yanncam / unshc Goto Github PK

View Code? Open in Web Editor NEW

357.0 24.0 253.0 94 KB

UnSHc - How to decrypt SHc *.sh.x encrypted file ?

License: GNU General Public License v3.0

Shell 100.00%

bash shell shellscript shc unshc mips arm x86 x64 encryption

unshc's Introduction

UnSHc

UnSHc - How to decrypt SHc *.sh.x encrypted file ?

Please note

I will not decrypt any file for people. Issues on GitHub are only to discuss about bug and/or improvement of the tool "UnSHc".

Due to the many problems since shc 4.0.3, there seems to be a need for clarification. In shc 4.0.3 many structural changes have been incorporated, so that shc now makes use of various security mechanisms provided by the linux-kernel itself. Therefore, it is now almost impossible to extract the original shell script at all with current UnSHc version, if the new shc version was used. This requires a more in-depth approach, which means that a modified bash or a modified linux-kernel is needed to bypass the security measures.

If you think you have found a bug, please provide me the encrypted file AND the unencrypted file corresponding. Without these two files I can't reverse it and analyze it. Add some information about the architecture where the encrypted file has been created (what linux distribution and version, what architecture x86 or x64, etc.).

All others "file decryption issues" will be closed directly.

SHc review

SHc (SHell compiler) is a fabulous tool created and maintained by Francisco Javier Rosales Garcia (http://www.datsi.fi.upm.es/~frosal/). This tool protect any shell script with encryption (ARC4).

wget -q http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9.tgz
tar zxvf shc-3.8.9.tgz
cd shc-3.8.9
make

How to use SHc ?

root@server:~/shc/shc-3.8.9# shc -h
shc Version 3.8.9, Generic Script Compiler
shc Copyright (c) 1994-2012 Francisco Rosales <[email protected]>
shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script
-e %s Expiration date in dd/mm/yyyy format [none]
-m %s Message to display upon expiration [&quot;Please contact your provider&quot;]
-f %s File name of the script to compile
-i %s Inline option for the shell interpreter i.e: -e
-x %s eXec command, as a printf format i.e: exec('%s',@ARGV);
-l %s Last shell option i.e: --
-r Relax security. Make a redistributable binary
-v Verbose compilation
-D Switch ON debug exec calls [OFF]
-T Allow binary to be traceable [no]
-C Display license and exit
-A Display abstract and exit
-h Display help and exit
Environment variables used:
Name Default Usage
CC cc C compiler command
CFLAGS C compiler flags
Please consult the shc(1) man page.

Encrypted shell script are named "*.sh.x" by default.

UnSHc is a tool to reverse the encryption of any SHc encrypted *.sh.x script.

How to use UnSHc ?

[root@server:~/unshc]$ ./unshc.sh -h
 _   _       _____ _   _
| | | |     /  ___| | | |
| | | |_ __ \ `--.| |_| | ___
| | | | '_ \ `--. \  _  |/ __|
| |_| | | | /\__/ / | | | (__
 \___/|_| |_\____/\_| |_/\___|

--- UnSHc - The shc decrypter.
--- Version: 0.6
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------

[*] Usage : ./unshc.sh [OPTIONS] <file.sh.x>
         -h | --help                          : print this help message
         -a OFFSET | --arc4 OFFSET            : specify the arc4() offset arbitrarily (without 0x prefix)
         -d DUMPFILE | --dumpfile DUMPFILE    : provide an object dump file (objdump -D script.sh.x > DUMPFILE)
         -s STRFILE | --stringfile STRFILE    : provide a string dump file (objdump -s script.sh.x > STRFILE)
         -o OUTFILE | --outputfile OUTFILE    : indicate the output file name

[*] e.g :
        ./unshc.sh script.sh.x
        ./unshc.sh script.sh.x -o script_decrypted.sh
        ./unshc.sh script.sh.x -a 400f9b
        ./unshc.sh script.sh.x -d /tmp/dumpfile -s /tmp/strfile
        ./unshc.sh script.sh.x -a 400f9b -d /tmp/dumpfile -s /tmp/strfile -o script_decrypted.sh

UnSHc can only decrypt SHc encrypted file on X86/x64 architecture.

Demonstration in video :
- https://www.youtube.com/watch?v=tmHVhMuG-Vg
SHc (in french) :
- https://www.asafety.fr/prog-and-dev/bashshunix-shc-le-compilateur-et-protecteur-de-script-shell/
UnSHc (in french) :
- https://www.asafety.fr/unshc-the-shc-decrypter/

UnSHc-MIPS

Thanks to @fffonion, a dedicated version of UnSHc has been released targeting SHc encrypted file on MIPS architecture. This UnSHc-MIPS version is available here : https://github.com/fffonion/UnSHc-MIPS

Thank you again for your work and contribution !

UnSHc-ARM

Thanks to @cliffalbert, a dedicated version of UnSHc has been released targeting SHc encrypted file on ARM architecture. This UnSHc-ARM version is available here : https://github.com/cliffalbert/UnSHc-arm

Thank you again for your work and contribution !

unshc's People

Contributors

Stargazers

Watchers

Forkers

jj225512 forhuan mahermeg17 ymxz snowmois assisborges cddc22 yinweizhuzhu xxoxx antutu110 otgo llych taotaolin xlqstar ldkiss qingshenyijiu mz135135 mpb159753 adamesss gx158 synetis chimvian ustbgaofan xbbds seclog l2003529 superman1982 cloudyu ipcpu kengric hongxiaoo kenser chnmoonwater ssh4you youree82 517185 jfucanada 4kercc geoleonsh aslanpro11 veniciooliveira tonygao1217 skyformat99 nestor shekkbuilder millken w796933 optionalg xionun fffonion flysea520 oeone zhenhappy gusha915 58563528 onepig-fang nwct lidi395350 iboyi long-sir gleydsonmazioli chenmin1992 jiafenggit cyclonekid shellgithub kaowul qjh176 emirmord f6945469 vrtapp jigsawkramer dreyannz noyesno kevin01523 tqtrung99 nhymxu cliffalbert idazuo dkdenza docker98k davelhml gaara2016 tagfire akimdi abubakarsyed intika-linux-apps beifengl wyx176 samyang2558 hujingzhen pliu22 xiaxianlei rizerok miuiadmin xiaonibakeji admin8583 yousifyaqeen thenelse hellscreamcat nowflying

unshc's Issues

Having issue using UnSHc

https://transfer.sh/hC8Zy/postinst

I am running a competition with some friends and they insist that it's possible to encrypt a postinst file for a jailbroken iOS debian package, which we've been discussing that it's just not possible for many various reasons.

They finally provided a sample file and in the process of me trying to obtain the source code, I came across your tool to un-shc scripts: exactly what I need to prove them wrong ahah

Anyways, when I run unshc I get this:

`[*] Input file name to decrypt [postinst]
BFD: unable to read unknown load command 0x21
BFD: unable to read unknown load command 0x29
/sw/bin/objdump: can't disassemble for architecture UNKNOWN!

