
Some time ago, I wrote some bash scripts for my school. I thought it would be very clever to 'protect' them, so I compiled them with shc into a binary file. Some weeks later, I lost the uncompiled scripts and now I have only my binaries left.

Is there a way to retrieve the scripts back from the shc generated binaries? I looked into the source code of shc to find a way to decompile the binaries, with no luck.

sloth

  • Hopefully you learn your lesson and start using a version control system! (git is a great one) – Daenyth Aug 04 '10 at 18:25

4 Answers


Using shc to compile your scripts does not protect them. You don't get more security this way. The shc compiled binary decrypts and loads the script into memory when started. You could then, right after you started the binary, just segfault it and retrieve your script from the coredump.

Here's a little example script named test.sh:

#! /bin/bash
echo "starting script and doing stuff"
sleep 1
echo "finished doing stuff"

Compile it with shc:

shc -f test.sh

Start it as background process and segfault it right away:

./test.sh.x&  ( sleep 0.2 && kill -SIGSEGV $! )

sleep 0.2 will give the binary enough time to start up and decrypt the original script. The variable $! contains the pid of the last background process started, so we can easily kill it with the segmentation fault signal SIGSEGV (same as kill -11 $!).

[1]  + segmentation fault (core dumped)  ./test.sh.x

Now we can search the dump for the original script:

cat core | strings

We pipe the data in the dumpfile to strings, which will then show us all the printable characters in the file and we can now see the original script between the garbage:

...
4.0.37(2)-release
BASH_VERSINFO
BASH_VERSINFO
release
i686-pc-linux-gnu
BASH_EXECUTION_STRING
BASH_EXECUTION_STRING
                           #! /bin/bash
echo "starting script and doing stuff"
sleep 1
echo "finished doing stuff"
1000
EUID
EUID
1000
...

If the script is pretty big, maybe you have to adjust the core file size with ulimit. Pretty easy, right?

sloth

  • If you can't find the core file, see https://stackoverflow.com/questions/2065912/core-dumped-but-core-file-is-not-in-the-current-directory; probably also lose the [useless use of `cat`](https://stackoverflow.com/questions/11710552/useless-use-of-cat), if only for reasons of aesthetics. – tripleee Apr 25 '23 at 04:34
  • @tripleee you'll have to pry my `cat xyz |` from my cold, dead hands! – sloth Apr 25 '23 at 07:58
  • We should probably actually suggest `alias sloth=cat` – tripleee Apr 25 '23 at 08:09
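The same recovery step as a small script, added here as an example (not code from the answer above): it does what `strings` plus reading by eye does, pulling printable runs out of a core file and keeping the ones that start with a shebang, which is exactly why an shc binary gives no confidentiality once it has started. The core bytes are a constructed sample modelled on the `strings` output above; the only assumption is that the script text sits contiguously in memory, as the `BASH_EXECUTION_STRING` value does.

```python
import re
import sys

# Constructed sample standing in for a slice of the core dump: binary noise,
# the bash variable names seen in the answer, and the script text itself,
# each NUL-terminated the way C strings sit in memory.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x00\xfe\xedgarbage\x00"
    b"4.0.37(2)-release\x00BASH_VERSINFO\x00BASH_VERSINFO\x00release\x00"
    b"i686-pc-linux-gnu\x00BASH_EXECUTION_STRING\x00BASH_EXECUTION_STRING\x00"
    b'#! /bin/bash\necho "starting script and doing stuff"\nsleep 1\n'
    b'echo "finished doing stuff"\n\x00'
    b"1000\x00EUID\x00EUID\x001000\x00\xff\xfe"
)


def printable_runs(data, min_len=4):
    """Like `strings`: yield runs of printable ASCII of at least min_len
    bytes. Tab and newline count as printable so a multi-line script
    stays together as one run instead of being split per line."""
    pattern = rb"[\x20-\x7e\t\n]{%d,}" % min_len
    for match in re.finditer(pattern, data):
        yield match.group().decode("ascii")


def recover_scripts(data):
    """Return every printable run that starts with a shebang. Assumes the
    script is stored contiguously (the strings output above shows it is,
    as the text bash received via -c), so one run is one whole script."""
    return [run for run in printable_runs(data) if run.lstrip().startswith("#!")]


if __name__ == "__main__":
    # Usage: python recover.py core   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CORE
    for script in recover_scripts(data):
        print(script)
```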

Keep it simple! :)

To retrieve the scripts back from the shc generated binaries, just save a copy of the original sh system executable, then rename the cat system executable to sh and run the shc generated binary :) You will then see the decrypted source of the shell script in the console.

belousov

  • Please be careful with replacing the system sh, a lot can go wrong... you might want to do this in a chroot environment – Jens Timmerman Mar 25 '14 at 17:06
  • Could you elaborate on this more? – Minhaz Mar 03 '15 at 16:57
  • You'd probably want to do this in a `chroot` instead of temporarily breaking your real system; if your system reboots (e.g. power outage) before you restore the real `sh`, it probably won't boot correctly. You could just use GDB and set a breakpoint on the `execve` or `write` system calls then look for the decrypted strings in memory. – Peter Cordes Jun 16 '23 at 21:39

Just a guess: you can record system calls using, for example, strace or something similar, and then try to restore at least basic functionality.

Or, you can ask the author of shc (http://www.datsi.fi.upm.es/~frosal/sources/shc.html).

PS: Rumour has it that somebody has written deshc (http://www.linuxjournal.com/article/8256).

pmod

UnSHc, an automatic script to recover *.sh.x files encrypted with the SHc tool, has been released on GitHub.

UnSHc is a tool to reverse the encryption of any SHc encrypted *.sh.x script. It is based on the automatic extraction of all the cryptographic data embedded in the *.sh.x file by reversing it. With this cryptographic data (used at encryption time), the tool regenerates the initial *.sh file in plaintext.

How to use UnSHc:

[root@server:~/unshc]$ ./unshc.sh -h
 _   _       _____ _   _
| | | |     /  ___| | | |
| | | |_ __ \ `--.| |_| | ___
| | | | '_ \ `--. \  _  |/ __|
| |_| | | | /\__/ / | | | (__
 \___/|_| |_\____/\_| |_/\___|

--- UnSHc - The shc decrypter.
--- Version: 0.6
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------

[*] Usage : ./unshc.sh [OPTIONS] <file.sh.x>
         -h | --help                          : print this help message
         -a OFFSET | --arc4 OFFSET            : specify the arc4() offset arbitrarily (without 0x prefix)
         -d DUMPFILE | --dumpfile DUMPFILE    : provide an object dump file (objdump -D script.sh.x > DUMPFILE)
         -s STRFILE | --stringfile STRFILE    : provide a string dump file (objdump -s script.sh.x > STRFILE)
         -o OUTFILE | --outputfile OUTFILE    : indicate the output file name

[*] e.g :
        ./unshc.sh script.sh.x
        ./unshc.sh script.sh.x -o script_decrypted.sh
        ./unshc.sh script.sh.x -a 400f9b
        ./unshc.sh script.sh.x -d /tmp/dumpfile -s /tmp/strfile
        ./unshc.sh script.sh.x -a 400f9b -d /tmp/dumpfile -s /tmp/strfile -o script_decrypted.sh

A demonstration video can be seen here (in English and French).

Yann CAM

  • A link to a potential solution is always welcome, but please [add context around the link](http://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers/8259#8259) so your fellow users will have some idea what it is and why it's there. Always quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. Take into account that being *barely more than a link to an external site* is a possible reason as to [Why and how are some answers deleted?](http://stackoverflow.com/help/deleted-answers). – Gustavo Morales Jul 11 '16 at 13:28
  • Considering that this is an English-only site, a link to information available only in French seems inappropriate. – J.J. Hakala Jul 12 '16 at 02:19