![[Image: backdoor.png]](https://i.postimg.cc/xjPXXYqJ/backdoor.png)
I has Reverse Code for Tool sell by PRIV8TOOL
Telegram shop : @PRIV8WTOOLS_bot
link guide github this tool from PRIV8TOOL :
https://github.com/PRIV8TOOL/CEPHAS
What surprised me is they put backdoor access to their own consumer server.
LETS GO ..
🔓 Cephas Installer Reverse Engineering
Step-by-Step Guide: From .deb Extraction to Full Script Recovery
📋 SCOPE
This document reproduces the exact workflow used to extract and analyze the embedded bash installer script from the cephas_1.0_amd64.deb package by tracing runtime behavior and decoding the installer payload captured in execve arguments.
The flow starts at extracting the .deb, proceeds through OS spoofing and strace capture, and ends with script extraction using extract_script.py (re-created here).
🖥️ TESTED ENVIRONMENT
- OS: Linux (root)
- Package: cephas_1.0_amd64.deb
📁 REPOSITORY LAYOUT
- cephas_1.0_amd64.deb
- extracted_cephas/ (created by dpkg-deb)
- extract_script.py (this repo – script to pull the embedded installer from an strace log)
- cephas_installer_script.sh (final recovered installer script)
- trace.log (strace capture)
🔧 PREREQUISITES
Install the minimal tooling (root):
Code:
apt-get update
apt-get install -y \
strace \
python3 \
fileOptional (useful for extra analysis, not strictly required for extraction):
Code:
apt-get install -y binwalk xxd ltrace tree📦 OBTAINING THE PACKAGE
- Follow the official installation guide: https://github.com/PRIV8TOOL/CEPHAS
- If the package is still available in the repository, you can download it directly:
Code:
apt download cephas- If it has been removed upstream, use the bundled artifact included with this archive:
cephas_1.0_amd64.deb
⚙️ STEP 1 — Extract the .deb Package
Code:
# From the workspace root
cd /root/CookSC
# Extract package contents
mkdir -p extracted_cephas
dpkg-deb -x cephas_1.0_amd64.deb extracted_cephas
# Inspect the main binary
file extracted_cephas/usr/local/bin/cephasExpected: an x86-64 PIE ELF, dynamically linked (self-extracting behavior observed at runtime).
⚙️ STEP 2 — Prepare to Bypass the OS Gate
The installer exits early unless it detects Ubuntu 22.04/24.04. Spoof the OS version temporarily to allow the binary to reach its embedded script runner.
⚠️ Safety first: backup and restore /etc/os-release.
Code:
# Backup original file (important!)
cp /etc/os-release /etc/os-release.backup
# Minimal spoof to mimic Ubuntu 22.04
echo 'VERSION_ID="22.04"' > /tmp/fake-os
cp /tmp/fake-os /etc/os-release⚙️ STEP 3 — Trace Execution and Capture the Embedded Script
Use strace with full-string capture so the script text passed via -c "..." is not truncated.
Code:
# Trace execution with full argument capture
strace -f -s 100000 -e execve cephas 2>&1 > trace.logNotes:
- -f follows forks.
- -s 100000 prevents long argument truncation.
- -e execve restricts logging to process execs (clearer logs, smaller file).
⚙️ STEP 4 — Extract the Embedded Bash Script from Trace
This repository includes extract_script.py which robustly unescapes the script captured by strace (handles \n, octal/hex escapes, quotes). If you don't see it, re-create it as below or confirm it exists at ./extract_script.py.
Usage:
Code:
# Option A: write to stdout
python3 extract_script.py trace.log > cephas_installer_script.sh
# Option B: write to file directly
python3 extract_script.py trace.log -o cephas_installer_script.shThe resulting cephas_installer_script.sh should be ~1.7K lines and contain the complete interactive installer logic (colors, OS checks, LAMP setup, vhost + SSL, Telegram reporting, remote ZIP download/extract, etc.).
⚙️ STEP 5 — Restore Original OS Data
Always restore your real /etc/os-release once finished:
Code:
cp /etc/os-release.backup /etc/os-release✅ QUICK VERIFICATION
Code:
wc -l cephas_installer_script.sh
head -n 20 cephas_installer_script.shYou should see a shebang and the structured installer content (functions, menus, logging).
🐍 SCRIPT: extract_script.py
A copy is provided in this repo at ./extract_script.py. It:
- Searches execve() entries for shells (bash, sh, dash).
- Locates the -c "<script>" payload argument.
- Robustly unescapes strace-encoded strings (prevents UnicodeDecodeError).
Example invocation (as used above):
Code:
python3 extract_script.py trace.log > cephas_installer_script.sh🔒 SECURITY NOTES
⚠️ WARNING:
- Run all steps in an isolated/sandboxed environment.
- Do NOT deploy the recovered payload to production.
- The installer contacts external services, writes system config, and reports to Telegram; do not run in sensitive environments.
📝 APPENDIX — One-shot Reproduction
Code:
# 0) Prereqs
apt-get update && apt-get install -y strace python3 file
# 1) Extract package
cd /root/CookSC
mkdir -p extracted_cephas
dpkg-deb -x cephas_1.0_amd64.deb extracted_cephas
# 2) OS spoof (backup first!)
cp /etc/os-release /etc/os-release.backup
echo 'VERSION_ID="22.04"' > /tmp/fake-os && cp /tmp/fake-os /etc/os-release
# 3) Trace
strace -f -s 100000 -e execve cephas 2>&1 > trace.log
# 4) Extract script (requires extract_script.py in this directory)
python3 extract_script.py trace.log > cephas_installer_script.sh
# 5) Restore OS file
cp /etc/os-release.backup /etc/os-releaseALL FILE AND TUTORIAL TO REVERSE CODE I HAS UPLOAD ON THIS LINK
password archive : HxGRD
https://limewire.com/d/e5OxA#2TebpcAzgk
Last Word : DONT TRUST THIS SELLER, HE USE BACKDOOR ON EVERY TOOL , ALL CODE IS ENCRYPTED.
IF This thread has reply more than 66 , i will share source code is clean and deobfuscated
His tool create user "cephas" as sudo ( mean can act as root ) and can access server member subscriber
![[Image: spy-user.jpg]](https://i.postimg.cc/Wtz2FBzQ/spy-user.jpg)
![[Image: Screenshot-1.png]](https://i.postimg.cc/ZYf6S3mM/Screenshot-1.png)