BFD: unable to read unknown load command 0x21
BFD: unable to read unknown load command 0x29
[-] Unable to define arc4() call address...`

Am I missing more /bin files? I've already had to obtain shc and objtools for objdump, is BFD another bin I need, or am I missing something else here?

The file I uploaded I think I've only ran chmod 777 on it, so IDK if that will effect it. I have no idea what the source file was compiled on, but most likely it was compiled under an intel based mac since most jailbreak developers use that environment for ease of use.

The target device is a 64 bit iPhone 6+ and I don't remember off the top of my head what type of ARM artecture it uses, but it's definitely compatible with 32/64 bit.

ARM64 Can not run.

When I run unshc [filename] prompt: Unable to define arc4 () call address ...
I am running on Ubuntu xenial ARM64.
Hope to support the arm architecture. . .

？

[] Extracting password...
[+] PWD address found : [0x611544]
[+] PWD size found : [0x100]
[] Executing [/tmp/iiqYfI] to decrypt [vpn7.sh.x]
[] Retrieving initial source code in [vpn7.sh]
./unsh.sh: line 698: /tmp/iiqYfI: Permission denied
[] All done!

Error on debian and centos6 unshc.sh: line 713: /tmp/ALoyWM: Permission denied

I`ve got an issue with script.Tried it on centOS6 but had the same issue, decided to install Debian 7, but got the same issue.

i already changed rights to 777 in tmp and shc
the file i`m trying to decript:
auto-script.sh.zip

PLEASE HELP ME I GOT THIS ERROR

I tried to decrypt this bash file which is encrypted

This is what I see in the bash file

a new question!

which: no gcc in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
| | | | / ___| | | |
| | | |_ __ \ `--.| |_| | ___
| | | | '_ \ `--. \ _ |/ __|
| |_| | | | // / | | | (

- /|| |__/|

- - [ ] |/__|

--- UnSHc - The shc decrypter.
--- Version: 0.7
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
[*] Input file name to decrypt [main.sh.x]
[-] Unable to define arc4() call address...

this file adress https://drive.google.com/file/d/0B2oGSsjRZUOqdXI4NDd3b09lbGc/view?usp=sharing

thank you

descrypt file

Hello Yanncam

can you help me for descrypt this file to txt, itry Unshc but error
thank you for you help
9191.zip

how to decrypt this script？？

https://transfer.sh/mgg4t/hello.sh
the adress above is the script .

i have look over the same issue,but i can't still decrypt it.

this script has only one adress , but unshc can't decrypt it.

the error is Unable to extract addresses of 14 arc4 args with ARC4 address call [0x143b86b8]...

help me,please :)

Unable to define arc4() call address...

centos
Linux version 2.6.32-573.22.1.el6.x86_64 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Wed Mar 23 03:35:39 UTC 2016
Linux iZ2zejdh2ap4dldv31rd38Z 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

ssr.txt

problem with raspberry pi

./unshc.sh: line 9: syntax error near unexpected token newline' ./unshc.sh: line 9: '

nable to extract addresses of 14 arc4 args with ARC4 address call [0x4005d0]...

I am getting error nable to extract addresses of 14 arc4 args with ARC4 address call [0x4005d0]...
sh unshc.sh -a 4005d0 -o sss.sh.x

| | | | / | | | |
| | | | __ \ --.| |_| | ___ | | | | '_ \ --. \ _ |/ __|
| || | | | /_/ / | | | (__
_/|| |_/_| |/___|

--- UnSHc - The shc decrypter.
--- Version: 0.8

UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM

SHc : [http://www.datsi.fi.upm.es/~frosal/]
UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

[+] ARC4() offset function call address specified [0x4005d0]
[+] Output file name specified [interspireinstaller7.sh.x]
/usr/bin/objdump: 'a.out': No such file
/usr/bin/objdump: 'a.out': No such file
[] Extracting each args address and size for the 14 arc4() calls with address [0x4005d0]...
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x4005d0]...
[] Extracting password...
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
[-] Error, function call previous first call of arc4() hasn't been identified...

Could you please help me...
test.sh.zip

not working with

https://github.com/neurobin/shc

cant decrypt from neurobin shc method

unshc on Mac doesn´t seem to work

I would love to see this work on the Mac and I have submitted source files for you to review...
Archive 2.zip
Awesome tool in Linux - thanks!

unshc Stuck at [11] Working with var address at offset [0x6025e2] (0x187f8 bytes)

I am trying to decrypt my encrypted shell file but unshc utility stucked at following line

| | | | / | | | |
| | | | __ \ --.| |_| | ___ | | | | '_ \ --. \ _ |/ __|
| || | | | /_/ / | | | (__
_/|| |_/_| |/___|

--- UnSHc - The shc decrypter.
--- Version: 0.8

UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM

SHc : [http://www.datsi.fi.upm.es/~frosal/]
UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

[] Input file name to decrypt [mumarainstaller6.sh.x]
[+] ARC4 address call candidate : [0x400c10]
[] Extracting each args address and size for the 14 arc4() calls with address [0x400c10]...
[0] Working with var address at offset [0x62087d] (0x2a bytes)
[1] Working with var address at offset [0x601a38] (0x1 bytes)
[2] Working with var address at offset [0x601a2c] (0xa bytes)
[3] Working with var address at offset [0x601a4e] (0x3 bytes)
[4] Working with var address at offset [0x601a3c] (0xf bytes)
[5] Working with var address at offset [0x601a39] (0x1 bytes)
[6] Working with var address at offset [0x6019f9] (0x16 bytes)
[7] Working with var address at offset [0x601a13] (0x16 bytes)
[8] Working with var address at offset [0x6019e1] (0x13 bytes)
[9] Working with var address at offset [0x601a37] (0x1 bytes)
[10] Working with var address at offset [0x601a51] (0x1 bytes)
[11] Working with var address at offset [0x6025e2] (0x187f8 bytes)

Please help to resolve this issue....

Unable to decrypt - files attached

Version 0.8
Unable to define arc4() call address...

test.sh.txt
test.sh.x.c.txt
test.sh.x.txt

Won't work :-(

I made a testfile with echo "CRYPT/DECRYPT TEST"
`shc -f test.sh
Tested binary

./test.sh.x
CRYPT/DECRYPT TEST
`
Run unshc

`./unshc.sh test.sh.x

...

