(); } else { if (local29 != 0) { *(int*)(local32 - 132) = 0; *(int*)(local32 - 136) = 0; *(int*)(local32 - 140) = local29; waitpid(); if (local1 == local29) { local27 = param1; } else { goto L2; } } else { getppid(); *(int*)(local32 - 100) = local29; *(int*)(local32 - 132) = local29; *(int*)(local32 - 136) = 0x80495d6; *(int*)(local32 - 140) = local32 - 96; sprintf(local32 - 96, "/proc/%d/as", local29); *(int*)(local32 - 140) = 0; close(); *(int*)(local32 - 136) = 130; *(int*)(local32 - 140) = local32 - 96; open(); local25 = local14; local28 = (local15 == 0) ? 1 : 0; *(int*)(local32 - 104) = (local28); if ((local28) == 0) { __errno_location(); local25 = local11; if (*(int*)local12 != 16) { *(int*)(local32 - 128) = 0; *(int*)(local32 - 132) = 0; *(int*)(local32 - 136) = local29; *(int*)(local32 - 140) = 16; ptrace(); local28 = (local9 == 0) ? 1 : 0; *(int*)(local32 - 104) = (local28); } } if (*(int*)(local32 - 104) == 0) { *(int*)(local32 - 140) = param2; perror(param2); *(int*)(local32 - 136) = 9; *(int*)(local32 - 140) = local29; kill(); } else { *(int*)(local32 - 136) = 18; *(int*)(local32 - 140) = local29; kill(); } *(int*)(local32 - 140) = local29; *(int*)(local32 - 140) = *(int*)(local32 - 104); _exit(); } } param1 = local27; return param1; } // address: 0x8049032 proc3(int param2, int param1) { int local10; // m[r28 - 28] int local11; // m[r28 - 24] int local12; // r24{388} int local13; // r24{495} int local14; // r24{377} int local15; // r24{374} int local16; // r24{129} int local17; // r24{364} int local18; // r24{342} int local19; // r24{328} int local20; // r24{270} int local23; // r24{245} int local25; // r24{225} int local37; // r24{182} int local53; // r24{44} int local54; // r26{44} int local61; // local13{495} char local62; // r8 char local63; // r10 char local64; // r24 char local66; // r26 char local67; // r28 int local9; // m[r28 - 16] local63 = proc4(); /* Warning: also results in local66 */ local63 = proc5(0x8053084, 256, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x804b0b6, 46, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x804b110, 1, local63, local66); /* Warning: also results in local66 */ if ((unsigned char) (global5) == 0) { L53: local63 = proc6(0x804b110, 1, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x805319e, 3, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x8053034, 15, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x804b12c, 1, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x80531a3, 22, local63, local66); /* Warning: also results in local66 */ local63 = proc5(0x80531a3, 22, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x80531bf, 22, local63, local66); memcmp(); if (local64 == 0) { local16 = proc7(0x80531bf); /* Warning: also results in local66 */ local63 = proc6(0x80531bf, 22, local63, local66); if (local16 >= 0) { calloc(); if (local64 != 0) { if (local16 == 0) { if ((unsigned char) (global7) == 0) { local20 = *(int*)param1; local9 = local20; L15: *(char*)local64 = *(int*)param1; local10 = 1; if (local16 != 0) { if ((unsigned char) (global8) != 0) { *(int*)(local64 + 4) = 0x804b12d; local10 = 2; } } if ((unsigned char) (global9) != 