On Thu, 09 May 2019 16:50:16 -0400, Paul wrote:
> Markus Robert Kessler wrote:
>
>
>> Hi,
>>
>> I try to figure out how to trace what such a "run file" is doing
>> exactly.
>>
>> At least this one has to be run as root (and terminates if not). So,
>> spying on it is not so easy. Especially if such closed-source binaries
>> are using "stealth" techniques or try to manipulate the tracing process
>> itself.
>>
>> Well, one could use a fresh install, as slim as possible, do an md5sum
>> for every file on disk, before and after installation. And then compare
>> the md5 lists. Alas, that would mean that you also find tons of files
>> that are changed or newly created by the OS anyway.
>>
>> Same, when using a (VirtualBox) VM.
>>
>> Any better way?
>>
>> Thanks,
>> best regards,
>>
>> Markus
>>
>>
> Try the following.
>
> 1) Download a .run or .sh file intended for install.
> It consists of text at the start of the file and binary soon after.
>
> 2) Open the file in a hex editor. Scroll down
> until the text ends and seemingly binary appears.
> The binary is part of a "here is" structure and is being passed to a
> command very near to the end of the text section.
>
> 3) Where the text ends, the last line ends in 0x0A.
>
> Remove all the text including the 0x0A, save the file to a temporary
> file name, such as .bin
>
> The start of the resulting .bin file is 0x1F 0x8B 0x08 0x00
>
> 4) Use the "file" command which should be present in
> your distro.
>
> file thing.bin
>
> In the case of the HPLIP run file it says
>
> "gzip compressed data"
>
> This is the first level of containment.
>
> 5) Open thing.bin in "Archive Manager". It
> will display the folder in the gzip file that is thing.bin. This
> will allow easy viewing of the content.
>
> 5a) Or, you can do it the old fashioned way.
>
> file thing.bin
>
> (GZIP compressed)
>
> mv thing.bin thing.gz              # purely for entertainment value, to make
>                                    # the following easier to understand
>
> gzip -lv thing.gz                  # list the contents, a single file "hplip-3.19.3"
>
> gzip -d thing.gz                   # convert and erase thing.gz, leaving "hplip-3.19.3"
>
> file hplip-3.19.3                  # tells you it's a "tar" file
>
> mv hplip-3.19.3 hplip-3.19.3.tar   # purely for entertainment value
>
> mkdir tar_out
>
> mv hplip-3.19.3.tar tar_out/
>
> cd tar_out                         # work in a clean place so folders don't spill all over.
>                                    # Never trust a tar file to be neat and tidy!
>
> tar tf hplip-3.19.3.tar # list the files
>
> tar xf hplip-3.19.3.tar # extract the folders and files to tar_out/
>
> Now, examine the files, see how many binary blobs,
> how many text files, and so on.
>
> You can see how Archive Manager has saved you from much hand-crafted
> commands.
>
> If you are on a headless server, you might not have a lot of fancy
> tools, and have to do it as in (5a).
>
> Paul
Hi Paul,
thanks a lot for your detailed info!
Knowing how to handle such a "run file" makes it easy to get the content.
First I used hexedit as recommended, and then I found out that even vi
itself can extract the binary non-destructively by just erasing all text
above it and saving it. After that I viewed what was left through xxd --
better safe than sorry...
I renamed the remaining bin file to bin.tgz and opened it via archiver
(ark in my case). So I had access to the whole content.
Surprisingly there was no closed-source voodoo, but instead all needed
stuff was given as plain source, e.g. C, header files, tons of Python
scripts, PPDs, docs and so on.
Fascinating to read through the content -- very instructive lesson :-)
Many thanks again!
Best regards,
Markus
--
Please reply to group only.
For private email please use http://www.dipl-ing-kessler.de/email.htm
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
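As an added example (not code from either post, and not HPLIP's own installer), the following Python script automates Paul's steps 2 through 5a: it locates the gzip magic (0x1F 0x8B 0x08) that directly follows the 0x0A ending the text header, carves the payload from that offset, decompresses it, and lists the tar members without extracting anything. It also flags tar entries with absolute or parent-directory paths, the "not neat and tidy" case Paul warns about. The installer header, the `__ARCHIVE_BELOW__` marker and the file list are constructed here for the demonstration and are assumptions, not the layout of any real .run file.

```python
import gzip
import io
import posixpath
import tarfile

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate: the bytes Paul saw at the start of thing.bin


def build_sample_run(files):
    """Construct a hypothetical .run file: a shell header followed by a gzipped tar.

    The header text and marker are made up for this example; real installers
    (makeself, HPLIP's .run, ...) use their own headers.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = gzip.compress(buf.getvalue())
    header = (
        b"#!/bin/sh\n"
        b"# constructed sample installer header (assumption, not a real one)\n"
        b"SKIP=`awk '/^__ARCHIVE_BELOW__/ { print NR + 1; exit 0; }' \"$0\"`\n"
        b"tail -n +$SKIP \"$0\" | tar xz\n"
        b"exit 0\n"
        b"__ARCHIVE_BELOW__\n"
    )
    return header + payload


def find_payload_offset(blob):
    """Offset of the embedded gzip stream: the first gzip magic that follows a 0x0A.

    Requiring the preceding newline mirrors Paul's step 3 and avoids false
    hits on the same three bytes appearing somewhere inside the shell text.
    """
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        if pos > 0 and blob[pos - 1] == 0x0A:
            return pos
        pos = blob.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no gzip stream found after a newline")


def carve_payload(blob):
    """Everything from the gzip magic to EOF, i.e. Paul's thing.bin."""
    return blob[find_payload_offset(blob):]


def list_members(payload):
    """Decompress the carved gzip stream and list tar member names (no extraction)."""
    data = gzip.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def unsafe_members(names):
    """Tar entries that would land outside the extraction directory.

    Absolute paths and paths whose normalised form begins with '..' are the
    classic ways an archive spills over or overwrites files elsewhere.
    """
    bad = []
    for name in names:
        first = posixpath.normpath(name).split("/")[0]
        if name.startswith("/") or first == "..":
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed sample content; the real HPLIP tarball is far larger.
    sample = build_sample_run({
        "hplip-x/README": b"hello\n",
        "hplip-x/setup.py": b"print(1)\n",
    })
    off = find_payload_offset(sample)
    print("payload starts at byte", off, "magic", sample[off:off + 4].hex())
    names = list_members(carve_payload(sample))
    print("members:", names)
    print("unsafe:", unsafe_members(names))
```

On a headless box the same carve can be done with standard tools: `grep -abo $'\x1f\x8b\x08' thing.run | head -1` prints the byte offset of the first gzip magic, and `tail -c +$((offset + 1)) thing.run > thing.gz` cuts from there; check `tar tzf thing.gz` for absolute or `../` names before running `tar x` in a scratch directory.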