Skip to content

Instantly share code, notes, and snippets.

Created February 12, 2019 23:18
Show Gist options
  • Save NullArray/f39b026b9e0d19f1e17390a244d679ec to your computer and use it in GitHub Desktop.
Save NullArray/f39b026b9e0d19f1e17390a244d679ec to your computer and use it in GitHub Desktop.
RootHelper Obfuscated, Encrypted, Converted to C source
//#____ ____ __
//#\ \ / /____ _____/ |_ ___________
//# \ Y // __ \_/ ___\ __\/ _ \_ __ \
//# \ /\ ___/\ \___| | ( <_> ) | \/
//# \___/ \___ >\___ >__| \____/|__|
//# \/ \/
//#--Licensed under GNU GPL 3
//#----Authored by Vector/NullArray
static char data [] =
#define tst2_z 19
#define tst2 ((&data[0]))
#define msg2_z 19
#define msg2 ((&data[27]))
#define xecc_z 15
#define xecc ((&data[48]))
#define chk2_z 19
#define chk2 ((&data[66]))
#define date_z 1
#define date ((&data[86]))
#define tst1_z 22
#define tst1 ((&data[92]))
#define msg1_z 65
#define msg1 ((&data[128]))
#define shll_z 10
#define shll ((&data[197]))
#define inlo_z 3
#define inlo ((&data[208]))
#define lsto_z 1
#define lsto ((&data[211]))
#define opts_z 1
#define opts ((&data[212]))
#define rlax_z 1
#define rlax ((&data[213]))
#define chk1_z 22
#define chk1 ((&data[218]))
#define text_z 3647
#define text ((&data[1005]))
#define pswd_z 256
#define pswd ((&data[4945]))
"\164\317\202\025\021\114\027"/* End of data[] */;
#define hide_z 4096
#define DEBUGEXEC 0 /* Define as 1 to debug execvp calls */
#define TRACEABLE 1 /* Define as 1 to enable ptrace the executable */
#define BUSYBOXON 0 /* Define as 1 to enable work with busybox */
/* rtc.c */
#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
/* 'Alleged RC4' */
static unsigned char stte[256], indx, jndx, kndx;
* Reset arc4 stte.
void stte_0(void)
indx = jndx = kndx = 0;
do {
stte[indx] = indx;
} while (++indx);
* Set key. Can be used more than once.
void key(void * str, int len)
unsigned char tmp, * ptr = (unsigned char *)str;
while (len > 0) {
do {
tmp = stte[indx];
kndx += tmp;
kndx += ptr[(int)indx % len];
stte[indx] = stte[kndx];
stte[kndx] = tmp;
} while (++indx);
ptr += 256;
len -= 256;
* Crypt data.
void arc4(void * str, int len)
unsigned char tmp, * ptr = (unsigned char *)str;
while (len > 0) {
tmp = stte[indx];
jndx += tmp;
stte[indx] = stte[jndx];
stte[jndx] = tmp;
tmp += stte[indx];
*ptr ^= stte[tmp];
/* End of ARC4 */
* Key with file invariants.
int key_with_file(char * file)
struct stat statf[1];
struct stat control[1];
if (stat(file, statf) < 0)
return -1;
/* Turn on stable fields */
memset(control, 0, sizeof(control));
control->st_ino = statf->st_ino;
control->st_dev = statf->st_dev;
control->st_rdev = statf->st_rdev;
control->st_uid = statf->st_uid;
control->st_gid = statf->st_gid;
control->st_size = statf->st_size;
control->st_mtime = statf->st_mtime;
control->st_ctime = statf->st_ctime;
key(control, sizeof(control));
return 0;
void debugexec(char * sh11, int argc, char ** argv)
int i;
fprintf(stderr, "shll=%s\n", sh11 ? sh11 : "<null>");
fprintf(stderr, "argc=%d\n", argc);
if (!argv) {
fprintf(stderr, "argv=<null>\n");
} else {
for (i = 0; i <= argc ; i++)
fprintf(stderr, "argv[%d]=%.60s\n", i, argv[i] ? argv[i] : "<null>");
#endif /* DEBUGEXEC */
void rmarg(char ** argv, char * arg)
for (; argv && *argv && *argv != arg; argv++);
for (; argv && *argv; argv++)
*argv = argv[1];
void chkenv_end(void);
int chkenv(int argc)
char buff[512];
unsigned long mask, m;
int l, a, c;
char * string;
extern char ** environ;
mask = (unsigned long)getpid();
key(&chkenv, (void*)&chkenv_end - (void*)&chkenv);