0) { local19 = local10 * 4 + local64; *(int*)local19 = 0x805319e; local10++; } local18 = local10 * 4 + local64; *(int*)local18 = local9; local10++; if ((unsigned char) (global10) != 0) { local17 = local10 * 4 + local64; *(int*)local17 = 0x804b12c; local10++; } if (local16 <= 1) { local14 = 0; local61 = local14; } else { local15 = local16; local61 = local15; } local13 = local61; local11 = local13; while (local11 < param2) { local12 = local10 * 4 + local64; local66 = local11 * 4 + param1; *(int*)local12 = *(char*)local66; local10++; local11++; } local64 = local10 * 4 + local64; *(char*)local64 = 0; execvp(); local64 = 0x804b0ef; local62 = 239; } else { local23 = malloc(512); local9 = local23; if (local23 != 0) { sprintf(local23, " \t,\xffffffa5\xffffff9e[6\xffffffe0\xffffffae'L\x1a]?\xfffffff4\xffffffe6\xffffffab\xfffffffc\xffffffe4I\xffffffaeX?\xffffff99"); goto L15; } else { local64 = 0; local62 = 0; } } } else { local63 = proc6(0x80531bf, 22, local63, local66); /* Warning: also results in local66 */ if ((unsigned char) (global6) != 0) { L30: local63 = proc6(0x80531bf, 22, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x80531bf, 22, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x80531bf, 22, local63, local66); /* Warning: also results in local66 */ local63 = proc5(0x80531bf, 22, local63, local66); /* Warning: also results in local66 */ local63 = proc6(0x80531bf, 22, local63, local66); memcmp(); if (local25 == 0) { local9 = 0x804be2c; goto L15; } else { local64 = 0x804b115; local62 = 21; } } else { local37 = proc8(0x80531bf, local63); /* Warning: also results in local63, local66 */ if (local37 == 0) { goto L30; } else { local64 = 0x804b0ef; local62 = 239; } } } } else { local64 = 0; local62 = 0; } } else { local64 = 0x804b0a1; local62 = 161; } } else { local64 = 0x80531a3; local62 = 163; } } else { atoll(); time(); local66 = local64 >> 31; if (local54 > local64 >> 31) { goto L53; } else { if (local54 < local64 >> 31) { L54: local64 = 0x804b0b6; local62 = 182; } else { if ((unsigned)local53 >= (unsigned)local64) { goto L53; } else { goto L54; } } } } return local64; /* WARNING: Also returning: local62, local63 */ } // address: 0x8048a94 proc4() { char local2; // r24 global0 = 0; global1 = 0; global2 = 0; do { local2 = ((unsigned char) *(unsigned char*)0x8053300); *(char*)(local2 + 0x8053200) = (unsigned char) *(unsigned char*)0x8053300; local2 = *(unsigned char*)0x8053300 + 1; global2 = (unsigned char) local2; } while ((unsigned char) ((unsigned char) local2) != 0); return (unsigned char) *(unsigned char*)0x8053300; /* WARNING: Also returning: *(unsigned char*)0x8053300 */ } // address: 0x8048ae9 proc5(int param1, int param4, int param2, int param3) { int local1; // m[r28 - 12] int local10; // r28 long long local11; // tmpl int local3; // r24{67} int local4; // r24{56} int local5; // r24{44} int local6; // r24{27} int local7; // m[0x8053302]{104} int local8; // r8 int local9; // r24 local1 = param1; while (param4 > 0) { do { local9 = ((unsigned char) *(unsigned char*)0x8053300); local9 = (global3[local9]); local8 = (unsigned char) (local7); local8 = (local8 + (unsigned char) local9); global0 = local8; local6 = ((unsigned char) *(unsigned char*)0x8053300); local11 = local6 >> 31 << 32 | local6; local5 = local11 % param4 + local1; global0 = (unsigned char) *(unsigned char*)local5 + (local8); local4 = ((unsigned char) *(unsigned char*)0x8053300); param3 = ((unsigned char) *(unsigned char*)0x8053302); param3 = (global3[param3]); *(char*)(local4 + 0x8053200) = (unsigned char) param3; local3 = ((unsigned char) *(unsigned char*)0x8053302); param3 = ((unsigned char) local9); param2 = (unsigned char) ((unsigned char) local9); *(char*)(local3 + 0x8053200) = (unsigned char) ((unsigned char) local9); local9 = *(unsigned char*)0x8053300 + 1; global2 = (unsigned char) local9; } while ((unsigned char) ((unsigned char) local9) != 0); local1 += 256; param4 = param4 - 256; } return param2; /* WARNING: Also returning: param3 */ } // address: 0x8048bb3 proc6(int param1, int param4, int param2, int param3) { int local1; // m[r28 - 12] int local10; // r24 int local11; // r28 char local2; // m[r28 - 5] int local3; // r26{61} int local4; // r24{45} int local5; // r24{22} int local6; // r24{34} int local7; // r24{20} int local8; // m[m[r28 - 12]]{72} int local9; // r8 local1 = param1; while (param4 > 0) { local10 = *(unsigned char*)0x8053300 + 1; global2 = (unsigned char) local10; local7 = ((unsigned char) ((unsigned char) local10)); local5 = (global3[local7]); local9 = (unsigned char) *(unsigned char*)0x8053301; local9 = (local9 + (unsigned char) local5); global1 = local9; local6 = ((unsigned char) ((unsigned char) local10)); param3 = ((unsigned char) (local9)); param3 = (global3[param3]); *(char*)(local6 + 0x8053200) = (unsigned char) param3; local4 = ((unsigned char) (local9)); *(char*)(local4 + 0x8053200) = (unsigned char) ((unsigned char) local5); local10 = ((unsigned char) ((unsigned char) local10)); local10 = (global3[local10]); local2 = *(unsigned char*)0x8053300 + (unsigned char) local10; local3 = *(unsigned char*)local1; local10 = *(unsigned char*)(local11 - 5); local10 = (global3[local10]); param3 = local3 ^ local10; param2 = (unsigned char) local3 ^ local10; local8 = (unsigned char) local3 ^ local10; local1++; param4 = param4 - 1; } return param2; /* WARNING: Also returning: param3 */ } // address: 0x8048d69 proc7(int param1) { char local0[1024]; // m[r28 - 528] int local13; // m[r28 - 536] int local14; // m[r28 - 544] int local16; // r24{91} int local18; // r24{44} int local19; // r24{37} int local25; // r24 int local27; // r26 int local28; // r28 getpid(); sprintf(local0, "x%lx", 0x8048d69 ^ local25 * 0xf7fb7296); local19 = getenv(local0); local18 = strlen(local0); if (local19 != 0) { __isoc99_sscanf(); if (local16 != 2) { L2: local25 = -1; } else { if (local13 != (0x8048d69 ^ local25 * 0xf7fb7296)) { goto L2; } else { proc10(environ, 0x80495c0); local25 = param1 - local14 + 1; } } } else { sprintf(local28 - 528 + local18, "=%lu %d", 0x8048d69 ^ local25 * 0xf7fb7296, param1); strdup(); putenv(); local25 = 0; } local27 = 0; return local25; /* WARNING: Also returning: local27 */ } // address: 0x8048c6b proc8(int param1, int param2) { int local0; // m[r28 - 188] int local12; // m[r28 - 64] int