[] Input file name to decrypt [test.sh.x]
[+] ARC4 address call candidate : [0x804894e]
[] Extracting each args address and size for the 14 arc4() calls with address [0x804894e]...
[0] Working with var address at offset [0x804b09c] (0x8 bytes)
[1] Working with var address at offset [0x804b2c8] (0x8 bytes)
[2] Working with var address at offset [0x804b2c9] (0x8 bytes)
[3] Working with var address at offset [0x804b0de] (0x8 bytes)
[4] Working with var address at offset [0x804b0e2] (0x8 bytes)
[5] Working with var address at offset [0x804b0f4] (0x8 bytes)
[6] Working with var address at offset [0x804b123] (0x8 bytes)
[7] Working with var address at offset [0x804b13e] (0x8 bytes)
[8] Working with var address at offset [0x804b082] (0x8 bytes)
[9] Working with var address at offset [0x804b157] (0x8 bytes)
[10] Working with var address at offset [0x804b158] (0x8 bytes)
[11] Working with var address at offset [0x804b0f7] (0x8 bytes)
[12] Working with var address at offset [0x804b159] (0x8 bytes)
[13] Working with var address at offset [0x804b2b1] (0x8 bytes)
[*] Extracting password...
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
[-] Error, function call previous first call of arc4() hasn't been identified...
`
Callfile content:

`

[*] Extracting password...
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca0: 83 ec 08 sub $0x8,%esp
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048c9b: e8 8b fb ff ff call 804882b <gmon_start@plt+0x10b>
8048ca0: 83 ec 08 sub $0x8,%esp
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
[-] Error, function call previous first call of arc4() hasn't been identified...
`

Stuck, what's the problem?

[root@VM_169_52_centos ~]# ./unsh.sh vpn7.sh.x -o sbw
which: no gcc in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)

| | | | / | | | |
| | | | __ \ --.| |_| | ___ | | | | '_ \--. \ _ |/ |
| |_| | | | /**/ / | | | (
_/|| |**/| |/___|

--- UnSHc - The shc decrypter.

--- Version: 0.5

UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM

SHc : [http://www.datsi.fi.upm.es/~frosal/]

- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

[] Input file name to decrypt [vpn7.sh.x]
[+] Output file name specified [sbw]
[+] ARC4 address call defined : [0x400c10]
[] Extracting each args address and size for the 14 arc4() calls...
[0] Working with var address at offset [0x611687](0x2a bytes)
[1] Working with var address at offset [0x6019e1](0x1 bytes)
[2] Working with var address at offset [0x6116b3](0xa bytes)
[3] Working with var address at offset [0x61151b](0x3 bytes)
[4] Working with var address at offset [0x611672](0xf bytes)
[5] Working with var address at offset [0x611682](0x1 bytes)
[6] Working with var address at offset [0x611701](0x16 bytes)
[7] Working with var address at offset [0x611717](0x16 bytes)
[8] Working with var address at offset [0x6116be](0x13 bytes)
[9] Working with var address at offset [0x61166e](0x1 bytes)
[10] Working with var address at offset [0x6019e0](0x1 bytes)
[11] Working with var address at offset [0x60465c](0xc14e bytes)

syntax error near unexpected token `newline'

./unshc.sh: line 7: syntax error near unexpected token newline' ./unshc.sh: line 7: '

why is PWD size zero ? is it a bug?

[] Input file name to decrypt [lpz]
[+] ARC4 address call candidate : [0x400e20]
[] Extracting each args address and size for the 14 arc4() calls with address [0x400e20]...
[0] Working with var address at offset [0x6022be] (0x2a bytes)
[1] Working with var address at offset [0x6022b0] (0x1 bytes)
[2] Working with var address at offset [0x6022b3] (0xa bytes)
[3] Working with var address at offset [0x6022ee] (0x3 bytes)
[4] Working with var address at offset [0x6022f1] (0xf bytes)
[5] Working with var address at offset [0x61571f] (0x1 bytes)
[6] Working with var address at offset [0x602297] (0x16 bytes)
[7] Working with var address at offset [0x60224d] (0x16 bytes)
[8] Working with var address at offset [0x60227e] (0x13 bytes)
[9] Working with var address at offset [0x60224a] (0x1 bytes)
[10] Working with var address at offset [0x602294] (0x1 bytes)
[11] Working with var address at offset [0x6057b8] (0xec4f bytes)
[12] Working with var address at offset [0x615724] (0x13 bytes)
[13] Working with var address at offset [0x602266] (0x13 bytes)
[] Extracting password...
[+] PWD address found : [0x602149]
[+] PWD size found : [0x0]
[] Executing [/tmp/UyrIjP] to decrypt [lpz]
[] Retrieving initial source code in [lpz.sh]
[] All done!

the result file lpz.sh is empty

Can´t encrypt

Important Note

Due to the many problems since shc 4.0.3, there seems to be a need for clarification. In shc 4.0.3 many structural changes have been incorporated, so that shc now makes use of various security mechanisms provided by the linux-kernel itself. Therefore, it is now almost impossible to extract the original shell script at all, if the new shc version was used. This requires a more in-depth approach, which means that a modified bash or a modified linux-kernel is needed to bypass the security measures. On the basis of a system with regular behaviour I don't see a big chance, even if there may be weaknesses in terms of security holes. At least in my own tests I was not able to extract the shell script without sabotaging the system.

Hello, I can't decrypt arc4. I tried two versions of decryption script with almost the same tips. How can I solve this problem?

| | | | / | | | |
| | | | __ \ --.| |_| | ___ | | | | '_ \ --. \ _ |/ __|
| || | | | /_/ / | | | (__
_/|| |_/_| |/___|

--- UnSHc - The shc decrypter.
--- Version: 0.8

UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM

SHc : [http://www.datsi.fi.upm.es/~frosal/]
UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

[*] Input file name to decrypt [0x41c2d0]
[+] Output file name specified [a.sh]
[-] Error, File [0x41c2d0] not found.
[root@localhost ~]# ./unshc.sh a.sh

| | | | / | | | |
| | | | __ \ --.| |_| | ___ | | | | '_ \ --. \ _ |/ __|
| || | | | /_/ / | | | (__
_/|| |_/_| |/___|

--- UnSHc - The shc decrypter.
--- Version: 0.7

UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM

SHc : [http://www.datsi.fi.upm.es/~frosal/]
UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

[*] Input file name to decrypt [a.sh]
[-] Unable to define arc4() call address...
[root@localhost ~]# ^C
[root@localhost ~]# ./unshc1.sh a.sh

| | | | / | | | |
| | | | __ \ --.| |_| | ___ | | | | '_ \ --. \ _ |/ __|
| || | | | /_/ / | | | (__
_/|| |_/_| |/___|

--- UnSHc - The shc decrypter.
--- Version: 0.8

UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM

SHc : [http://www.datsi.fi.upm.es/~frosal/]
UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

[*] Input file name to decrypt [a.sh]
[-] Unable to define arc4() call address...

Unable to define arc4() call address

ubuntu18.04 amd64

cat test.sh

#!/bin/bash
echo "hello world"

shc -f test.sh #shc version 3.8.9b

$ unshc.sh test.sh.x -o dec.sh

[*] Input file name to decrypt [test.sh.x]
[+] Output file name specified [dec.sh]
[-] Unable to define arc4() call address...

Excuse me, is there a better encryption than SHC?

Sorry to bother you again, may I ask what's the problem?？

[] Input file name to decrypt [jie]
[+] ARC4 address call defined : [0x41c2d0]
[] Extracting each args address and size for the 14 arc4() calls...
[-] Unable to extract addresses of 14 arc4 args...

