Let's analyze the program. First you initialize @a with some large and small numbers. Then you tie @b - but to what, one may ask. Well, the result of &^Px$^P. It's not really relevant what &^P returns (an object - the result of AUTOLOAD), because $^P is essentially 0, leading to &^Px$^P being an empty string. Hence, it's tied into the class main. This causes main::TIEARRAY to be called, which is taken care off by AUTOLOAD - which returns an empty object blessed into the main class. Now Duff's device copies the elements of @a into @b one by one. However, since @b is tied, instead of storing the elements in @b, main::STORE is called. Again, this is taken care of by AUTOLOAD, but it doesn't store anything, it just returns another blessed object (which will be discarded right away).

What remains is the two subs. First the empty DESTROY makes sure destruction of the many objects created doesn't trigger AUTOLOAD to be called. Then AUTOLOAD. The first line sets $# to the value %c. This influences the way how Perl stringifies numbers (basically by doing sprintf "%c", $number;). It also sets %c, but that hash is never accessed. Then it prints $_[2], which, in the case of STORE, contains the number to be stored. Due to the way stringification has been altered, it results into garbage on my screen. Perhaps with another printing device a sensible message appears (I suspect the numbers in @a not to be random).

And that's it. Nothing is going to be stored in @b.

Abigail

Thanks for posting the solution.

Now I've got 3 different reports that the script does not work. Someone said it even did not work on Solaris. I can not reproduce the bad behaivior so it will be difficult to track down the bug, especially because it seems to run on most machines.

(Update @ 2006 may 24: it seems I could finally reproduce the error on a machine. I'll try to investigate it if I have time.)

I'll however explain where I've got the numbers and why they translate to a sensible message. I've got the basic idea after the thread $#="%c"; possible bug.

The trick is that $#="%c"; print 3.14; is entirely unlike printf "%c", 3.14;. Just try $#="%d"; print 10;! It does not print 10, rather, it prints 0 (i386) or some stupid number depending on the endianndess of your cpu. This is because when formatting numbers a la $#, perl calls sprintf (or some equivalent) with $# as a format and the number as a floating point number to the stack. I don't know where this is in the source, probably hidden somewhere in sv.c, but I'm quite sure it works like this.

Update: I'd be glad if someone could point me to the guilty code.

The floating-point numbers are given so that when represented as a double, their upper and lower 4 bytes are both the same small integer, the ascii code of a character in the message. I had to put the same integer twice, so that the code would work in both intel-endian and sparc-endian cpu's. Really, if you consider only one kind of cpus, half as much numbers would have been enough. Let me show this.

Type perl -we 'print join ", ", unpack "d*", pack "l*", unpack "c*", "perl"; print $/;'. This prints (on intel) 2.14321574942828e-312, 2.29175545480573e-312. Now using this numbers you can write perl -we '$#="%c%c"; print 2.14321574942828e-312, 2.29175545480573e-312; print $/;', which prints perl. I created the obfu in a very similar way.

The problem is that all this will fail if your perl was compiled with long double support, as the floating point format is quite different. There may be other problems why the script did not run for some people, which I currently don't know. Please check that your perl is not compiled with long doubles. Just run use Config; print qq[@Config{"nvtype","nvsize"}\n]; if it prints double 8, that is good. If it prints long double 12, the obfu will not work. There may also be issues about 64-bitness, I can not check that. Note that I have not tried the obfu from Windows, but in theory it should work.

I get "double 8" on ActiveState under win2k, yet the obfu doesn't work.

It does seem to have some issue with %c not working the same as printf, though. Printing 65 gives a nul character output, not 'A'. Printing 3.14 gives the bytes FD 91 BA B8 94 9F. Your print 2.14321574942828e-312, 2.29175545480573e-312; example prints "perl" as expected!

Maybe I wasn't clear in the explanation.

$#="%c";print 65; should not print an A. It pushes 65.0 (a double) and "%x" on the C stack, and calls sprintf. Then sprintf sees "%c", so tries to pop an int from the stack. 65.0 is represented as the bytes (00 00 00 00 00 40 50 40)hex, but an int is just 4 bytes so it pops (00 00 00 00)hex which is 0 as an int so it prints a nul char. (On sparc, however, it will get (40 50 40 00)hex, which is 67437568, so it will either print a null character or a multibyte character sequence corresponding to unicode chr 67437568, depending on the version of Perl.)

Dlugosz, I guess your cpu is an x86, correct me if it isn't.

I wonder, what is printf("%c", 2.92e48) supposed to do? There is no character with that number, so I would hope for an error.

I'm not sure where it would "naturally" wrap, if that's what it's doing, since the range of legal Unicode ordinals is not a neat power of two. (I'm getting Unicode code points displayed for something like printf '%c',0x434 even without a use utf8 or other preparation.)

I'd be interested to know just what yours is doing.

output  : Jwuv borvjgt Pgtn jbdmgt
expected: Just Another Perl Hacker
[download]

This is the output you get if the floating point valuse are given to too few decimal places. I thought this should not happen to the obfu I've given, but I'll check it (when I'll have time).