-
Notifications
You must be signed in to change notification settings - Fork 256
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Won't work :-( #14
Comments
Hello, Can you send to me the orignal *.sh and encrypted files *.sh.x in attachment ? What is your distribution version (Ubuntu, Debian, CentOS ?) and architrecture (x86 / x64) ? It seems to be a problem with the grep command arround the line 309 in the latest version. Keep me informed, |
Of course, I attached all items for test. Arch is x86 and this is blackpanther-distro. |
Ok, I check on my side and I return to you as soon as possible. Sincerely, |
Hi yanncam, I saw the same issue. did shc change the algorithm? Thanks |
Yes i did lol ... it's open for new easy exploit search if any one find... :) |
Hello, Can you try again with the relaxed option of SHc (before using UnSHc) ?
The Then retry to decrypt it with UnSHc. Sincerely, |
Hai yanncam can you help me decrypt this file |
I made a testfile with echo "CRYPT/DECRYPT TEST"
`shc -f test.sh
Tested binary
./test.sh.x
CRYPT/DECRYPT TEST
`
Run unshc
`./unshc.sh test.sh.x
...
[] Input file name to decrypt [test.sh.x]
[+] ARC4 address call candidate : [0x804894e]
[] Extracting each args address and size for the 14 arc4() calls with address [0x804894e]...
[0] Working with var address at offset [0x804b09c] (0x8 bytes)
[1] Working with var address at offset [0x804b2c8] (0x8 bytes)
[2] Working with var address at offset [0x804b2c9] (0x8 bytes)
[3] Working with var address at offset [0x804b0de] (0x8 bytes)
[4] Working with var address at offset [0x804b0e2] (0x8 bytes)
[5] Working with var address at offset [0x804b0f4] (0x8 bytes)
[6] Working with var address at offset [0x804b123] (0x8 bytes)
[7] Working with var address at offset [0x804b13e] (0x8 bytes)
[8] Working with var address at offset [0x804b082] (0x8 bytes)
[9] Working with var address at offset [0x804b157] (0x8 bytes)
[10] Working with var address at offset [0x804b158] (0x8 bytes)
[11] Working with var address at offset [0x804b0f7] (0x8 bytes)
[12] Working with var address at offset [0x804b159] (0x8 bytes)
[13] Working with var address at offset [0x804b2b1] (0x8 bytes)
[*] Extracting password...
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
[-] Error, function call previous first call of arc4() hasn't been identified...
`
Callfile content:
`
[*] Extracting password...
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048ca0: 83 ec 08 sub $0x8,%esp
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
8048c9b: e8 8b fb ff ff call 804882b <gmon_start@plt+0x10b>
8048ca0: 83 ec 08 sub $0x8,%esp
8048ca3: 68 00 01 00 00 push $0x100
8048ca8: 68 9e b1 04 08 push $0x804b19e
8048cad: e8 cf fb ff ff call 8048881 <gmon_start@plt+0x161>
8048cb2: 83 c4 10 add $0x10,%esp
8048cb5: 83 ec 08 sub $0x8,%esp
8048cb8: 6a 41 push $0x41
8048cba: 68 9c b0 04 08 push $0x804b09c
Usage: /usr/bin/grep [OPTION]... PATTERN [FILE]...
Try '/usr/bin/grep --help' for more information.
[-] Error, function call previous first call of arc4() hasn't been identified...
`
The text was updated successfully, but these errors were encountered: