I found this code and I think it's encoded. I tried to understand how it's encoded or how can read it. Does anyone have an idea to decode this code?
#!/usr/bin/perl eval unpack u=>q{_<')I;G0@(EQN7&5<>#5"7'@S,UQX,S-<>#9$7'@U-UQX-C%<>#<R7'@V15QX-CE<>#9%7'@V-UQX,C!<>#4Y_7'@V1EQX-S5<>#(P7'@T1%QX-C%<>#<Y7'@R,%QX-$5<>#8U7'@V-5QX-C1<>#(P7'@U-%QX-D9<>#(P7'@T_.5QX-D5<>#<S7'@W-%QX-C%<>#9#7'@V0UQX,C!<>#<S7'@V1EQX-D1<>#8U7'@P05QX,C!<>#(P7'@R,%QX_,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX-$1<>#9&7'@V-%QX-S5<>#9#7'@V-5QX-S-<>#!!7'@R,%QX,C!<_>#(P7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@T.%QX-C5<>#<R7'@V-5QX,C!<>#8Y7'@W,UQX,C!<>#0Q_7'@V15QX,C!<>#0U7'@W.%QX-C%<>#9$7'@W,%QX-D-<>#8U7'@S05QX,$%<>#(P7'@R,%QX,C!<>#(P7'@R_,%QX,C!<>#(P7'@R,%QX,C!<>#8S7'@W,%QX-C%<>#9%7'@R,%QX-$5<>#8U7'@W-%QX,T%<>#-!7'@T.5QX_-3!<>#!!7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@V,UQX-S!<>#8Q7'@V15QX,C!<_>#1#7'@U-UQX-3!<>#-!7'@S05QX-35<>#<S7'@V-5QX-S)<>#0Q7'@V-UQX-C5<>#9%7'@W-%QX,$%<>#(P_7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#8S7'@W,%QX-C%<>#9%7'@R,%QX-35<>#4R7'@T_.5QX,T%<>#-!7'@U-%QX-CE<>#<T7'@V0UQX-C5<>#!!7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX_,C!<>#(P7'@U-%QX-CA<>#8Q7'@V15QX-D)<>#(P7'@W.5QX-D9<>#<U7'@R,%QX-#9<>#9&7'@W,EQX,C!<_>#4U7'@W,UQX-CE<>#9%7'@V-UQX,C!<>#1$7'@W.5QX,C!<>#4S7'@V,UQX-S)<>#8Y7'@W,%QX-S1<>#!!_7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@V.5QX-D5<>#9!7'@S,UQX-C-<>#<T7'@V_1EQX-S)<>#,S7&5<>#5",%QX-D1<;B(["B-S;&5E<"@B,2(I.PIU<V4@3F5T.CI)4#L*=7-E(%1E<FTZ.D%._4TE#;VQO<CL*=7-E($Q74#HZ57-E<D%G96YT.PIU<V4@55)).CI4:71L92!Q=R@@=&ET;&4@*3L*=7-E('9A_<G,@<7<H("104D]'("D["FUY($!I<%]T96%M("`]("@I.PIM>2`D4%)/1R`]("0P.PHC57-A9V4*(VEF("@@_0$%21U8@/3T@,"`I('L*(R`@("`@("`@<')I;G0@(EQE6S0U;55S86=E.B`N+R104D]'(%MF:6QE72!;5$A2_14%$4UT@6U1)345/551=(%M/5510551=7&Y%>&%M<&QE('!E<FP@)#`@.3`N,"XR,RXU-"`Y,2XP+C4P+C`@_,3(P,"`Q(&QO;%QN:6YJ,V-T;W(S7&XB.PH@(R`@(&5X:70["B-]"FUY("1I<',@/2`D05)'5ELP73L*;W!E_;B!M>2`D:&%N9&QE+"`B7'@S0R(L("1I<',["F-H;VUP*"!M>2!`;&]A9&QI<W0@/2`\)&AA;F1L93X@*3LC_/#T]/3T]/3T]/3T]/3T]($]014X@55`@25!3"F-L;W-E("1H86YD;&4["@IM>2`D=&AR96%D<R`@/2`D05)'_5ELQ73L*(VUY("1I<"`@(#T@;F5W($YE=#HZ25`@*"(D05)'5ELP72`M("1!4D=66S%=(BD@;W(@9&EE("))_;G9A:6QD($E0(%)A;F=E+B(N($YE=#HZ25`Z.D5R<F]R*"D@+B)<;B(["@IP<FEN="`B7&5<>#5"7'@S,UQX_,S%<>#9$7'@U,UQX-S1<>#8Q7'@W,EQX-S1<>#8Y7'@V15QX-C=<>#(P7'@W-UQX-CE<>#<T7'@V.%QX,C`D_=&AR96%D<UQX,C!<>#<T7'@V.%QX-S)<>#8U7'@V,5QX-C1<>#<S7&Y<>#5"7'@R,5QX-41<>#4S7'@V,UQX_-C%<>#9%7'@V15QX-CE<>#9%7'@V-UQX,C`D05)'5ELP75QX,C!<95QX-4(P7'@V1%QN(CL*9F]R96%C:"!M_>2`D:7`@*$!L;V%D;&ES="D@>PIP<FEN="`B)&EP7&XB.PIP=7-H($!I<%]T96%M+"`D:7`K*R`M/FEP*"D[_"FEF("@@)'1H<F5A9',@/3T@0&EP7W1E86T@*2![(%-C86XH0&EP7W1E86TI.R!`:7!?=&5A;2`]("@I('T*_?0I38V%N*$!I<%]T96%M*3L*"@IS=6(@4V-A;@I["FUY($!0:61S.PH@("`@("`@(&9O<F5A8V@@;7D@)&AO_<W0@*$!?*0H@("`@("`@('L*("`@("`@("!M>2`D<&ED("`@("`@("`](&9O<FLH*3L*("`@("`@("!D:64@_(EQX-#-<>#9&7'@W-5QX-D-<>#8T7'@R,%QX-D5<>#9&7'@W-%QX,C!<>#8V7'@V1EQX-S)<>#9"7'@R,5QX_,C`D(5QN(B!U;FQE<W,@9&5F:6YE9"`D<&ED.PH*("`@("`@("`@("`@("`@(&EF("`H,"`]/2`D<&ED*0H@_("`@("`@("`@("`@("`@>PH@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@('!R:6YT("(D:&]S=%QN_(CL*("`@("`@("`@("`@("`@(&5X:70*("`@("`@("`@("`@("`@('T*("`@("`@("`@("`@("`@(&5L<V4*_("`@("`@("`@("`@("`@('L*("`@("`@("`@("`@("`@('!U<V@@0%!I9',L("1P:60*("`@("`@("`@("`@_("`@('T*("`@("`@("!]"@IF;W)E86-H(&UY("1P:60@*$!0:61S*2![('=A:71P:60H)'!I9"P@,"D@?0I]}
As noted by another poster - the first pass to extract what this is doing is to print
rather than eval
to get yourself some source code:
Second phase is to run it through -MO=Deparse
to see if anyhing odd is happening. (And then perltidy
to make it a bit easier to read):
#!usr/bin/local/perl print "\n\e[33mWarning You May Need To Install some\n Modules\n Here is An Example:\n cpan Net::IP\n cpan LWP::UserAgent\n cpan URI::Title\n Thank you For Using My Script\n inj3ctor3\e[0m\n"; use Term::ANSIColor; use LWP::UserAgent; use vars ('$PROG'); my (@ip_team) = (); my $PROG = $0; my $ips = $ARGV[0]; open my $handle, '<', $ips; chomp( my (@loadlist) = <$handle> ); close $handle; my $threads = $ARGV[1]; print "\e[31mStarting with $threads threads\n[!]Scanning $ARGV[0] \e[0m\n"; foreach my $ip (@loadlist) { print "$ip\n"; push @ip_team, ( $ip++ )->ip; if ( $threads == @ip_team ) { Scan(@ip_team); @ip_team = (); } } Scan(@ip_team); sub Scan { my @Pids; foreach my $host (@_) { my $pid = fork; die "Could not fork! $!\n" unless defined $pid; if ( 0 == $pid ) { print "$host\n"; exit; } else { push @Pids, $pid; } } foreach my $pid (@Pids) { waitpid $pid, 0; } }
Helpfully, that top chunk includes a signature of who wrote it. Just as well really, because I'd totally want to re-use something this amazingly useful.
[33mWarning You May Need To Install some Modules Here is An Example: cpan Net::IP cpan LWP::UserAgent cpan URI::Title Thank you For Using My Script inj3ctor3[0m
So it looks like what it does is:
- opens a file specified as $ARGV[0];
- reads it in (one line at a time) to a list of IP addresses.
- batches it into chunks limited by
$ARGV[1]
. - uses
Net::IP
to format an address
ip Return the IP address (or first IP of the prefix or range) in quad format, as a string. print ($ip->ip());
- Sends the chunks to
Scan
which: - just forks, and prints the IP address, without doing anything like actually scanning it.