Error on my Project

Hi have see error on test in project.

bash -x unshc.sh mytest
+ VERSION=0.8
++ which objdump
+ OBJDUMP=/usr/bin/objdump
++ which grep
+ GREP=/usr/bin/grep
++ which cut
+ CUT=/usr/bin/cut
++ which shred
+ SHRED=/usr/bin/shred
++ which uniq
+ UNIQ=/usr/bin/uniq
++ which sort
+ SORT=/usr/bin/sort
++ which gcc
+ GCC=/usr/bin/gcc
++ which wc
+ WC=/usr/bin/wc
++ which awk
+ AWK=/usr/bin/awk
++ which sed
+ SED=/usr/bin/sed
++ which tr
+ TR=/usr/bin/tr
++ which head
+ HEAD=/usr/bin/head
++ which tail
+ TAIL=/usr/bin/tail
+ BINARY=
++ mktemp /tmp/XXXXXX
+ TMPBINARY=/tmp/XbLH3c
+ DUMPFILE=
+ STRINGFILE=
++ mktemp /tmp/XXXXXX
+ CALLFILE=/tmp/toqAgr
++ mktemp /tmp/XXXXXX
+ CALLADDRFILE=/tmp/iPrMJZ
++ mktemp /tmp/XXXXXX
+ CALLSIZEFILE=/tmp/DXRuaq
+ declare -A LISTOFCALL
+ j=0
+ echo ' _   _       _____ _   _      '
 _   _       _____ _   _      
+ echo '| | | |     /  ___| | | |     '
| | | |     /  ___| | | |     
+ echo '| | | |_ __ \ `--.| |_| | ___ '
| | | |_ __ \ `--.| |_| | ___ 
+ echo '| | | | '\''_ \ `--. \  _  |/ __|'
| | | | '_ \ `--. \  _  |/ __|
+ echo '| |_| | | | /\__/ / | | | (__ '
| |_| | | | /\__/ / | | | (__ 
+ echo ' \___/|_| |_\____/\_| |_/\___|'
 \___/|_| |_\____/\_| |_/\___|
+ echo

+ echo '--- UnSHc - The shc decrypter.'
--- UnSHc - The shc decrypter.
+ echo '--- Version: 0.8'
--- Version: 0.8
+ echo ------------------------------
------------------------------
+ echo 'UnSHc is used to decrypt script encrypted with SHc'
UnSHc is used to decrypt script encrypted with SHc
+ echo 'Original idea from Luiz Octavio Duarte (LOD)'
Original idea from Luiz Octavio Duarte (LOD)
+ echo 'Updated and modernized by Yann CAM'
Updated and modernized by Yann CAM
+ echo '- SHc   : [http://www.datsi.fi.upm.es/~frosal/]'
- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
+ echo '- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]'
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
+ echo ------------------------------
------------------------------
+ echo

+ '[' 1 -lt 1 ']'
+ check_binaries
+ '[' '!' -x /usr/bin/objdump ']'
+ '[' '!' -x /usr/bin/grep ']'
+ '[' '!' -x /usr/bin/cut ']'
+ '[' '!' -x /usr/bin/shred ']'
+ '[' '!' -x /usr/bin/uniq ']'
+ '[' '!' -x /usr/bin/sort ']'
+ '[' '!' -x /usr/bin/gcc ']'
+ '[' '!' -x /usr/bin/wc ']'
++ getopt -o h,a:,d:,s:,o: -l help,arc4:,dumpfile:,stringfile:,outputfile: -- mytest
+ OPTS=' -- '\''mytest'\'''
+ '[' 0 '!=' 0 ']'
+ '[' 1 -gt 0 ']'
+ case "$1" in
+ echo '[*] Input file name to decrypt [mytest]'
[*] Input file name to decrypt [mytest]
+ BINARY=mytest
+ shift 1
+ '[' 0 -gt 0 ']'
+ '[' '!' -e mytest ']'
+ '[' -z '' ']'
++ mktemp /tmp/XXXXXX
+ DUMPFILE=/tmp/A21aQo
+ '[' -z '' ']'
++ mktemp /tmp/XXXXXX
+ STRINGFILE=/tmp/5XRbi5
+ generate_dump
+ /usr/bin/objdump -D mytest
+ /usr/bin/objdump -s mytest
+ c=1
+ '[' -z '' ']'
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ extract_arc4_call_addr 1
+ TAILNUMBER=1
++ /usr/bin/grep -Eo 'call.*[0-9a-f]{6,}' /tmp/A21aQo
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/uniq -c
++ /usr/bin/sort
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/grep -Eo '(14).*[0-9a-f]{6,}'
++ /usr/bin/sort
+ CALLADDRS='14425f0e
403310
403780
409fb6
407b50
407799'
++ wc -l
+ TAILMAX=6
++ echo '14425f0e
403310
403780
409fb6
407b50
407799'
++ /usr/bin/sed 's/ /\n/g'
++ /usr/bin/head -n 1
++ /usr/bin/tail -n 1
+ CALLADDR=407799
+ [[ -z 407799 ]]
+ [[ 1 -gt 6 ]]
+ echo '[+] ARC4 address call candidate : [0x407799]'
[+] ARC4 address call candidate : [0x407799]
+ extract_variables_from_binary
+ echo '[*] Extracting each args address and size for the 14 arc4() calls with address [0x407799]...'
[*] Extracting each args address and size for the 14 arc4() calls with address [0x407799]...
+ i=2
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ /usr/bin/grep -B 2 'call.*407799' /tmp/A21aQo
+ /usr/bin/grep -v 407799
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=3
+ '[' 3 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 299 -ne 14 ]]
+ /usr/bin/grep -B 3 'call.*407799' /tmp/A21aQo
+ /usr/bin/grep -v 407799
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=4
+ '[' 4 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 300 -ne 14 ]]
+ /usr/bin/grep -B 4 'call.*407799' /tmp/A21aQo
+ /usr/bin/grep -v 407799
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=5
+ '[' 5 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 310 -ne 14 ]]
+ /usr/bin/grep -B 5 'call.*407799' /tmp/A21aQo
+ /usr/bin/grep -v 407799
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=6
+ '[' 6 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 316 -ne 14 ]]
+ /usr/bin/grep -B 6 'call.*407799' /tmp/A21aQo
+ /usr/bin/grep -v 407799
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=7
+ '[' 7 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 328 -ne 14 ]]
+ /usr/bin/grep -B 7 'call.*407799' /tmp/A21aQo
+ /usr/bin/grep -v 407799
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=8
+ '[' 8 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 343 -ne 14 ]]
+ /usr/bin/grep -B 8 'call.*407799' /tmp/A21aQo
+ /usr/bin/grep -v 407799
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=9
+ '[' 9 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 374 -ne 14 ]]
+ /usr/bin/grep -B 9 'call.*407799' /tmp/A21aQo
+ /usr/bin/grep -v 407799
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=10
+ '[' 10 -eq 10 ']'
+ echo '[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x407799]...'
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x407799]...
+ return
+ c=2
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ extract_arc4_call_addr 2
+ TAILNUMBER=2
++ /usr/bin/grep -Eo 'call.*[0-9a-f]{6,}' /tmp/A21aQo
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/uniq -c
++ /usr/bin/sort
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/grep -Eo '(14).*[0-9a-f]{6,}'
++ /usr/bin/sort
+ CALLADDRS='14425f0e
403310
403780
409fb6
407b50
407799'
++ wc -l
+ TAILMAX=6
++ echo '14425f0e
403310
403780
409fb6
407b50
407799'
++ /usr/bin/sed 's/ /\n/g'
++ /usr/bin/tail -n 2
++ /usr/bin/head -n 1
+ CALLADDR=407b50
+ [[ -z 407b50 ]]
+ [[ 2 -gt 6 ]]
+ echo '[+] ARC4 address call candidate : [0x407b50]'
[+] ARC4 address call candidate : [0x407b50]
+ extract_variables_from_binary
+ echo '[*] Extracting each args address and size for the 14 arc4() calls with address [0x407b50]...'
[*] Extracting each args address and size for the 14 arc4() calls with address [0x407b50]...
+ i=2
++ /usr/bin/wc -l
+ [[ 394 -ne 14 ]]
+ /usr/bin/grep -B 2 'call.*407b50' /tmp/A21aQo
+ /usr/bin/grep -v 407b50
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=3
+ '[' 3 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 148 -ne 14 ]]
+ /usr/bin/grep -B 3 'call.*407b50' /tmp/A21aQo
+ /usr/bin/grep -v 407b50
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=4
+ '[' 4 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 148 -ne 14 ]]
+ /usr/bin/grep -B 4 'call.*407b50' /tmp/A21aQo
+ /usr/bin/grep -v 407b50
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=5
+ '[' 5 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 148 -ne 14 ]]
+ /usr/bin/grep -B 5 'call.*407b50' /tmp/A21aQo
+ /usr/bin/grep -v 407b50
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=6
+ '[' 6 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 148 -ne 14 ]]
+ /usr/bin/grep -B 6 'call.*407b50' /tmp/A21aQo
+ /usr/bin/grep -v 407b50
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=7
+ '[' 7 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 148 -ne 14 ]]
+ /usr/bin/grep -B 7 'call.*407b50' /tmp/A21aQo
+ /usr/bin/grep -v 407b50
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=8
+ '[' 8 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 148 -ne 14 ]]
+ /usr/bin/grep -B 8 'call.*407b50' /tmp/A21aQo
+ /usr/bin/grep -v 407b50
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=9
+ '[' 9 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 148 -ne 14 ]]
+ /usr/bin/grep -B 9 'call.*407b50' /tmp/A21aQo
+ /usr/bin/grep -v 407b50
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=10
+ '[' 10 -eq 10 ']'
+ echo '[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x407b50]...'
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x407b50]...
+ return
+ c=3
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ extract_arc4_call_addr 3
+ TAILNUMBER=3
++ /usr/bin/grep -Eo 'call.*[0-9a-f]{6,}' /tmp/A21aQo
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/sort
++ /usr/bin/sort
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/uniq -c
++ /usr/bin/grep -Eo '(14).*[0-9a-f]{6,}'
+ CALLADDRS='14425f0e
403310
403780
409fb6
407b50
407799'
++ wc -l
+ TAILMAX=6
++ echo '14425f0e
403310
403780
409fb6
407b50
407799'
++ /usr/bin/sed 's/ /\n/g'
++ /usr/bin/tail -n 3
++ /usr/bin/head -n 1
+ CALLADDR=409fb6
+ [[ -z 409fb6 ]]
+ [[ 3 -gt 6 ]]
+ echo '[+] ARC4 address call candidate : [0x409fb6]'
[+] ARC4 address call candidate : [0x409fb6]
+ extract_variables_from_binary
+ echo '[*] Extracting each args address and size for the 14 arc4() calls with address [0x409fb6]...'
[*] Extracting each args address and size for the 14 arc4() calls with address [0x409fb6]...
+ i=2
++ /usr/bin/wc -l
+ [[ 148 -ne 14 ]]
+ /usr/bin/grep -B 2 'call.*409fb6' /tmp/A21aQo
