UnSHC a SHC binary that was not complied by relax security option about unshc HOT 4 CLOSED

Anyone?

from unshc.

Hello,

Sorry for the late response.
I haven't any good solution for this case where the -r option was missing initialy.
UnSHc doesn't seem to be able to recover this kind of encrypted file not-relaxed.

Unfortunately I do not have time right now to dig into this problem.

But I encourage you to try to reverse manually your binary, to understand precisly "what do SHc without the -r parameter ?".

Recently I've written an article in a french-cybersecurity oriented magazine about UnSHc, with all the detailled process to do it manually. You can try this way :

• Part 1 : https://www.miscmag.com/unshc-dechiffrer-des-scripts-sh-compiles-et-chiffres-par-shc-partie-12/
• Part 2 : https://www.miscmag.com/unshc-dechiffrer-des-scripts-sh-compiles-et-chiffres-par-shc-partie-22/

Sincerely,

from unshc.

from unshc.

SHC relax feature (variable rlax on the sources) does use as an encryption/decryption the attributes of the file (/usr/bin/sh or /usr/bin/bash or else is your system use a different shell), by attributes i mean file size, date etc.

	memset(control, 0, sizeof(control));
	control->st_ino = statf->st_ino;
	control->st_dev = statf->st_dev;
	control->st_rdev = statf->st_rdev;
	control->st_uid = statf->st_uid;
	control->st_gid = statf->st_gid;
	control->st_size = statf->st_size;
	control->st_mtime = statf->st_mtime;
	control->st_ctime = statf->st_ctime;

Control variable is then used to generate the key... so if you enable the the -r option that key won't be used otherwise your shell executable need to be the exact same while you built your sh script (even ctime, not just the file version)

In short in order for you to recover your file you need to restore /usr/bin/bash or /usr/bin/sh with the exact same attributes as the time you built your sh script on.

Additional note.

from unshc.