-
-
Save Dunedan/29a9cc17869e881f26606e89f8c930e2 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/sudo sh | |
## ruby_revealer.sh -- decrypt obfuscated GHE .rb files. 2.0.0 to 2.3.1+. | |
## From `strings ruby_concealer.so`: | |
## | |
## > This obfuscation is intended to discourage GitHub Enterprise customers | |
## > from making modifications to the VM. | |
## | |
## Well, good, as long as its not intended to discourage *me* from doing this! | |
## After all, I'm not a GitHub Enterprise customer. I'm just some dude who | |
## grabbed the .ova file off the internet! | |
## | |
## > We know this 'encryption' is easily broken. | |
## | |
## Err, yeah. Just do a binary `s/eval/puts/`. Like this! | |
# So... | |
# A version of the ruby_concealer.so with just such a patch, xz'd and base64'd. | |
ruby_revealer_so=' | |
/Td6WFoAAATm1rRGAgAhARwAAAAQz1jM4BfnCD1dAD+RRYRoPYmm2orhgzJO2QUBECVj1ssSLXULCO | |
u4VR2ikjxchQNbmHH657uWGUHjncEu3kPs6K/1/Co5mEyIhDIbS/bptFYX+6ysuGr2qe3Bk3rv3NIx | |
WhlvCMhgbNv7OXOnrcMZJB0nwb6AXTA4IG8Z6UwtDVtZkTzkJ/YbOh99Mb/HDhynIgRz0WjbZOQZH6 | |
ROPqGF4BK8iO58okHz/aQBKgdFnoyLCWvsY5P+x4agRvYbapHKdkG3dpcZVDSecYOXTgVPaH+ln47d | |
F0uOhn22XPq01ueLSky1VwJAPV1YftJ9xC4V9DYrLwuC9wcv4DhfhoEakR0uzySCRDGdWW8x+6ptql | |
qXoE5nQqdpOubKLqiZaTjE3XejV9sf5habmvS8D10vUI5Z4Tu7mQUvKoE3/FmnZVI2zVbHSGONA8g0 | |
k9LUKorBATSye8Gor3DzbsCBEVM2jRHWBvGBnlbjhuFus81EA1egk2sYCh+re6GHiSGsPIMLqnAwjS | |
cpLAqQi9M+2Tg+hYCusmzTlt+wSbUajNkYMe6W5gNYEEUcTx7SjEPDGXDKsGSNrOJYeNAHAnpc1Vid | |
x+iIldYCuZOWjJp/UFMW6QUyJZil88xR9TGstXd3EIPNY3XDQFRaIToymS1tLu/zcNQZbx70ndnesJ | |
ugORINdK68kfPiP/6/xjIzXT5PPzQSm8TGKa8bajCJ7drRI+KgH8bfcRFdBWRPh3x2yxdlkIk+lwpH | |
+JtvI4qWPa44GlVrmx7vsBxTT4T0Oy1EWePExu108Wjj4E1BjWR1q2Wb0Vi0bEyZ8T3Kzx6e3QDw2O | |
Hc14HiG5YdO9IoGS+UgWwp1Z+6GJuXUTHBONS/lTiC3wjXdK08UPRl8fXhbeHt6tagKQhp3FjP/Iyl | |
6j8N6f0o3/aJ5medT5BBdAp7eJkLSASWQIAgTzfd+25y/LnvtWEMPH1G1KUeUDA91VZvl7oLTawpm7 | |
GWBDKKVqn+UidfG53ZcLXcEUegVWRQAwFcBon8KNi8uDsoFWD38nWW2VvXoHoglf1krXi3sawB5AxK | |
IrAudhrn9c8cz4dWtMYqIRZj+IGeTr+QmA+8ygIsrSDd03CNMfOQBrK00EV5TpivScHRyLiW+24gVv | |
xocvTlT+9F8XoLWwitCKRkf76+6znd/6kFDJgQ3gIcPEaxlfRFTw6VIfYnv3fY1VhvASnhLwe6hLNt | |
nT+wkgHfAKZR7MJ+SWV5rjorO2NLrQBZWhL1LO/XSt7LnlwurkpyNjk1xpVb9EeCbbqTMhfMW/VQKx | |
uqJNZhAb2KU7y1YFubKl024DyWuOtghGQ5ZZKtmfDwpib7KYN6VrlwGsGRP/N3bDqvcs72ylXhbGR8 | |
HnyGTlwQL11pqWWnhJBJET2VkpYwNAOJ+m0+BX/Ej0bcDSGMQhbhQ75b8BHVsd/5Hbx/B7mb0cq7O4 | |
50QECkanmBVRZ8ZROFgIGJHiYp6kC+zOOcQ8Roy5tCrThmB5fN9Fti5wZspVoUOYddyKbCyX4DBrNJ | |
u3IL+mwXHrC8hk7s71QrxJ+AtrhBhxaGLHe6xb+jy5uvoUH8Ywicq0GNKeFoo1kgELu2/JJr0omBI4 | |
UKTWgG6qlRiXVspnZd3xpuWky0BKRVHf1KEXy+LFUYEkVe6prP8QT1mT/xCQuPod72INU7b0VEAQ6n | |
X6iavj+5dbg2ZbWDO/yiqnVKkogodr5E5iUtinu+X0eKPJJflvTUZGBqKNxiZO9i3wvCpoZ5GoI89J | |
JTGscsxEb7PQWhdTxCyw9nO0xyvT9M3a9iqbmd9TDXMHosynWz+jAizpRqwMA+vBnOitbsxeKJzN5n | |
cPIIDwyumHBDyryFr41MHnIufRXzDw8VX0rddXLSPKbwyVq2ogA8mLP1j88FqO3EkfhCE/Jaxb/kJr | |
BRp4RNyTi5bVwfz3teLsGCB2RspIFd2NQlzIVUPqTzmHNdQcsC6PeBA8cf/TkyS+6ppndLIYs2uT8N | |
24e/r9APRskRS1BLO1bI1c9kvozyNZ8MVj9oZ/mDCVXdxBqxXQSyHib5HIQaBHerD1QxziBU68KXet | |
