Obfuscating 'Hello world!” obfuscate on Python

create the weirdest obfuscated program that prints the string “Hello world!”. I decided to write up an explanation of how the hell it works. So, here’s the entry, in Python 2.7:

(lambda _, __, ___, ____, _____, ______, _______, ________:
    getattr(
        __import__(True.__class__.__name__[_] + [].__class__.__name__[__]),
        ().__class__.__eq__.__class__.__name__[:__] +
        ().__iter__().__class__.__name__[_____:________]
    )(
        _, (lambda _, __, ___: _(_, __, ___))(
            lambda _, __, ___:
                chr(___ % __) + _(_, __, ___ // __) if ___ else
                (lambda: _).func_code.co_lnotab,
            _ 



<p>String literals weren’t allowed, but I set some other restrictions for fun: it had to be a single expression (so no print statement) with minimal builtin usage and no integer literals.<br>
Getting started</p>

<p>Since we can’t use print, we can write to the stdout file object:<br>
</p>

<pre class="brush:php;toolbar:false">import sys
sys.stdout.write("Hello world!\n")

But let’s use something lower-level: os.write(). We need stdout’s file descriptor, which is 1 (you can check with print sys.stdout.fileno()).

import os
os.write(1, "Hello world!\n")

We want a single expression, so we’ll use import():

__import__("os").write(1, "Hello world!\n")

We also want to be able to obfuscate the write(), so we’ll throw in a getattr():

getattr(__import__("os"), "write")(1, "Hello world!\n")

This is the starting point. Everything from now on will be obfuscating the three strings and the int.
Stringing together strings

"os" and "write" are fairly simple, so we’ll create them by joining parts of the names of various built-in classes. There are many different ways to do this, but I chose the following:

"o" from the second letter of bool: True.__class__.__name__[1]
"s" from the third letter of list: [].__class__.__name__[2]
"wr" from the first two letters of wrapper_descriptor, an implementation detail in CPython found as the type of some builtin classes’ methods (more on that here): ().__class__.__eq__.__class__.__name__[:2]
"ite" from the sixth through eighth letters of tupleiterator, the type of object returned by calling iter() on a tuple: ().__iter__().__class__.__name__[5:8]

We’re starting to make some progress!

getattr(
    __import__(True.__class__.__name__[1] + [].__class__.__name__[2]),
    ().__class__.__eq__.__class__.__name__[:2] +
    ().__iter__().__class__.__name__[5:8]
)(1, "Hello world!\n")

"Hello world!n" is more complicated. We’re going to encode it as a big integer, which will be formed of the ASCII code of each character multiplied by 256 to the power of the character’s index in the string. In other words, the following sum:
∑n=0L−1cn(256n)

where L
is the length of the string and cn is the ASCII code of the n

th character in the string. To create the number:

>>> codes = [ord(c) for c in "Hello world!\n"]
>>> num = sum(codes[i] * 256 ** i for i in xrange(len(codes)))
>>> print num
802616035175250124568770929992

Now we need the code to convert this number back into a string. We use a simple recursive algorithm:

>>> def convert(num):
...     if num:
...         return chr(num % 256) + convert(num // 256)
...     else:
...         return ""
...
>>> convert(802616035175250124568770929992)
'Hello world!\n'

Rewriting in one line with lambda:

convert = lambda num: chr(num % 256) + convert(num // 256) if num else ""

Now we use anonymous recursion to turn this into a single expression. This requires a combinator. Start with this:

>>> comb = lambda f, n: f(f, n)
>>> convert = lambda f, n: chr(n % 256) + f(f, n // 256) if n else ""
>>> comb(convert, 802616035175250124568770929992)
'Hello world!\n'

Now we just substitute the two definitions into the expression, and we have our function:

>>> (lambda f, n: f(f, n))(
...     lambda f, n: chr(n % 256) + f(f, n // 256) if n else "",
...     802616035175250124568770929992)
'Hello world!\n'

Now we can stick this into our code from before, replacing some variable names along the way (f → , n → _):

getattr(
    __import__(True.__class__.__name__[1] + [].__class__.__name__[2]),
    ().__class__.__eq__.__class__.__name__[:2] +
    ().__iter__().__class__.__name__[5:8]
)(
    1, (lambda _, __: _(_, __))(
        lambda _, __: chr(__ % 256) + _(_, __ // 256) if __ else "",
        802616035175250124568770929992
    )
)

