
How to Deobfuscate a Bash Script


A while ago, I came across an interesting bash script. The script that I found is as follows: 

z="
";CFz='z$tz';UFz='z$Hz';ZBz='m'\'';H';jz=';bz=';xCz='='\''il';tCz='kz='\''';jCz='z='\''g';hEz='$Sz$';GDz=''\'' do';WDz='r'\'';y';eBz=';Zz=';SBz='uk'\'';';PCz='hmod';Hz='='\''ap';vEz='z$lz';sDz='='\''/s';XEz='z$Fz';lBz='e :;';kz=''\''pps';IBz='s'\'';T';ODz='='\''go';KEz=';fBz';ABz=''\'';iB';SFz='z$LB';sz='i'\'';V';az='iany';bBz=''\'';WB';KFz='DBz$';bEz='$Kz$';jEz='z$Vz';pz='/v'\'';';YDz='kca'\''';cCz='ab.g';BFz='rz$s';yFz='Bz$j';kDz='; sl';Ez='uz='\''';Gz=''\'';Nz';aDz='='\''pi';EGz='Bz$o';cFz='Rz$N';aCz=''\''aco';TEz=' "$A';aEz='z$Jz';HBz=''\''id/';KBz='t-g'\''';
...
;lFz='Bz$W';CCz=''\''ouc';hCz='ndex';rCz='='\''ex';iCz=''\'';BB';SCz=';KBz';MFz='FBz$';iFz='Bz$T';Vz='ark'\''';CDz='h'\'';m';VDz=''\''/va';IEz='z='\''0';gz='o'\'';P';xDz='z='\''r';tz='capi';NEz='fz='\''';FEz='-'\'';P';iBz=';GBz';dBz='.gi'\''';BEz='='\''an';yCz='.g'\'';';Jz='nz='\''';cz='='\''ar';QEz='='\''kc';HCz='='\''ta';rFz='Bz$c';VEz='$Cz$';HFz='ABz$';sFz='Bz$d';TBz='Xz='\''';pBz='Vz='\''';VCz='JBz=';YFz='$Mz$';uBz=''\''4 /';PBz='ar '\''';DCz='h'\'';q';FBz='&1'\'';';fBz=''\'' 06';yz='d/sl';DDz='z='\''s';OBz='z='\''v';wDz=''\'';YB';KCz='dukc';XCz='0'\'';o';fEz='Pz$Q';aFz='z$Pz';nz=''\'';cz';tFz='Bz$e';FFz='z$xz';XFz='z$Lz';sCz='.p'\'';';Zz='iz='\''';SDz='z='\''w';uFz='Bz$f';iEz='Tz$U';RCz='go.'\''';BCz='OBz=';mz='dir ';
...
mFz='Bz$X';WBz='ps'\'';';bDz='l.'\'';';LEz='='\''es';MBz=''\''ar/';gFz='Bz$R';JFz='CBz$';bCz='r'\'';D';oDz=''\''/di';XDz='z='\''u';UCz='7 '\'';';DFz='$uz$';wBz='app'\''';vDz='cp /';qEz='$ez$';Fz='erv/';RFz='KBz$';UEz='z$Bz';yDz='kab'\''';kBz='ga'\'';';CGz='Bz$m';cBz='z='\''l';tEz='$iz$';FDz=';Cz=';fCz='sd'\'';';uDz='Dz='\''';TDz='w/d'\''';Yz='&>'\'';';jFz='Bz$U';NCz=' /'\'';';rz=''\''w/d';AEz=';XBz';EEz=''\''lot';kEz='$Wz$';EFz='vz$w';YEz='$Gz$';PFz='IBz$';VFz='$Iz$';Wz=';lBz';oBz='b.'\'';';Lz=''\'';nB';iDz=''\''/de';dFz='Bz$O';vCz=''\'';oB';nCz='va'\'';';YCz='r/i'\''';nDz=';Lz=';dz='ka'\'';';ZEz='Hz$I';pCz='shm/';mDz=';mk'\''';DEz='bBz=';Cz='='\''de';ZFz='Nz$O';WEz='Dz$E';Az='z="';bFz='$Qz$';
eval "$Az$z$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$Kz$Lz$Mz$Nz$Oz$Pz$Qz$Rz$Sz$Tz$Uz$Vz$Wz$Xz$Yz$Zz$az$bz$cz$dz$ez$fz$gz$hz$iz$jz$kz$lz$Rz$mz$nz$oz$pz$qz$rz$sz$Rz$tz$uz$vz$wz$xz$yz$ABz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$JBz$KBz$LBz$MBz$NBz$OBz$PBz$QBz$RBz$SBz$TBz$UBz$VBz$Hz$WBz$XBz$YBz$ZBz$Rz$aBz$bBz$cBz$dBz$eBz$fBz$gBz$Mz$hBz$iBz$jBz$kBz$Rz$lBz$mBz$nBz$oBz$pBz$qBz$rBz$JBz$sBz$tBz$uBz$vBz$Mz$wBz$xBz$yBz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$OCz$PCz$QCz$ECz$RCz$SCz$TCz$UCz$VCz$WCz$XCz$JBz$YCz$ZCz$aCz$bCz$Rz$cCz$dCz$eCz$fCz$gCz$hCz$iCz$jCz$kCz$lCz$mCz$nCz$oCz$pCz$qCz$rCz$sCz$tCz$uCz$vCz$cBz$wCz$xCz$yCz$ADz$BDz$CDz$DDz$EDz$FDz$GDz$HDz$DDz$IDz$JDz$KDz$LDz$Rz$MDz$NDz$ODz$PDz$QDz$GDz$RDz$SDz$TDz$UDz$VDz$WDz$XDz$YDz$ZDz$aDz$bDz$cDz$dDz$eDz$fDz$gDz$hDz$iDz$jDz$Rz$kDz$lDz$Mz$mDz$nDz$oDz$pDz$OBz$qDz$rDz$sDz$tDz$uDz$vDz$wDz$xDz$yDz$AEz$BEz$CEz$DEz$EEz$FEz$Rz$GEz$HEz$IEz$JEz$KEz$LEz$MEz$NEz$OEz$PEz$QEz$REz$z$SEz$TEz$UEz$VEz$WEz$XEz$YEz$ZEz$aEz$bEz$cEz$dEz$eEz$fEz$gEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$pEz$qEz$rEz$sEz$tEz$uEz$vEz$wEz$xEz$yEz$AFz$BFz$CFz$DFz$EFz$FFz$GFz$HFz$IFz$JFz$KFz$LFz$MFz$NFz$OFz$PFz$QFz$RFz$ZEz$aEz$bEz$cEz$dEz$eEz$fEz$gEz$hEz$iEz$SFz$TFz$UFz$VFz$WFz$XFz$YFz$ZFz$aFz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz"

The script is written in bash and is very long. From the variables listed, you can tell the script has been obfuscated: every fragment of the real command is hidden in a short variable, and the final eval joins them back together. So it is necessary to decode the script so that we know what the system will do when the script is executed, without actually running it.

So I did a little research on how to deobfuscate bash scripts, and I found something in a post on Stack Overflow (All hail Stack Overflow!!!).

Here's how to deobfuscate in bash: 
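As an added example, not code from the original post or from the Stack Overflow answer it refers to: the usual trick for this kind of script is to rewrite its final eval into a printf, so that bash still expands the variables but prints the reassembled command instead of executing it. Because the string this script builds is itself another round of short variables plus an eval, the trick has to be repeated once per layer. The sample script inside the block is constructed for this example (its variable names and payload are made up, it is not the script above), and the check for command substitution is a heuristic: if the assignments themselves contain `$(...)` or backticks, nothing short of a disposable VM is safe.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: peel an eval-obfuscated bash
# script one layer at a time by rewriting its trailing "eval" into a printf,
# so the reassembled command is printed instead of executed.

set -u

# Constructed sample in the same style as the script above (made-up names
# and payload): short variables hold fragments, "$z" is a newline, and the
# final eval joins them. The joined text is itself a second eval layer.
write_sample() {
    cat > "$1" <<'EOF'
z="
";Az='Xz=';Bz=''\''ec';Cz='ho "';Dz='hello';Ez=' world"'\''';Fz='eval';Gz=' "$Xz"'
eval "$Az$Bz$Cz$Dz$Ez$z$Fz$Gz"
EOF
}

# Heuristic safety check: the only thing bash should evaluate is inert quoted
# assignments. Command or process substitution inside the assignments would
# run during expansion, so refuse and move to a disposable VM instead.
safe_to_expand() {
    ! grep -Eq '\$\(|`|<\(|>\(' "$1"
}

# Print what one layer's eval would execute: rewrite every line that starts
# with "eval" into printf '%s\n', then let bash expand the variables in an
# empty environment. Adjust the sed pattern if the eval sits mid-line.
peel_layer() {
    local rewritten
    rewritten=$(sed -E 's/^eval[[:space:]]+/printf "%s\\n" /' "$1")
    env -i PATH="$PATH" bash --noprofile --norc -c "$rewritten"
}

# Repeat until no line starts with eval (or max layers reached) and print
# the final plaintext; each intermediate layer goes to stderr for the record.
deobfuscate() {
    local src=$1 max=${2:-10} layer=0 tmp cur
    tmp=$(mktemp) || return 1
    cp "$src" "$tmp"
    while grep -Eq '^eval[[:space:]]' "$tmp" && [ "$layer" -lt "$max" ]; do
        if ! safe_to_expand "$tmp"; then
            echo "refusing: command/process substitution in layer $layer" >&2
            rm -f "$tmp"
            return 2
        fi
        layer=$((layer + 1))
        cur=$(peel_layer "$tmp") || { rm -f "$tmp"; return 3; }
        printf '== layer %d ==\n%s\n' "$layer" "$cur" >&2
        printf '%s\n' "$cur" > "$tmp"
    done
    cat "$tmp"
    rm -f "$tmp"
}

# Run the whole procedure on the constructed sample and return the plaintext.
deobfuscate_sample() {
    local f out
    f=$(mktemp) || return 1
    write_sample "$f"
    out=$(deobfuscate "$f" 2>/dev/null)
    rm -f "$f"
    printf '%s\n' "$out"
}

deobfuscate_sample
```

On the sample this prints the two layers to stderr and `echo "hello world"` to stdout. For a real sample, copy the script into a scratch directory first, read the assignments before you let bash expand them (a single `$(...)` in a "variable" is enough to run code), and treat whatever comes out of the last layer as the thing to analyse, never as something to run.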

How to Acquire Linux Volatile Memory with LiME

LiME ~ Linux Memory Extractor

From 504ensicsLabs's GitHub:
"A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition."

Installing Rekall in Ubuntu 20.04

So, taking notes from the Rekall Forensic website.

What is Rekall?

"Rekall is an advanced forensic and incident response framework. While it began life purely as a memory forensic framework, it has now evolved into a complete platform.  Rekall implements the most advanced analysis techniques in the field, while still being developed in the open, with a free and open source license. Many of the innovations implemented within Rekall have been published in peer reviewed papers.

Rekall provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework. Rekall at a glance."

In short, Rekall is a memory forensics framework much like Volatility, which you can get from here. Now let's get started on how to install Rekall on Ubuntu 20.04.

PS2 Emulator (How to Install PCSX2 v1.6.0 (Latest))

The PlayStation 2, or PS2 as we know it, was released a long time ago, and the console is not portable enough to play anywhere. You need the game disc to play, which is now hard to find in many places. But there is hope if you have a PC or laptop, because there is an emulator for the PS2 called PCSX2.