first (intentional) obfu

Replies are listed 'Best First'.
Re: first (intentional) obfu by ambrus (Abbot) on Feb 21, 2006 at 22:41 UTC
Wow! This is a truly brilliant obfu. It completely put me on the wrong track when I tried to understand it. What first took my attention was the `readpipe CX` statement. I couldn't see how it could give anything useful as CX is clearly an invalid command. So as `CX` is invalid, this command would return an empty list. I have removed `readpipe CX` from the code, and indeed, it didn't change anything. But then, the map gets an empty argument so the block would never be executed and the first print statement would do nothing. I changed the map block to `{}` and that broke the obfu. I couldn't see what was wrong. After some time, I've realized that it's all just part of a long regexp. (I should have noticed that the readpipe statement doesn't print the error message it would normally print.) I located the end of the regexp. But then I did another mistake. I thought that the long regexp could never match anything. It's so long that it would never accidentally match and it doesn't have an alteration (`\|`) or a code block (`(?{})`) in it either, so I could just replace it with something simpler. I replaced it with 0 and the japh failed to work again. I tried some other replacements, like `?.^?` so that it would still reset `pos` and have whatever effect together with the `reset` statement, and still it wouldn't work. I overlooked the bracket in the beginning, and the worst thing is that I should have known better as Dietz fooled me with the exact same trick in YAJAPH. From that point, it was straightforward to deobfuscate the japh. I simplified the regexp to `/[528]/`. (This took quite some time, I had to look up every character in `$CX` to see if it's in the character set.) I saw that the pack statement unpacked the string by two characters each chunk (this wasn't trivial at first). So the chunks `65`, `80` and `72` would be matched and `chr` produces `APH` from this. Looking up $^T, I found that it was the time, so `chr(length($^T))` must be a newline. Finally, `"\@l"\|"\n"` is `"Jl` of which you take only the first character.	[reply] [d/l] [select]
Re: first (intentional) obfu by chargrill (Parson) on Feb 21, 2006 at 22:30 UTC
I like it! Though you'll have to wait for the vote fairy to make her rounds before I can ++ you. Anything that doesn't better reveal itself when run with -MO=Deparse is good in my book :) Read more... (2 kB) ++ forthcoming :) --chargrill `$/ = q#(\w)# ; sub sig { print scalar reverse join ' ', @_ } + sig map { s$\$/\$/$\$2\$1$g && $_ } split( ' ', ",erckha rlPe erthnoa stJu +" );` [download]	[reply] [d/l] [select]
Re: first (intentional) obfu by SamCG (Hermit) on Feb 23, 2006 at 18:53 UTC
Thank you all for your kind comments. ambrus especially for his sharp de-obfuscation, chargill especially for his mention of -MO=Deparse (a test I'll make sure any of my future obfus pass), and liverpole especially for welcoming me to the club ;). Actually, it was some of liverpole's impressive obfus that made me think I should post one, though I still don't think I'm particularly gifted at it. Next time, I'll try harder :)	[reply]
Re: first (intentional) obfu by liverpole (Monsignor) on Feb 22, 2006 at 15:32 UTC
Welcome to the club, SamCG, It's a novel approach for an obfu, and an especially good one for your first! @ARGV=split//,"/:L"; map{print substr crypt($_,ord pop),2,3}qw"PerlyouC READPIPE provides"	[reply]
Re: first (intentional) obfu by jdalbec (Deacon) on Feb 24, 2006 at 06:07 UTC
Your obfu has a Y2286 bug. See http://www.merlyn.demon.co.uk/critdate.htm.	[reply]
Re^2: first (intentional) obfu by SamCG (Hermit) on Feb 24, 2006 at 17:55 UTC
Yes, this obfu is not recommended for use in programming nuclear reactors, it is not prudent for medical equipment, and is not guaranteed for flight navigational or traffic control systems. ;)	[reply]


Syntactic Confectionery Delight
	PerlMonks