-1

I'm looking for a bash shell script obfuscator and found this one; however, I'm wondering how I could adapt it to my script so it could work for me as well.

https://github.com/ActiveState/code/tree/master/recipes/Bash/578986_Obfuscation_In_Bash_Shell

How to make it run so I have the encrypted code? Sorry, I only learnt basic bash from forums and have limits in my knowledge.

Many thanks

2
  • Sorry someone put a - to my question. Not sure what's wrong with it? I'm looking at how to implement this. I looked at other options like obfsh but couldn't make it work either. If someone else has any suggestions please feel free to do Commented Sep 27, 2018 at 10:29
  • I'm also unsure why you got downvoted. Maybe it is due to lack of effort. Usually people expect you to show that you have worked on the problem yourself. Commented Sep 27, 2018 at 11:30

1 Answer

4

How to make it run

The author of your linked repo did not provide any method to automatically obfuscate your script. You have to do it yourself, but I wouldn't recommend doing so.

The Obfuscation Idea

Your linked obfuscation method replaces each character by a variable containing said character. That way a string equal to the original command is built. Then said string is passed to eval. Example:

cmd a "b c"

becomes something like

Ba=a; Bb=b; Bc=c; Bm=m; Bd=d; Cs=' '; Cq='"'
eval $Bc$Bm$Bd$Cs$Ba$Cs$Cq$Bb$Cs$Bc$Cq

Why The Linked Obfuscation Is Bad

  • It is extremely easy to undo. Replace all evals with printf '%s\n' then run the script. The script will print its original source code.
  • You have to make sure that there are no variable name collisions between your script and the obfuscation method.
  • When writing an obfuscator you have to come up with a method to obfuscate more advanced constructs. For instance a loop spanning multiple lines cannot be split into multiple evals. You have to preprocess. Either replace linebreaks by ; or use a heredoc <<END.

An Alternative

Obfuscation can only be an obstacle, but never completely stop someone from understanding or modifying the obfuscated code. I would strongly advise against obfuscation. But if you feel better that way, you could use the following approach.

You can compress your script A and embed the compressed version in another script B. Executing B decompresses and executes A. Security-wise this approach is as bad as your linked obfuscation method. Compression is easy to undo. However there are no drawbacks like name collisions and preprocessing. Furthermore the obfuscated scripts appear to be binary files which may prevent some editors from opening them.

Here is a script to obfuscate bash scripts using gzip compression:

obfuscate.sh:

#! /bin/bash
loader='#! /bin/bash
source <(gzip -c -d <(tail -n+"$((LINENO + 2))" "$BASH_SOURCE"));
status="$?"; return "$status" 2> /dev/null || exit "$status"
'
for original; do
        obfuscated="$original-obfuscated.sh"
        gzip -c "$original" | cat <(printf %s "$loader") - > "$obfuscated"
        chmod u+x "$obfuscated"
done

Usage: ./obfuscate.sh myScript.sh creates the obfuscated script myScript.sh-obfuscated.sh in the current directory.

When the target system does not support process substitution <( ) you can use the following alternative version.

#! /bin/bash
loader='#! /bin/bash
tail -n+"$((LINENO + 2))" "$BASH_SOURCE" | gzip -c -d | source /dev/stdin;
status="$?"; return "$status" 2> /dev/null || exit "$status"
'
for original; do
        obfuscated="$original-obfuscated.sh"
        printf %s "$loader" > "$obfuscated"
        gzip -c "$original" >> "$obfuscated"
        chmod u+x "$obfuscated"
done

That should work if the target system has bash >4.0 and /dev/stdin. If it doesn't meet these requirements replace | source /dev/stdin by bash -s - "$@". The only downside of doing so is that the obfuscated script cannot be sourced (. script.sh or source script.sh) anymore.
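The answer's two points about reversibility (the eval form and the gzip form are both easy to undo), as an added example that is not part of the original answer or the linked recipe. `reveal_eval`, `reveal_gzip` and `__show` are hypothetical helper names, the sample files are constructed, and the search for the gzip magic bytes goes beyond the fixed three-line loader so it still works when the loader length differs; a grep that supports `-a` and `-m` (GNU, BusyBox) is assumed.

```bash
#!/bin/bash
# Added example: recover the source of a script obfuscated by either method
# described above, so it can be reviewed before anyone runs it.

# Form 1 (variables + eval): replace each line-leading `eval` with a helper
# that prints the command eval would have received. The other lines (the
# variable assignments) still execute, so run this in a throwaway sandbox.
reveal_eval() {
    { printf '%s\n' '__show() { printf "%s\n" "$*"; }'
      sed 's/^\([[:space:]]*\)eval[[:space:]]/\1__show /' "$1"
    } | bash
}

# Form 2 (loader + gzip): find the first line starting with the gzip magic
# bytes 1f 8b and decompress from there. Nothing in the file is executed.
reveal_gzip() {
    magic=$(printf '\037\213')
    start=$(LC_ALL=C grep -a -n -m1 "^$magic" "$1" | cut -d: -f1)
    [ -n "$start" ] || { echo "no gzip payload found in $1" >&2; return 1; }
    tail -n +"$start" "$1" | gzip -dc
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed sample 1: the eval example from the answer.
cat > "$demo_dir/eval.sh" <<'EOF'
Ba=a; Bb=b; Bc=c; Bm=m; Bd=d; Cs=' '; Cq='"'
eval $Bc$Bm$Bd$Cs$Ba$Cs$Cq$Bb$Cs$Bc$Cq
EOF

# Constructed sample 2: the answer's loader followed by a gzipped one-liner.
{ printf '%s\n' '#! /bin/bash' \
    'source <(gzip -c -d <(tail -n+"$((LINENO + 2))" "$BASH_SOURCE"));' \
    'status="$?"; return "$status" 2> /dev/null || exit "$status"'
  printf '%s\n' 'echo "hello from A"' | gzip -c
} > "$demo_dir/gz.sh"

reveal_eval "$demo_dir/eval.sh"
reveal_gzip "$demo_dir/gz.sh"
```

The helper joins its arguments with spaces, as eval does, so a command split across several words comes back on one line.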


9 Comments

Thanks I like this approach! When running the command ./obfuscate.sh myScript.sh I'm getting this error though: -ash: obfuscate.sh: line 7: syntax error: unexpected "("
Sounds like your shell does not support process substitution <( ). Can you give me the first line of bash --version? I tested obfuscate.sh in GNU bash 4.3.48(1)-release (x86_64-pc-linux-gnu) and 4.3.30(1)-release (i486--netbsdelf).
Right I'm on a LEDE OS and version is: GNU bash, version 4.3.42(1)-release (arm-openwrt-linux-gnu)
I don't know LEDE OS, but I'm confident that the alternative version I posted should work for you.
Yes the alternative works for me with both bash -s - "$@" and | source /dev/stdin and produce the myScript.sh-obfuscated.sh file. How to execute or test the obfuscated file? As when executing ./myScript.sh-obfuscated.sh then my ssh window closes and the command (reboot for this test) from the myScript.sh file is not executed as the device doesn't reboot