Decoding the obfuscated bash script on a Uniqlo t-shirt

318 pointsposted 3 hours ago
by speerer

68 Comments

wbh1

an hour ago

I love this shirt! Here's a nice video from the actual designer about the process of making this shirt (including intentionally making it hard to OCR): https://youtu.be/jocGLiecpjU?t=526

speerer

13 minutes ago

Author here. Thank you so much for the link which I hadn't seen! I'm very happy to see this and I'm gratified that it was deliberately difficult to OCR, not just me.

Tiberium

2 hours ago

OCRing this is a nightmare and is a good benchmark to any self-proclaimed good OCR/vision model.

I think though it could likely be easily OCR'd if you give the image to any decent agentic harness with a good vision model, e.g. newest Claude/GPT ones, and tell them to split the image per lines, and then just OCR each line individually.

I wonder if the script itself was written by an LLM before obfuscation? There seem to be a lot of comments in it, but in this case it's still ok :)

lemagedurage

an hour ago

I don't think it was written by an LLM, some things stand out:

The congratulations text is both in English and Japanese. Contains a single heart emoji.

There was an intention to have a cyan to orange gradient, but the range starts in an ANSI block, ends halfway through the 256 color block and 256 terminal colors are not arranged like a gradient at all.

There's no sleep at the end of the loop where I feel like an LLM would add that defensively.

n2j3

an hour ago

Human here. I added a sleep 0.5 at the end, it's too fast to read otherwise. Makes for a nice terminal screensaver!

INTPenis

37 minutes ago

Hi fellow human, I got the same idea. Just a sleep 0.1 before the echo "" makes it readable. Otherwise it scrolls way too fast.

make3

an hour ago

"the code is not quite detail oriented enough to be AI", times are changing

DaSHacka

34 minutes ago

More like 'not boilerplate-y enough'

lemagedurage

22 minutes ago

Ehh, AI makes plenty mistakes but they have a different vibe to it.

In my mind an AI would do something the most popular way even when that's not appropriate.

A human might do things in an unpopular way even when that's not appropriate.

OtherShrezzing

an hour ago

Safari's copy-text-from-image feature manages the entire base64 part of the string, except for the first character (I instead of a T). Weirdly, it gets much worse performance if you try to copy the entire string, including the hashbang part.

I wonder what it's doing under the hood to get such good performance?

khurs

an hour ago

Didn't know Safari had this.

Looked it up, you put mouse over text, then just select and copy it - very cool!

https://support.apple.com/en-gb/guide/safari/ibrw20183ad7/ma...

iamflimflam1

25 minutes ago

There’s a whole bunch of hidden features that no one seems to be aware of.

Preview has pretty good background removal.

Notes will transcribe audio from audio files.

agys

an hour ago

Preview has it too… And it works extremely well.

shakna

41 minutes ago

> I wonder if the script itself was written by an LLM before obfuscation?

From the prototype shown here [0], and the way they talk about their process, I sincerely doubt it. Especially as they mention trying to make it hard for AI to handle the output.

[0] https://youtu.be/jocGLiecpjU?t=567

netsharc

an hour ago

The last time Internet people were obsessed with OCRing some base64 was a few months ago when the DoJ released tons of emails from some guy who died, but they were released as rasterized PDFs.

Can't remember his name now, there's been so many distractions...

IshKebab

2 hours ago

Definitely LLM. No humans write that many comments.

ChrisMarshallNY

an hour ago

Ahem...

My code usually clocs at 50/50 (or thereabouts)[0]. Has, since my very first real engineering project (in 1987)[1]. I discuss in detail, here[2].

But one reason that I like LLMs, is that they help me to write even more documentation. I have found that I can instruct an LLM to revise my documentation, and make it even more effective.

[0] https://github.com/ChrisMarshallNY (My GH profile. Pretty much everything there, is like that -has, since long before LLMs were a broken rubber on the drug store shelf).

[1] https://littlegreenviper.com/wp-content/uploads/2022/07/TF30... (Downloads a PDF)

[2] https://littlegreenviper.com/leaving-a-legacy/

petu

an hour ago

Human could write that many comments to get enough base64 text for a design. Maybe to even get some of the highlighted characters in places they want (roughly equally spaced apart).

latexr

an hour ago

> No humans write that many comments.

Especially in a case like this, I would definitely write a lot of comments to aid in understanding, thus increasing trust so people would try it out and tinker with it.

boomboomsubban

an hour ago

Plus the main point of this code is to have people look at it, the function is secondary to being an easter egg.

Tiberium

2 hours ago

Honestly it's a bit of a shame. I checked and they could've shortened their base64 payload by 304 chars by removing all comments except the top two congratulatory ones, or by 524 if they removed those too.

OtherShrezzing

an hour ago

Would they still get the highlighted "PEACE FOR ALL" text throughout the shortened string? It looks like the length, and presence of those characters, was an explicit design choice.

lemagedurage

an hour ago

Maybe they added the comments to get a longer payload for the sake of the shirt's design.

The comments can be more cute/awe inspiring for people who aren't as familiar with bash but like solving puzzles as well.

yborg

an hour ago

The HN optimizing T-shirt compiler is the next stage here :D

saidnooneever

2 hours ago

im just sad it didnt render a qr code leading to malware :'). the different ways ppl look at obfuscated codes and scripts hah

world2vec

2 hours ago

Oh wow I saw that tshirt at the store and said to my girlfriend "no way that script is functional, probably just for show". I should have persevered.

actionfromafar

an hour ago

An easy miss. :-) Most of the time our thoughts are on autopilot, since we are not calm.

qiqitori

37 minutes ago

I once wrote a tool that helps with finding mistakes in OCR'd fixed width text, https://blog.qiqitori.com/2023/03/ocring-hex-dumps-or-other-...

