iscgar · October 20, 2016 11:11 · chaoticryptidz · Sep 27, 2020 · lunaisnotaboy · Oct 9, 2020
diff --git a/ghe-revealer.rb b/ghe-revealer.rb
 #!/usr/bin/sudo ruby

 # 
 # revealer.rb -- Deobfuscate GHE .rb files.
 # 
 # This is simple:
 # Every obfuscated file in the GHE VM contains the following code:
 # 
 # > require "ruby_concealer.so"
 # > __ruby_concealer__ "..."
 # 
 # GHE uses a C extension (ruby_concealer.so) which defines a global
 # method named `__ruby_concealer__`. The string passed to this method
 # is a string XORed with a "key" and then deflated using `Zlib::Deflate.deflate`.
 # We just need to do it in reverse in order to get readable source code.
 # 
 # This code is quite fragile, but it was made just for the fun of learning
 # a bit about Ruby and the GitHub Enterprise codebase. Besides, it does
 # the job.

 require 'zlib'

 if ARGV.length != 1 or !File.directory?(ARGV[0]) then
    puts "Usage: #{$0} <ghe-directory>"
 else
    fnum = 0
    processed = 0
    key = "This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken. ".bytes.to_a
    Dir.glob("#{ARGV[0]}/**/*.rb") { |fname|
        fnum += 1
        s = File.open(fname, "r") { |f|
            begin
                break if !f.readline.match /^\s*require\s+"ruby_concealer.so"\s*$/
                eval(f.readline.sub(/__ruby_concealer__/, ''))
            rescue EOFError
                break
            end
        }
        next if !s
        puts "Processing #{fname}..."
        uc = Zlib::Inflate.inflate(s)
        File.open(fname, "w") { |of|
            of.write(uc.bytes.each_with_index.map{ |c,i| (c ^ key[i % key.length]).chr }.join)
        }
        processed += 1
    }
    puts "Done. #{fnum} files found, #{processed} of which were processed."
 end
	#!/usr/bin/sudo ruby

	#
	# revealer.rb -- Deobfuscate GHE .rb files.
	#
	# This is simple:
	# Every obfuscated file in the GHE VM contains the following code:
	#
	# > require "ruby_concealer.so"
	# > __ruby_concealer__ "..."
	#
	# GHE uses a C extension (ruby_concealer.so) which defines a global
	# method named `__ruby_concealer__`. The string passed to this method
	# is a string XORed with a "key" and then deflated using `Zlib::Deflate.deflate`.
	# We just need to do it in reverse in order to get readable source code.
	#
	# This code is quite fragile, but it was made just for the fun of learning
	# a bit about Ruby and the GitHub Enterprise codebase. Besides, it does
	# the job.

	require 'zlib'

	if ARGV.length != 1 or !File.directory?(ARGV[0]) then
	puts "Usage: #{$0} <ghe-directory>"
	else
	fnum = 0
	processed = 0
	key = "This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken. ".bytes.to_a
	Dir.glob("#{ARGV[0]}/*/.rb") { \|fname\|
	fnum += 1
	s = File.open(fname, "r") { \|f\|
	begin
	break if !f.readline.match /^\srequire\s+"ruby_concealer.so"\s$/
	eval(f.readline.sub(/__ruby_concealer__/, ''))
	rescue EOFError
	break
	end
	}
	next if !s
	puts "Processing #{fname}..."
	uc = Zlib::Inflate.inflate(s)
	File.open(fname, "w") { \|of\|
	of.write(uc.bytes.each_with_index.map{ \|c,i\| (c ^ key[i % key.length]).chr }.join)
	}
	processed += 1
	}
	puts "Done. #{fnum} files found, #{processed} of which were processed."
	end