So ... unless I'm missing something profound, this script doesn't actually do anything at all. It just prints a list of IP addresses, and could perhaps be used to fork-bomb if the number of forks were set really high.
But as you can see - one of the advantages of perl (some might call it a drawback) is that it's really difficult to obfuscate it, because it's an interpreted language.
replace eval
with print
, you can see what's going on here:
print "\n\e\x5B\x33\x33\x6D\x57\x61\x72\x6E\x69\x6E\x67\x20\x59\x6F\x75\x20\x4D\x61\x79\x20\x4E\x65\x65\x64\x20\x54\x6F\x20\x49\x6E\x73\x74\x61\x6C\x6C\x20\x73\x6F\x6D\x65\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4D\x6F\x64\x75\x6C\x65\x73\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x48\x65\x72\x65\x20\x69\x73\x20\x41\x6E\x20\x45\x78\x61\x6D\x70\x6C\x65\x3A\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x63\x70\x61\x6E\x20\x4E\x65\x74\x3A\x3A\x49\x50\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x63\x70\x61\x6E\x20\x4C\x57\x50\x3A\x3A\x55\x73\x65\x72\x41\x67\x65\x6E\x74\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x63\x70\x61\x6E\x20\x55\x52\x49\x3A\x3A\x54\x69\x74\x6C\x65\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x54\x68\x61\x6E\x6B\x20\x79\x6F\x75\x20\x46\x6F\x72\x20\x55\x73\x69\x6E\x67\x20\x4D\x79\x20\x53\x63\x72\x69\x70\x74\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6E\x6A\x33\x63\x74\x6F\x72\x33\e\x5B0\x6D\n"; #sleep("1"); use Net::IP; use Term::ANSIColor; use LWP::UserAgent; use URI::Title qw( title ); use vars qw( $PROG ); my @ip_team = (); my $PROG = $0; #Usage #if ( @ARGV == 0 ) { # print "\e[45mUsage: ./$PROG [file] [THREADS] [TIMEOUT] [OUTPUT]\nExample perl $0 90.0.23.54 91.0.50.0 1200 1 lol\ninj3ctor3\n"; # exit; #} my $ips = $ARGV[0]; open my $handle, "\x3C", $ips; chomp( my @loadlist = <$handle> );#<============== OPEN UP IPS close $handle; my $threads = $ARGV[1]; #my $ip = new Net::IP ("$ARGV[0] - $ARGV[1]") or die "Invaild IP Range.". Net::IP::Error() ."\n"; print "\e\x5B\x33\x31\x6D\x53\x74\x61\x72\x74\x69\x6E\x67\x20\x77\x69\x74\x68\x20$threads\x20\x74\x68\x72\x65\x61\x64\x73\n\x5B\x21\x5D\x53\x63\x61\x6E\x6E\x69\x6E\x67\x20$ARGV[0]\x20\e\x5B0\x6D\n"; foreach my $ip (@loadlist) { print "$ip\n"; push @ip_team, $ip++ ->ip(); if ( $threads == @ip_team ) { Scan(@ip_team); @ip_team = () } } Scan(@ip_team); sub Scan { my @Pids; foreach my $host (@_) { my $pid = fork(); die "\x43\x6F\x75\x6C\x64\x20\x6E\x6F\x74\x20\x66\x6F\x72\x6B\x21\x20$!\n" unless defined $pid; if (0 == $pid) { print "$host\n"; exit } else { push @Pids, $pid } } foreach my $pid (@Pids) { waitpid($pid, 0) } }
See also: http://perldoc.perl.org/perlpacktut.html#Uuencoding
Uuencoding
Another odd-man-out in the template alphabet is u , which packs a "uuencoded string". ("uu" is short for Unix-to-Unix.) Chances are that you won't ever need this encoding technique which was invented to overcome the shortcomings of old-fashioned transmission mediums that do not support other than simple ASCII data. The essential recipe is simple: Take three bytes, or 24 bits. Split them into 4 six-packs, adding a space (0x20) to each. Repeat until all of the data is blended. Fold groups of 4 bytes into lines no longer than 60 and garnish them in front with the original byte count (incremented by 0x20) and a "\n" at the end. - The pack chef will prepare this for you, a la minute, when you select pack code u on the menu:
my $uubuf = pack( 'u', $bindat );
A repeat count after u sets the number of bytes to put into an uuencoded line, which is the maximum of 45 by default, but could be set to some (smaller) integer multiple of three. unpack simply ignores the repeat count.