Basically it just clusters same characters and asks the human to find the problems, which is easy when you're looking at a series of pictures like ssssss5sss.

The UI is kinda least-effort. Should ask a modern AI agent to make it look nice and intuitive, sometime maybe.

preetham_rangu

12 minutes ago

The real threat model here isn't the base64 payload, it's Uniqlo turning a T-shirt into a QR code that requires a human OCR pipeline to redeem.

haileys

2 hours ago

I thought it was funny that the author used a variety of OCR tools with mixed success before spending a lot of time manually fixing up the output from the best one, rather than just typing it in

christoph

an hour ago

That was also my thought… but I grew up mashing rubber keys for hours copying “games” out of magazines and books! Then hours after fixing all the typos!

grumbel

29 minutes ago

Gemini3.5 Flash didn't have a problem OCR'ing and base64 decoding it, despite the OCR step having errors, it just fixed them in the base64 decoding step.

acters

an hour ago

I ran it through paddle paddle OCR and it flawlessly did it. Google's OCR through my phone's Google lens had also worked at getting a very good extraction but not 100% correct. Definitely would spend less time fixing it than hand copying.

IDK what the author was using but I feel like he could have shared how his OCR attempt went, but I am thinking he tried some naive OCR tools.

speerer

17 minutes ago

Author here - that's a good idea actually, it shouldn't be too hard to compare the various attempts. The tools I used were whatever my Android built-in is (likely Google Gemini, but I can't tell whether this is something Samsung has replaced in OneUI); tesseract; tesseract with various tweaks and charsrt restrictions; Claude; and finally, manual fixes based on disagreements between all the previous.

rtldg

an hour ago

Took me almost 2 minutes for 4 lines (and I missed a character in one of them!). I would opt for OCR too, obviously so I'm prepared for the next bash t-shirt I'd come across...

OtherShrezzing

an hour ago

I think this is a case where two people can successfully complete the task manually faster than one attempting to automate it. Get a ruler, read five centimetres of characters to your colleague, have them type it in as you go, then repeat that five centimetres back to you. Correct as you go. Format your string with the same line-breaks as the t-shirt, and remove them at the end, so you can be sure you've got the correct length on each row. Trial-and-error adjust the five-cm distance depending on your success rate as you go along

All in, you should have a non-corrupted string in 10-15 min.

mayas_

2 hours ago

"just typing it" would be more error prone for the average human

duskdozer

an hour ago

I'm guilty of this, but for me this kind of thing is optimizing over annoyance rather than time.

DrewADesign

2 hours ago

> I guess Uniqlo is run through Windows though: one thing that struck me was the font, which I’m almost certain is Consolas,

Surely this would use whatever font the virtual terminal profile was set to? I don’t know of any method to choose a virtual terminal font from bash and don’t see any code that addresses it?

nisiddharth

2 hours ago

They're referring to the font on the T-shirt.

tym0

an hour ago

Thank you for spelling it out for me because I thought I was looking at a completely hallucinated AI article...

FijiBY

11 minutes ago

Nice investigation, thx

khurs

an hour ago

Brilliant marketing when you can get people to pay to walk around advertising with your logo!!

dylanzhangdev

2 hours ago

Cool! I bought one a few months ago as soon as I spotted it at a Uniqlo store, and later ordered a larger size online—I really love wearing them. But it never occurred to me to look into the story behind them.

doppp

an hour ago

Thanks for the post! Love Easter Eggs like these!

kijin

44 minutes ago

Well at least they're not instructing consumers to run curl | bash.

That's better than half the tech howtos out there.

INTPenis

36 minutes ago

No, they're instructing their customers to run unknown base64 encoded code instead. :D

l337h4x0rz

an hour ago

there's no newline between the shebang and the actual code

icevl

an hour ago

Base64 without error correction turns the t-shirt itself into a lossy transport layer, so the OCR/transcription step becomes the actual challenge.

high_byte

2 hours ago

what if it contained a zero day for tesseract and the script you thought you got is just a throwaway

brazzy

an hour ago

After being primed by the article, I read the author's name as "Shirtliker"...

breppp

35 minutes ago

Feels very reminiscent of the old DeCSS tshirts era

lloydatkinson

an hour ago

P ./cool.sh: line 31: bc: command not found ./cool.sh: line 34: bc: command not found ./cool.sh: line 37: bc: command not found E ./cool.sh: line 31: bc: command not found ./cool.sh: line 34: bc: command not found ./cool.sh: line 37: bc: command not found

Very wow. Shame they assumed everyone has "bc"...

em500

an hour ago

Why would that be a shame? "bc" is a mandatory POSIX command, while /bin/bash isn't (/bin/sh is the standard).

greazy

an hour ago

Which distro are you running? Perchance did you run the shell script in alpine Linux (docker)?

piacos_

an hour ago

it doesn't seem to be installed on my endeavouros laptop

comradesmith

an hour ago

You are fun.

lloydatkinson

18 minutes ago

Are we really at the "redditor insult" type comments stage of HN now? There is nothing wrong with saying a piece of code is broken.

bryanrasmussen

2 hours ago

Why does the shirt have an obfuscated bash script on the back?