deobfuscation

How to properly deobfusacte a Perl script?

by

Caution: don’t blindly run obfuscated perl, especially if there’s an eval, backticks, system, open, etc. call somewhere in it and that might not be all too obvious*. De-obfuscating it with Deparse and carefully replacing the evals with print statements is a must until you understand what’s going on. Running in a sandbox/with an unprivileged user/in … Read more

How does this magic JavaScript code work?

by

Before looking closer at the code, you have to know that since JavaScript 1.5 identifiers are allowed to contain not just ASCII characters but also Unicode characters. In this case many of these funny sequences are just identifiers. After exchanging these identifiers by simpler identifiers and removing unnecessary comments and parenthesis, the code looks as … Read more

Concept behind these four lines of tricky C code

by

The number 7709179928849219.0 has the following binary representation as a 64-bit double: 01000011 00111011 01100011 01110101 01010011 00101011 00101011 01000011 +^^^^^^^ ^^^^—- ——– ——– ——– ——– ——– ——– + shows the position of the sign; ^ of the exponent, and – of the mantissa (i.e. the value without the exponent). Since the representation uses binary … Read more

Obfuscated C Code Contest 2006. Please explain sykes2.c

by

Let’s de-obfuscate it. Indenting: main(_) { _^448 && main(-~_); putchar(–_%64 ? 32 | -~7[__TIME__-_/8%8][“>’txiZ^(~z?”-48] >> “;;;====~$::199″[_*2&8|_/64]/(_&2?1:8)%8&1 : 10); } Introducing variables to untangle this mess: main(int i) { if(i^448) main(-~i); if(–i % 64) { char a = -~7[__TIME__-i/8%8][“>’txiZ^(~z?”-48]; char b = a >> “;;;====~$::199″[i*2&8|i/64]/(i&2?1:8)%8; putchar(32 | (b & 1)); } else { putchar(10); // newline … Read more

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)