#!/usr/bin/sudo ruby
# revealer.rb -- Deobfuscate GHE .rb files.
# This is simple:
# Every obfuscated file in the GHE VM contains the following code:
# > require ""
# > __ruby_concealer__ "..."
# GHE uses a C extension ( which defines a global
# method named `__ruby_concealer__`. The string passed to this method
# is a string XORed with a "key" and then deflated using `Zlib::Deflate.deflate`.
# We just need to do it in reverse in order to get readable source code.
# This code is quite fragile, but it was made just for the fun of learning
# a bit about Ruby and the GitHub Enterprise codebase. Besides, it does
# the job.
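
require 'zlib'

if ARGV.length != 1 || !File.directory?(ARGV[0])
  puts "Usage: #{$0} <ghe-directory>"
  exit 1
end

fnum = 0
processed = 0
key = "This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken. ".bytes.to_a

Dir.glob("#{ARGV[0]}/**/*.rb") { |fname|
  fnum += 1
  # s becomes the concealed payload, or nil when the file is not obfuscated.
  s = File.open(fname, "r") { |f|
    begin
      # Match the require line for the concealer extension (any quoted name).
      break if !f.readline.match(/^\s*require\s+"[^"]*"\s*$/)
      line = f.readline
      break if !line.match(/^\s*__ruby_concealer__\s/)
      # eval turns the Ruby string literal into its bytes; it runs whatever is on that line.
      eval(line.sub(/__ruby_concealer__/, ''))
    rescue EOFError
      nil
    end
  }
  next if !s
  puts "Processing #{fname}..."
  uc = Zlib::Inflate.inflate(s)
  # Overwrite the file in place with the inflated bytes XORed against the key.
  File.open(fname, "w") { |of|
    of.write(uc.bytes.to_a.each_with_index.map { |c, i| (c ^ key[i % key.length]).chr }.join)
  }
  processed += 1
}

puts "Done. #{fnum} files found, #{processed} of which were processed."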
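
The scheme described in the header comment, as an added example that is not part of the original gist: it conceals and reveals a constructed string entirely in memory, without `eval` and without overwriting any file. The names `xor_with_key`, `conceal`, `reveal` and `try_reveal` are hypothetical, and the concealing direction is assumed from the comment's description (XOR with the key, then deflate).

```ruby
require 'zlib'

# Key string exactly as it appears in revealer.rb.
KEY = "This obfuscation is intended to discourage GitHub Enterprise customers from making modifications to the VM. We know this 'encryption' is easily broken. ".bytes

# Constructed sample input, not taken from any GHE file.
SAMPLE = "class Demo\n  def hello; 'hi'; end\nend\n"

# XOR every byte with the repeating key. XOR is its own inverse, so the
# same routine is used in both directions.
def xor_with_key(data)
  data.bytes.each_with_index.map { |b, i| b ^ KEY[i % KEY.length] }.pack('C*')
end

# Concealing side (assumed from the header comment): XOR, then deflate.
def conceal(source)
  Zlib::Deflate.deflate(xor_with_key(source))
end

# Revealing side, in the same order revealer.rb uses: inflate, then XOR.
def reveal(blob)
  xor_with_key(Zlib::Inflate.inflate(blob)).force_encoding('UTF-8')
end

# Returns nil instead of raising when the input is not a zlib stream,
# e.g. a file that was never concealed or was already revealed.
def try_reveal(blob)
  reveal(blob)
rescue Zlib::Error
  nil
end

if __FILE__ == $0
  blob = conceal(SAMPLE)
  puts "concealed bytes: #{blob.bytesize}"
  puts reveal(blob)
end
```

Because the key is a fixed, known constant and zlib is not keyed, anyone holding the payload can recover the source; the scheme gives obscurity, not confidentiality.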