local28; // r24 int local30; // r26 int local31; // r28 local28 = proc9(param1, local31 - 100); /* Warning: also results in local30 */ if (local28 >= 0) { memset(&local0, 0, 88); param2 = proc5(local31 - 188, 88, param2, local12); /* Warning: also results in local30 */ local28 = 0; } else { local28 = -1; } return local28; /* WARNING: Also returning: param2, local30 */ } // address: 0x8049530 proc9(int param1, int param2) { int local10; // r28 int local7; // r24 int local9; // r26 proc11(); local7 = stat(3, param1, param2); return local7; /* WARNING: Also returning: local9 */ } // address: 0x8048d23 void proc10(int param1, int param2) { int local1; // m[m[r28 + 4]]{28} int local2; // r24 int local3; // r28 while (param1 != 0) { local2 = *(int*)param1; if (local2 == 0) { break; } local2 = *(int*)param1; if (local2 == param2) { break; } param1 += 4; } while (param1 != 0) { local2 = *(int*)param1; if (local2 == 0) { break; } local1 = *(int*)(param1 + 4); param1 += 4; } return; } // address: 0x804952a void proc11() { return; } + Multi-Zitat Zitieren
#7 12. August 2010 AW: Shell Script Decrypt Hier mein zweiter versuch mit Hex Decompiler Code: Detected compiler: GNU C++ */ #include <defs.h> //------------------------------------------------------------------------- // Data declarations extern _UNKNOWN start; // weak extern char format[]; // idb extern char aLuD[]; // idb extern char aLuDC[9]; // weak extern char aProcDAs[]; // idb extern char aNull[7]; // weak extern _UNKNOWN unk_80495E9; // weak extern char asc_80495EA[3]; // weak extern char aSSSS[]; // idb extern int dword_804AF0C; // weak extern int dword_804AF14[]; // weak extern _UNKNOWN unk_804AF18; // weak extern int dword_804AF1C; // weak extern _UNKNOWN unk_804B0A1; // weak extern _UNKNOWN unk_804B0B6; // weak extern char file[7]; // idb extern _UNKNOWN unk_804B0FA; // weak extern char nptr[1]; // idb extern _UNKNOWN unk_804B111; // weak extern _UNKNOWN unk_804B115; // weak extern _UNKNOWN unk_804B12C; // weak extern _UNKNOWN unk_804B12D; // weak extern _UNKNOWN unk_804BE2C; // weak extern char aEu6roL[11]; // idb extern _UNKNOWN unk_8053084; // weak extern _UNKNOWN unk_805319E; // weak extern _UNKNOWN unk_80531A3; // weak extern _UNKNOWN unk_80531BF; // weak extern FILE *stderr; // idb extern int environ; // weak extern char byte_80531E8; // weak extern int dword_80531EC; // weak extern char byte_8053200[]; // weak extern char byte_8053300; // weak extern char byte_8053301; // weak extern char byte_8053302; // weak // extern _UNKNOWN _gmon_start__; weak //------------------------------------------------------------------------- // Function declarations int __cdecl init_proc(); int *__errno_location(void); int sprintf(char *s, const char *format, ...); int open(const char *file, int oflag, ...); __pid_t getpid(void); char *strerror(int errnum); int memcmp(const void *s1, const void *s2, size_t n); int __xstat(int ver, const char *filename, struct stat *stat_buf); int __gmon_start__(void); // weak int __isoc99_sscanf(_DWORD, const char *, ...); // weak __int32 ptrace(enum __ptrace_request request, ...); char *getenv(const char *name); void *calloc(size_t nmemb, size_t size); void *memset(void *s, int c, size_t n); void _exit(int status); void perror(const char *s); __int64 atoll(const char *nptr); int execvp(const char *file, char *const *argv); size_t strlen(const char *s); __pid_t getppid(void); __pid_t waitpid(__pid_t pid, int *stat_loc, int options); int putenv(char *string); int close(int fd); int fprintf(FILE *stream, const char *format, ...); time_t time(time_t *timer); void *malloc(size_t size); int __fastcall __stack_chk_fail(_DWORD, _DWORD); // weak __pid_t fork(void); int kill(__pid_t pid, int sig); char *strdup(const char *s); void __cdecl sub_8048A10(); int __cdecl sub_8048A70(); int __cdecl sub_8048A94(); int __cdecl sub_8048AE9(int a1, signed int a2); int __cdecl sub_8048BB3(int a1, int a2); signed int __cdecl sub_8048C6B(const char *filename); int __cdecl sub_8048D23(int a1, int a2); int __cdecl sub_8048D69(int); // weak int __cdecl sub_8048EDE(const char *a1); _UNKNOWN *__cdecl sub_8049032(int a1, void **a2); signed int __cdecl sub_80493F5(int a1, int a2); void __cdecl sub_80494C0(); int *__cdecl sub_80494D0(); void __cdecl sub_804952A(); int __cdecl sub_8049530(const char *filename, struct stat *a2); void (*__cdecl sub_8049570())(void); void __cdecl term_proc(); //----- (080487B4) -------------------------------------------------------- int __cdecl init_proc() { int v1; // ST04_4@3 if ( &_gmon_start__ ) __gmon_start__(); sub_8048A70(); sub_8049570(); return v1; } // 8048864: using guessed type int __gmon_start__(void); //----- (080489E0) -------------------------------------------------------- #error "80489E3: positive sp value has been found (funcsize=2)" //----- (08048A10) -------------------------------------------------------- void __cdecl sub_8048A10() { int v0; // eax@2 int i; // ebx@2 if ( !byte_80531E8 ) { v0 = dword_80531EC; for ( i = ((signed int)(&unk_804AF18 - (_UNKNOWN *)dword_804AF14) >> 2) - 1; dword_80531EC < (unsigned int)i; v0 = dword_80531EC ) { dword_80531EC = v0 + 1; ((void (*)(void))dword_804AF14[dword_80531EC])(); } byte_80531E8 = 1; } } // 804AF14: using guessed type int dword_804AF14[]; // 80531E8: using guessed type char byte_80531E8; // 80531EC: using guessed type int dword_80531EC; //----- (08048A70) -------------------------------------------------------- int __cdecl sub_8048A70() { int result; // eax@1 result = dword_804AF1C; if ( dword_804AF1C ) result = 0; return result; } // 804AF1C: using guessed type int dword_804AF1C; //----- (08048A94) -------------------------------------------------------- int __cdecl sub_8048A94() { int result; // eax@2 byte_8053302 = 0; byte_8053301 = byte_8053302; byte_8053300 = byte_8053301; do { byte_8053200[(unsigned __int8)byte_8053300] = byte_8053300; ++byte_8053300; result = (unsigned __int8)byte_8053300; } while ( byte_8053300 ); return result; } // 8053300: using guessed type char byte_8053300; // 8053301: using guessed type char byte_8053301; // 8053302: using guessed type char byte_8053302; //----- (08048AE9) -------------------------------------------------------- int __cdecl sub_8048AE9(int a1, signed int a2) { int result; // eax@1 char v3; // ST0F_1@2 int v4; // [sp+8h] [bp-8h]@1 result = a1; v4 = a1; while ( a2 > 0 ) { do { v3 = byte_8053200[(unsigned __int8)byte_8053300]; byte_8053302 += v3; byte_8053302 += *(_BYTE *)(v4 + (unsigned __int8)byte_8053300 % a2); byte_8053200[(unsigned __int8)byte_8053300] = byte_8053200[(unsigned __int8)byte_8053302]; byte_8053200[(unsigned __int8)byte_8053302] = v3; ++byte_8053300; result = (unsigned __int8)byte_8053300; } while ( byte_8053300 ); v4 += 256; a2 -= 256; } return result; } // 8053300: using guessed type char byte_8053300; // 8053302: using guessed type char byte_8053302; //----- (08048BB3) -------------------------------------------------------- int __cdecl sub_8048BB3(int a1, int a2) { int result; // eax@1 char v3; // ST0F_1@2 int v4; // [sp+8h] [bp-8h]@1 result = a1; v4 = a1; while ( a2 > 0 ) { ++byte_8053300; v3 = byte_8053200[(unsigned __int8)byte_8053300]; byte_8053301 += v3; byte_8053200[(unsigned __int8)byte_8053300] = byte_8053200[(unsigned __int8)byte_8053301]; byte_8053200[(unsigned __int8)byte_8053301] = v3; result = v4; *(_BYTE *)v4++ ^= byte_8053200[(unsigned __int8)(byte_8053200[(unsigned __int8)byte_8053300] + v3)]; --a2; } return result; } // 8053300: using guessed type char byte_8053300; // 8053301: using guessed type char byte_8053301; //----- (08048C6B) -------------------------------------------------------- signed int __cdecl sub_8048C6B(const char *filename) { signed int result; // eax@2 int s; // [sp+10h] [bp-B8h]@3 int v3; // [sp+14h] [bp-B4h]@3 int v4; // [sp+1Ch] [bp-ACh]@3 int v5; // [sp+28h] [bp-A0h]@3 int v6; // [sp+2Ch] [bp-9Ch]@3 int v7; // [sp+30h] [bp-98h]@3 int v8; // [sp+34h] [bp-94h]@3 int v9; // [sp+3Ch] [bp-8Ch]@3 int v10; // [sp+50h] [bp-78h]@3 int v11; // [sp+58h] [bp-70h]@3 int v12; // [sp+68h] [bp-60h]@1 int v13; // [sp+6Ch] [bp-5Ch]@3 int v14; // [sp+74h] [bp-54h]@3 int v15; // [sp+80h] [bp-48h]@3 int v16; // [sp+84h] [bp-44h]@3 int v17; // [sp+88h] [bp-40h]@3 int v18; // [sp+8Ch] [bp-3Ch]@3 int v19; // [sp+94h] [bp-34h]@3 int v20; // [sp+A8h] [bp-20h]@3 int v21; // [sp+B0h] [bp-18h]@3 if ( sub_8049530(filename, (struct stat *)&v12) >= 0 ) { memset(&s, 0, 0x58u); v4 = v14; s = v12; v3 = v13; v7 = v17; v8 = v18; v5 = v15; v6 = v16; v9 = v19; v10 = v20; v11 = v21; sub_8048AE9((int)&s, 88); result = 0; } else { result = -1; } return result; } //----- (08048D23) -------------------------------------------------------- int __cdecl sub_8048D23(int a1, int a2) { int result; // eax@4 while ( a1 ) { result = *(_DWORD *)a1; if ( !*(_DWORD *)a1 ) break; result = *(_DWORD *)a1; if ( *(_DWORD *)a1 == a2 ) break; a1 += 4; } while ( a1 ) { result = *(_DWORD *)a1; if ( !*(_DWORD *)a1 ) break; result = a1; *(_DWORD *)a1 = *(_DWORD *)(a1 + 4); a1 += 4; } return result; } //----- (08048D69) -------------------------------------------------------- int __cdecl sub_8048D69(int a1) { int result; // eax@2 int v2; // ecx@2 char *v3; // eax@2 char *v4; // [sp+24h] [bp-224h]@1 int v5; // [sp+2Ch] [bp-21Ch]@3 size_t v6; // [sp+30h] [bp-218h]@1 int v7; // [sp+34h] [bp-214h]@3 unsigned int v8; // [sp+38h] [bp-210h]@1 char s[512]; // [sp+3Ch] [bp-20Ch]@1 int v10; // [sp+23Ch] [bp-Ch]@1 