### Let's go to the movies

by teamster_jr (Curate)
 on Apr 11, 2006 at 09:08 UTC Need Help??

Hello monks,
Here's my latest effort, it's pure perl, so should run anywhere.

It is parametised so it will take the number of boxes in the output as an argument in the form:
# perl blah.pl 19x20
(19x20 is the default)

This will produce a variable sized file (default is normally around 6Mb) called al.XXX (where XXX would reveal the surprise) in the directory from which it is run

```

\$_=q^(\$w,\$h
+)=s
plit/x/,shift||"19x20";\$q=10+10*\$w;\$r=20+10*\$h;@m=((31,(1
+5)x
(\$w-1))x\$h,(31)x\$w);\$m[\$c]|=16,!(@a=grep!(\$m[\$c+\$\$_[0]]&16+\$|*\$\$_[1])
+,[-
1,8],[1,1],[\$w,4],[-\$w,2])?\$c=pop@p:\${(\$i,\$j)=@{\$a[rand@a
]};\$m[\$c]&=~
(8/\$j);push@p,\$c;\$m[\$c+=\$i]&=~\$j;++\$u-\$h*\$w+\$h||map\$_&=15,@m,splice(@
+p),
\$c=\$|=1}until\$|&\$c+2>\$w*\$h;\$C=\$q-4*int\$q/4;\$A=(\$q+\$C)*\$r;\$u=pack"x"x(
+(\$q
+\$C)*\$r);subZd{my(\$f,\$g,\$h,\$i,\$e)=@_;@a=sort{"000\$a"<=>"000\$b"}\$h,\$i|
+|\$h
;for(\$a[0]..\$a[1]){\$s=(\$r-\$_)*(\$q+\$C)+\$f;vec(\$u,\$_,8)=\$e||2 for\$s..\$s
++\$g
-1}};subZt{\$a=shift;\$x=10*(\$a%\$w);\$y=10*(2+int\$a/\$w)};dZ9,\$q-20,10;dZ
+9,\$
q-20,\$r-10;dZ9,1,10,\$r-10;dZ\$q-11,1,10,\$r-10;map{t\$_;if(\$_%\$w){\$m[\$_]
+&2?
d\$x-1,11,\$y:"";\$m[\$_]&8?d\$x+9,1,\$y-10,\$y:"";}}0..-1+\$w*\$h;\$F="LIST";o
+pen
(FH,">al.avi");binmodeZFH;selectZFH;printZpack"V*",/\d/?\$_:unpack"V*"
+,\$_
Zfor"RIFF",(1256+(\$A+24)*(\$B=3+scalar@p)),"AVIZ\$F",1216,"hdrlavih",56
+,50
0000,32,0,2064,\$B,0,1,\$A,\$q,\$r,(0)x4,\$F,1140,"strlstrh",56,"vids",(0)
+x4,
1,10,0,\$B,\$A,-1,(0)x3,"strf",1064,40,\$q,\$r,pack("vv",1,8),0,\$A,(0)x4,
+pac
k(("C"x1024),(0xff)x3,0,128),\$F,(4+(\$A+8)*\$B),"movi";map{printZSTDOUT
+"."
;t\$z||1;\$l=\$x;\$t=\$y;t\$_;\$ri=\$x;if(\$l>\$x){\$ri=\$l;\$l=\$x}d\$l+2,5+\$ri-\$l,
+(\$t
<\$y?\$t:\$y)-7,(\$t<\$y?\$y:\$t)-3,1;\$z=\$_;print"00db".pack("V",\$A).\$u}@p,(
+-1+
\$w*\$h)x3;print"idx1".pack"V",16*\$B;\$o=4;for(1..\$B){print"00db".pack"V
+VV"
,16,\$o,\$A;\$o+=\$A+8}^;s#((?{\$a.=\$+})\s?(\S*)\s?)*#\$a=~s/Z/ /g;\$a#see

(that's supposed to be a clapboard btw!)

If there is enough interest i'll write a deobfuscation/explanation of what went into it,
I've written a clean version here.

In the meantime some of my references and some other notes are in the spoiler below:

I've tested the output in windows media player and mplayer (on windows and linux), however i couldn't get it working with winamp - i tried to fix it, but i'm not entirely sure it's not winamp.

• the data is generated by a hacked up version of this
• BMP file format
• I used tachyon's post here to remind me a bit about packing and to explore bmp file headers
• An excellent reference on the avi format can be found here

I hope you all enjoy it.
Alex
Also use V not L (see this) to force correct endianness - this should now work on mac's
and fixed a bug where it didn't work for 5.8.8

Replies are listed 'Best First'.
Re: Let's go to the movies
by liverpole (Monsignor) on Apr 11, 2006 at 11:56 UTC
An exremely clever idea! ++

Let me take a crack at deobfuscation ...

Running perl -MO=Deparse doesn't produce anything particularly readable, so I saved it to a file, and put newlines after all the semicolons:
```% perl -MO=Deparse movies > movies1
% vi movies1
% cat movies1
\$_ = qq[(\\$w,\\$h)=split/x/,shift||"19x20";
\\$q=10+10*\\$w;
\\$r=20+10*\\$h;
\@m=((31,(15\n )x(\\$w-1))x\\$h,(31)x\\$w);
\\$m[\\$c]|=16,!(\@a=grep!(\\$m[\\$c+\\$\\$_[0]]&16+\\$|*\\$\\$_[1]),\n [- 1,8]
+,[1,1],[\\$w,4],[-\\$w,2])?\\$c=pop\@p:\\${(\\$i,\\$j)=\@{\\$a[rand\@a]};
\\$m[\\$c]&=~\n 8/\\$j;
push\@p,\\$c;
\\$m[\\$c+=\\$i]&=~\\$j;
++\\$u-\\$h*\\$w+\\$h||map\\$_&=15,\@m,splice(\@p),\\$c\n =\\$|=1}until\\$|&\\$
+c+2>\\$w*\\$h;
\\$C=\\$q-4*int\\$q/4;
\\$A=(\\$q+\\$C)*\\$r;
\\$u=pack"x"x((\\$q+\\$\n C)*\\$r);
subZd{my(\\$f,\\$g,\\$h,\\$i,\\$e)=\@_;
\@a=sort{"000\\$a"<=>"000\\$b"}\\$h,\\$i||\\$h;
f\n or(\\$a[0]..\\$a[1]){\\$s=(\\$r-\\$_)*(\\$q+\\$C)+\\$f;
vec(\\$u,\\$_,8)=\\$e||2for\\$s..\\$s+\\$g-1}\n };
subZt{\\$a=shift;
\\$x=10*(\\$a%\\$w);
\\$y=10*(2+int\\$a/\\$w)};
dZ9,\\$q-20,10;
dZ9,\\$q-2\n 0,\\$r-10;
dZ9,1,10,\\$r-10;
dZ\\$q-11,1,10,\\$r-10;
map{t\\$_;
if(\\$_%\\$w){\\$m[\\$_]&2?d\\$x\n -1,11,\\$y:"";
\\$m[\\$_]&8?d\\$x+9,1,\\$y-10,\\$y:"";
}}0..-1+\\$w*\\$h;
\\$F="LIST";
open(FH\n ,">al.avi");
binmodeZFH;
selectZFH;
printZpack"L*",/\\d/?\\$_:unpack"L*",\\$_Zfo\n r"RIFF",(1256+(\\$A+24)*(\
+\$B=3+scalar\@p)),"AVIZ\\$F",1216,"hdrlavih",56,50000\n 0,32,0,2064,\\$B
+,0,1,\\$A,\\$q,\\$r,(0)x4,\\$F,1140,"strlstrh",56,"vids",(0)x4,1,1\n 0,0,
+\\$B,\\$A,-1,(0)x3,"strf",1064,40,\\$q,\\$r,pack("SS",1,8),0,\\$A,(0)x4,pa
+ck((\n "H"x1024),"f","f","f",0,"a"),\\$F,(4+(\\$A+8)*\\$B),"movi";
map{printZSTDOUTZ++\n \\$G,\\$/;
t\\$z||1;
\\$l=\\$x;
\\$t=\\$y;
t\\$_;
\\$ri=\\$x;
if(\\$l>\\$x){\\$ri=\\$l;
\\$l=\\$x}d\\$l+2,5+\\$ri-\\$\n l,(\\$t<\\$y?\\$t:\\$y)-7,(\\$t<\\$y?\\$y:\\$t)-3,1
+;
\\$z=\\$_;
print"00db".pack("L",\\$A).\\$u}\@p\n ,(-1+\\$w*\\$h)x3;
print"idx1".pack"L",16*\\$B;
\\$o=4;
for(1..\\$B){print"00db".pack\n "LLL",16,\\$o,\\$A;
\\$o+=\\$A+8}];

