
Comments (12)

yanncam commented on May 25, 2024

Is your input file "jie" a *.sh file encrypted with SHc?
What is the Linux distro used to encrypt this file?
What is the OS architecture used during file encryption? (x86, x64, ARM...)


YMXZ commented on May 25, 2024

This is the address of the file.
https://transfer.sh/TDEze/jie


yanncam commented on May 25, 2024

Your file seems to be a hack tool from China (be careful).
The initial "*.sh" source code is "huge", so the final encrypted binary called "jie" is "huge" too.

When "UnSHc" tries to automatically identify the "arc4" offset from the encrypted binary, 4 different offsets are identified:

$ objdump -D jie > OBJFILE
$ objdump -s jie > STRINGFILE
$ grep -Eo "call.*[0-9a-f]{6,}" OBJFILE | grep -Eo "[0-9a-f]{6,}" | sort | uniq -c | sort | grep -Eo "(14).*[0-9a-f]{6,}" | grep -Eo "[0-9a-f]{6,}"
14d571ca
4005d0
412b00
41c2d0

With the first one ("14d571ca", automatically chosen by UnSHc by default), UnSHc can't decrypt the file because it's not the right offset for the ARC4 function.

So you need to pass the other potential offsets manually to UnSHc as a parameter:

$ ./unshc.sh jie -a 4005d0 -o jie.sh
 _   _       _____ _   _
| | | |     /  ___| | | |
| | | |_ __ \ `--.| |_| | ___
| | | | '_ \ `--. \  _  |/ __|
| |_| | | | /\__/ / | | | (__
 \___/|_| |_\____/\_| |_/\___|

--- UnSHc - The shc decrypter.
--- Version: 0.6
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------

[*] Input file name to decrypt [jie]
[+] ARC4() offset function call address specified [0x4005d0]
[+] Output file name specified [jie.sh]
[*] Extracting each args address and size for the 14 arc4() calls...
        [0] Working with var address at offset [0x6b7d2e] (0x3b bytes)
        [1] Working with var address at offset [0x6b7e9d] (0xb bytes)
        [2] Working with var address at offset [0x6b7e8e] (0xa bytes)
        [3] Working with var address at offset [0x6b7e99] (0x3 bytes)
        [4] Working with var address at offset [0x6b7ea9] (0xf bytes)
        [5] Working with var address at offset [0x6b7eb8] (0x1 bytes)
        [6] Working with var address at offset [0x6b7ebe] (0x16 bytes)
        [7] Working with var address at offset [0x6a7200] (0x16 bytes)
        [8] Working with var address at offset [0x6a7219] (0x13 bytes)
        [9] Working with var address at offset [0x6a7242] (0x1 bytes)
        [10] Working with var address at offset [0x6b7d2d] (0x1 bytes)
        [11] Working with var address at offset [0x6a86b2] (0xc67f bytes)
        [12] Working with var address at offset [0x6a722f] (0x13 bytes)
        [13] Working with var address at offset [0x6a7245] (0x13 bytes)
[*] Extracting password...
        [+] PWD address found : [0x6b7d82]
        [+] PWD size found : [0x100]
[*] Executing [/tmp/boBN2O] to decrypt [jie]
[*] Retrieving initial source code in [jie.sh]
[*] All done!

With this specific offset (4005d0), your "jie" file is correctly decrypted. Check yourself :) !

I will improve UnSHc soon to automatically try the other ARC4 offsets and auto-decrypt this kind of "huge" file. Thank you for the sample/use-case.

Sincerely,


FuaerCN commented on May 25, 2024

Hello, what encryption method is this, and how is it encrypted?


yanncam commented on May 25, 2024

A *.sh.x file is encrypted with the SHc tool via the ARC4 (open-source RC4) symmetric encryption algorithm.
UnSHc is used to decrypt this kind of file.
Please refer to the README.md for more information: https://github.com/yanncam/UnSHc


FuaerCN commented on May 25, 2024

https://transfer.sh/TDEze/jie
Curious how this is done; the volume is so big.


YMXZ commented on May 25, 2024

[*] Input file name to decrypt [kangml-ce7web]
[-] Unable to define arc4() call address...
Decryption failure.
File address:
https://transfer.sh/11r50u/ksf


YMXZ commented on May 25, 2024

@yanncam


YMXZ commented on May 25, 2024

And this one:
https://transfer.sh/H0gme/zyzh
Sorry for the inconvenience.


yanncam commented on May 25, 2024

Hello @FuaerCN,

Thanks to your "jie" file, I have improved "UnSHc" with a new functionality. UnSHc can now automatically try every ARC4 call candidate for decryption.

UnSHc v0.7 is now available and pushed on GitHub; you can use it.

As you can see, your "jie" file is now auto-decrypted:

$ ./unshc.sh jie
 _   _       _____ _   _
| | | |     /  ___| | | |
| | | |_ __ \ `--.| |_| | ___
| | | | '_ \ `--. \  _  |/ __|
| |_| | | | /\__/ / | | | (__
 \___/|_| |_\____/\_| |_/\___|

--- UnSHc - The shc decrypter.
--- Version: 0.7
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------

[*] Input file name to decrypt [jie]
[+] ARC4 address call candidate : [0x41c2d0]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x41c2d0]...
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x41c2d0]...
[+] ARC4 address call candidate : [0x412b00]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x412b00]...
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x412b00]...
[+] ARC4 address call candidate : [0x4005d0]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x4005d0]...
        [0] Working with var address at offset [0x6b7d2e] (0x3b bytes)
        [1] Working with var address at offset [0x6b7e9d] (0xb bytes)
        [2] Working with var address at offset [0x6b7e8e] (0xa bytes)
        [3] Working with var address at offset [0x6b7e99] (0x3 bytes)
        [4] Working with var address at offset [0x6b7ea9] (0xf bytes)
        [5] Working with var address at offset [0x6b7eb8] (0x1 bytes)
        [6] Working with var address at offset [0x6b7ebe] (0x16 bytes)
        [7] Working with var address at offset [0x6a7200] (0x16 bytes)
        [8] Working with var address at offset [0x6a7219] (0x13 bytes)
        [9] Working with var address at offset [0x6a7242] (0x1 bytes)
        [10] Working with var address at offset [0x6b7d2d] (0x1 bytes)
        [11] Working with var address at offset [0x6a86b2] (0xc67f bytes)
        [12] Working with var address at offset [0x6a722f] (0x13 bytes)
        [13] Working with var address at offset [0x6a7245] (0x13 bytes)
[*] Extracting password...
        [+] PWD address found : [0x6b7d82]
        [+] PWD size found : [0x100]
[*] Executing [/tmp/As1xoI] to decrypt [jie]
[*] Retrieving initial source code in [jie.sh]
[*] All done!

Concerning "zyzh" and "ksf", I think these files are not encrypted via SHc, so UnSHc can't decrypt them.

Sincerely,

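The candidate search behind the objdump pipeline in the earlier reply, and the list of candidates that v0.7 walks through one by one, as an added example that is not UnSHc's own code: shc emits 14 arc4() calls, so the function's address is a call target that appears exactly 14 times. The objdump-style listing here is constructed, not taken from a real binary, and the count is read from the first field of `uniq -c`, so an address that merely contains the digits "14" (like 14d571ca above) is not reported.

```shell
#!/bin/sh
# Added example, not UnSHc's own code: list arc4() call-address candidates
# from an "objdump -D" listing. shc emits 14 calls to arc4(), so the real
# arc4() address is the one called exactly 14 times; each candidate printed
# here is one that a v0.7-style loop would try in turn.

# arc4_candidates OBJFILE [NCALLS]
# Prints, sorted, every call target that appears exactly NCALLS times
# (default 14). The count is compared as the first field of "uniq -c",
# so "14" inside an address (e.g. 14d571ca) does not match by itself.
arc4_candidates() {
    objfile="$1"
    ncalls="${2:-14}"
    grep -Eo "call.*[0-9a-f]{6,}" "$objfile" \
        | grep -Eo "[0-9a-f]{6,}" \
        | sort | uniq -c \
        | awk -v n="$ncalls" '$1 == n { print $2 }' \
        | sort
}

# make_sample OUTFILE: write a constructed objdump-style listing (not a real
# binary): 4005d0 and 41c2d0 are each called 14 times, 401030 twice, and one
# indirect call goes through an address that starts with the digits "14".
make_sample() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 14 ]; do
        printf '  401%03x:\te8 00 00 00 00\tcallq  4005d0 <arc4>\n' "$i" >> "$out"
        printf '  402%03x:\te8 00 00 00 00\tcallq  41c2d0 <memcpy@plt>\n' "$i" >> "$out"
        i=$((i + 1))
    done
    printf '  403000:\tff 15 00 00 00 00\tcallq  *0x14d571ca(%%rip)\n' >> "$out"
    printf '  403010:\te8 00 00 00 00\tcallq  401030 <puts@plt>\n' >> "$out"
    printf '  403020:\te8 00 00 00 00\tcallq  401030 <puts@plt>\n' >> "$out"
}

# Stand-alone demo on the constructed listing.
SAMPLE=$(mktemp)
make_sample "$SAMPLE"
arc4_candidates "$SAMPLE"    # prints 4005d0 and 41c2d0
rm -f "$SAMPLE"
```

On a real binary, replace the constructed listing with the OBJFILE produced by `objdump -D`, then pass each printed candidate to `unshc.sh -a` as in the thread.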

cary-sas commented on May 25, 2024

@yanncam
Hello,
Sorry to bother you again. I have one file which should have been shc'd on an ARM machine; I tried to unshc it, also on Ubuntu ARM, with your ARM version of unshc.sh.
I did some modifications to your script (changed /tmp to ~/tmp),
but I can only find a null decrypted file, and still get "Permission denied":

        [+] PWD size found : [256]
PWD:
[*] Executing [/home/ubuntu/tmp/1AVOoi] to decrypt [install.sh.x]
[*] Retrieving initial source code in [script_decrypted.sh]
./unshc.sh: line 756: /home/ubuntu/tmp/1AVOoi: Permission denied

Then I just modified it to "cat $TMPBINARY > ${BINARY%.sh.x}.sh", and I get:
<.ARM.attributes>:
3841
61656100
1006962
2e
726f4305
2d786574
6003941
841070a
12020901
14011304
17011501
19011803
22021a01
44012a01
Address]
[+] PWD size found : [256]
PWD:
[*] Executing [/home/ubuntu/tmp/LBkLWE] to decrypt [install.sh.x]
[*] Retrieving initial source code in [script_decrypted.sh]
[*] All done!

But the output is still null:
ubuntu@instance-20210805-1602:~$ cat script_decrypted.sh

Would you please help me have a look?


firdaus-rx commented on May 25, 2024

 _   _       _____ _   _
| | | |     /  ___| | | |
| | | |_ __ \ `--.| |_| | ___
| | | | '_ \ `--. \  _  |/ __|
| |_| | | | /\__/ / | | | (__
 \___/|_| |_\____/\_| |_/\___|

--- UnSHc - The shc decrypter.
--- Version: 0.8

UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM

- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

[*] Input file name to decrypt [tes.sh.x]
[+] ARC4 address call candidate : [0x14df0218]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x14df0218]...
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x14df0218]...
[+] ARC4 address call candidate : [0x14de0fb8]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x14de0fb8]...
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x14de0fb8]...
[-] Unable to define arc4() call address...