v10 = *MK_FP(__GS__, 20); v8 = ~(unsigned int)sub_8048D69 * getpid() ^ (unsigned int)sub_8048D69; sprintf(s, "x%lx", v8); v4 = getenv(s); v6 = strlen(s); if ( v4 ) { if ( __isoc99_sscanf(v4, "%lu %d%c", &v7, &v5, s) != 2 || v7 != v8 ) { result = -1; } else { sub_8048D23(environ, (int)&v4[~v6]); v2 = a1 - v5; result = a1 - v5 + 1; } } else { sprintf(&s[v6], "=%lu %d", v8, a1); v3 = strdup(s); putenv(v3); result = 0; } if ( *MK_FP(__GS__, 20) != v10 ) __stack_chk_fail(v2, *MK_FP(__GS__, 20) ^ v10); return result; } // 8048874: using guessed type int __isoc99_sscanf(_DWORD, const char *, ...); // 8048994: using guessed type int __fastcall __stack_chk_fail(_DWORD, _DWORD); // 8048D69: using guessed type int __cdecl sub_8048D69(int); // 80531E4: using guessed type int environ; // 8048D69: using guessed type char s[512]; //----- (08048EDE) -------------------------------------------------------- int __cdecl sub_8048EDE(const char *a1) { __pid_t v1; // eax@1 int v2; // eax@3 int v3; // edx@10 int v4; // ecx@10 int result; // eax@13 int v6; // [sp+24h] [bp-64h]@3 __pid_t v7; // [sp+28h] [bp-60h]@3 char file; // [sp+2Ch] [bp-5Ch]@3 int v9; // [sp+7Ch] [bp-Ch]@1 v9 = *MK_FP(__GS__, 20); v1 = fork(); if ( v1 == -1 ) goto LABEL_17; if ( !v1 ) { v7 = getppid(); sprintf(&file, "/proc/%d/as", v7); close(0); v2 = open(&file, 130); v6 = v2 == 0; if ( v2 != 0 ) { if ( *__errno_location() != 16 ) v6 = ptrace(PTRACE_ATTACH, v7, 0, 0) == 0; } if ( v6 ) { kill(v7, 18); } else { perror(a1); kill(v7, 9); } _exit(v6); } if ( waitpid(v1, 0, 0) != v1 ) { LABEL_17: perror(a1); _exit(1); } result = *MK_FP(__GS__, 20) ^ v9; if ( *MK_FP(__GS__, 20) != v9 ) __stack_chk_fail(v4, v3); return result; } // 8048994: using guessed type int __fastcall __stack_chk_fail(_DWORD, _DWORD); //----- (08049032) -------------------------------------------------------- _UNKNOWN *__cdecl sub_8049032(int a1, void **a2) { signed int v2; // eax@2 unsigned int v3; // ebx@2 signed int v4; // esi@2 __int64 v5; // qax@2 int v7; // eax@32 void *v8; // [sp+1Ch] [bp-1Ch]@10 signed int v9; // [sp+20h] [bp-18h]@24 int v10; // [sp+20h] [bp-18h]@29 int i; // [sp+24h] [bp-14h]@34 int v12; // [sp+28h] [bp-10h]@8 void *v13; // [sp+2Ch] [bp-Ch]@18 sub_8048A94(); sub_8048AE9((int)&unk_8053084, 256); sub_8048BB3((int)&unk_804B0B6, 46); sub_8048BB3((int)"¤", 1); if ( nptr[0] ) { v5 = atoll("¤"); v3 = v5; v4 = HIDWORD(v5); v2 = time(0); if ( v4 <= v2 >> 31 ) { if ( v4 < v2 >> 31 || v3 < v2 ) return &unk_804B0B6; } } sub_8048BB3((int)"\"\v|\bÉ>È", 10); sub_8048BB3((int)&unk_805319E, 3); sub_8048BB3((int)" \t,¥?[6à®'L", 15); sub_8048BB3((int)&unk_804B12C, 1); sub_8048BB3((int)&unk_80531A3, 22); sub_8048AE9((int)&unk_80531A3, 22); sub_8048BB3((int)&unk_80531BF, 22); if ( memcmp(&unk_80531A3, &unk_80531BF, 0x16u) ) return &unk_80531A3; v12 = sub_8048D69(a1); sub_8048BB3((int)&unk_804B0A1, 19); if ( v12 < 0 ) return &unk_804B0A1; v8 = calloc(a1 + 10, 4u); if ( !v8 ) return 0; if ( v12 ) { sub_8048BB3((int)&unk_804B111, 1); if ( !unk_804B111 && sub_8048C6B("\"\v|\bÉ>È") ) return (_UNKNOWN *)"\"\v|\bÉ>È"; sub_8048BB3((int)&unk_804B12D, 1); sub_8048BB3((int)&unk_804BE2C, 25348); sub_8048BB3((int)&unk_804B115, 19); sub_8048AE9((int)&unk_804B115, 19); sub_8048BB3((int)&unk_804B0FA, 19); if ( memcmp(&unk_804B115, &unk_804B0FA, 0x13u) ) return &unk_804B115; v13 = &unk_804BE2C; } else { if ( aEu6roL[0] ) { v13 = malloc(0x200u); if ( !v13 ) return 0; sprintf((char *)v13, " \t,¥?