The Script Kiddies' Nightmare
Effortlessly deobfuscate shell scripts back into source code, even with heavy, multi-layered obfuscation. unshell searches a shell script for known patterns, determines the obfuscation method, and deobfuscates accordingly.
- Zero configuration: there's no need for any configuration
- Penetrate: multi-layered obfuscation is not a problem
- Easy to use: just run `unshell -f encrypted1 encrypted2` in your terminal
Shell Script Compiler (SHC)
SHC internally calls execve to spawn a shell; the script is decrypted at runtime and is visible in the command-line arguments of the resulting process: /bin/sh -c "decrypted shell"
Simple Script Compiler (SSC)
Works almost the same as SHC, but this one is written in C++ and the shell reads the script from file descriptor `3`. The script is visible via `fd` number 3 of the process.
Ri-crypt
Ri-crypt internally calls execve to spawn a shell; the script is decrypted at runtime and is visible in the command-line arguments of the process. We can retrieve the shell script using `strace`.
bash-obfuscate (Node.js CLI)
bash-obfuscate works by rewriting the script with randomized variable names, then executing it through an `eval` command.
Bashrock
Bashrock works almost the same way as bash-obfuscate.
TPP Tool
The creator of this obfuscation claims "it has anti-decode feature", despite the multi-layered base64 encoding it uses being easily decoded. As of the time of writing, unshell supports up to version 12 of this "tool".
BashProtector
Bashrock randomizes the script with random variables, wrapped in a single layer of `base64` encoding, then executes it with a single `eval` command.
Extreme comment/editor EOF trick
Some people obfuscate their script by adding generous amounts of comments until it becomes a really big file, tricking the average text editor into shitting itself while opening the script so people can't open it.
bzip2
Usually used for obfuscating tunneling/VPN scripts. The actual script is compressed with bzip2 and snuck inside the decompression script itself.
Axeron online module
The script is actually stored somewhere online (usually public GitHub pages, script kiddies ahh behavior) and the script in the module only executes the actual script after downloading it from the cloud; the file link itself is obfuscated with base64 and rot17.
base64
Not too crazy, just the classic:
```sh
echo "ZWNobyBzb21lIGJhc2U2NCBlbmNyeXB0ZWQgc2hpdAo=" | base64 -d | sh
```
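The base64 and TPP Tool cases above both come down to peeling repeated `echo "<base64>" | base64 -d | sh` layers. As an added example (not unshell's own code), here is a small Python peeler that unwraps such layers statically, without ever executing the script; the regex, the `wrap`/`peel_base64` helpers and the constructed three-layer sample are assumptions, not taken from the project.

```python
import base64
import re

# Constructed sample: a one-line script wrapped in three layers of the classic
# echo "<base64>" | base64 -d | sh pattern described above.
INNER = 'echo "hello from the real script"\n'

def wrap(script: str) -> str:
    """Apply one layer of the classic base64 | sh wrapper (used to build the sample)."""
    b64 = base64.b64encode(script.encode()).decode()
    return f'echo "{b64}" | base64 -d | sh\n'

SAMPLE = wrap(wrap(wrap(INNER)))

# Hypothetical pattern (not unshell's detection logic): an echo of a base64 blob
# piped into base64 -d / --decode, as in `... | sh` or `eval "$(... | base64 -d)"`.
B64_PIPE = re.compile(
    r"""echo\s+["']?([A-Za-z0-9+/=]{16,})["']?\s*\|\s*base64\s+(?:-d|--decode)"""
)

def peel_base64(script: str, max_layers: int = 32) -> tuple:
    """Statically unwrap nested base64 | sh layers without running anything.
    Returns (innermost script, number of layers removed). Stops when no wrapper
    pattern is found or the blob does not decode to clean UTF-8 text."""
    layers = 0
    while layers < max_layers:
        m = B64_PIPE.search(script)
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not a text payload we understand; keep what we have rather than guess
        script = decoded
        layers += 1
    return script, layers

if __name__ == "__main__":
    plain, n = peel_base64(SAMPLE)
    print(f"removed {n} layer(s):\n{plain}")
```

Because nothing is executed, this is safe to run on untrusted input, unlike the SHC/SSC/Ri-crypt path that has to run the binary.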
```sh
spath=$(echo $PATH | cut -d: -f1)
curl -sLo $spath/unshell https://github.com/Rem01Gaming/unshell/raw/main/unshell
chmod +x $spath/unshell
```
```
unshell - Deobfuscate any shell scripts with multiple methods

Usage: unshell [OPTIONS] [FILE]
Usage: unshell [OPTIONS] [DIR]

Options:
  -h, --help
        print this message
  -f, --file [FILE]
        Scripts you wanted to deobfuscate, multi input is supported
  -r, --recursive [DIR]
        Recursively find and deobfuscate all files in the specified directory
  -v, --verbose
        Be verbose
  -d, --execve-delay [SECOND]
        Set custom execve delay time in seconds for SHC and SSC encryption
  -U, --update
        Update the script

Example usages:
  unshell -f install.sh menu.sh
  unshell -v -f /system/bin/gaming_script
  unshell -d 6.018 -f ./VTK
  unshell -r .
```
Using unshell to retrieve the original shell script from SHC, SSC, or Ri-crypt obfuscation could potentially harm your machine: these obfuscation types require executing the script in order to deobfuscate it, which leaves your machine in danger if the script does something malicious. Avoid running unshell with root permissions unless you fully trust the script!
- kawaii-ghost for decsh (SHC and SSC deobfuscator).
- RiProG-id for universal-shell-dec, the inspiration and foundation of this project.