Add release 0.8 with a patch for the movb instruction on large encrypted files

root
root committed Oct 26, 2016
1 parent 1ab3e01 commit 6b7a834b712dd234af85f0540d0fbbfa191b5239
Showing with 727 additions and 3 deletions.
  1. +6 −3 latest/unshc.sh
  2. +721 −0 release/0.8/unshc-v0.8.sh
9 latest/unshc.sh 100644 → 100755
@@ -24,6 +24,9 @@
# 07/28/16 - v0.7
# -- Add support of multiple ARC4 offsets auto-retrieved by script (iterate over each one), specialy for huge bash file encrypted
# -- Force .sh extension to decrypted file, for initial file without extension (prevent rewrite of original file)
# Updated: Yann CAM v0.8 - yann.cam@gmail.com | www.asafety.fr
# 01/23/17 - v0.8
# -- Adjust grep for retrieve PWD_SIZE in OBJDUMP to ignore movb instruction (https://github.com/yanncam/UnSHc/issues/12)
###################
# Tested on :
# Ubuntu 14.04.3 LTS x86_64
@@ -38,7 +41,7 @@
# Linux server 3.2.0-4-686-pae #1 SMP Debian 3.2.68-1+deb7u2 i686 GNU/Linux
# Linux version 3.2.0-4-686-pae (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.68-1+deb7u2
###################
VERSION="0.7"
VERSION="0.8"
OBJDUMP=`which objdump`
GREP=`which grep`
@@ -294,6 +297,7 @@ function define_variable() {
# So we need the previous call just before the first "call ARC4_CALLADDR" and its args.
# Update 27/06/2013 : Add new objdump format
# Update 18/11/2015 : Simplify extraction
# Update 23/01/2017 : Ignore movb instruction
function extract_password_from_binary(){
echo "[*] Extracting password..."
KEY_ADDR=""
@@ -306,14 +310,13 @@ function extract_password_from_binary(){
#cat $CALLFILE
# Adjust these two next line to grep right addr & size value (depending on your architecture)
KEY_ADDR=$($GREP -B 3 -m 1 "call" $CALLFILE | $GREP mov | $GREP -oE "0x[0-9a-z]{6,}+" | $HEAD -n 1)
KEY_SIZE=$($GREP -B 3 -m 1 "call" $CALLFILE | $GREP mov | $GREP -v $KEY_ADDR | $GREP -oE "0x[0-9a-z]+" | $HEAD -n 1)
KEY_SIZE=$($GREP -B 3 -m 1 "call" $CALLFILE | $GREP mov | $GREP -v $KEY_ADDR | $GREP -v movb | $GREP -oE "0x[0-9a-z]+" | $HEAD -n 1)
i=$(($i + 1))
if [ $i -eq 10 ]; then
echo "[-] Error, function call previous first call of arc4() hasn't been identified..."
exit_error
fi
done
echo -e "\t[+] PWD address found : [$KEY_ADDR]"
echo -e "\t[+] PWD size found : [$KEY_SIZE]"
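Review bot: The new KEY_SIZE line still accepts tokens that are not hex at all, because `$GREP -oE "0x[0-9a-z]+"` matches letters g–z as well as hex digits, and the only guard visible after it is the `i -eq 10` retry cap, so a wrong but non-empty token is reported at the `PWD size found` line and presumably carried forward as the password length. objdump only emits hex here, so tighten the class to `"0x[0-9a-f]+"` and reject anything else before leaving the loop, e.g. `[[ "$KEY_SIZE" =~ ^0x[0-9a-f]+$ ]] || KEY_SIZE=""` so the retry logic sees an empty value instead of garbage. The added `$GREP -v movb` fixes the reported case, but `$GREP mov` still matches every mov variant (movl, movq, movzbl, ...), so this is a point exclusion rather than a selection of the operand that carries the size; a comment such as `# assumes the size is the first non-movb mov immediate before the call (see issue #12)` would save the next person hitting another variant. Note that `$KEY_ADDR` is expanded unquoted as a grep pattern on this line; it is fine for the hex addresses L44 produces, but an empty value turns `$GREP -v` into a usage error rather than a filter. `extract_password_from_binary` and the enclosing retry loop begin outside this hunk.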