key(&data, sizeof(data));
key(&mask, sizeof(mask));
arc4(&mask, sizeof(mask));
sprintf(buff, "x%lx", mask);
string = getenv(buff);
fprintf(stderr, "getenv(%s)=%s\n", buff, string ? string : "<null>");
l = strlen(buff);
if (!string) {
/* 1st */
sprintf(&buff[l], "=%lu %d", mask, argc);
return 0;
c = sscanf(string, "%lu %d%c", &m, &a, buff);
if (c == 2 && m == mask) {
/* 3rd */
rmarg(environ, &string[-l - 1]);
return 1 + (argc - a);
return -1;
void chkenv_end(void){}
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#if !defined(PTRACE_ATTACH) && defined(PT_ATTACH)
void untraceable(char * argv0)
char proc[80];
int pid, mine;
switch(pid = fork()) {
case 0:
pid = getppid();
/* For problematic SunOS ptrace */
#if defined(__FreeBSD__)
sprintf(proc, "/proc/%d/mem", (int)pid);
sprintf(proc, "/proc/%d/as", (int)pid);
mine = !open(proc, O_RDWR|O_EXCL);
if (!mine && errno != EBUSY)
mine = !ptrace(PTRACE_ATTACH, pid, 0, 0);
if (mine) {
kill(pid, SIGCONT);
} else {
kill(pid, SIGKILL);
case -1:
if (pid == waitpid(pid, 0, 0))
#endif /* !TRACEABLE */
char * xsh(int argc, char ** argv)
char * scrpt;
int ret, i, j;
char ** varg;
char * me = argv[0];
if (me == NULL) { me = getenv("_"); }
if (me == 0) { fprintf(stderr, "E: neither argv[0] nor $_ works."); exit(1); }
ret = chkenv(argc);
key(pswd, pswd_z);
arc4(msg1, msg1_z);
arc4(date, date_z);
if (date[0] && (atoll(date)<time(NULL)))
return msg1;
arc4(shll, shll_z);
arc4(inlo, inlo_z);
arc4(xecc, xecc_z);
arc4(lsto, lsto_z);
arc4(tst1, tst1_z);
key(tst1, tst1_z);
arc4(chk1, chk1_z);
if ((chk1_z != tst1_z) || memcmp(tst1, chk1, tst1_z))
return tst1;
arc4(msg2, msg2_z);
if (ret < 0)
return msg2;
varg = (char **)calloc(argc + 10, sizeof(char *));
if (!varg)
return 0;
if (ret) {
arc4(rlax, rlax_z);
if (!rlax[0] && key_with_file(shll))
return shll;
arc4(opts, opts_z);
arc4(text, text_z);
arc4(tst2, tst2_z);
key(tst2, tst2_z);
arc4(chk2, chk2_z);
if ((chk2_z != tst2_z) || memcmp(tst2, chk2, tst2_z))
return tst2;
/* Prepend hide_z spaces to script text to hide it. */
scrpt = malloc(hide_z + text_z);
if (!scrpt)
return 0;
memset(scrpt, (int) ' ', hide_z);
memcpy(&scrpt[hide_z], text, text_z);
} else { /* Reexecute */
if (*xecc) {
scrpt = malloc(512);
if (!scrpt)
return 0;
sprintf(scrpt, xecc, me);
} else {
scrpt = me;
j = 0;
varg[j++] = "busybox";
varg[j++] = "sh";
varg[j++] = argv[0]; /* My own name at execution */
if (ret && *opts)
varg[j++] = opts; /* Options on 1st line of code */
if (*inlo)
varg[j++] = inlo; /* Option introducing inline code */
varg[j++] = scrpt; /* The script itself */
if (*lsto)
varg[j++] = lsto; /* Option meaning last option */
i = (ret > 1) ? ret : 0; /* Args numbering correction */
while (i < argc)
varg[j++] = argv[i++]; /* Main run-time arguments */
varg[j] = 0; /* NULL terminated array */
debugexec(shll, j, varg);
execvp(shll, varg);
return shll;
int main(int argc, char ** argv)
debugexec("main", argc, argv);
argv[1] = xsh(argc, argv);
fprintf(stderr, "%s%s%s: %s\n", argv[0],
errno ? ": " : "",
errno ? strerror(errno) : "",
argv[1] ? argv[1] : "<null>"
return 1;
Copy link

My bad. Although you could always obfuscate it yourself. Or just use the regular version. this is an early version of an obfuscation attempt. If i make one with the current version of RootHelper, i will obviously be testing it extensively and put it in the Repo with the original project.

Copy link

Holit commented Jul 5, 2022

Cool project! What kind of obfuscation is this? Where can I find this obfuscator?

obfuscator is

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment