SHC program principle-analysis by example

Source: Internet
Author: User

Some people want to encrypt their own Perl scripts, some want to encrypt their own PHP, some people think that Bash programming is not really a programming, because their source code is visible, unlike C Programs, once compiled, it will no longer be readable... in fact, this is a misunderstanding. One of the first is that the Elf or PE files related to the Platform compiled by C language are not completely unreadable, but are not readable to the application, and hackers can still perform sound disassembly, second, since the application is not a professional, Bash, Perl and other code are also unreadable to them. My wife once completely understood the meaning of echo abc, and the third is Perl or PHP, why hide the code? They are open-source. Why do we need to hide the code written in them? This may be affected by windows...
In any case, a tool is provided on Linux, namely, SHC. On the surface, it seems that Bash can be compiled into a binary form, making many people more assured, however, those who carefully read the code generated by SHC won't think so. In fact, if SHC can really convert a bash script to a platform-related file such as Elf, it means SHC must understand bash syntax and keywords, in addition to bash built-in commands, bash scripts can also call any other Bash scripts, elf files, Perl programs, or other Python programs, the complicated GCC just understands C syntax and keywords. It is impossible for a SHC to understand all the above. For example, a bash script calls a program named, so does SHC link a or try to understand the meaning of program a and replace it with an equivalent C language function? Even if SHC fully understands and can handle bash, nor can it be expected that it fully understands and can handle other programs or commands. This is completely done in an artificial intelligence way and complicated.
Next we will use an example to illustrate what SHC has actually done. Before analyzing the code, Let's explain the answer, that is, SHC encrypts a script with a piece of key, and the algorithm is RC4, then, save the encrypted data and key together into some arrays, and save the decrypted and executed program code and the encrypted script and key in a C file, compile the c file into an executable ELF File (on the Linux platform). When the ELF file is executed, it will decompress the encrypted script array data and then execute it. The following code proves:
First, let's look at a simple script file.
######### -- Simple. Sh --#########
#! /Bin/bash
Echo 1
######### -- End --#########
The following is the c file generated through SHC-f Simple. Sh.
######## -- Simple. Sh. X. c --#########

Static long date = 0;
Static char Mail [] = "please contact your provider ";
Static int relax = 0;
Typedef char pswd_t [474];
Static char pswd [] = // here is the key
"/367/026/340/141/333/034/344/067/103/155/241/324/354/345/056/253"
...
"/125/300/045/273/061/114 ";
Typedef char shll_t [10];
Static char shll [] =
"/142/255/213/016/240/111/146/224/304/270/321/256/255/314/174/025 ";
Typedef char inlo_t [3];
Static char INLO [] =
"/325/233/105/366/212/116/244/207/272/345/242/161/132/177/134/253"
"/125 ";
Typedef char xecc_t [15];
Static char xecc [] = // This array is used to confuse Code, making disassembly more difficult
"/134/317/165/125/034/257/377/004/136/110/115/262/262/061/027/301"
"/364/157/201/032/052/262/146/240/203 ";
Typedef char lsto_t [1];
Static char lsto [] =
"/226/115/117/220/142 ";
# Define text_chk1 "ksjwfsdvl0ese"
Typedef char chk1_t [14];
Static char CHK1 [] =
"/204/245/141/023/147/245/253/366/274/130/145/064/011/134/043/213"
"/011/226/037/345/232/026/336/045/371/102/333 ";
Typedef char opts_t [1];
Static char opts [] =
"/237/314/241/274/355/321/275/002/027/251/044/063/164/302/246/070 ";
Typedef char text_t [20];
Static char text [] =
"/150/207/154/160/250/073/136/042/050/230/310/252/236/366/061/372"
"/300/123/332/054/043/133/223/055/362/262/022 ";
# Define text_chk2 "24 joascmvuap"
Typedef char chk2_t [13];
Static char CHK2 [] =
"/272/250/101/200/054/030/146/004/003/063/006/172/157/110 ";
Typedef char hide_t [4096];
...
Static unsigned char State [256], indx, jndx;
...
Void key (char * STR, int Len) // sets the key. RC4 is a stream algorithm rather than a grouping algorithm such as des.
{
Unsigned char TMP, * PTR = (unsigned char *) STR;
While (LEN> 0 ){
Do {
TMP = State [indx];
Jndx + = TMP;
Jndx + = PTR [(INT) indx % Len];
State [indx] = State [jndx];
State [jndx] = TMP;
} While (++ indx );
PTR + = 256;
Len-= 256;
}
}
Void RC4 (char * STR, int Len) // The RC4 function decrypts the data, which is encrypted in SHC.
{
Unsigned char TMP, * PTR = (unsigned char *) STR;
Jndx = 0;
While (LEN> 0 ){
Indx ++;
TMP = State [indx];
Jndx + = TMP;
State [indx] = State [jndx];
State [jndx] = TMP;
TMP + = State [indx];
* PTR ^ = State [TMP];
PTR ++;
Len --;
}
}
...
Int chkenv (INT argc)
{
... // This function is mainly used for obfuscation. An environment variable is used to control the execution of this program twice. It is actually executed in EXEC mode.
}
Char * xsh (INT argc, char ** argv) // decrypt the data and finally execute the decryption script.
{
Char buff [512];
Char * scrpt;
Int ret, I, j;
Char ** Varg;
State_0 ();
Key (pswd, sizeof (pswd_t); // set the key. Note that the keys generated during Each SHC execution are different because RC4 is a sequence stream encryption algorithm, if the key is the same, the same plain text in the same segment will obtain the same ciphertext, which will be broken. Therefore, each key is randomly generated.
RC4 (shll, sizeof (shll_t); // The decryption result is the command interpreter:/bin/bash
RC4 (INLO, sizeof (inlo_t); // The decryption result is Bash option:-C, prompting the script to be in a subsequent string rather than in the file
...
RC4 (lsto, sizeof (lsto_t ));
RC4 (CHK1, sizeof (chkw.t ));
If (strcmp (text_chk1, CHK1) // verify that the decryption is correct until now, because we do not know the plaintext in advance, therefore, the ciphertext decryption result cannot be compared to prove that the plaintext after decryption is correct. Because a random string sequence constant is arranged in advance, SHC encrypts and saves it in the encrypted order, if the decrypted data is the same as the stored string in the reverse order, it indicates that the decryption is obtained so far. Note that the stream algorithm has strict requirements on the encryption and decryption sequence, no disorder is allowed.
Return "location has changed! ";
Ret = chkenv (argc );
If (Ret <0)
Return "abnormal behavior! ";
Varg = (char **) calloc (argc + 10, sizeof (char *));
If (RET) {// This RET judgment is purely for obfuscation, in order to let the program execute again...
If (! Relax & key_with_file (shll ))
Return shll;
RC4 (OPTs, sizeof (opts_t ));
RC4 (text, sizeof (text_t ));
RC4 (CHK2, sizeof (chk2_t); // according to the stream algorithm, if the preceding text, that is, the decryption error of the script itself, CHK2 here is not likely to be correct, however, I personally think it is better to use the grouping algorithm with Initialization vectors here.
If (strcmp (text_chk2, CHK2 ))
Return "shell has changed! ";
If (sizeof (text_t) <sizeof (hide_t )){
Scrpt = malloc (sizeof (hide_t ));
Memset (scrpt, (INT) '', sizeof (hide_t ));
Memcpy (& scrpt [sizeof (hide_t)-sizeof (text_t)], text, sizeof (text_t ));
} Else {
Scrpt = text;/* script text */
}
}
... // Omitting the obfuscation process for processing command line parameters
J = 0;
Varg [J ++] = argv [0];
If (Ret & * opts)
Varg [J ++] = opts;
If (* INLO)
Varg [J ++] = INLO;
Varg [J ++] = scrpt;
If (* lsto)
Varg [J ++] = lsto;
I = (Ret> 1 )? RET: 0;
While (I <argc)
Varg [J ++] = argv [I ++];
Varg [J] = 0;
Execvp (shll, Varg); // execute the decrypted script
Return shll;
}

Int main (INT argc, char ** argv)
{
Xsh (argc, argv );
...
}
It turns out that SHC didn't compile the bash script into a binary file. Instead, it only encrypts the file, stores the encrypted file, decrypts it during execution, and executes it.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.