+ /usr/bin/grep -v 409fb6
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=3
+ '[' 3 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ /usr/bin/grep -B 3 'call.*409fb6' /tmp/A21aQo
+ /usr/bin/grep -v 409fb6
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=4
+ '[' 4 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ /usr/bin/grep -B 4 'call.*409fb6' /tmp/A21aQo
+ /usr/bin/grep -v 409fb6
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=5
+ '[' 5 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ /usr/bin/grep -B 5 'call.*409fb6' /tmp/A21aQo
+ /usr/bin/grep -v 409fb6
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=6
+ '[' 6 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 1 -ne 14 ]]
+ /usr/bin/grep -B 6 'call.*409fb6' /tmp/A21aQo
+ /usr/bin/grep -v 409fb6
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=7
+ '[' 7 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 4 -ne 14 ]]
+ /usr/bin/grep -B 7 'call.*409fb6' /tmp/A21aQo
+ /usr/bin/grep -v 409fb6
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=8
+ '[' 8 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 5 -ne 14 ]]
+ /usr/bin/grep -B 8 'call.*409fb6' /tmp/A21aQo
+ /usr/bin/grep -v 409fb6
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=9
+ '[' 9 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 7 -ne 14 ]]
+ /usr/bin/grep -B 9 'call.*409fb6' /tmp/A21aQo
+ /usr/bin/grep -v 409fb6
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=10
+ '[' 10 -eq 10 ']'
+ echo '[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x409fb6]...'
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x409fb6]...
+ return
+ c=4
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ extract_arc4_call_addr 4
+ TAILNUMBER=4
++ /usr/bin/grep -Eo 'call.*[0-9a-f]{6,}' /tmp/A21aQo
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/sort
++ /usr/bin/sort
++ /usr/bin/grep -Eo '(14).*[0-9a-f]{6,}'
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/uniq -c
+ CALLADDRS='14425f0e
403310
403780
409fb6
407b50
407799'
++ wc -l
+ TAILMAX=6
++ echo '14425f0e
403310
403780
409fb6
407b50
407799'
++ /usr/bin/sed 's/ /\n/g'
++ /usr/bin/head -n 1
++ /usr/bin/tail -n 4
+ CALLADDR=403780
+ [[ -z 403780 ]]
+ [[ 4 -gt 6 ]]
+ echo '[+] ARC4 address call candidate : [0x403780]'
[+] ARC4 address call candidate : [0x403780]
+ extract_variables_from_binary
+ echo '[*] Extracting each args address and size for the 14 arc4() calls with address [0x403780]...'
[*] Extracting each args address and size for the 14 arc4() calls with address [0x403780]...
+ i=2
++ /usr/bin/wc -l
+ [[ 7 -ne 14 ]]
+ /usr/bin/grep -B 2 'call.*403780' /tmp/A21aQo
+ /usr/bin/grep -v 403780
+ /usr/bin/grep -Eo '(0x[0-9a-f]{6,})'
+ i=3
+ '[' 3 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 14 -ne 14 ]]
+ i=3
++ /usr/bin/wc -l
+ [[ 0 -ne 14 ]]
+ /usr/bin/grep -B 3 'call.*403780' /tmp/A21aQo
+ /usr/bin/grep -v 403780
+ /usr/bin/grep -Ev '0x[0-9a-f]{6,}'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+,)'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+)'
+ i=4
+ '[' 4 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 5 -ne 14 ]]
+ /usr/bin/grep -B 4 'call.*403780' /tmp/A21aQo
+ /usr/bin/grep -v 403780
+ /usr/bin/grep -Eo '(0x[0-9a-f]+)'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+,)'
+ /usr/bin/grep -Ev '0x[0-9a-f]{6,}'
+ i=5
+ '[' 5 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 6 -ne 14 ]]
+ /usr/bin/grep -B 5 'call.*403780' /tmp/A21aQo
+ /usr/bin/grep -v 403780
+ /usr/bin/grep -Eo '(0x[0-9a-f]+)'
+ /usr/bin/grep -Ev '0x[0-9a-f]{6,}'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+,)'
+ i=6
+ '[' 6 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 7 -ne 14 ]]
+ /usr/bin/grep -B 6 'call.*403780' /tmp/A21aQo
+ /usr/bin/grep -v 403780
+ /usr/bin/grep -Eo '(0x[0-9a-f]+)'
+ /usr/bin/grep -Ev '0x[0-9a-f]{6,}'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+,)'
+ i=7
+ '[' 7 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 11 -ne 14 ]]
+ /usr/bin/grep -B 7 'call.*403780' /tmp/A21aQo
+ /usr/bin/grep -v 403780
+ /usr/bin/grep -Eo '(0x[0-9a-f]+)'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+,)'
+ /usr/bin/grep -Ev '0x[0-9a-f]{6,}'
+ i=8
+ '[' 8 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 12 -ne 14 ]]
+ /usr/bin/grep -B 8 'call.*403780' /tmp/A21aQo
+ /usr/bin/grep -v 403780
+ /usr/bin/grep -Eo '(0x[0-9a-f]+,)'
+ /usr/bin/grep -Ev '0x[0-9a-f]{6,}'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+)'
+ i=9
+ '[' 9 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 16 -ne 14 ]]
+ /usr/bin/grep -B 9 'call.*403780' /tmp/A21aQo
+ /usr/bin/grep -v 403780
+ /usr/bin/grep -Eo '(0x[0-9a-f]+,)'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+)'
+ /usr/bin/grep -Ev '0x[0-9a-f]{6,}'
+ i=10
+ '[' 10 -eq 10 ']'
+ echo '[-] Unable to extract sizes of 14 arc4 args with ARC4 address call [0x403780]...'
[-] Unable to extract sizes of 14 arc4 args with ARC4 address call [0x403780]...
+ return
+ c=5
++ /usr/bin/wc -l
+ [[ 17 -ne 14 ]]
+ extract_arc4_call_addr 5
+ TAILNUMBER=5
++ /usr/bin/grep -Eo 'call.*[0-9a-f]{6,}' /tmp/A21aQo
++ /usr/bin/sort
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/sort
++ /usr/bin/grep -Eo '(14).*[0-9a-f]{6,}'
++ /usr/bin/grep -Eo '[0-9a-f]{6,}'
++ /usr/bin/uniq -c
+ CALLADDRS='14425f0e
403310
403780
409fb6
407b50
407799'
++ wc -l
+ TAILMAX=6
++ echo '14425f0e
403310
403780
409fb6
407b50
407799'
++ /usr/bin/sed 's/ /\n/g'
++ /usr/bin/tail -n 5
++ /usr/bin/head -n 1
+ CALLADDR=403310
+ [[ -z 403310 ]]
+ [[ 5 -gt 6 ]]
+ echo '[+] ARC4 address call candidate : [0x403310]'
[+] ARC4 address call candidate : [0x403310]
+ extract_variables_from_binary
+ echo '[*] Extracting each args address and size for the 14 arc4() calls with address [0x403310]...'
[*] Extracting each args address and size for the 14 arc4() calls with address [0x403310]...
+ i=2
++ /usr/bin/wc -l
+ [[ 14 -ne 14 ]]
+ i=3
++ /usr/bin/wc -l
+ [[ 17 -ne 14 ]]
+ /usr/bin/grep -B 3 'call.*403310' /tmp/A21aQo
+ /usr/bin/grep -v 403310
+ /usr/bin/grep -Eo '(0x[0-9a-f]+)'
+ /usr/bin/grep -Eo '(0x[0-9a-f]+,)'
+ /usr/bin/grep -Ev '0x[0-9a-f]{6,}'
+ i=4
+ '[' 4 -eq 10 ']'
++ /usr/bin/wc -l
+ [[ 14 -ne 14 ]]
+ IFS='
'
+ read -d '' -r -a LISTOFADDR
+ IFS='
'
+ read -d '' -r -a LISTOFSIZE
+ (( x = 0 ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x1
+ echo -e '\t[0] Working with var address at offset [0x470040] (0x1 bytes)'
	[0] Working with var address at offset [0x470040] (0x1 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=2
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 1 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_MSG1=
+ VAR_MSG1_Z=0x1
+ j=1
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x0
+ echo -e '\t[1] Working with var address at offset [0x470040] (0x0 bytes)'
	[1] Working with var address at offset [0x470040] (0x0 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=2
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 1 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_DATE=
+ VAR_DATE_Z=0x0
+ j=2
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x1
+ echo -e '\t[2] Working with var address at offset [0x470040] (0x1 bytes)'
	[2] Working with var address at offset [0x470040] (0x1 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=2
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 1 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_SHLL=
+ VAR_SHLL_Z=0x1
+ j=3
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x4
+ echo -e '\t[3] Working with var address at offset [0x470040] (0x4 bytes)'
	[3] Working with var address at offset [0x470040] (0x4 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=2
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 1 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_INLO=
+ VAR_INLO_Z=0x4
+ j=4
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x25
+ echo -e '\t[4] Working with var address at offset [0x470040] (0x25 bytes)'
	[4] Working with var address at offset [0x470040] (0x25 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=4
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 3 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/sed -e s:T::g
++ /usr/bin/tr '\n' T
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_XECC=
+ VAR_XECC_Z=0x25
+ j=5
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x1000
+ echo -e '\t[5] Working with var address at offset [0x470040] (0x1000 bytes)'
	[5] Working with var address at offset [0x470040] (0x1000 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=258
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 257 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_LSTO=
+ VAR_LSTO_Z=0x1000
+ j=6
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x1000
+ echo -e '\t[6] Working with var address at offset [0x470040] (0x1000 bytes)'
	[6] Working with var address at offset [0x470040] (0x1000 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=258
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 257 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_TST1=
+ VAR_TST1_Z=0x1000
+ j=7
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x30
+ echo -e '\t[7] Working with var address at offset [0x470040] (0x30 bytes)'
	[7] Working with var address at offset [0x470040] (0x30 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=5
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 4 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_CHK1=
+ VAR_CHK1_Z=0x30
+ j=8
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x57
+ echo -e '\t[8] Working with var address at offset [0x470040] (0x57 bytes)'
	[8] Working with var address at offset [0x470040] (0x57 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=7
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 6 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_MSG2=
+ VAR_MSG2_Z=0x57
+ j=9
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x4
+ echo -e '\t[9] Working with var address at offset [0x470040] (0x4 bytes)'
	[9] Working with var address at offset [0x470040] (0x4 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=2
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 1 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_RLAX=
+ VAR_RLAX_Z=0x4
+ j=10
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x30
+ echo -e '\t[10] Working with var address at offset [0x470040] (0x30 bytes)'
	[10] Working with var address at offset [0x470040] (0x30 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=5
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 4 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/sed -e s:T::g
++ /usr/bin/tr '\n' T
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_OPTS=
+ VAR_OPTS_Z=0x30
+ j=11
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x18
+ echo -e '\t[11] Working with var address at offset [0x470040] (0x18 bytes)'
	[11] Working with var address at offset [0x470040] (0x18 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=3
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 2 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_TEXT=
+ VAR_TEXT_Z=0x18
+ j=12
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x0
+ echo -e '\t[12] Working with var address at offset [0x470040] (0x0 bytes)'
	[12] Working with var address at offset [0x470040] (0x0 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=2
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 1 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_TST2=
+ VAR_TST2_Z=0x0
+ j=13
+ (( x = x+1  ))
+ (( x < 14 ))
+ i=0x470040
+ NBYTES=0x0
+ echo -e '\t[13] Working with var address at offset [0x470040] (0x0 bytes)'
	[13] Working with var address at offset [0x470040] (0x0 bytes)
++ echo 0x470040
++ /usr/bin/cut -d x -f 2
+ KEY=470040
+ NLINES=2
+ let LASTBYTE=0x0
++ /usr/bin/grep -A 1 -E '^ 470040 ' /tmp/5XRbi5
++ /usr/bin/awk '{ print $2$3$4$5}'
++ /usr/bin/tr '\n' T
++ /usr/bin/sed -e s:T::g
+ STRING=
+ STRING=
+ STRING=
+ FINALSTRING=
+ (( i = 0 ))
+ (( i < 0 ))
+ define_variable
+ case "$j" in
+ VAR_CHK2=
+ VAR_CHK2_Z=0x0
+ j=14
+ (( x = x+1  ))
+ (( x < 14 ))
+ c=6
++ /usr/bin/wc -l
+ [[ 14 -ne 14 ]]
+ extract_password_from_binary
+ echo '[*] Extracting password...'
[*] Extracting password...
+ KEY_ADDR=
+ KEY_SIZE=
+ i=5
+ [[ -z '' ]]
+ /usr/bin/grep -B 5 -m 1 'call.*403310' /tmp/A21aQo
+ /usr/bin/grep -v 403310
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -oE '0x[0-9a-z]{6,}+'
++ /usr/bin/head -n 1
+ KEY_ADDR=
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -v ''
++ /usr/bin/grep -oE '0x[0-9a-z]+'
++ /usr/bin/head -n 1
++ /usr/bin/grep -v movb
+ KEY_SIZE=
+ i=6
+ '[' 6 -eq 10 ']'
+ [[ -z '' ]]
+ /usr/bin/grep -B 6 -m 1 'call.*403310' /tmp/A21aQo
+ /usr/bin/grep -v 403310
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -oE '0x[0-9a-z]{6,}+'
++ /usr/bin/head -n 1
+ KEY_ADDR=
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -v ''
++ /usr/bin/grep -v movb
++ /usr/bin/grep -oE '0x[0-9a-z]+'
++ /usr/bin/head -n 1
+ KEY_SIZE=
+ i=7
+ '[' 7 -eq 10 ']'
+ [[ -z '' ]]
+ /usr/bin/grep -B 7 -m 1 'call.*403310' /tmp/A21aQo
+ /usr/bin/grep -v 403310
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -oE '0x[0-9a-z]{6,}+'
++ /usr/bin/head -n 1
+ KEY_ADDR=
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -v ''
++ /usr/bin/grep -v movb
++ /usr/bin/head -n 1
++ /usr/bin/grep -oE '0x[0-9a-z]+'
+ KEY_SIZE=
+ i=8
+ '[' 8 -eq 10 ']'
+ [[ -z '' ]]
+ /usr/bin/grep -B 8 -m 1 'call.*403310' /tmp/A21aQo
+ /usr/bin/grep -v 403310
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -oE '0x[0-9a-z]{6,}+'
++ /usr/bin/head -n 1
+ KEY_ADDR=
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -v movb
++ /usr/bin/grep -v ''
++ /usr/bin/head -n 1
++ /usr/bin/grep -oE '0x[0-9a-z]+'
+ KEY_SIZE=
+ i=9
+ '[' 9 -eq 10 ']'
+ [[ -z '' ]]
+ /usr/bin/grep -B 9 -m 1 'call.*403310' /tmp/A21aQo
+ /usr/bin/grep -v 403310
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -oE '0x[0-9a-z]{6,}+'
++ /usr/bin/head -n 1
+ KEY_ADDR=
++ /usr/bin/grep -B 3 -m 1 call /tmp/toqAgr
++ /usr/bin/grep mov
++ /usr/bin/grep -v movb
++ /usr/bin/grep -v ''
++ /usr/bin/grep -oE '0x[0-9a-z]+'
++ /usr/bin/head -n 1
+ KEY_SIZE=
+ i=10
+ '[' 10 -eq 10 ']'
+ echo '[-] Error, function call previous first call of arc4() hasn'\''t been identified...'
[-] Error, function call previous first call of arc4() hasn't been identified...
+ exit_error
+ clean
+ /usr/bin/shred -zu -n 1 /tmp/A21aQo /tmp/toqAgr /tmp/iPrMJZ /tmp/DXRuaq /tmp/5XRbi5 /tmp/XbLH3c /tmp/XbLH3c.c
+ exit 1

