Why does this code give the output `C++Sucks`

? What is the concept behind it?

#include <stdio.h> double m[] = {7709179928849219.0, 771}; int main() { m[1]--?m[0]*=2,main():printf((char*)m); }

Test it here.

Skip to content
# deobfuscation – Concept behind these four lines of tricky C code

## The Question :

*386 people think this question is useful*
*The Question Comments :*
## The Answer 1

*497 people think this answer is useful*
## The Answer 2

*224 people think this answer is useful*
## The Answer 3

*107 people think this answer is useful*

## The Answer 4

*57 people think this answer is useful*
## The Answer 5

*24 people think this answer is useful*
## The Answer 6

*13 people think this answer is useful*
## The Answer 7

*11 people think this answer is useful*
## The Answer 8

*9 people think this answer is useful*
## The Answer 9

*1 people think this answer is useful*

2021-01-05

Why does this code give the output `C++Sucks`

? What is the concept behind it?

#include <stdio.h> double m[] = {7709179928849219.0, 771}; int main() { m[1]--?m[0]*=2,main():printf((char*)m); }

Test it here.

- @BoBTFish technically, yes, but it runs all the same in C99: ideone.com/IZOkql
- @nurettin I had similar thoughts. But it’s not OP’s fault, it’s the people voting for this useless knowledge. Admitted, this code obfuscation stuff may be interesting but type “obfuscation” in Google and you get tons of results in every formal language you can think of. Don’t get me wrong, I find it OK to ask such a question here. It’s just an overrated because not very useful question though.
- @detonator123 “You must be new here” – if you look at the closure reason, you can find out that it is not the case. The required minimal understanding is clearly missing from your question – “I don’t understand this, explain it” is not something that is welcome on Stack Overflow. Should you have attempted something
**yourself**first, would the question have not been closed. It’s trivial to google “double representation C” or the like. - My big-endian PowerPC machine prints out
`skcuS++C`

. - My word, I hate contrived questions like this. It’s a bit pattern in memory that happens to be the same as some silly string. It serves no useful purpose to anyone, and yet it earns hundreds of rep points for both the questioner and the answerer. Meanwhile, difficult questions that could be useful to people earn maybe a handful of points, if any. This is kind of a poster child of what’s wrong with SO.

The number `7709179928849219.0`

has the following binary representation as a 64-bit `double`

:

01000011 00111011 01100011 01110101 01010011 00101011 00101011 01000011 +^^^^^^^ ^^^^---- -------- -------- -------- -------- -------- --------

`+`

shows the position of the sign; `^`

of the exponent, and `-`

of the mantissa (i.e. the value without the exponent).

Since the representation uses binary exponent and mantissa, doubling the number increments the exponent by one. Your program does it precisely 771 times, so the exponent which started at 1075 (decimal representation of `10000110011`

) becomes 1075 + 771 = 1846 at the end; binary representation of 1846 is `11100110110`

. The resultant pattern looks like this:

01110011 01101011 01100011 01110101 01010011 00101011 00101011 01000011 -------- -------- -------- -------- -------- -------- -------- -------- 0x73 's' 0x6B 'k' 0x63 'c' 0x75 'u' 0x53 'S' 0x2B '+' 0x2B '+' 0x43 'C'

This pattern corresponds to the string that you see printed, only backwards. At the same time, the second element of the array becomes zero, providing null terminator, making the string suitable for passing to `printf()`

.

More readable version:

double m[2] = {7709179928849219.0, 771}; // m[0] = 7709179928849219.0; // m[1] = 771; int main() { if (m[1]-- != 0) { m[0] *= 2; main(); } else { printf((char*) m); } }

It recursively calls `main()`

771 times.

In the beginning, `m[0] = 7709179928849219.0`

, which stands for `C++Suc;C`

. In every call, `m[0]`

gets doubled, to “repair” last two letters. In the last call, `m[0]`

contains ASCII char representation of `C++Sucks`

and `m[1]`

contains only zeros, so it has a null terminator for `C++Sucks`

string. All under assumption that `m[0]`

is stored on 8 bytes, so each char takes 1 byte.

Without recursion and illegal `main()`

calling it will look like this:

double m[] = {7709179928849219.0, 0}; for (int i = 0; i < 771; i++) { m[0] *= 2; } printf((char*) m);

*Disclaimer:* This answer was posted to the original form of the question, which mentioned only C++ and included a C++ header. The question’s conversion to pure C was done by the community, without input from the original asker.

Formally speaking, it’s impossible to reason about this program because it’s ill-formed (i.e. it’s not legal C++). It violates C++11[basic.start.main]p3:

The function main shall not be used within a program.

This aside, it relies on the fact that on a typical consumer computer, a `double`

is 8 bytes long, and uses a certain well-known internal representation. The initial values of the array are computed so that when the “algorithm” is performed, the final value of the first `double`

will be such that the internal representation (8 bytes) will be the ASCII codes of the 8 characters `C++Sucks`

. The second element in the array is then `0.0`

, whose first byte is `0`

in the internal representation, making this a valid C-style string. This is then sent to output using `printf()`

.

Running this on HW where some of the above doesn’t hold would result in garbage text (or perhaps even an access out of bounds) instead.

