
Yeah, but how exactly are they passed to those commands? I don't see/understand that part. I don't see the "take this file here" part.



That's for 2 reasons:

1. It might not be there in the place where you're looking. It exists in the m4 in the release tarballs, not in the git repo.

2. It's highly obfuscated.


m4 is somewhat obfuscated by default, that's a part of the problem IMO


Looks pretty much like bash to me. Which means... yeah.


No, as far as I understand the binary files must be pointed at here: '$gl_am_configmake' ... But I don't see how.

This: 'gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/`' seems to match the '####Hello####', but, as far as I can see, that's supposed to be the already converted script?! I presumed the binary files not to contain human-readable strings, maybe that's the whole confusion.


Opening bad-3-corrupt_lzma2.xz in an editor reveals it indeed has the string ####Hello####. I don't know enough about lzma compression streams to explain how this appears in the "compressed" version of the payload, but it does.


I think part of it being a bad/corrupt test case means it doesn't have to be valid xz encoding. But I don't know if that even matters.


> I don't know enough about lzma compression streams to explain how this appears in the "compressed" version of the payload, but it does.

From what I've read, the payload isn't stored in the archive, but rather the test file itself is a sandwich of xz data and payload: There are 1024 bytes of xz archive, N bytes of payload, another 1024 of xz, etc.


Thanks. The riddle has been solved :)

Do you have a (safe web view) version of those files? I would like to see what they look like to a casual observer. Judging by the 'tr' assembly command I would expect the bad-3-corrupt_ligma2.xz to be somewhat recognizable as script.
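
Added example (not part of any comment above and not code from the xz project): a byte-level Python equivalent of the `grep -aErls` call quoted in the thread, showing why a file that is almost entirely non-text bytes is still selected when one line ends in the marker. The function names, file names and file contents are constructed for illustration and are not the real test files.

```python
import re
import tempfile
from pathlib import Path

# Byte-level equivalent of the ERE  #{4}[[:alnum:]]{5}#{4}$  from the thread.
# grep -a treats binary input as text, so '$' anchors at any newline byte.
MARKER = re.compile(rb"#{4}[0-9A-Za-z]{5}#{4}$", re.MULTILINE)


def find_marker_files(root):
    """Like `grep -aErls PATTERN root/`; maps path -> (offset, match, ratio)."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:          # -s: stay quiet about unreadable files
            continue
        m = MARKER.search(data)
        if m:
            # Share of bytes outside printable ASCII and tab/LF/CR: a high
            # value means a "binary" file that still carries a greppable line.
            odd = sum(1 for b in data if not (32 <= b < 127 or b in (9, 10, 13)))
            hits[path.relative_to(root).as_posix()] = (
                m.start(), m.group().decode("ascii"), round(odd / len(data), 2))
    return hits


def build_constructed_tree(root):
    """Constructed fixtures; NOT the contents of the real xz test files."""
    root = Path(root)
    (root / "tests").mkdir()
    noise = bytes(range(128, 256)) * 4            # 512 non-text bytes
    # "Binary" file with one plain-text marker line in the middle.
    (root / "tests" / "sample-corrupt.bin").write_bytes(
        noise + b"\n####Hello####\n" + noise)
    # Marker followed by other bytes on the same line: '$' must reject it.
    (root / "tests" / "midline.bin").write_bytes(noise + b"\n####Hello#### x\n")
    (root / "README").write_text("ordinary text, no marker\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return find_marker_files(tmp)


if __name__ == "__main__":
    print(demo())
```

The same function can be pointed at an unpacked release tarball to list fixtures that are mostly non-text yet contain a line ending in a marker of this shape.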



