Chinaunix
标题:
用shc加密shell或其他脚本解析程序.
[打印本页]
作者:
ZealeS
时间:
2006-01-19 11:33
标题:
用shc加密shell或其他脚本解析程序.
随便google或百度一下shc, 都可以找到很多下载的.
安装很简单, 可能有些系统要改一下makefile, 当然需要gcc或cc.
编译的结果就是根据里面的C程序产生一个shc的可执行程序. 随便拷到系统目录可以用了.
shc的原理是先将你的程序转化成标准C程序, 在一些老Unix上可能要改点东西.
我在Solaris, HP-unix下用发现有不同, 可能有些系统头文件中没有PTRACE_ATTACH只要把shc翻译后的C程序里面的这个变量替换为0就行, 然后在手动gcc yourscrip就行.
shc会对脚本进行分析产生对应sh命令的一些宏地址, 然后再将C程序编译成二进制的可执行文件. 相信很少人能看懂哪些宏代表什么, 个人认为是比较使用的, 当然原程序要保存好.
不过每次改sh程序后必须执行shc来产生执行文件.
下面是我的一个例子.
[zec#/usr1/zec/bin]: cat a.sh
#!/bin/ksh
echo mypid is $$
echo today is $(date)
awk 'BEGIN{print "hello world"}'
[zec#/usr1/zec/bin]: sh a.sh
mypid is 22316
today is Thu, Jan 19, 2006 11:10:12 AM
hello world
[zec#/usr1/zec/bin]: shc -r -f a.sh
####这个时侯shc程序会翻译成a.sh.x.c并通过gcc/cc编译成一个a.sh.x.exe
####如果你的gcc/cc编译这个.x.c文件出错, 一般都是ptrace(PTRACE_ATTACH, pid, 0, 0);
####这个函数的问题, 把PTRACE_ATTACH替换为0, 有些系统可能参数不够要增加一两个0在后面. ptrace(PTRACE_ATTACH, pid, 0, 0, 0, 0);
####然后在手动gcc a.sh.x.c就okay拉.
[zec#/usr1/zec/bin]: cat a.sh.x.c
#if 0
shc Version 3.8, Generic Script Compiler
Copyright (c) 1994-2004 Francisco Rosales <frosal@fi.upm.es>
shc -r -f a.sh
#endif
static char data [] =
#define msg2_z 19
#define msg2 ((&data[3]))
"\022\224\115\321\302\126\016\131\044\366\370\166\032\000\074\245"
"\272\074\254\146\111\107\116\360\254\035"
#define chk2_z 19
#define chk2 ((&data[30]))
"\172\251\262\030\340\356\056\211\175\251\350\135\154\104\267\131"
"\244\352\327\226\001\075\157"
#define tst1_z 22
#define tst1 ((&data[51]))
"\106\053\237\301\117\002\102\011\161\027\035\275\005\243\137\262"
"\214\226\373\214\056\322\026\157\256\052"
#define rlax_z 1
#define rlax ((&data[75]))
"\353"
#define pswd_z 256
#define pswd ((&data[80]))
"\164\020\143\353\054\376\061\236\304\260\250\223\171\305\137\040"
"\127\003\177\252\343\374\262\024\174\213\111\043\135\062\254\173"
"\004\354\254\031\144\042\350\164\257\302\271\346\025\276\341\272"
"\141\044\160\201\236\047\040\347\325\014\230\303\015\217\312\246"
"\217\234\370\202\217\344\176\310\121\103\363\220\365\153\263\050"
"\317\314\205\234\257\071\121\211\331\074\235\360\035\212\314\062"
"\335\241\327\011\106\364\176\217\312\257\227\052\345\177\203\225"
"\123\123\204\242\333\242\331\022\223\020\146\032\010\020\355\345"
"\013\116\135\265\200\175\206\377\016\170\177\003\017\041\027\133"
"\174\011\316\361\102\105\137\321\346\170\232\164\245\211\173\267"
"\025\362\067\074\204\043\114\174\357\007\034\045\371\367\113\024"
"\254\072\131\235\134\206\251\107\213\131\165\336\036\321\341\334"
"\313\316\251\020\370\002\240\253\015\302\172\116\166\024\023\220"
"\037\042\267\165\371\071\220\063\024\222\316\364\375\072\236\276"
"\324\040\215\136\326\257\147\142\356\071\367\273\017\175\324\354"
"\377\015\074\261\006\213\357\372\021\011\031\230\114\000\256\036"
"\126\005\160\062\027\110\132\073\023\065\337\347\024\100\076\334"
"\024\175\351\146\156\204\010\036\103\263\125\116\026\305\144\203"
"\345\106\336\204\231\341\370\141\103\335\147\334"
#define text_z 85
#define text ((&data[396]))
"\320\257\311\257\354\040\054\221\135\302\144\131\266\336\255\207"
"\264\032\105\126\377\305\055\346\377\106\026\173\360\303\362\023"
"\247\127\017\322\371\266\044\114\240\357\012\147\200\306\045\151"
"\177\277\017\163\351\072\215\145\253\323\151\017\061\064\262\371"
"\230\075\160\045\322\053\044\265\100\271\245\256\124\335\352\225"
"\010\312\222\364\075\162\146\046\354\272\230\202\317\344\063\143"
"\310\057\355\110\047\351\102\063\156\071\100\026\154\025\157\124"
"\264"
#define tst2_z 19
#define tst2 ((&data[492]))
"\011\276\306\311\166\013\114\152\236\045\325\204\027\073\142\150"
"\264\326\076\305\333\335"
#define opts_z 1
#define opts ((&data[511]))
"\173"
#define msg1_z 42
#define msg1 ((&data[519]))
"\145\357\240\071\350\302\117\050\302\364\151\223\330\317\227\013"
"\236\046\324\344\313\014\242\220\070\167\111\373\121\043\106\150"
"\227\260\307\173\102\174\146\200\101\120\124\120\341\316\352\155"
"\313\370"
#define date_z 8
#define date ((double*)(&data[568]))
"\377\307\035\122\152\177\041\123\046\211\230\370\201\253"
#define chk1_z 22
#define chk1 ((&data[577]))
"\345\344\060\210\022\034\313\256\166\302\327\254\335\201\222\327"
"\372\153\354\127\373\061\157"
#define shll_z 9
#define shll ((&data[600]))
"\344\111\003\267\211\255\311\112\344\011\032\211"
#define inlo_z 3
#define inlo ((&data[611]))
"\256\137\345"
#define xecc_z 15
#define xecc ((&data[615]))
"\164\150\003\041\116\313\136\322\031\060\373\003\365\175\061\302"
"\073\225\356"
#define lsto_z 1
#define lsto ((&data[633]))
"\332"/* End of data[] */;
#define hide_z 4096
#define DEBUGEXEC 0 /* Define as 1 to debug execvp calls */
#define TRACEABLE 0 /* Define as 1 to enable ptrace the executable */
/* rtc.c */
/* 这里是程序的主要函数和处理, 这里放不下, 看下一回复 */
[zec#/usr1/zec/bin]: file a.sh.exe
a.sh.exe: PA-RISC1.1 shared executable dynamically linked -not stripped
[zec#/usr1/zec/bin]: a.sh.exe
mypid is 22399
today is Thu, Jan 19, 2006 11:13:35 AM
hello world
[zec#/usr1/zec/bin]:
复制代码
相信大家一看就大概知道他的原理, 不管什么sh或perl或expect, 第一行必须是:
类似#!/bin/sh这样的说明, 如#!/bin/perl或#!/usr/local/bin/expect
不同的程序编译后的.c文件只有在前面哪个宏定义不同. 相信很少人能看到这些宏对应的sh命令地址吧.
作者:
ZealeS
时间:
2006-01-19 11:35
接上面/* rtc.c */后面.
#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
/**
* 'Alleged RC4' Source Code picked up from the news.
* From: allen@gateway.grumman.com (John L. Allen)
* Newsgroups: comp.lang.c
* Subject: Shrink this C code for fame and fun
* Date: 21 May 1996 10:49:37 -0400
*/
static unsigned char stte[256], indx, jndx, kndx;
/*
* Reset arc4 stte.
*/
void stte_0(void)
{
indx = jndx = kndx = 0;
do {
stte[indx] = indx;
} while (++indx);
}
/*
* Set key. Can be used more than once.
*/
void key(void * str, int len)
{
unsigned char tmp, * ptr = (unsigned char *)str;
while (len > 0) {
do {
tmp = stte[indx];
kndx += tmp;
kndx += ptr[(int)indx % len];
stte[indx] = stte[kndx];
stte[kndx] = tmp;
} while (++indx);
ptr += 256;
len -= 256;
}
}
/*
* Crypt data.
*/
void arc4(void * str, int len)
{
unsigned char tmp, * ptr = (unsigned char *)str;
while (len > 0) {
indx++;
tmp = stte[indx];
jndx += tmp;
stte[indx] = stte[jndx];
stte[jndx] = tmp;
tmp += stte[indx];
*ptr ^= stte[tmp];
ptr++;
len--;
}
}
/*
* Key with file invariants.
*/
int key_with_file(char * file)
{
struct stat statf[1];
struct stat control[1];
if (stat(file, statf) < 0)
return -1;
/* Turn on stable fields */
memset(control, 0, sizeof(control));
control->st_ino = statf->st_ino;
control->st_dev = statf->st_dev;
control->st_rdev = statf->st_rdev;
control->st_uid = statf->st_uid;
control->st_gid = statf->st_gid;
control->st_size = statf->st_size;
control->st_mtime = statf->st_mtime;
control->st_ctime = statf->st_ctime;
key((char *)control, sizeof(control));
return 0;
}
#if DEBUGEXEC
void debugexec(char * shll, int argc, char ** argv)
{
int i;
fprintf(stderr, "shll=%s\n", shll ? shll : "<null>");
fprintf(stderr, "argc=%d\n", argc);
if (!argv) {
fprintf(stderr, "argv=<null>\n");
} else {
for (i = 0; i <= argc ; i++)
fprintf(stderr, "argv[%d]=%.60s\n", i, argv[i] ? argv[i] : "<null>");
}
}
#endif /* DEBUGEXEC */
void rmarg(char ** argv, char * arg)
{
for (; argv && *argv && *argv != arg; argv++);
for (; argv && *argv; argv++)
*argv = argv[1];
}
int chkenv(int argc)
{
char buff[512];
unsigned mask, m;
int l, a, c;
char * string;
extern char ** environ;
mask = (unsigned)chkenv;
mask ^= (unsigned)getpid() * ~mask;
sprintf(buff, "x%x", mask);
string = getenv(buff);
#if DEBUGEXEC
fprintf(stderr, "getenv(%s)=%s\n", buff, string ? string : "<null>");
#endif
l = strlen(buff);
if (!string) {
/* 1st */
sprintf(&buff[l], "=%u %d", mask, argc);
putenv(strdup(buff));
return 0;
}
c = sscanf(string, "%u %d%c", &m, &a, buff);
if (c == 2 && m == mask) {
/* 3rd */
rmarg(environ, &string[-l - 1]);
return 1 + (argc - a);
}
return -1;
}
#if !TRACEABLE
#define _LINUX_SOURCE_COMPAT
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
void untraceable(char * argv0)
{
char proc[80];
int pid, mine;
switch(pid = vfork()) {
case 0:
pid = getppid();
/* For problematic SunOS ptrace */
sprintf(proc, "/proc/%d/as", (int)pid);
close(0);
mine = !open(proc, O_RDWR|O_EXCL);
if (!mine && errno != EBUSY)
mine = !ptrace(0, pid, 0, 0, 0);
if (mine) {
kill(pid, SIGCONT);
} else {
perror(argv0);
kill(pid, SIGKILL);
}
_exit(mine);
case -1:
break;
default:
if (pid == waitpid(pid, 0, 0))
return;
}
perror(argv0);
