Untitled

a guest
Oct 20th, 2016
#!/usr/bin/sudo ruby

#
# revealer.rb -- Deobfuscate GHE .rb files.
#
# This is simple:
# Every obfuscated file in the GHE VM contains the following code:
#
# > require "ruby_concealer.so"
# > __ruby_concealer__ "..."
#
# GHE uses a C extension (ruby_concealer.so) which defines a global
# method named `__ruby_concealer__`. The string passed to this method
# is a string XORed with a "key" and then deflated using `Zlib::Deflate.deflate`.
# We just need to do it in reverse in order to get readable source code.
#
# This code is quite fragile, but it was made just for the fun of learning
# a bit about Ruby and the GitHub Enterprise codebase. Besides, it does
# the job.

require 'zlib'

if ARGV.length != 1 || !File.directory?(ARGV[0])
  puts "Usage: #{$0} <ghe-directory>"
else
  fnum = 0
  processed = 0
  key = "This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken. ".bytes.to_a
  Dir.glob("#{ARGV[0]}/**/*.rb") { |fname|
    fnum += 1
    # s is the concealed string, or nil when the file is not obfuscated.
    s = File.open(fname, "r") { |f|
      begin
        break if !f.readline.match(/^\s*require\s+"ruby_concealer\.so"\s*$/)
        # eval runs the second line as Ruby code (under sudo, per the shebang),
        # so only point this script at an unmodified GHE tree.
        eval(f.readline.sub(/__ruby_concealer__/, ''))
      rescue EOFError
        break
      end
    }
    next if !s
    puts "Processing #{fname}..."
    uc = Zlib::Inflate.inflate(s)
    # Undo the repeating-key XOR and overwrite the file in place.
    File.open(fname, "wb") { |of|
      of.write(uc.bytes.each_with_index.map { |c, i| c ^ key[i % key.length] }.pack('C*'))
    }
    processed += 1
  }
  puts "Done. #{fnum} files found, #{processed} of which were processed."
end
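
An eval-free variant of the extraction step, as an added example that is not part of the original paste: the string literal is decoded by a small parser, so nothing in a scanned file is executed. The key is the one from the paste; the names xor_key, unescape_literal, reveal and conceal, and the \xHH escaping of the constructed sample, are assumptions.

```ruby
require 'zlib'

# Key copied from the paste above.
KEY = "This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken. ".bytes.freeze
REQUIRE_LINE = /\A\s*require\s+"ruby_concealer\.so"\s*\z/n
CALL_LINE    = /\A\s*__ruby_concealer__\s*"(.*)"\s*\z/mn
SIMPLE = { 'n' => "\n", 't' => "\t", 'r' => "\r", 'e' => "\e", 'a' => "\a",
           'b' => "\b", 'f' => "\f", 'v' => "\v", 's' => ' ' }.freeze

# Repeating-key XOR; the same call conceals and reveals.
def xor_key(data)
  data.bytes.each_with_index.map { |c, i| c ^ KEY[i % KEY.length] }.pack('C*')
end

# Decode the body of a double-quoted literal to raw bytes without executing it.
# Interpolation, a bare quote, and the \u \c \C \M escapes are rejected, not evaluated.
def unescape_literal(body)
  body.b.gsub(/\\(x\h{1,2}|[0-7]{1,3}|.)|#[{$@]|"/mn) do
    esc = Regexp.last_match(1)
    raise ArgumentError, "refusing #{Regexp.last_match(0).inspect}" if esc.nil? || 'ucCMx'.include?(esc)
    if esc.start_with?('x') then esc[1..-1].hex.chr
    elsif esc.match?(/\A[0-7]/) then (esc.oct & 0xff).chr
    else SIMPLE.fetch(esc, esc)
    end
  end
end

# Returns the recovered source, or nil if the text is not a concealed file.
def reveal(text)
  first, second = text.b.lines.first(2)
  return nil unless first&.match?(REQUIRE_LINE) && second
  m = CALL_LINE.match(second)
  return nil unless m
  xor_key(Zlib::Inflate.inflate(unescape_literal(m[1])))
end

# Constructed sample in the two-line layout the paste describes; the \xHH
# escaping of the payload is an assumption.
def conceal(source)
  packed = Zlib::Deflate.deflate(xor_key(source))
  %(require "ruby_concealer.so"\n__ruby_concealer__ ") +
    packed.bytes.map { |b| format('\\x%02X', b) }.join + %("\n)
end

SAMPLE = conceal("puts 'hello from a constructed file'\n")
puts reveal(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

reveal returns the source instead of overwriting the file, so the result can be inspected or written elsewhere without running the tool as root.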