First We See How To Compiled Bash Script To Binary?


tar -xvzf shc-3.8.7.tgz

cd shc-3.8.7



You can see shc usage message.
shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script

Now we have script which we want to convert in binary.

./shc -f /script_path

So now you can see that it will convert plain text bash source into binary which extension is  .sh.x.

How To Retrieve Plain Text From Binary?

The shc compiled binary decrypts and loads the script into memory when started right after we started the binary, just segfault it and retrieve our script from the core dump.

Core dumps are often used to  debug errors in Linux or UNIX programs. A core file is generated when an application program abnormally terminates due to bug, operating system security protection schema, or program simply try to write beyond the area of memory it has allocated.

By default most of linux distributions turn off core file creation.
So we need to turn on core file creation.

ulimit -c

If output is zero means that core file is not created.

Now we set core file size limit to 70000 byte

ulimit -c 70000

Now we start binary & segfault it right away.I used IP-Digger binary to get plain text from it.

./  ( sleep 0.02 && kill -SIGSEGV $! )

 sleep 0.02 will give the binary enough time to start up and decrypt the original script. The variable $! contains the pid of the last background process started, so we can easily kill it with the segmentation fault signal SIGSEGV (same as kill -11 $!). 
+ segmentation fault (core dumped)  ./
cat core | strings >plain_text


Now open plain_text file which we created & find plain text source of bash script.I upload source code of ip-digger here .

But if your script is too large then adjust core file size.

1 comment: