Decrypting an shc-encrypted file...

Posted by LOD

The function arc4 is called fourteen times inside the function xsh. Its first argument is a pointer to an encrypted string and the second is the size of that string; at every call site both are pushed onto the stack, so each call leaves a recognisable stack frame holding the string pointer and its length. The function key is called three times in xsh and once in key_with_file.

The first time key is called, the 1st argument is the password string and the 2nd is its size. In the second and third calls the arguments are buffers that were just passed to arc4 (i.e. data arc4 has just decrypted). If the script was compiled without the "-r" flag, one additional key call happens inside key_with_file; there the first argument is a structure holding the stat output of the shell binary (e.g. /bin/bash).

The stat output of the shell binary can therefore be viewed as a pre-shared key (PSK). In other words, unless you build a relaxed binary, you need the stat output of the shell binary to decipher the shell script. In our humble opinion this makes deciphering harder, because the ".x" file alone is no longer enough. But if the binary (the encrypted script) has to run on more than one system, the "-r" option must be specified.

Note that you can only update your shell binary (e.g. /bin/bash) if the script was built relaxed (with "-r"), because an update changes the stat output that feeds the key. On the other hand, leaving "-r" unset increases the security significantly.

Once you know all of those arguments, deciphering the ".x" file is not that difficult. All of that information can be found in the ".x.c" file, except the stat output.
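The following C program is an added example, written for this page and not taken from shc or from any .x.c file. It replays the xsh call order described above (key with the password, seven arc4 calls, key with the freshly decrypted tst1, arc4 of chk1, and so on through chk2) and treats the key_with_file step as the stat PSK of a non-relaxed binary. The bodies of stte_0, key and arc4 reproduce shc's "Alleged RC4" routines as we remember them from a generated .x.c; treat that as an assumption and diff them against your own file. The variable names follow the .x.c, but the password, the plaintexts and the "stat block" bytes are made up for the demonstration: the real PSK is the zeroed struct stat that key_with_file fills with a few stable fields of the shell binary (inode, device, owner, size and timestamps, as far as we recall; check the .x.c), so its bytes depend on the target's ABI.

```c
/* Replay of the xsh() decryption sequence of an shc-generated .x.c. Added example,
 * not shc's own code: stte_0/key/arc4 reproduce the "Alleged RC4" routines shc
 * writes into the .x.c as remembered here (assumption: diff against your .x.c). */
#include <stdio.h>
#include <string.h>
static unsigned char stte[256], indx, jndx, kndx;

/* Reset the cipher state. */
static void stte_0(void) { indx = jndx = kndx = 0; do { stte[indx] = indx; } while (++indx); }

/* Mix key bytes into the state. indx and kndx are NOT reset, so the state carries
 * over from the preceding arc4() calls: the exact call order matters. */
static void key(const void *str, int len)
{
    const unsigned char *ptr = str;
    unsigned char tmp;
    while (len > 0) {
        do {
            tmp = stte[indx];
            kndx += tmp;
            kndx += ptr[(int)indx % len];
            stte[indx] = stte[kndx];
            stte[kndx] = tmp;
        } while (++indx);
        ptr += 256, len -= 256;
    }
}

/* XOR a buffer with the keystream in place; decrypting is the same operation as encrypting. */
static void arc4(void *str, int len)
{
    unsigned char tmp, *ptr = str;
    while (len-- > 0) {
        indx++;
        tmp = stte[indx];
        jndx += tmp;
        stte[indx] = stte[jndx];
        stte[jndx] = tmp;
        tmp += stte[indx];
        *ptr++ ^= stte[tmp];
    }
}

/* The fifteen .x.c variables, listed in the order xsh() touches them. */
enum { PSWD, MSG1, DATE, SHLL, INLO, XECC, LSTO, TST1, CHK1,
       MSG2, RLAX, OPTS, TEXT, TST2, CHK2, NVARS };
struct var { unsigned char *p; int z; };

/* Replay xsh(): three key() and fourteen arc4() calls in fixed order. encrypting=1
 * mirrors shc's generator (tst1==chk1 and tst2==chk2 as plaintext), encrypting=0 is
 * the decryptor. psk is what key_with_file() would feed to key() when rlax[0]==0.
 * Returns 0, -1 (a chk buffer != its tst buffer) or -2 (PSK needed but missing). */
static int shc_replay(struct var v[NVARS], const void *psk, int psk_len, int encrypting)
{
    unsigned char relaxed = encrypting ? v[RLAX].p[0] : 0;
    stte_0();
    key(v[PSWD].p, v[PSWD].z);                              /* key #1: the password */
    for (int i = MSG1; i <= TST1; i++)                      /* arc4 #1..#7 */
        arc4(v[i].p, v[i].z);
    key(encrypting ? v[CHK1].p : v[TST1].p, v[TST1].z);    /* key #2: plaintext tst1 */
    arc4(v[CHK1].p, v[CHK1].z);                             /* arc4 #8 */
    if (!encrypting && (v[CHK1].z != v[TST1].z || memcmp(v[TST1].p, v[CHK1].p, v[TST1].z)))
        return -1;                                          /* wrong password */
    arc4(v[MSG2].p, v[MSG2].z);                             /* arc4 #9 */
    arc4(v[RLAX].p, v[RLAX].z);                             /* arc4 #10 */
    if (!encrypting) relaxed = v[RLAX].p[0];
    if (!relaxed) {                                         /* key_with_file(): the stat PSK */
        if (!psk) return -2;
        key(psk, psk_len);
    }
    for (int i = OPTS; i <= TST2; i++)                      /* arc4 #11..#13, TEXT is the script */
        arc4(v[i].p, v[i].z);
    key(encrypting ? v[CHK2].p : v[TST2].p, v[TST2].z);    /* key #3: plaintext tst2 */
    arc4(v[CHK2].p, v[CHK2].z);                             /* arc4 #14 */
    if (!encrypting && (v[CHK2].z != v[TST2].z || memcmp(v[TST2].p, v[CHK2].p, v[TST2].z)))
        return -1;                                          /* wrong PSK */
    return 0;
}

/* Constructed sample: encrypt a tiny script in generator order, then decrypt it with
 * dec_psk. Returns shc_replay()'s code, or -3 if decryption "succeeded" but the script differs. */
static int shc_roundtrip(int relaxed, const void *enc_psk, const void *dec_psk, int psk_len)
{
    static const char script[] = "#!/bin/bash\necho hello from shc\n";
    const char *plain[NVARS] = { "s3cret-pw", "has expired!", "", "/bin/bash", "-c",   /* made up */
        "exec '%s' \"$@\"", "", "location has changed!", "location has changed!",
        "abnormal behavior!", relaxed ? "\001" : "", "", script, "password incorrect",
        "password incorrect" };
    unsigned char buf[NVARS][64];
    struct var v[NVARS];
    int r;
    for (int i = 0; i < NVARS; i++) {                       /* sizes include the NUL here */
        v[i].z = (int)strlen(plain[i]) + 1;
        v[i].p = memcpy(buf[i], plain[i], v[i].z);
    }
    if ((r = shc_replay(v, enc_psk, psk_len, 1)) || (r = shc_replay(v, dec_psk, psk_len, 0)))
        return r;
    return strcmp((char *)v[TEXT].p, script) ? -3 : 0;
}

int main(void)
{
    printf("relaxed %d, right PSK %d, wrong PSK %d, missing PSK %d\n", shc_roundtrip(1, NULL, NULL, 0),
           shc_roundtrip(0, "statA", "statA", 6), shc_roundtrip(0, "statA", "statB", 6),
           shc_roundtrip(0, "statA", NULL, 6));
    return 0;
}
```

Because every key and arc4 call mutates the shared stte state, text cannot be decrypted on its own: the keystream position at the text call depends on everything before it, which is why the replay has to follow the order recovered from xsh. The two checks also show where each secret is verified: chk1 fails on a wrong password, chk2 fails on a wrong stat block. With a real .x.c, load each variable's bytes and size from the file in place of the constructed plaintexts, call shc_replay with encrypting=0, and v[TEXT].p holds the script.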

Variables in the ".x.c" file

In our sample, the ".x.c" file holds all the information needed to decrypt the script (except, obviously, the stat information). That information takes the form of references into a global variable called "data". The next picture shows those references and the global variable data.

Each compilation produces a C source file with a different arrangement of the variables, so the "tst2" variable may be defined before "text", for example.

As the picture above shows, we have variables of different types and sizes, all of which refer to one other variable. That variable is called "data".

Note that not every byte of data is covered by those variables: there are unused gaps between them. Perhaps those gaps are meant to hinder a superficial analysis (in our humble opinion, they are useless).

In our example, the variables' contents are:

Remember that the main variables we know of, and which are present in the code, are: xecc, rlax, lsto, msg1, chk2, opts, pswd, tst1, chk1, date, shll, inlo, msg2, text, tst2
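To pull those variables out of a ".x.c" without a disassembler, the following added example (not from this post and not shc's code) parses the file's own annotations. It assumes the layout current shc releases emit, in which each variable is a pair of macros, `#define NAME_z N` for the size and `#define NAME ((&data[OFF]))` for the offset into the `data[]` literal, and `data[]` itself is written as octal-escaped string segments; older releases arrange the variables differently, so adapt the two patterns to your file. The embedded fragment is constructed for the demonstration and deliberately contains junk bytes before and between the variables, so the gap count described above becomes visible.

```c
/* Extract the variable table of an shc-generated .x.c. Added example, not shc's code.
 * Assumed layout (what current shc releases emit): "#define NAME_z N" is a variable's
 * size, "#define NAME ((&data[OFF]))" its offset into data[], and data[] is one literal
 * written as octal-escaped "..." segments; older releases differ, adapt the patterns. */
#include <stdio.h>
#include <string.h>
#define MAXVARS 32
struct slice { char name[16]; int off, z; };

/* Decode every "..." segment between `char data` and the closing ';' into out. Handles
 * \ooo (what shc emits); any other escaped char is taken literally. Returns the byte count. */
static int decode_data(const char *src, unsigned char *out, int cap)
{
    const char *p = strstr(src, "char data");
    int n = 0;
    if (!p) return -1;
    for (; *p && *p != ';'; p++) {
        if (*p != '"') continue;                          /* #define lines carry no quotes */
        for (p++; *p && *p != '"'; p++) {
            unsigned v = (unsigned char)*p;
            if (v == '\\' && !*++p) break;                /* dangling backslash */
            if (v == '\\' && *p >= '0' && *p <= '7') {    /* \ooo, up to three digits */
                int k = 0;
                for (v = 0; k < 3 && *p >= '0' && *p <= '7'; k++, p++)
                    v = v * 8 + (unsigned)(*p - '0');
                p--;
            } else if (v == '\\') {
                v = (unsigned char)*p;                    /* \\ and \" */
            }
            if (n < cap) out[n] = (unsigned char)v;
            n++;
        }
        if (!*p) return -1;                               /* unterminated literal */
    }
    return n;
}

/* Pair each "#define NAME_z N" with its "#define NAME ((&data[OFF]))". Returns the number
 * of variables found, in order of first appearance, or -1 when the table overflows. */
static int parse_defines(const char *src, struct slice *s, int max)
{
    int n = 0;
    for (const char *p = strstr(src, "#define"); p; p = strstr(p + 1, "#define")) {
        char name[32];
        int val, i, is_z;
        if (sscanf(p, "#define %31s %d", name, &val) == 2) {
            size_t len = strlen(name);
            if (len < 3 || strcmp(name + len - 2, "_z")) continue;   /* some other macro */
            name[len - 2] = 0;
            is_z = 1;
        } else if (sscanf(p, "#define %31s ((&data[%d]))", name, &val) == 2) {
            is_z = 0;
        } else continue;
        for (i = 0; i < n && strcmp(s[i].name, name); i++) ;
        if (i == n) {                                     /* first sight of this variable */
            if (n == max || strlen(name) >= sizeof s->name) return -1;
            strcpy(s[n].name, name);
            s[n].off = s[n].z = -1;
            n++;
        }
        if (is_z) s[i].z = val; else s[i].off = val;
    }
    return n;
}

/* Bytes of data[] that no variable covers: the gaps (assumes the variables do not overlap). */
static int gap_bytes(const struct slice *s, int n, int total)
{
    int used = 0;
    for (int i = 0; i < n; i++) used += s[i].z;
    return total - used;
}

/* NAME's bytes inside data, or NULL if the variable is unknown, incomplete or out of range. */
static const unsigned char *slice_ptr(const unsigned char *data, int total, const struct slice *s, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (!strcmp(s[i].name, name) && s[i].off >= 0 && s[i].z >= 0 && s[i].off + s[i].z <= total)
            return data + s[i].off;
    return NULL;
}

/* Constructed fragment in the assumed layout: tst1 = "ABC\0" at offset 2, text = "hi\n"
 * at offset 9, junk bytes at offsets 0-1, 6-8 and 12 (13 bytes, 6 of them gaps). */
static const char sample_xc[] =
    "static  char data [] = \n"
    "#define      tst1_z\t4\n"
    "#define      tst1\t((&data[2]))\n"
    "\t\"\\341\\222\\101\\102\\103\\000\"\n"
    "#define      text_z\t3\n"
    "#define      text\t((&data[9]))\n"
    "\t\"\\027\\300\\301\\150\\151\\012\\177\"\n;\n";
static unsigned char g_data[256];
static struct slice g_vars[MAXVARS];
static int g_total, g_nvars;

/* Parse the sample into the globals above; returns 0 on success. */
static int load_sample(void)
{
    g_total = decode_data(sample_xc, g_data, sizeof g_data);
    g_nvars = parse_defines(sample_xc, g_vars, MAXVARS);
    return (g_total < 0 || g_nvars < 0) ? -1 : 0;
}

int main(void)
{
    if (load_sample()) return 1;
    for (int i = 0; i < g_nvars; i++)
        printf("%-5s offset=%2d size=%2d\n", g_vars[i].name, g_vars[i].off, g_vars[i].z);
    printf("data[] holds %d bytes, %d of them unused\n", g_total, gap_bytes(g_vars, g_nvars, g_total));
    return 0;
}
```

Run against a real file (read it into a buffer in place of sample_xc), the decoded data buffer plus the table is exactly what a decryptor needs: slice_ptr(..., "text") with the matching z is the encrypted script, and the bytes no entry ever references are the gaps mentioned above.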
