perls before /. swine

Jayce^ jason at infogenix.com
Mon Apr 18 12:35:20 MDT 2005


On Monday 18 April 2005 12:19, Gabriel Gunderson wrote:
> I came across a sig on /. that caught my eye.  I guess it is supposed to
> be malicious code.  I took the perl -e off the front so nobody will run
> it.  What does it do?
>
> '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{~" -;;s;;$_;see'
>
> One thing is for sure, it reinforces the idea that perl can be cryptic.

Yeah, and they are trying very hard to make it so :)

This tool can help a *little* bit in the readability.

[jayce at riva bin]$ perl -MO=Deparse,-p -c -e \
'$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{~" -;;s;;$_;see'

-returns-

($? ? s/;s/s;;$?/ : s//=]=>%-{<-|}<&|`{/);
tr( -/:-@[-`{-})[`-{~" \-];
s//$_;/see;
-e syntax OK


-----
Some help:
       $?      The status returned by the last pipe close, backtick (``) 
command, successful call to wait() or waitpid(), or from the system() 
operator.

(Perldoc perlvar for more information)

the second ? is part of a ternary operation (like C) in which if the return 
value is true, the first regex is performed, else the second one is.

Then it performs the tr.

then another regex, note the switches 'see' at the end.  S is for treating it 
as a single line, and 'e' means evaluate the modified value, the second e 
means evaluate the evaluated return :)

They are making soem fun use of the $_ (default var) in this script.

Now with those hints, anybody want to explain?


-- 
Jayce^
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://plug.org/pipermail/plug/attachments/20050418/02330e26/attachment.bin 


More information about the PLUG mailing list