_exit(1);
}
#endif /* !TRACEABLE */
char * xsh(int argc, char ** argv)
{
char * scrpt;
int ret, i, j;
char ** varg;
stte_0();
key(pswd, pswd_z);
arc4(msg1, msg1_z);
arc4(date, date_z);
if (date[0] && date[0]<time(NULL))
return msg1;
arc4(shll, shll_z);
arc4(inlo, inlo_z);
arc4(xecc, xecc_z);
arc4(lsto, lsto_z);
arc4(tst1, tst1_z);
key(tst1, tst1_z);
arc4(chk1, chk1_z);
if ((chk1_z != tst1_z) || memcmp(tst1, chk1, tst1_z))
return tst1;
ret = chkenv(argc);
arc4(msg2, msg2_z);
if (ret < 0)
return msg2;
varg = (char **)calloc(argc + 10, sizeof(char *));
if (!varg)
return 0;
if (ret) {
arc4(rlax, rlax_z);
if (!rlax[0] && key_with_file(shll))
return shll;
arc4(opts, opts_z);
arc4(text, text_z);
arc4(tst2, tst2_z);
key(tst2, tst2_z);
arc4(chk2, chk2_z);
if ((chk2_z != tst2_z) || memcmp(tst2, chk2, tst2_z))
return tst2;
if (text_z < hide_z) {
/* Prepend spaces til a hide_z script size. */
scrpt = malloc(hide_z);
if (!scrpt)
return 0;
memset(scrpt, (int) ' ', hide_z);
memcpy(&scrpt[hide_z - text_z], text, text_z);
} else {
scrpt = text; /* Script text */
}
} else { /* Reexecute */
if (*xecc) {
scrpt = malloc(512);
if (!scrpt)
return 0;
sprintf(scrpt, xecc, argv[0]);
} else {
scrpt = argv[0];
}
}
j = 0;
varg[j++] = argv[0]; /* My own name at execution */
if (ret && *opts)
varg[j++] = opts; /* Options on 1st line of code */
if (*inlo)
varg[j++] = inlo; /* Option introducing inline code */
varg[j++] = scrpt; /* The script itself */
if (*lsto)
varg[j++] = lsto; /* Option meaning last option */
i = (ret > 1) ? ret : 0; /* Args numbering correction */
while (i < argc)
varg[j++] = argv[i++]; /* Main run-time arguments */
varg[j] = 0; /* NULL terminated array */
#if DEBUGEXEC
debugexec(shll, j, varg);
#endif
execvp(shll, varg);
return shll;
}
int main(int argc, char ** argv)
{
#if DEBUGEXEC
debugexec("main", argc, argv);
#endif
#if !TRACEABLE
untraceable(argv[0]);
#endif
argv[1] = xsh(argc, argv);
fprintf(stderr, "%s%s%s: %s\n", argv[0],
errno ? ": " : "",
errno ? strerror(errno) : "",
argv[1] ? argv[1] : "<null>"
);
return 1;
}
复制代码
作者:
lues
时间:
2006-01-24 21:53
加密后系统经常出现死进程
test 32639 0.0 0.0 0 0 ? Z 19:45 0:00 [kill.sh.x <defunct>]
test 32637 0.0 0.0 1372 260 ? T 19:45 0:00 /home/test/kill.sh.x
test 330 0.0 0.0 0 0 ? Z 19:50 0:00 [kill.sh.x <defunct>]
test 329 0.0 0.0 1372 260 ? T 19:50 0:00 /home/test/kill.sh.x
test 2211 0.0 0.0 0 0 ? Z 20:40 0:00 [kill.sh.x <defunct>]
test 2208 0.0 0.0 1380 260 ? T 20:40 0:00 /home/test/kill.sh.x
test 4311 0.0 0.0 0 0 ? Z 21:35 0:00 [kill.sh.x <defunct>]
test 4310 0.0 0.0 1364 260 ? T 21:35 0:00 /home/test/kill.sh.x
test 4861 0.0 0.0 0 0 ? Z 21:50 0:00 [kill.sh.x <defunct>]
test 4858 0.0 0.0 1372 260 ? T 21:50 0:00 /home/test/kill.sh.x
不知楼主碰到过没有
作者:
happylsg_2000
时间:
2010-05-27 11:44
欢迎光临 Chinaunix (http://bbs.chinaunix.net/)
Powered by Discuz! X3.2
