Retrieve plain text script from compiled bash script


Question

Some time ago, I wrote some bash scripts for my school. I thought it would be very clever to 'protect' them, so I compiled them with shc into a binary file. Some weeks later, I lost the uncompiled scripts and now I have only my binaries left.

Is there a way to retrieve the scripts back from the shc generated binaries? I looked into the source code of shc to find a way to decompile the binaries, with no luck.

Recommended answer

Using shc to compile your scripts does not protect them. You don't get more security this way. The shc compiled binary decrypts and loads the script into memory when started. You could then, right after you started the binary, just segfault it and retrieve your script from the core dump.

Here's a little example script named test.sh:

#! /bin/bash
echo "starting script and doing stuff"
sleep 1
echo "finished doing stuff"

Compile it with shc:

shc -f test.sh

Start it as a background process and segfault it right away:

./test.sh.x&  ( sleep 0.2 && kill -SIGSEGV $! )

sleep 0.2 will give the binary enough time to start up and decrypt the original script. The variable $! contains the PID of the last background process started, so we can easily kill it with the segmentation fault signal SIGSEGV (same as kill -11 $!).

[1]  + segmentation fault (core dumped)  ./test.sh.x

Now we can search the dump for the original script:

cat core | strings

We pipe the data in the dump file to strings, which then shows us all the printable characters in the file, and we can now see the original script between the garbage:

...
4.0.37(2)-release
BASH_VERSINFO
BASH_VERSINFO
release
i686-pc-linux-gnu
BASH_EXECUTION_STRING
BASH_EXECUTION_STRING
                           #! /bin/bash
echo "starting script and doing stuff"
sleep 1
echo "finished doing stuff"
1000
EUID
EUID
1000
...

If the script is pretty big, you may have to adjust the core file size with ulimit. Pretty easy, right?
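The answer's last remark points at the real control here: the script is only recoverable this way if the kernel actually writes a core file, and that is decided by the core size limit, the core_pattern sysctl and, for privileged processes, suid_dumpable. The script below is an added example, not part of the question or the answer, that reads those three settings and states in one line what would happen to a core dump on this host. The function and variable names are my own; the settings and their meanings are the standard Linux ones.

```shell
#!/bin/sh
# Added example: report whether a crashing process on this host would
# leave a core file behind, and where it would go. Core files are what the
# answer above searches, so these are the settings a defender reviews.

# core_dump_outcome LIMIT PATTERN
#   LIMIT   : value of `ulimit -c` (0, unlimited, or a size in blocks)
#   PATTERN : contents of /proc/sys/kernel/core_pattern
# Prints one line describing whether a dump is produced and where it goes.
core_dump_outcome() {
  limit=$1
  pattern=$2
  case "$limit" in
    0)
      echo "no core file: core size limit is 0"
      return 0 ;;
    unlimited)
      size="unlimited" ;;
    *)
      size="at most $limit blocks" ;;
  esac
  case "$pattern" in
    \|*)
      # A leading '|' means the kernel pipes the dump to a handler program
      # (systemd-coredump, apport, ...), which decides what is kept on disk.
      echo "core piped to handler: ${pattern#\|} (size $size)" ;;
    *)
      echo "core written to file pattern '$pattern' (size $size)" ;;
  esac
}

# suid_dumpable_meaning VALUE
# Explains /proc/sys/fs/suid_dumpable, which governs processes that changed
# credentials (setuid binaries, capability-raised processes).
suid_dumpable_meaning() {
  case "$1" in
    0) echo "setuid/privileged processes are never dumped" ;;
    1) echo "setuid processes are dumped like ordinary ones (debug mode)" ;;
    2) echo "setuid processes are dumped, readable only by root" ;;
    *) echo "unknown value: $1" ;;
  esac
}

# report_host: read the live settings and print the combined verdict.
report_host() {
  limit=$(ulimit -c)
  pattern=core
  if [ -r /proc/sys/kernel/core_pattern ]; then
    pattern=$(cat /proc/sys/kernel/core_pattern)
  fi
  echo "ulimit -c     : $limit"
  echo "core_pattern  : $pattern"
  if [ -r /proc/sys/fs/suid_dumpable ]; then
    sd=$(cat /proc/sys/fs/suid_dumpable)
    echo "suid_dumpable : $sd ($(suid_dumpable_meaning "$sd"))"
  fi
  echo "verdict       : $(core_dump_outcome "$limit" "$pattern")"
}

report_host
```

Run it as the user who would launch the wrapper, since `ulimit -c` is a per-process limit inherited from the login shell rather than a host-wide setting; a limit of 0 there, or a core_pattern that pipes to a handler which discards dumps, is what actually stops a core file from appearing, and a process can still be read through other means (ptrace, /proc), so the limit is a hardening measure, not a substitute for keeping secrets out of scripts.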
