5

I need to figure out what this obfuscated C++ code (written by someone else) does. I've figured pretty much everything, except one tricky part:

bool part1(char *flag)
{
    int *t = (int *) memfrob(flag, 8);

    unsigned int b[] = {3164519328, 2997125270};

    for (int i = 0; i < 2; b[i] = ~b[i], ++i);

    return !(0<:t:>-0<:b:>+1<:t:>-1<:b:>);
}

What is going on in the return statement of this function? I have no idea what these colons mean...

I've tried googling what does the colon operator in C++ do, but found only answers about class constructors and the conditional expression, which doesn't seem relevant to this problem.

Daniel Widdis
  • 8,424
  • 13
  • 41
  • 63
LeKSuS
  • 91
  • 5
  • @StoryTeller I'm not sure about adding [digraphs] as a tag. OP doesn't know that the syntax is using that feature, and if they did, the question would be moot. OTOH, the tag *is* relevant, so perhaps it's good to add it? – cigien Jul 10 '21 at 13:27
  • 1
    @cigien - deobfuscation is irrelevant as a tag. And making the question easier to find in the future is not doing harm to the OP. – StoryTeller - Unslander Monica Jul 10 '21 at 13:28
  • @StoryTeller-UnslanderMonica Yeah, removing [deobfuscation] makes sense. And you're right, there's no *harm* in adding a tag that helps with searches. Got it, thanks. – cigien Jul 10 '21 at 13:29
  • duplicates: [What is this smiley-with-beard expression: `<:]{%>`?](https://stackoverflow.com/q/15736282/995714), [`<:` and `:>` in obfuscated code](https://stackoverflow.com/q/25495042/995714) – phuclv Jul 10 '21 at 14:28

1 Answers1

7

The code is making use of two-letter alternative tokens, also known as "digraphs". Specifically, <: is [, and :> is ].

So, syntax like 0<:t:> is just 0[t], and since array subscripts can be swapped with the array identifier, this is just t[0].

A great tool that can help with deobfuscating code is cppinsights.io. As can be seen in the link, the code is just doing some arithmetic on the array values (ignore the static_cast for this example, it's not important for the purposes of understanding the transformation).

cigien
  • 57,834
  • 11
  • 73
  • 112
  • Furthermore, given that the program also uses the non-digraph symbols, the digraphs are presumably there for purpose of intentional obfuscation. – eerorika Jul 10 '21 at 13:37
  • @eerorika Yeah, it's definitely meant for obfuscation. As the OP mentions, they got the obfuscated code from somewhere, possibly from a competition, or quiz, or something like that. – cigien Jul 10 '21 at 13:40