-1

I'm looking for a bash shell script obfusctor and found this one, however I'm wondering how I could adapt it to my script so it could work as well for me

https://github.com/ActiveState/code/tree/master/recipes/Bash/578986_Obfuscation_In_Bash_Shell

How to make it run so I have the encrypted code? Sorry I only learnt basic bash from forums and have limits in my knowledge

Many thanks

RockPeach
  • 23
  • 1
  • 6
  • Sorry someone put a - to my question. Not sure what's wrong with it? I'm looking at how to implement this. I looked at other options like obfsh but couldn't make it work either. If someone else has any suggestions please feel free to do – RockPeach Sep 27 '18 at 10:29
  • I'm also unsure why you got downvoted. Maybe it is due to lack of effort. Usually people expect you to show that you have worked on the problem yourself. – Socowi Sep 27 '18 at 11:30

1 Answers1

4

How to make it run

The author of your linked repo did not provide any method to automatically obfuscate your script. You have to do it yourself, but I wouldn't recommend to do so.

The Obfuscation Idea

Your linked obfuscation method replaces each character by a variable containing said character. That way a string equal to the original command is built. Then said string is passed to eval. Example:

cmd a "b c"

becomes something like

Ba=a; Bb=b; Bc=c; Bm=m; Bd=d; Cs=' '; Cq='"'
eval $Bc$Bm$Bd$Cs$Ba$Cs$Cq$Bb$Cs$Bc$Cq

Why The Linked Obfuscation Is Bad

  • It is extremely easy to undo. Replace all evals with printf '%s\n' then run the script. The script will print its original source code.
  • You have to make sure that there are no variable name collisions between your script and the obfuscation method.
  • When writing an obfuscator you have to come up with a method to obfuscate more advanced constructs. For instance a loop spanning multiple lines cannot be split into multiple evals. You have to preprocess. Either replace linebreaks by ; or use a heredoc <<END.

An Alternative

Obfuscation can only be an obstacle, but never completely stop someone from understanding or modifying the obfuscated code. I would strongly advise against obfuscation. But if you feel better that way, you could use the following approach.

You can compress your script A and embed the compressed version in another script B. Executing B decompresses and executes A. Security-wise this approach is as bad as your linked obfuscation method. Compression is easy to undo. However there are no drawbacks like name collisions and preprocessing. Furthermore the obfuscated scripts appear to be binary files which may prevent some editors from opening them.

Here is a script to obfuscate bash scripts using gzip compression:

obfuscate.sh:

#! /bin/bash
loader='#! /bin/bash
source <(gzip -c -d <(tail -n+"$((LINENO + 2))" "$BASH_SOURCE"));
status="$?"; return "$status" 2> /dev/null || exit "$status"
'
for original; do
        obfuscated="$original-obfuscated.sh"
        gzip -c "$original" | cat <(printf %s "$loader") - > "$obfuscated"
        chmod u+x "$obfuscated"
done

Usage: ./obfuscate.sh myScript.sh creates the obfuscated script myScript.sh-obfuscated.sh in the current directory.

When the target system does not support process substitution <( ) you can use the following alternative version.

#! /bin/bash
loader='#! /bin/bash
tail -n+"$((LINENO + 2))" "$BASH_SOURCE" | gzip -c -d | source /dev/stdin;
status="$?"; return "$status" 2> /dev/null || exit "$status"
'
for original; do
        obfuscated="$original-obfuscated.sh"
        printf %s "$loader" > "$obfuscated"
        gzip -c "$original" >> "$obfuscated"
        chmod u+x "$obfuscated"
done

That should work if the target system has bash >4.0 and /dev/stdin. If it doesn't meet these requirements replace | source /dev/stdin by bash -s - "$@". The only downside of doing so is that the obfuscated script cannot be sourced (. script.sh or source script.sh) anymore.

Socowi
  • 25,550
  • 3
  • 32
  • 54
  • Thanks I like this approach! When running the command ./obfuscate.sh myScript.sh I'm getting this error though: -ash: obfuscate.sh: line 7: syntax error: unexpected "(" – RockPeach Sep 27 '18 at 11:31
  • Sounds like your shell does not support process substitution `<( )`. Can you give me the first line of `bash --version`? I tested `obfuscate.sh` in GNU bash 4.3.48(1)-release (x86_64-pc-linux-gnu) and 4.3.30(1)-release (i486--netbsdelf). – Socowi Sep 27 '18 at 11:38
  • Right I'm on a LEDE OS and version is: GNU bash, version 4.3.42(1)-release (arm-openwrt-linux-gnu) – RockPeach Sep 27 '18 at 11:45
  • I don't know LEDE OS, but I'm confident that the alternative version I posted should work for you. – Socowi Sep 27 '18 at 12:10
  • Yes the alternative works for me with both `bash -s - "$@"` and `| source /dev/stdin` and produce the `myScript.sh-obfuscated.sh` file. How to execute or test the obfuscated file? As when executing `./myScript.sh-obfuscated.sh` then my ssh window closes and the command (`reboot` for this test) from the `myScript.sh` file is not executed as the device doesn't reboot – RockPeach Sep 27 '18 at 13:28
  • Whether `| source /dev/stdin` works or not can only be determined by running the generated script. That command is not executed in `obfuscate.sh` but only in the obfuscated scripts. Just running `./myScript.sh-obfuscated.sh` should work. You mentioned that your ssh window closes, this sounds like `reboot` was actually called. Can you give me the ssh command(s) you use? – Socowi Sep 27 '18 at 13:51
  • I used this command `. myScript.sh-obfuscated.sh` for which I can't show you what it returns since it instantaneously close the ssh window. I tried with a script without `reboot` command and the same happens (Putty SSH Window closes). Also when using the NON obfuscated script the SSH window doesn't close on `reboot` command, it just shows an error message saying it has been disconnected. I can also visually see the device is not rebooting, and that it's powered on since 8h 46m – RockPeach Sep 27 '18 at 14:00
  • We both made mistakes. I assumed the obfuscated scripts worked if sourced and you sourced your script. Executing `./script.sh` should work just fine (and would be sufficient in your case); sourcing `. script.sh` doesn't. I fixed the obfuscator. Now the obfuscated programs should also be source-able. – Socowi Sep 27 '18 at 14:30
  • Indeed this works wonderfully! For me by replacing `source /dev/stdin` by `bash -s - "$@"` and using this command line `./myScript.sh-obfuscated.sh` to execute it. Thanks so much for your patience and this brilliant code, by far the best I've seen all over many resources on the Internet! – RockPeach Sep 27 '18 at 16:57