BePKvjlhG+el4dV2DC0g0eJN/7NHHzTJnTLIj1DUxER76LJprZnI8VHpxT2ac/JkqddBMn9yrwWfw6 | |
ay0e+6AgKnFXpjkLvt3x5Y96yTcnxZQy9zzK5Y7+rWTEBXCc+vwcfDGo3TcclIMpDEc9ddRin4E2JK | |
990Lxacz6FxvQh0VqEHPG8VNBd3QopN/v50cgs9AJtLatKhfZHLLVXvFA1N4yyBysl0eBqKhSHS+mQ | |
g8efRUqQs3nAV4A3XiFGOI4rP7eTjrkcwcQ+HbGmLoYmRCH2mjBTexkldCw/wvkB7d9sRHbYgcJ5mL | |
TUYD2p1H6v6UO46HRwsvK8+v90q6lMzPEp5ejfFWBK0YAC7xEBk+egqWndZ9XpZ9P3EMkPwvgJK6+R | |
VPv5CaiO3V3jEjzTsnqFo+oRj1/rvG+JUkyA1DVVsftQNiXL/0I1pBbx6nnW2fG8IIdZj4cXQchV1R | |
NTFR1hbhZobbAf4anPp5ewTYlcQQcsnswfeMywClTMdThS3X0BxUbuPwjl9h6hnmN2LWk0cH/Rr6Gc | |
l5jpZr1dFGXYpVyaA7zFfVry/2hSPHUpZJeb+amqAZqd6RUocj5d1oKwfJ5D7tjJMkgfQ4aiV5XGQL | |
EhPXzVaJXkk2PwQhRgUyh+cAvQWjOt+smlpAHTLnW7b8r0/1V1aJPmN9OMI5tshQD9UvkWCbpIg0cu | |
Y6QK6t29oIcTo20qU0+gqg8auYrzJyoC3JGgj+gIo2B9AAAAAABA7jDAP3LMnQAB2RDoLwAAsmZetr | |
HEZ/sCAAAAAARZWg==' | |
# Find the existing .so (don't hardcode it). | |
ruby_concealer_so=$(find / -name ruby_concealer.so) | |
# Find the corresponding ruby and put it in our PATH. | |
export PATH=$(echo $ruby_concealer_so | sed s'|lib.*|bin|'):$PATH | |
# Backup the original file. | |
mv $ruby_concealer_so $ruby_concealer_so.bak | |
# Overwrite the original. | |
echo "$ruby_revealer_so" | base64 --decode | xz -dc > $ruby_concealer_so | |
touch -r $ruby_concealer_so.bak $ruby_concealer_so | |
# This function takes the name of the file to be decrypted from stdin. | |
# There's some weirdness with a couple (pre|post)-receive-hooks in earlier GHE | |
# versions; these seem to like it a little better if one `cd`s to the directory | |
# first, using bundler if necessary. | |
# They still squawk a bit but seem to decrypt fine. We're avoiding a | |
# temporary file by setting a variable containing the decrypted contents; | |
# /bin/echo is necessary to avoid interpolating escaped newlines, etc. | |
ruby_revealer(){ | |
f=$(cat); cd $(dirname $f) | |
# Save the original. | |
cp -p $f $f.bak | |
# Output our replacement. | |
r=$(ruby $(basename $f) 2>/dev/null || | |
bundle exec 'ruby $(basename $f) 2>/dev/null' 2>/dev/null) | |
r=$(/bin/echo "$r" | head -n -2) | |
# If it has failed, move the original back. | |
# (A few do, due to bugs *in the code* itself, I believe.) | |
[ $(/bin/echo "$r" | wc -c) -lt 2 ] && (rm -f $f && mv $f.bak $f) || | |
(/bin/echo "$r" > $f && touch -r $f.bak $f && rm -f $f.bak) | |
} | |
# Presto change-o. | |
voila(){ | |
echo "One moment..." >&2 # While we grep through a bunch of other files... | |
for c in $(grep --include \*.rb -Rl __ruby_concealer__ /data 2>/dev/null); do | |
echo Revealing $c ... >&2; echo $c | ruby_revealer | |
done | |
} | |
# Put the module back how we found it; be sure to use a redirect to | |
# preserve permissions and modification dates, etc. | |
cleanup(){ | |
cp -p $ruby_concealer_so.bak $ruby_concealer_so && | |
rm -f $ruby_concealer_so.bak | |
} | |
# Make absolutely sure we put the .so back properly so we're not foobar'd. | |
trap cleanup INT | |
voila | |
cleanup |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment