https://github.com/rem01gaming/unshell

Effortlessly deobfuscate any shell scripts

base64 bash-obfuscate deobfuscation obfuscation shc shell shell-script shell-scripting ssc


![unshell_hero](./unshell-banner.png)
# Unshell
> The Script Kiddies Nightmare

Effortlessly deobfuscate shell scripts back into source code, even with heavy, multi-layered obfuscation. unshell searches for patterns in the shell script, determines the obfuscation method, and deobfuscates accordingly.

## Features
- Zero configuration: There's no need for any configuration
- Penetrate: Multi-layered obfuscation is not a problem
- Easy to use: just run `unshell -f encrypted1 encrypted2` in cmd

## Supported obfuscation methods

### Shell Script Compiler (SHC)
SHC internally calls `execve` to run the shell. The script is decrypted at runtime and is visible in the process's command-line arguments, e.g. `/bin/sh -c "decrypted shell"`.

### Simple Script Compiler (SSC)
It works almost the same as SHC, but it uses C++ and the shell reads the script from file descriptor `3`. The script is visible via `fd` number 3 of the process.

### Ri-crypt
Ri-crypt internally calls `execve` to run the shell. The script is decrypted at runtime and is visible in the process's command-line arguments. We can retrieve the shell script using `strace`.

### bash-obfuscate (Node.js CLI)
bash-obfuscate works by randomizing the script with random variables, then executing it with the `eval` command.

### Bashrock
Bashrock works almost the same way as bash-obfuscate.

### TPP Tool
The creator of this obfuscator said "it has anti-decode feature", even though the multi-layered base64 encoding that he uses can be easily decoded.
At the time of writing, unshell supports up to version 12 of this "tool".

### BashProtector
Bashrock randomizes the script with random variables, layered with a single `base64` encoding, then executes it in a single `eval` command.

### Extreme comment/editor EOF trick
Some people obfuscate their script by adding generous amounts of comments until it becomes a really big file, tricking the average text editor into shitting itself while opening the script so people can't open it.

### bzip2
Usually used for obfuscating tunneling/VPN scripts. The actual script is compressed with bzip2 and sneaked inside the decompression script itself.

### Axeron online module
The script is actually stored somewhere online (usually public GitHub pages, script kiddies ahh behavior), and the script in the module only executes the actual script after downloading it from the cloud. The file link itself is obfuscated with base64 and rot17.

### base64
Not too crazy, just the classic `echo "ZWNobyBzb21lIGJhc2U2NCBlbmNyeXB0ZWQgc2hpdAo=" | base64 -d | sh`.
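
The `echo ... | base64 -d | sh` wrapper above, and the multi-layered base64 described under TPP Tool, can be unwrapped statically, without running the script. The following is an added example, not unshell's own code; the function names, `MAX_LAYERS` and the sample script are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not unshell's code): statically peel nested
#   echo "<base64>" | base64 -d | sh
# wrappers. Decoded text is only printed, never handed to a shell.

MAX_LAYERS=20              # assumption: cap on nesting depth

Q="[\"']?"                 # optional quote around the payload
B64='[A-Za-z0-9+/=]+'      # base64 alphabet only
S='[[:space:]]'
WRAP="^${S}*echo${S}+${Q}(${B64})${Q}${S}*\\|${S}*base64${S}+(-d|--decode)${S}*\\|${S}*(ba)?sh${S}*\$"

# Print the payload of the first wrapper line found in $1 (empty if none).
extract_payload() {
    printf '%s\n' "$1" | sed -nE "s#${WRAP}#\\1#p" | head -n 1
}

# Print the innermost text of $1; the layer count goes to stderr.
# Limitation: lines around a wrapper line are dropped.
peel() {
    cur=$1
    n=0
    while [ "$n" -lt "$MAX_LAYERS" ]; do
        payload=$(extract_payload "$cur")
        [ -n "$payload" ] || break
        # Stop if the payload is not valid base64.
        next=$(printf '%s' "$payload" | base64 -d 2>/dev/null) || break
        cur=$next
        n=$((n + 1))
    done
    echo "layers peeled: $n" >&2
    printf '%s\n' "$cur"
}

# Constructed sample builder: wrap $1 in one layer.
wrap() {
    enc=$(printf '%s\n' "$1" | base64 | tr -d '\n')
    printf 'echo "%s" | base64 -d | sh\n' "$enc"
}

# Constructed three-layer sample.
sample=$(wrap "$(wrap "$(wrap 'echo hello from inner script')")")
peel "$sample"
```

Because the loop only decodes and prints, it is safe to point at untrusted input; layers that hide the payload behind `eval` or variable substitution will not match the pattern and are returned as-is.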

## Installation
```shell
# Install into the first directory listed in PATH
spath=$(echo "$PATH" | cut -d: -f1)
curl -sLo "$spath/unshell" https://github.com/Rem01Gaming/unshell/raw/main/unshell
chmod +x "$spath/unshell"
```

## Usage
```yaml
unshell - Deobfuscate any shell scripts with multiple methods
Usage: unshell [OPTIONS] [FILE]
Usage: unshell [OPTIONS] [DIR]

Options:
-h, --help
print this message
-f, --file [FILE]
Scripts you wanted to deobfuscate, multi input is supported
-r, --recursive [DIR]
Recursively find and deobfuscate all files in the specified directory
-v, --verbose
Be verbose
-d, --execve-delay [SECOND]
Set custom execve delay time in seconds for SHC and SSC encryption
-U, --update
Update the script

Example usages:
unshell -f install.sh menu.sh
unshell -v -f /system/bin/gaming_script
unshell -d 6.018 -f ./VTK
unshell -r .
```

## WARNING
Using unshell to retrieve the original shell script from SHC, SSC, or Ri-crypt obfuscation could potentially harm your machine. These obfuscation types require executing the script in order to deobfuscate it, which leaves your machine in danger if the script does something malicious. Avoid running unshell with root permissions unless you fully trust the script!

## Special Credits
- [kawaii-ghost](https://github.com/kawaii-ghost/deshc) for deshc (shc and ssc deobfuscator).
- [RiProG-id](https://github.com/RiProG-id/Universal-Shell-Dec.git) for universal-shell-dec, the inspiration and foundation of this project.