How can I de-obfuscate or decode this Perl code?

Anonymous (unverified) submitted on 2019-12-03 01:08:02

Question:

I found this code and I think it's encoded. I tried to understand how it's encoded or how I can read it. Does anyone have an idea how to decode this code?

#!/usr/bin/perl  eval unpack u=>q{_<')I;G0@(EQN7&5<>#5"7'@S,UQX,S-<>#9$7'@U-UQX-C%<>#<R7'@V15QX-CE<>#9%7'@V-UQX,C!<>#4Y_7'@V1EQX-S5<>#(P7'@T1%QX-C%<>#<Y7'@R,%QX-$5<>#8U7'@V-5QX-C1<>#(P7'@U-%QX-D9<>#(P7'@T_.5QX-D5<>#<S7'@W-%QX-C%<>#9#7'@V0UQX,C!<>#<S7'@V1EQX-D1<>#8U7'@P05QX,C!<>#(P7'@R,%QX_,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX-$1<>#9&7'@V-%QX-S5<>#9#7'@V-5QX-S-<>#!!7'@R,%QX,C!<_>#(P7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@T.%QX-C5<>#<R7'@V-5QX,C!<>#8Y7'@W,UQX,C!<>#0Q_7'@V15QX,C!<>#0U7'@W.%QX-C%<>#9$7'@W,%QX-D-<>#8U7'@S05QX,$%<>#(P7'@R,%QX,C!<>#(P7'@R_,%QX,C!<>#(P7'@R,%QX,C!<>#8S7'@W,%QX-C%<>#9%7'@R,%QX-$5<>#8U7'@W-%QX,T%<>#-!7'@T.5QX_-3!<>#!!7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@V,UQX-S!<>#8Q7'@V15QX,C!<_>#1#7'@U-UQX-3!<>#-!7'@S05QX-35<>#<S7'@V-5QX-S)<>#0Q7'@V-UQX-C5<>#9%7'@W-%QX,$%<>#(P_7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#8S7'@W,%QX-C%<>#9%7'@R,%QX-35<>#4R7'@T_.5QX,T%<>#-!7'@U-%QX-CE<>#<T7'@V0UQX-C5<>#!!7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX_,C!<>#(P7'@U-%QX-CA<>#8Q7'@V15QX-D)<>#(P7'@W.5QX-D9<>#<U7'@R,%QX-#9<>#9&7'@W,EQX,C!<_>#4U7'@W,UQX-CE<>#9%7'@V-UQX,C!<>#1$7'@W.5QX,C!<>#4S7'@V,UQX-S)<>#8Y7'@W,%QX-S1<>#!!_7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@R,%QX,C!<>#(P7'@V.5QX-D5<>#9!7'@S,UQX-C-<>#<T7'@V_1EQX-S)<>#,S7&5<>#5",%QX-D1<;B(["B-S;&5E<"@B,2(I.PIU<V4@3F5T.CI)4#L*=7-E(%1E<FTZ.D%._4TE#;VQO<CL*=7-E($Q74#HZ57-E<D%G96YT.PIU<V4@55)).CI4:71L92!Q=R@@=&ET;&4@*3L*=7-E('9A_<G,@<7<H("104D]'("D["FUY($!I<%]T96%M("`]("@I.PIM>2`D4%)/1R`]("0P.PHC57-A9V4*(VEF("@@_0$%21U8@/3T@,"`I('L*(R`@("`@("`@<')I;G0@(EQE6S0U;55S86=E.B`N+R104D]'(%MF:6QE72!;5$A2_14%$4UT@6U1)345/551=(%M/5510551=7&Y%>&%M<&QE('!E<FP@)#`@.3`N,"XR,RXU-"`Y,2XP+C4P+C`@_,3(P,"`Q(&QO;%QN:6YJ,V-T;W(S7&XB.PH@(R`@(&5X:70["B-]"FUY("1I<',@/2`D05)'5ELP73L*;W!E_;B!M>2`D:&%N9&QE+"`B7'@S0R(L("1I<',["F-H;VUP*"!M>2!`;&]A9&QI<W0@/2`\)&AA;F1L93X@*3LC_/#T]/3T]/3T]/3T]/3T]($]014X@55`@25!3"F-L;W-E("1H86YD;&4["@IM>2`D=&AR96%D<R`@/2`D05)'_5ELQ73L*(VUY("1I<"`@(#T@;F5W($YE=#HZ25`@*"(D05)'5ELP72`M("1!4D=66S%=(BD@;W(@9&EE("))_;G9A:6QD($
E0(%)A;F=E+B(N($YE=#HZ25`Z.D5R<F]R*"D@+B)<;B(["@IP<FEN="`B7&5<>#5"7'@S,UQX_,S%<>#9$7'@U,UQX-S1<>#8Q7'@W,EQX-S1<>#8Y7'@V15QX-C=<>#(P7'@W-UQX-CE<>#<T7'@V.%QX,C`D_=&AR96%D<UQX,C!<>#<T7'@V.%QX-S)<>#8U7'@V,5QX-C1<>#<S7&Y<>#5"7'@R,5QX-41<>#4S7'@V,UQX_-C%<>#9%7'@V15QX-CE<>#9%7'@V-UQX,C`D05)'5ELP75QX,C!<95QX-4(P7'@V1%QN(CL*9F]R96%C:"!M_>2`D:7`@*$!L;V%D;&ES="D@>PIP<FEN="`B)&EP7&XB.PIP=7-H($!I<%]T96%M+"`D:7`K*R`M/FEP*"D[_"FEF("@@)'1H<F5A9',@/3T@0&EP7W1E86T@*2![(%-C86XH0&EP7W1E86TI.R!`:7!?=&5A;2`]("@I('T*_?0I38V%N*$!I<%]T96%M*3L*"@IS=6(@4V-A;@I["FUY($!0:61S.PH@("`@("`@(&9O<F5A8V@@;7D@)&AO_<W0@*$!?*0H@("`@("`@('L*("`@("`@("!M>2`D<&ED("`@("`@("`](&9O<FLH*3L*("`@("`@("!D:64@_(EQX-#-<>#9&7'@W-5QX-D-<>#8T7'@R,%QX-D5<>#9&7'@W-%QX,C!<>#8V7'@V1EQX-S)<>#9"7'@R,5QX_,C`D(5QN(B!U;FQE<W,@9&5F:6YE9"`D<&ED.PH*("`@("`@("`@("`@("`@(&EF("`H,"`]/2`D<&ED*0H@_("`@("`@("`@("`@("`@>PH@("`@("`@("`@("`@("`@("`@("`@("`@("`@("`@('!R:6YT("(D:&]S=%QN_(CL*("`@("`@("`@("`@("`@(&5X:70*("`@("`@("`@("`@("`@('T*("`@("`@("`@("`@("`@(&5L<V4*_("`@("`@("`@("`@("`@('L*("`@("`@("`@("`@("`@('!U<V@@0%!I9',L("1P:60*("`@("`@("`@("`@_("`@('T*("`@("`@("!]"@IF;W)E86-H(&UY("1P:60@*$!0:61S*2![('=A:71P:60H)'!I9"P@,"D@?0I]} 

Answer 1:

As noted by another poster - the first pass to extract what this is doing is to print rather than eval to get yourself some source code:

Second phase is to run it through -MO=Deparse to see if anything odd is happening. (And then perltidy to make it a bit easier to read):

#!usr/bin/local/perl
print
    "\n\e[33mWarning You May Need To Install some\n         Modules\n         Here is An Example:\n         cpan Net::IP\n         cpan LWP::UserAgent\n         cpan URI::Title\n         Thank you For Using My Script\n         inj3ctor3\e[0m\n";
use Term::ANSIColor;
use LWP::UserAgent;
use vars ('$PROG');
my (@ip_team) = ();
my $PROG      = $0;
my $ips       = $ARGV[0];
open my $handle, '<', $ips;
chomp( my (@loadlist) = <$handle> );
close $handle;
my $threads = $ARGV[1];
print "\e[31mStarting with $threads threads\n[!]Scanning $ARGV[0] \e[0m\n";

foreach my $ip (@loadlist) {
    print "$ip\n";
    push @ip_team, ( $ip++ )->ip;
    if ( $threads == @ip_team ) {
        Scan(@ip_team);
        @ip_team = ();
    }
}
Scan(@ip_team);

sub Scan {
    my @Pids;
    foreach my $host (@_) {
        my $pid = fork;
        die "Could not fork! $!\n" unless defined $pid;
        if ( 0 == $pid ) {
            print "$host\n";
            exit;
        }
        else {
            push @Pids, $pid;
        }
    }
    foreach my $pid (@Pids) {
        waitpid $pid, 0;
    }
}

Helpfully, that top chunk includes a signature of who wrote it. Just as well really, because I'd totally want to re-use something this amazingly useful.

[33mWarning You May Need To Install some
         Modules
         Here is An Example:
         cpan Net::IP
         cpan LWP::UserAgent
         cpan URI::Title
         Thank you For Using My Script
         inj3ctor3[0m

So it looks like what it does is:

  • opens a file specified as $ARGV[0];
  • reads it in (one line at a time) to a list of IP addresses.
  • batches it into chunks limited by $ARGV[1].
  • uses Net::IP to format an address

ip
    Return the IP address (or first IP of the prefix or range) in quad format, as a string.
    print ($ip->ip());

  • Sends the chunks to Scan which:
  • just forks, and prints the IP address, without doing anything like actually scanning it.

So ... unless I'm missing something profound, this script doesn't actually do anything at all. It just prints a list of IP addresses, and could perhaps be used to fork-bomb if the number of forks were set really high.

But as you can see - one of the advantages of perl (some might call it a drawback) is that it's really difficult to obfuscate it, because it's an interpreted language.



Answer 2:

Replace eval with print, and you can see what's going on here:

print "\n\e\x5B\x33\x33\x6D\x57\x61\x72\x6E\x69\x6E\x67\x20\x59\x6F\x75\x20\x4D\x61\x79\x20\x4E\x65\x65\x64\x20\x54\x6F\x20\x49\x6E\x73\x74\x61\x6C\x6C\x20\x73\x6F\x6D\x65\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4D\x6F\x64\x75\x6C\x65\x73\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x48\x65\x72\x65\x20\x69\x73\x20\x41\x6E\x20\x45\x78\x61\x6D\x70\x6C\x65\x3A\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x63\x70\x61\x6E\x20\x4E\x65\x74\x3A\x3A\x49\x50\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x63\x70\x61\x6E\x20\x4C\x57\x50\x3A\x3A\x55\x73\x65\x72\x41\x67\x65\x6E\x74\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x63\x70\x61\x6E\x20\x55\x52\x49\x3A\x3A\x54\x69\x74\x6C\x65\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x54\x68\x61\x6E\x6B\x20\x79\x6F\x75\x20\x46\x6F\x72\x20\x55\x73\x69\x6E\x67\x20\x4D\x79\x20\x53\x63\x72\x69\x70\x74\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6E\x6A\x33\x63\x74\x6F\x72\x33\e\x5B0\x6D\n";
#sleep("1");
use Net::IP;
use Term::ANSIColor;
use LWP::UserAgent;
use URI::Title qw( title );
use vars qw( $PROG );
my @ip_team  = ();
my $PROG = $0;
#Usage
#if ( @ARGV == 0 ) {
#        print "\e[45mUsage: ./$PROG [file] [THREADS] [TIMEOUT] [OUTPUT]\nExample perl $0 90.0.23.54 91.0.50.0 1200 1 lol\ninj3ctor3\n";
 #   exit;
#}
my $ips = $ARGV[0];
open my $handle, "\x3C", $ips;
chomp( my @loadlist = <$handle> );#<============== OPEN UP IPS
close $handle;

my $threads  = $ARGV[1];
#my $ip   = new Net::IP ("$ARGV[0] - $ARGV[1]") or die "Invaild IP Range.". Net::IP::Error() ."\n";

print "\e\x5B\x33\x31\x6D\x53\x74\x61\x72\x74\x69\x6E\x67\x20\x77\x69\x74\x68\x20$threads\x20\x74\x68\x72\x65\x61\x64\x73\n\x5B\x21\x5D\x53\x63\x61\x6E\x6E\x69\x6E\x67\x20$ARGV[0]\x20\e\x5B0\x6D\n";
foreach my $ip (@loadlist) {
print "$ip\n";
push @ip_team, $ip++ ->ip();
if ( $threads == @ip_team ) { Scan(@ip_team); @ip_team = () }
}
Scan(@ip_team);


sub Scan
{
my @Pids;
        foreach my $host (@_)
        {
        my $pid        = fork();
        die "\x43\x6F\x75\x6C\x64\x20\x6E\x6F\x74\x20\x66\x6F\x72\x6B\x21\x20$!\n" unless defined $pid;

                if  (0 == $pid)
                {
                                print "$host\n";
                exit
                }
                else
                {
                push @Pids, $pid
                }
        }

foreach my $pid (@Pids) { waitpid($pid, 0) }
}

See also: http://perldoc.perl.org/perlpacktut.html#Uuencoding

Uuencoding

Another odd-man-out in the template alphabet is u , which packs a "uuencoded string". ("uu" is short for Unix-to-Unix.) Chances are that you won't ever need this encoding technique which was invented to overcome the shortcomings of old-fashioned transmission mediums that do not support other than simple ASCII data. The essential recipe is simple: Take three bytes, or 24 bits. Split them into 4 six-packs, adding a space (0x20) to each. Repeat until all of the data is blended. Fold groups of 4 bytes into lines no longer than 60 and garnish them in front with the original byte count (incremented by 0x20) and a "\n" at the end. - The pack chef will prepare this for you, a la minute, when you select pack code u on the menu:

my $uubuf = pack( 'u', $bindat ); 

A repeat count after u sets the number of bytes to put into an uuencoded line, which is the maximum of 45 by default, but could be set to some (smaller) integer multiple of three. unpack simply ignores the repeat count.
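Both answers boil down to the same analyst's move: never run the eval, decode the uuencoded payload and read it. The script below is an added example (not code from the question or from either answer) that does this statically: it pulls the payload out of an `eval unpack u => q{...}` wrapper with a regex, runs it through `unpack 'u'` instead of `eval`, peels nested wrappers of the same kind, and turns the `\xNN` escapes back into readable characters. The wrapped input it decodes by default is a constructed, harmless sample built with `pack 'u'`; pass a file name to decode a real script.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pull the uuencoded payload out of an "eval unpack u => q{...}" wrapper and
# unpack it WITHOUT evaluating it. Returns nothing if the wrapper is absent.
sub unwrap_uu_eval {
    my ($src) = @_;
    my ($payload) = $src =~ /eval\s+unpack\s*\(?\s*(?:u\s*=>|['"]u['"]\s*,)\s*q\{(.*?)\}/s
        or return;
    return unpack 'u', $payload;
}

# A decoded stage may itself be another wrapper; peel until plain code remains.
sub unwrap_all {
    my ($src) = @_;
    my @stages;
    while (defined(my $next = unwrap_uu_eval($src))) {
        push @stages, $next;
        $src = $next;
    }
    return @stages;
}

# Replace "\xNN" escapes with the printable characters they hide. Non-printables
# and characters that would alter a double-quoted string (\ " $ @) stay escaped.
sub render_hex_escapes {
    my ($code) = @_;
    $code =~ s/\\x([0-9A-Fa-f]{2})/
        my $c = chr hex $1;
        ($c =~ m{[ -~]} && $c !~ m{[\\"\$\@]}) ? $c : "\\x$1"
    /ge;
    return $code;
}

# Constructed sample (not the posted script): a harmless one-liner using the
# same \xNN string style, wrapped exactly like the code in the question.
my $inner  = qq{print "\\x48\\x65\\x6C\\x6C\\x6F\\x2C\\x20world\\n";\n};
my $sample = "#!/usr/bin/perl\neval unpack u=>q{" . pack('u', $inner) . "};\n";

# Usage: decode.pl [obfuscated.pl]; with no argument the sample above is decoded.
my $src = $sample;
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "open $ARGV[0]: $!\n";
    local $/;
    $src = <$fh>;
}
my @stages = unwrap_all($src) or die "no 'eval unpack u => q{...}' wrapper found\n";
print "--- stage ", $_ + 1, " (eval replaced by print) ---\n$stages[$_]\n" for 0 .. $#stages;
print "--- final stage with \\xNN escapes rendered ---\n", render_hex_escapes($stages[-1]);
```

On the sample the first stage prints as `print "\x48\x65\x6C\x6C\x6F\x2C\x20world\n";` and the rendered form as `print "Hello, world\n";`; on the posted script the same pass turns `"\x3C"` back into `"<"` and the `\e\x5B\x33\x33\x6D` sequences into the `\e[33m` colour codes seen in the deparsed version above.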