Function internals

We’re left with a "" in the body of our convert function (remember: no string literals!), and a large number that we’ll have to hide somehow. Let’s start with the empty string. We can make one on the fly by examining the internals of some random function:

(lambda _, __, ___, ____, _____, ______, _______, ________:
    getattr(
        __import__(True.__class__.__name__[_] + [].__class__.__name__[__]),
        ().__class__.__eq__.__class__.__name__[:__] +
        ().__iter__().__class__.__name__[_____:________]
    )(
        _, (lambda _, __, ___: _(_, __, ___))(
            lambda _, __, ___:
                chr(___ % __) + _(_, __, ___ // __) if ___ else
                (lambda: _).func_code.co_lnotab,
            _ 



<p>What we’re really doing here is looking at the line number table of the code object contained within the function. Since it’s anonymous, there are no line numbers, so the string is empty. Replace the 0 with _ to make it more confusing (it doesn’t matter, since the function’s not being called), and stick it in. We’ll also refactor out the 256 into an argument that gets passed to our obfuscated convert() along with the number. This requires adding an argument to the combinator:<br>
</p>

<pre class="brush:php;toolbar:false">import sys
sys.stdout.write("Hello world!\n")

A detour

Let’s tackle a different problem for a bit. We want a way to obfuscate the numbers in our code, but it’ll be cumbersome (and not particularly interesting) to recreate them each time they’re used. If we can implement, say, range(1, 9) == [1, 2, 3, 4, 5, 6, 7, 8], then we can wrap our current work in a function that takes variables containing the numbers from 1 to 8, and replace occurrences of integer literals in the body with these variables:

import os
os.write(1, "Hello world!\n")

Even though we need to form 256 and 802616035175250124568770929992 as well, these can be created using arithmetic operations on these eight “fundamental” numbers. The choice of 1–8 is arbitrary, but seems to be a good middle ground.

We can get the number of arguments a function takes via its code object:

__import__("os").write(1, "Hello world!\n")

Build a tuple of functions with argcounts between 1 and 8:

getattr(__import__("os"), "write")(1, "Hello world!\n")

Using a recursive algorithm, we can turn this into the output of range(1, 9):

"o" from the second letter of bool: True.__class__.__name__[1]
"s" from the third letter of list: [].__class__.__name__[2]
"wr" from the first two letters of wrapper_descriptor, an implementation detail in CPython found as the type of some builtin classes’ methods (more on that here): ().__class__.__eq__.__class__.__name__[:2]
"ite" from the sixth through eighth letters of tupleiterator, the type of object returned by calling iter() on a tuple: ().__iter__().__class__.__name__[5:8]

As before, we convert this into lambda form:

getattr(
    __import__(True.__class__.__name__[1] + [].__class__.__name__[2]),
    ().__class__.__eq__.__class__.__name__[:2] +
    ().__iter__().__class__.__name__[5:8]
)(1, "Hello world!\n")

Then, into anonymous-recursive form:

>>> codes = [ord(c) for c in "Hello world!\n"]
>>> num = sum(codes[i] * 256 ** i for i in xrange(len(codes)))
>>> print num
802616035175250124568770929992

For fun, we’ll factor out the argcount operation into an additional function argument, and obfuscate some variable names:

>>> def convert(num):
...     if num:
...         return chr(num % 256) + convert(num // 256)
...     else:
...         return ""
...
>>> convert(802616035175250124568770929992)
'Hello world!\n'

There’s a new problem now: we still need a way to hide 0 and 1. We can get these by examining the number of local variables within arbitrary functions:

convert = lambda num: chr(num % 256) + convert(num // 256) if num else ""

Even though the function bodies look the same, _ in the first function is not an argument, nor is it defined in the function, so Python interprets it as a global variable:

>>> comb = lambda f, n: f(f, n)
>>> convert = lambda f, n: chr(n % 256) + f(f, n // 256) if n else ""
>>> comb(convert, 802616035175250124568770929992)
'Hello world!\n'

This happens regardless of whether _ is actually defined in the global scope.