ELF-64bit shared object Unable to define arc4() call address

hi bro i was testing your tool, in ubuntu 18.04 64x86 but i got issues i've watched the video how to use SHC and UnShc to retrieve the code from the binary code. i did it all like in the video but i got the issue unable to define arc4() call address, so i decide to watch the file using file test.sh.x it show me ( ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=9567f9a28e66f4d7ec4baf31cfbf68d0410f0ae6, stripped) so when i got thi issue unable to define arc4() i jump over your example files that you left in the folder and i tried with that one, and it works fine so i decide to watch the file and it shows ( ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=9567f9a28e66f4d7ec4baf31cfbf68d0410f0ae6, stripped) so i think that your script work only with executable but not with shared object, my question is how i can solve this issue, i only have the binary file. thanks please i wish your help or comments.

There seems to be a problem.

[*] Input file name to decrypt [kangml-ce7web]
[-] Unable to define arc4() call address...
decryption failure;
File address
https://transfer.sh/11r50u/ksf
And this
https://transfer.sh/H0gme/zyzh
Sorry for the inconvenience

Help, a new question, thank you！

[root@VM_20_164_centos ~]# ./y cen

_   _       _____ _   _      
| | | |     /  ___| | | |     
| | | |_ __ \ `--.| |_| | ___ 
| | | | '_ \ `--. \  _  |/ __|
| |_| | | | /\__/ / | | | (__ 
 \___/|_| |_\____/\_| |_/\___|

--- UnSHc - The shc decrypter.
--- Version: 0.7
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc   : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------

[*] Input file name to decrypt [cen]
[+] ARC4 address call candidate : [0x14c283e9]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x14c283e9]...
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x14c283e9]...
[+] ARC4 address call candidate : [0x146175e1]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x146175e1]...
[-] Unable to extract addresses of 14 arc4 args with ARC4 address call [0x146175e1]...
[-] Unable to define arc4() call address...

File address：https://transfer.sh/iIhUG/cen

Unable to unshc a simple encrypted script

I have written a simple bash script and encrypted with shc tool. My filename is kali-upgrade.sh.x.
My OS architecture is,

Linux kali 5.6.0-kali2-amd64 #1 SMP Debian 5.6.14-1kali1 (2020-05-25) x86_64 GNU/Linux

My shc version is,

shc Version 4.0.3, Generic Shell Script Compiler

Which I have installed via command,

sudo apt install shc

My shell script looks like this,

cat /etc/opt/.kali-upgrade/.psd | sudo -S apt update && sudo -S apt -y upgrade && sudo -S apt -y dist-upgrade && sudo -S apt -y full-upgrade && sudo -S apt -y autoremove && sudo -S apt -y autoclean && sudo -S apt -y clean && echo "Starting updatedb..." && sudo -S updatedb && echo "updatedb completed..." && echo "Starting mandb..." && sudo -S mandb && echo "mandb completed..."

I tried the following commands.
./unshc.sh kali-upgrade.sh.x -d dumpfile -s scriptfile -o script.sh
./unshc.sh kali-upgrade.sh.x
Output I'm getting is,

[*] Input file name to decrypt [kali-upgrade.sh.x]
[+] Object dump file specified [dumpfile]
[+] String dump file specified [scriptfile]
[+] Output file name specified [script.sh]
[-] Unable to define arc4() call address...

FYI attached file renamed with .txt. kindly remove .txt extension from the file.
kali-upgrade.sh.txt
kali-upgrade.sh.x.txt

非常不错

火钳刘明

UnSHC a SHC binary that was not complied by relax security option

Hello,

long time ago (2-3 years ago) I had a dedicated that had a SHC encrypted shell script (script.sh.x file) And I do have that file til now but not that dedicated, it died long time ago, now I used SHC many many times and it always worked well, but when I complied that specific script I forgot to add the -r option to SHC command line "shc -f file.sh" ( -r is the relax security option to make a redistributable binary ), and now I really need to get that script to work again, I no longer have the source code of it, only the binary And whenever I run it on the other system it gives an error that says "abnormal behavior" and some other weird non English characters

Example:
root@[localhost]:~/shc # ./init.sh
./init.sh: ]��&͆��w�`jymM0}abnormal behavior!

When I tried using UnSHC it gave this result: (success)

root@[localhost]:~/shc # ./unshc.sh init.sh

| | | | / | | | |
| | | | __ \ --.| |_| | ___ | | | | '_ \ --. \ _ |/ __|
| || | | | /_/ / | | | (__
_/|| |_/_| |/___|

--- UnSHc - The shc decrypter.
--- Version: 0.8

UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM

SHc : [http://www.datsi.fi.upm.es/~frosal/]
UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

[] Input file name to decrypt [init.sh]
[+] ARC4 address call candidate : [0x400c74]
[] Extracting each args address and size for the 14 arc4() calls with address [0x400c74]...
[0] Working with var address at offset [0x602cf3] (0x2a bytes)
[1] Working with var address at offset [0x602d1d] (0x1 bytes)
[2] Working with var address at offset [0x602cdc] (0xa bytes)
[3] Working with var address at offset [0x602d1e] (0x3 bytes)
[4] Working with var address at offset [0x602d44] (0xf bytes)
[5] Working with var address at offset [0x602d55] (0x1 bytes)
[6] Working with var address at offset [0x602d27] (0x16 bytes)
[7] Working with var address at offset [0x602d58] (0x16 bytes)
[8] Working with var address at offset [0x602cc3] (0x13 bytes)
[9] Working with var address at offset [0x602ce8] (0x1 bytes)
[10] Working with var address at offset [0x602d21] (0x1 bytes)
[11] Working with var address at offset [0x6023c4] (0x62d bytes)
[12] Working with var address at offset [0x602caf] (0x13 bytes)
[13] Working with var address at offset [0x602304] (0x13 bytes)
[] Extracting password...
[+] PWD address found : [0x602b92]
[+] PWD size found : [0x100]
[] Executing [/tmp/DdINn8] to decrypt [init.sh]
[] Retrieving initial source code in [init.sh.sh]
[] All done!

Meanwhile the output file only had this:

root@[localhost]:~/shc # cat init.sh.sh
젢3��3E��Q�4��Mj�s�=ϣ^�Y␋�2�YIS��M�≠�� "�─J��␉┤π1��≠7��
%N�Q⬥�(<��ل��񚬤␋%ݪ��H��Б▲��F��█��Ƚ^֏├��@�� (≠
��W�࢚��O�⎽�┌�%�&��>��ݢ��Xۙ��␍4��]��)ۭ��≥≠^␊ ��⎼⎺⎺├@[≥G▲S├▒├┤⎽]:•/⎽#␌ #

Any ideas? Thanks in advance.

yanncam / unshc Goto Github PK

unshc's Introduction

UnSHc

Please note

SHc review

How to use SHc ?

How to use UnSHc ?

UnSHc-MIPS

UnSHc-ARM

unshc's People

Contributors

Stargazers

Watchers

Forkers

unshc's Issues

- **/|| |__**/|

- - [ ] |/__|

--- UnSHc - The shc decrypter. --- Version: 0.8

--- UnSHc - The shc decrypter. --- Version: 0.8

...

`

--- Version: 0.5

- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]

--- UnSHc - The shc decrypter. --- Version: 0.8

--- UnSHc - The shc decrypter. --- Version: 0.7

--- UnSHc - The shc decrypter. --- Version: 0.8

--- UnSHc - The shc decrypter. --- Version: 0.8

Recommend Projects

Recommend Topics

Recommend Org

- /|| |__/|

--- UnSHc - The shc decrypter.
--- Version: 0.8

--- UnSHc - The shc decrypter.
--- Version: 0.8

--- UnSHc - The shc decrypter.
--- Version: 0.8

--- UnSHc - The shc decrypter.
--- Version: 0.7

--- UnSHc - The shc decrypter.
--- Version: 0.8

--- UnSHc - The shc decrypter.
--- Version: 0.8