Perhaps the easiest way to understand the code is to work through things in reverse. We’ll start with a string to print out — for balance, we’ll use “C++Rocks”. Crucial point: just like the original, it’s exactly eight characters long. Since we’re going to do (roughly) like the original, and print it out in reverse order, we’ll start by putting it in in reverse order. For our first step, we’ll just view that bit pattern as a `double`

, and print out the result:

#include <stdio.h> char string[] = "skcoR++C"; int main(){ printf("%f\n", *(double*)string); }

This produces `3823728713643449.5`

. So, we want to manipulate that in some way that isn’t obvious, but is easy to reverse. I’ll semi-arbitrarily choose multiplication by 256, which gives us `978874550692723072`

. Now, we just need to write some obfuscated code to divide by 256, then print out the individual bytes of that in reverse order:

#include <stdio.h> double x [] = { 978874550692723072, 8 }; char *y = (char *)x; int main(int argc, char **argv){ if (x[1]) { x[0] /= 2; main(--x[1], (char **)++y); } putchar(*--y); }

Now we have lots of casting, passing arguments to (recursive) `main`

that are completely ignored (but evaluation to get the increment and decrement are utterly crucial), and of course that completely arbitrary looking number to cover up the fact that what we’re doing is really pretty straightforward.

Of course, since the whole point is obfuscation, if we feel like it we can take more steps as well. Just for example, we can take advantage of short-circuit evaluation, to turn our `if`

statement into a single expression, so the body of main looks like this:

x[1] && (x[0] /= 2, main(--x[1], (char **)++y)); putchar(*--y);

To anybody who isn’t accustomed to obfuscated code (and/or code golf) this starts to look pretty strange indeed — computing and discarding the logical `and`

of some meaningless floating point number and the return value from `main`

, which isn’t even returning a value. Worse, without realizing (and thinking about) how short-circuit evaluation works, it may not even be immediately obvious how it avoids infinite recursion.

Our next step would probably be to separate printing each character from finding that character. We can do that pretty easily by generating the right character as the return value from `main`

, and printing out what `main`

returns:

x[1] && (x[0] /= 2, putchar(main(--x[1], (char **)++y))); return *--y;

At least to me, that seems obfuscated enough, so I’ll leave it at that.

It is just building up a double array (16 bytes) which – if interpreted as a char array – build up the ASCII codes for the string “C++Sucks”

However, the code is not working on each system, it relies on some of the following undefined facts:

- double has exactly 8 bytes
- endianness

The following code prints `C++Suc;C`

, so the whole multiplication is only for the last two letters

double m[] = {7709179928849219.0, 0}; printf("%s\n", (char *)m);

The others have explained the question pretty thoroughly, I’d like to add a note that this is **undefined behavior** according to the standard.

C++11 3.6.1/3 *Main function*

The function main shall not be used within a program. The linkage (3.5) of main is implementation-defined. A program that defines main as deleted or that declares main to be inline, static, or constexpr is ill-formed. The name main is not otherwise reserved. [ Example: member functions, classes, and enumerations can be called main, as can entities in other namespaces. โend example ]

The code could be re-written like this:

void f() { if (m[1]-- != 0) { m[0] *= 2; f(); } else { printf((char*)m); } }

What it’s doing is producing a set of bytes in the `double`

array `m`

that happen to correspond to the characters ‘C++Sucks’ followed by a null-terminator. They’ve obfuscated the code by choosing a double value which when doubled 771 times produces, in the standard representation, that set of bytes with the null terminator provided by the second member of the array.

Note that this code wouldn’t work under a different endian representation. Also, calling `main()`

is not strictly allowed.

First we should recall that double precision numbers are stored in the memory in binary format as follows:

(i) 1 bit for the sign

(ii) 11 bits for the exponent

(iii) 52 bits for the magnitude

**The order of the bits decrease from (i) to (iii).**

First the decimal fractional number is converted to equivalent fractional binary number and then it is expressed as order of magnitude form in binary.

So the number **7709179928849219.0** becomes

(11011011000110111010101010011001010110010101101000011)base 2 =1.1011011000110111010101010011001010110010101101000011 * 2^52

Now while considering the magnitude bits **1.** is neglected as all the order of magnitude method shall start with **1.**

So the magnitude part becomes :

1011011000110111010101010011001010110010101101000011

Now the power of **2** is **52** , we need to add biasing number to it as **2^(bits for exponent -1)-1**
i.e. **2^(11 -1)-1 =1023** , so our exponent becomes **52 + 1023 = 1075**

Now our code mutiplies the number with **2**, **771** times which makes the exponent to increase by **771**

So our exponent is **(1075+771)= 1846** whose binary equivalent is **(11100110110)**

Now our number is positive so our sign bit is **0**.

So our modified number becomes :

sign bit + exponent+ magnitude (simple concatenation of the bits)

0111001101101011011000110111010101010011001010110010101101000011

since m is converted to char pointer we shall split the bit pattern in chunks of 8 from the LSD

01110011 01101011 01100011 01110101 01010011 00101011 00101011 01000011

(whose Hex equivalent is ๐

0x73 0x6B 0x63 0x75 0x53 0x2B 0x2B 0x43

Which from the character map as shown is :

s k c u S + + C

Now once this has been made m[1] is 0 which means a NULL character

Now assuming that you run this program on a **little-endian** machine( lower order bit is stored in lower address) so pointer m pointer to the lowest address bit and then proceeds by taking up bits in chucks of 8 ( as type casted to char* ) and the printf() stops when encounted 00000000 in the last chunck…

**This code is however not portable.**