Putting this into practice:

>>> (lambda f, n: f(f, n))(
...     lambda f, n: chr(n % 256) + f(f, n // 256) if n else "",
...     802616035175250124568770929992)
'Hello world!\n'

Now we can substitute the value of funcs in, and then using * to pass the resulting list of integers as eight separate variables, we get this:

getattr(
    __import__(True.__class__.__name__[1] + [].__class__.__name__[2]),
    ().__class__.__eq__.__class__.__name__[:2] +
    ().__iter__().__class__.__name__[5:8]
)(
    1, (lambda _, __: _(_, __))(
        lambda _, __: chr(__ % 256) + _(_, __ // 256) if __ else "",
        802616035175250124568770929992
    )
)

Shifting bits

Almost there! We’ll replace the n{1..8} variables with , _, , _, etc., since it creates confusion with the variables used in our inner functions. This doesn’t cause actual problems, since scoping rules mean the right ones will be used. This is also one of the reasons why we refactored 256 out to where _ refers to 1 instead of our obfuscated convert() function. It’s getting long, so I’ll paste only the first half:

(lambda _, __, ___, ____, _____, ______, _______, ________:
    getattr(
        __import__(True.__class__.__name__[_] + [].__class__.__name__[__]),
        ().__class__.__eq__.__class__.__name__[:__] +
        ().__iter__().__class__.__name__[_____:________]
    )(
        _, (lambda _, __, ___: _(_, __, ___))(
            lambda _, __, ___:
                chr(___ % __) + _(_, __, ___ // __) if ___ else
                (lambda: _).func_code.co_lnotab,
            _ 



<p>Only two more things are left. We’ll start with the easy one: 256. 256=28</p>

<p>, so we can rewrite it as 1 

</p><p>We’ll use the same idea with 802616035175250124568770929992. A simple divide-and-conquer algorithm can break it up into sums of numbers which are themselves sums of numbers that are shifted together, and so on. For example, if we had 112, we could break it up into 96   16 and then (3 >) in Python, both of which are red herrings involving other ways of doing I/O.</p>

<p>The number can be decomposed in a variety of ways; no one method is correct (after all, we could just break it up into (1 
</p>

<pre class="brush:php;toolbar:false">import sys
sys.stdout.write("Hello world!\n")

The basic idea here is that we test various combinations of numbers in a certain range until we come up with two numbers, base and shift, such that base

The argument to range(), span, represents the width of the search space. This can’t be too large, or we’ll end getting num as our base and 0 as our shift (because diff is zero), and since base can’t be represented as a single variable, it’ll repeat, recursing infinitely. If it’s too small, we’ll end up with something like the (1 span=⌈log1.5|num|⌉ ⌊24−depth⌋

Translating the pseudocode into Python and making some tweaks (support for the depth argument, and some caveats involving negative numbers), we get this:

(lambda _, __, ___, ____, _____, ______, _______, ________:
    getattr(
        __import__(True.__class__.__name__[_] + [].__class__.__name__[__]),
        ().__class__.__eq__.__class__.__name__[:__] +
        ().__iter__().__class__.__name__[_____:________]
    )(
        _, (lambda _, __, ___: _(_, __, ___))(
            lambda _, __, ___:
                chr(___ % __) + _(_, __, ___ // __) if ___ else
                (lambda: _).func_code.co_lnotab,
            _ 



<p>Now, when we call convert(802616035175250124568770929992), we get a nice decomposition:<br>
</p>

<pre class="brush:php;toolbar:false">import sys
sys.stdout.write("Hello world!\n")

Stick this in as a replacement for 802616035175250124568770929992, and put all the parts together:

import os
os.write(1, "Hello world!\n")

And there you have it.
Addendum: Python 3 support

Since writing this post, several people have asked about Python 3 support. I didn’t think of it at the time, but as Python 3 continues to gain traction (and thank you for that!), this post is clearly long overdue for an update.

Fortunately, Python 3 (as of writing, 3.6) doesn’t require us to change much:

__import__("os").write(1, "Hello world!\n")

Here is the full Python 3 version:

getattr(__import__("os"), "write")(1, "Hello world!\n")

Thank you for reading! I continue to be amazed by this post’s popularity.

The above is the detailed content of Obfuscating 'Hello world!” obfuscate on Python. For more information, please follow other related articles on the PHP Chinese website!