[6à®'L", *a2); } else { v13 = *a2; } } *(_DWORD *)v8 = *a2; v9 = 1; if ( v12 ) { if ( unk_804B12D ) { *((_DWORD *)v8 + 1) = &unk_804B12D; v9 = 2; } } if ( unk_805319E ) *((_DWORD *)v8 + v9++) = &unk_805319E; *((_DWORD *)v8 + v9) = v13; v10 = v9 + 1; if ( unk_804B12C ) *((_DWORD *)v8 + v10++) = &unk_804B12C; if ( v12 <= 1 ) v7 = 0; else v7 = v12; for ( i = v7; i < a1; ++i ) *((_DWORD *)v8 + v10++) = a2[i]; *((_DWORD *)v8 + v10) = 0; execvp("\"\v|\bÉ>È", (char *const *)v8); return (_UNKNOWN *)"\"\v|\bÉ>È"; } // 8048D69: using guessed type int __cdecl sub_8048D69(int); //----- (080493F5) -------------------------------------------------------- signed int __cdecl sub_80493F5(int a1, int a2) { int v2; // esi@2 int *v3; // eax@5 char *v4; // ebx@5 _UNKNOWN *v5; // eax@8 sub_8048EDE(*(const char **)a2); *(_DWORD *)(a2 + 4) = sub_8049032(a1, (void **)a2); if ( *(_DWORD *)(a2 + 4) ) v2 = *(_DWORD *)(a2 + 4); else v2 = (int)"<null>"; if ( *__errno_location() ) { v3 = __errno_location(); v4 = strerror(*v3); } else { v4 = (char *)&unk_80495E9; } if ( *__errno_location() ) v5 = (_UNKNOWN *)": "; else v5 = &unk_80495E9; fprintf(stderr, "%s%s%s: %s\n", *(_DWORD *)a2, v5, v4, v2); return 1; } //----- (080494C0) -------------------------------------------------------- void __cdecl sub_80494C0() { ; } //----- (080494D0) -------------------------------------------------------- int *__cdecl sub_80494D0() { init_proc(); return &dword_804AF0C; } // 804AF0C: using guessed type int dword_804AF0C; //----- (0804952A) -------------------------------------------------------- void __cdecl sub_804952A() { ; } //----- (08049530) -------------------------------------------------------- int __cdecl sub_8049530(const char *filename, struct stat *a2) { return __xstat(3, filename, a2); } //----- (08049570) -------------------------------------------------------- void (*__cdecl sub_8049570())(void) { void (*result)(void); // eax@1 int *v1; // ebx@2 result = (void (*)(void))dword_804AF0C; if ( dword_804AF0C != -1 ) { v1 = &dword_804AF0C; do { --v1; result(); result = (void (*)(void))*v1; } while ( *v1 != -1 ); } return result; } // 804AF0C: using guessed type int dword_804AF0C; //----- (0804959C) -------------------------------------------------------- void __cdecl term_proc() { sub_8048A10(); } #error "There were 1 decompilation failure(s) on 19 function(s)" + Multi-Zitat Zitieren
#8 12. August 2010 AW: Shell Script Decrypt Wie Murdoc schon sagte, ist das keine Shellscript sondern eine ganz normale ELF-Binary: Code: pyro@exuma:~ $ file Downloads/start.sh Downloads/start.sh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped An den originalen Source wirst du nicht rankommen. Mit dem Assemblercode wirst du ebenfalls nichts anfangen können. Vllt. fragst du einfach beim Autor nach, ob er dir deine Features einbauen kann. + Multi-Zitat Zitieren