Obash is a bash script obfuscator written in the C programming language. obash encodes and encrypts bash shell scripts into executable binaries much like shc, the project that inspired it, but uses AES-256 encryption and the key and initialization vector are retrieved from the hardware instead of being hard coded into the binary itself. The obash project was started to address some of the issues that affect shc, the main one being able to see the original shell script source by simply issuing ps -ef. Although the objectives are the same, obash shares no code with shc and was built from scratch from the ground up, any code similarities are purely accidental and dictated by the shared objectives.

Obash is still a work in progress but the master branch on GitHub generally has usable sources while the testing branch may be in a transition state at any given time.

How it works internally

edit

Obash takes the input script and AES-256 encrypts it, and also base64 encodes the AES ciphertext so that it can be used to declare an unsigned char array. It then produces an intermediate C file which is basically the interpreter (see interpreter.c), functions, text array containing the ciphertext, the optional key and IV for reusable binaries (not bound to the hardware) and the main. The intermediate C file is then compiled into an executable. The intermediate C file is built in the following manner (see mk_sh_c function in functions.c):

  1. includes block from interpreter.h
  2. crypted_script variable containing the AES-256 encrypted script encoded via base64
  3. serial and uuid variables (empty if non reusable)
  4. functions block from interpreter.h
  5. main_body block from interpreter.h

See recreate_interpreter_header script for details on how interpreter.h is created from interpreter.c.

Key and initialization vector for AES-256 encryption

edit

The key and IV are not hard-coded into the binary (unless you decide to build a reusable static binary with the -r flag) but are retrieved each time from the hardware (hence binding it to a machine). In case of a reusable static binary (built with the -r flag) then the uuid and serial are in the binary itself but will be manipulated anyway by makekey and makeiv so that they are not usable immediately should anyone ever inspect the binary itself. Although the whereabouts from where the serial and uuid are retrieved is traceable and is not a secret (machine uuid and serial number for non reusable and random hex digits for reusable) these should be then manipulated in a way that they are not directly usable as is. In the code there is a comment suggesting where this should be done (see makekey and makeiv functions in functions.c): each and every one of you using obash is encouraged to do so or it would be fairly easy to extract the script source from the obfuscated binary.. In the distributed code, as an example, the "-" are stripped from the uuid and the serial is padded to reach the suggested length for the cipher used.

Alternatives

edit

References

edit


edit
  1. https://github.com/louigi600/obash