s[((?{\$a.=\$+})\s?(\S*)\s?)*][\$a =~ s/Z/ /g; \$a; ]see;
I knew you were writing to an .avi file (I didn't know you could do that ... very slick!), so I found the open statement:  open(FH\n ,">al.avi");.  But on the very next 2 lines:  binmodeZFH; and selectZFH;.  So you clearly had to be doing some processing on the string before using it.

Ah yes, there it is; near the end of the program is the regular expression substitution (with a double evaluation):

```s[((?{\$a.=\$+})\s?(\S*)\s?)*][\$a =~ s/Z/ /g; \$a; ]see;
So the next step is to drop one of the evaluations, and print the string *before* it would have been executed.  This can even be done on the original program with some Unix pipes, and two calls to sed.  (One call converts the double-evaluation to a single evaluation, and prints the string representing the innermost program instead of executing it.  The second call simply changes semicolons to newlines to make the program readable):
```% perl -MO=Deparse movies | sed s/see/se\;print/ | perl | sed s/\;/\;\
+\n/g

(\$w,\$h)=split/x/,shift||"19x20";
\$q=10+10*\$w;
\$r=20+10*\$h;
@m=((31,(15)x(\$w-1))x\$h,(31)x\$w);
\$m[\$c]|=16,!(@a=grep!(\$m[\$c+\$\$_[0]]&16+\$|*\$\$_[1]),[-1,8],[1,1],[\$w,4],
+[-\$w,2])?\$c=pop@p:\${(\$i,\$j)=@{\$a[rand@a]};
\$m[\$c]&=~8/\$j;
push@p,\$c;
\$m[\$c+=\$i]&=~\$j;
++\$u-\$h*\$w+\$h||map\$_&=15,@m,splice(@p),\$c=\$|=1}until\$|&\$c+2>\$w*\$h;
\$C=\$q-4*int\$q/4;
\$A=(\$q+\$C)*\$r;
\$u=pack"x"x((\$q+\$C)*\$r);
sub d{my(\$f,\$g,\$h,\$i,\$e)=@_;
@a=sort{"000\$a"<=>"000\$b"}\$h,\$i||\$h;
for(\$a[0]..\$a[1]){\$s=(\$r-\$_)*(\$q+\$C)+\$f;
vec(\$u,\$_,8)=\$e||2for\$s..\$s+\$g-1}};
sub t{\$a=shift;
\$x=10*(\$a%\$w);
\$y=10*(2+int\$a/\$w)};
d 9,\$q-20,10;
d 9,\$q-20,\$r-10;
d 9,1,10,\$r-10;
d \$q-11,1,10,\$r-10;
map{t\$_;
if(\$_%\$w){\$m[\$_]&2?d\$x-1,11,\$y:"";
\$m[\$_]&8?d\$x+9,1,\$y-10,\$y:"";
}}0..-1+\$w*\$h;
\$F="LIST";
open(FH,">al.avi");
binmode FH;
select FH;
print pack"L*",/\d/?\$_:unpack"L*",\$_ for"RIFF",(1256+(\$A+24)*(\$B=3+sca
+lar@p)),"AVI \$F",1216,"hdrlavih",56,500000,32,0,2064,\$B,0,1,\$A,\$q,\$r,
+(0)x4,\$F,1140,"strlstrh",56,"vids",(0)x4,1,10,0,\$B,\$A,-1,(0)x3,"strf"
+,1064,40,\$q,\$r,pack("SS",1,8),0,\$A,(0)x4,pack(("H"x1024),"f","f","f",
+0,"a"),\$F,(4+(\$A+8)*\$B),"movi";
map{print STDOUT ++\$G,\$/;
t\$z||1;
\$l=\$x;
\$t=\$y;
t\$_;
\$ri=\$x;
if(\$l>\$x){\$ri=\$l;
\$l=\$x}d\$l+2,5+\$ri-\$l,(\$t<\$y?\$t:\$y)-7,(\$t<\$y?\$y:\$t)-3,1;
\$z=\$_;
print"00db".pack("L",\$A).\$u}@p,(-1+\$w*\$h)x3;
print"idx1".pack"L",16*\$B;
\$o=4;
for(1..\$B){print"00db".pack"LLL",16,\$o,\$A;
\$o+=\$A+8}
at which point the functionality of the program becomes decipherable.

I'm particularly impressed with the way you write directly to the .avi file.  I'm going to definitely study how to do that, so I can make use of it in my own code!

s''(q.S:\$/9=(T1';s;(..)(..);\$..=substr+crypt(\$1,\$2),2,3;eg;print\$..\$/
Re: Let's go to the movies
by marto (Archbishop) on Apr 11, 2006 at 10:08 UTC
teamster_jr,

This is the best obfu I have seen in quite a while. Great work!

Thanks

Martin
Re: Let's go to the movies
by eric256 (Parson) on Apr 11, 2006 at 16:49 UTC

This rocks. Can you *please* walk through how it works?

___________
Eric Hodges
Re: Let's go to the movies
by CountZero (Bishop) on Apr 11, 2006 at 21:53 UTC
Amazeing! ++ well deserved!

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re: Let's go to the movies
by mikeock (Hermit) on Apr 11, 2006 at 19:12 UTC
That rocks!
Re: Let's go to the movies
by Akhasha (Scribe) on Apr 15, 2006 at 13:40 UTC
Runs out of memory on Perl v5.8.6 built for cygwin-thread-multi-64int, before printing anything to the console. No problems in debian stable though.
Awesome obfu!
Re: Let's go to the movies
by parv (Priest) on Apr 12, 2006 at 20:16 UTC
Can anybody tell me how much is the datasize requirement? As soon as the perl process's datasize exceeds the set datasize limit, the process dies (as expected). I had tried w/ limit set to 512 MB (a few mega bytes larger than user-available amount of 491 MB RAM). (Perl is 5.8.7, built w/ debugging & i386-freebsd-64int, running on FreeBSD/i386 6-STABLE.)
Re: Let's go to the movies
by wulvrine (Friar) on May 02, 2006 at 15:02 UTC
Thats pretty darn cool! nice job!

Create A New User
Node Status?
node history
Node Type: obfuscated [id://542489]
Approved by Corion
Front-paged by liverpole
help
Chatterbox?
and the voices are still...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (5)
As of 2018-04-20 00:10 GMT
Sections?
Information?
Find Nodes?
Leftovers?
Voting Booth?
My travels bear the most uncanny semblance to ...

Results (75 votes). Check out past polls.

Notices?