JavaScript (SpiderMonkey), 66 bytes, cracked by user

if (readline() === ([0][1]+"").slice(4,8)) console.log('cracked!')

Try it online!

The flag is the string cracked!

JavaScript, 10428 bytes, cracked by ovs

Because no one said there was a character limit :)

The flag is cracked! otherwise there is no output.

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]]+[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+([][[]]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]])[(![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]]((!![]+[])[+[]])[([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]](([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]]+![]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])()[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])+[])[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]])())

Vyxal, 151 Bytes

bṅṅB`🍌🐒🐵🙉🙈🙊`τ `🍌🐒🐵🙉🙈🙊`βb→a
←a L8∆* →b
←aṅ \0 ←b ø↳→c
←c ←c L8 / / →d
←d2vβCṅ₴

Flag

“Ò~pg‡lwAÓFX6ïå»NìðaÝ’
¾`Ç¿&X4óƒvþwßË^Ùî‚6þPsß·,²áç¿tzOΙqïɧvx6ïݯ/ž|2á×Ø÷òå—Mža

I was trying to make an encoder and decoder for monkeyspeak but the decoder was decoding incorrectly so I just merged them together and made a cop post for this challenge. I have no idea how the output works. For all I know, it could be a cryptographic hash function!

Try it online!

Vyxal rS=, 6.25 Bytes, Cracked :(

₀Þ∞Ẏ*∆i

Better know your \$\pi\$ digits! The whole input must match the regex \d+, and the output is the exact string 8 8 1 3 4 6 3 6 4 1 with a trailing newline.

Try it here.

Python 3, 163 Bytes, cracked :(

import re
try:exec(input().replace("sys.stdout.write","print").replace("print","import sys;sys.stderr.write"))
except Exception as e:print(re.sub('\(.*\)','',str(e)))

The flag is the string not a chance with a trailing space then a trailing newline written to STDOUT, without using builtin functions or manipulating the exec function to do so to print a message.

Try it online!

Vyxal, 12 bytes

₌₃Ė₍¨=Ṙ‡2ȯJA

Try it Online!

Flag is 1.

R, 66 bytes, Cracked by Dominic van Essen

function(x) with(x, is.finite(a) && is.finite(b) && is.nan(a + b))

Try it online!

This is a slight (but significant) modification of my previous post. The flag is TRUE. That is, find x such that f(x) is TRUE.

Intended solution

Try it online! There are no two finite numbers that add to NaN. So we have to exploit the use of with. with uses the the contents of x to evaluate the expression. So simply redefine the function && to be unconditionally TRUE.

Python 3, 24 bytes, flag "tab"

print(input() % chr(97))

Try it online!

Easier than you think.

dotcomma, 819 bytes, cracked by the default.

[[,.][[,.],[.[[,.][.].]],.[[.,]]].,][,.]
[,],[[,.][[.][[[.][.].,][,.][.].,][[.][.
][.].,].[[[,.][[].[],.][[[,][,.].,]].,][
[,][.]].][,.][[,][[[,.][[[[.][.].,][,][.
][,][,.].,]].,].[[[,.][[[,][,.].,]][[].[
],].,][[,]].][,.][[,.][[[[.]][.][[[.][[.
]][[[[.]][[.][.][.].,][,.].,][.][,.].,][
,.][[.]].,][,.][.].,][[.]][,.].,][,.].][
.].,]][[.]].,]].,][,],[[[,.][.[[[,.][[].
[.],].,].][[,.][,.][,.].,]].,]][[,.].[.[
[.][,.].][[[[.][.][.][.].,][,.].,],][[[,
.][[[[[[[[[,][,.].,][,.].,][,][,.][.][.]
[.].,][.].,][.].,],],][.][.][.][.][.].,]
.,][.][.].,][,][,][,][,][,][,][[,.][[,][
,][,]].,][,][,][,][[,.][[,][,][,][,][,]]
.,][,][[,.][[[,.][[,]].,]].,][,]],.[[[,.
][[[[.][.][.].,][,][,][,.][[].[,],].,]].
,][[[,.][[[[[[[,.][.].,][.][.].,],][.].,
][.].,],].,][.][.][.][.].,][,][,][,][[,.
][[[,.][[,][,][,]].,]].,]]][.][[.]][[.]]

Try it online!

The flag is accepted.

Since this language is quite new and I've only seen two people (the inventor and me) using it so far, I tried to find a good balance between too hard and too easy.

If I've done it correctly, the code will have two valid passwords. The interpreter is written in Javascript and therefore runs on your local machine.

On my notebook it takes about five seconds to show "accepted" after entering the correct password.

Solution:

The intended solution is the number 49375. I initially wanted to use the decimal value of 0xC0DE (49374), but got things messed up in my head and ended up one number too high. The comparison function works in a way that the input and the solution are being decremented in a loop until one of them becomes zero. Then the other one must be 1 to be accepted. That means, 49376 is also a valid solution.

Other known solutions are [49375], [49376], [49375, -1] and [49376, -1]

The way this was meant to be cracked:

dotcomma is an esoteric language that is really hard to read, so I don't wanted anybody, to really "decompile" it and know exactly, what each command does, but to puzzle around with the blocks.

As already stated in my first comment, the language works a bit like Brain-Flak. The input will implicitly become the initial values in the queue and after the program ended, the content of the queue will implicitly be printed. So an empty program is a cat program.

To solve this, you first need to find the start and end of each block, what will result in something like this:

(1) [[,.][[,.],[.[[,.][.].]],.[[.,]]].,]
(2) [,.]
(3) [,],
(4) [[,.][[.][[[.][.].,][,.][.].,][[.][.][.].,].[[[,.][[].[],.][[[,][,.].,]].,][[,][.]].][,.][[,][[[,.][[[[.][.].,][,][.][,][,.].,]].,].[[[,.][[[,][,.].,]][[].[],].,][[,]].][,.][[,.][[[[.]][.][[[.][[.]][[[[.]][[.][.][.].,][,.].,][.][,.].,][,.][[.]].,][,.][.].,][[.]][,.].,][,.].][.].,]][[.]].,]].,]
(5) [,],
(6) [[[,.][.[[[,.][[].[.],].,].][[,.][,.][,.].,]].,]]
(7) [[,.].[.[[.][,.].][[[[.][.][.][.].,][,.].,],][[[,.][[[[[[[[[,][,.].,][,.].,][,][,.][.][.][.].,][.].,][.].,],],][.][.][.][.][.].,].,][.][.].,][,][,][,][,][,][,][[,.][[,][,][,]].,][,][,][,][[,.][[,][,][,][,][,]].,][,][[,.][[[,.][[,]].,]].,][,]],.[[[,.][[[[.][.][.].,][,][,][,.][[].[,],].,]].,][[[,.][[[[[[[,.][.].,][.][.].,],][.].,][.].,],].,][.][.][.][.].,][,][,][,][[,.][[[,.][[,][,][,]].,]].,]]]
(8) [.]
(9) [[.]]
(10) [[.]]

Then try out, what each block does.

Block 1 (filter): This block actually answers the default.'s question (sorry, I didn't answer it clearly. No other submission had to answer details about the password, and the "wrong password :(" was the only red herring I added to the program. So I didn't want to say "No, it's actually a five digit integer"). If you run that with different data types (numbers, strings, lists of numbers or strings), you will see that it returns the first element of a string or list, if it has multiple elements, or it will return a 1 and the element, if you enter a number or a string/list with only a single letter in it. The purpose of this becomes clear, if you add the second block to it.

Block 2 (delete first element): If you run blocks 1 and 2, you will see that the output will be empty if you input anything with multiple values. Only single numbers or single letters will remain in the queue. (Actually the default. found a bug in the programming language, because negative values should not be possible in the queue. You can't programmatically write a negative value onto the queue, and negative values won't be written to the output, but apparently they still can be read from input). So from this point, it should be clear that the password is either a number or a single letter.

Block 3 (run next block, if there's something in the queue): This will not change the output, but is there for control. You can ignore it.

Block 4 (build constants for comparison): This will build the list [49375, 96, input]. At this point, you may ask yourself, what the big number is for and that it may be important for the password.

Block 5 (run next block, if there's something in the queue): Same as block 3. Since there are three values in the queue, this will also rotate the queue, so the output is [96, input, 49375].

Block 6 (compare input and password): As stated earlier, this decrements the input and the number 49375, until one of them becomes zero. Then decrements the other another time and appends the 96 to it. The output is [49375-input (or input-49376), 96]. At this point, you should point out that you have to change the input in a way that the first value becomes something interesting, like 0, -1 or maybe 96?

Block 7 (write output): This block checks if the first value is 0. If so, it uses the second value to build the string "accepted". If not, it fills the queue with the string "rejected".

Blocks 8-10: Those are just fillers, so my submission will have a nice rectangle shape.

Python, 62 bytes, cracked by @dingledooper and later @M Virts

exec(input(),{"__builtins__":{"if":dir(__import__(input()))}})

Attempt This Online!

Let's try again. Inputs via STDIN, output should be Hello world! printed to STDOUT with a trailing newline. Works in CPython 3.10.

dingledooper got my intended solution.

As for M Virts': dammit, I always forget Python can do that kind of stuff!

Python, 57 bytes, cracked by PyGamer0

exec(input(),{"__builtins__":{"if":__import__(input())}})

Attempt This Online!

Works in CPython 3.10. Inputs via STDIN, and should print Hello world! with a trailing newline to standard output.

Unintended crack, so let's have another go.

JavaScript, 13 bytes, cracked by m90

x=>x in x&&!x

The password must be passed in to the function, and the flag, true, must be returned from the function.

You can try solutions out in the (non-normative) snippet below:

console.log((x=>x in x&&!x)(eval(prompt())))

JavaScript (ES6), 117 bytes, cracked by @tjjfvi

_=>{c=prompt();if(/[^!-'*-Za-z]/.test(c))throw'CHEATER!';x=(o=>o(o.a,o.b,o.c,o.d))((0,eval)(c));return(x===x&&x!==x)}

The function must be called without arguments. The password must be provided via prompt(), and the return value of the function must be true (boolean). Otherwise logging true to the console is not acceptable. You may only use language features as specified in the ES6 standard, using platform-dependent APIs is forbidden.

You can test your passwords here:

f=_=>{c=prompt();if(/[^!-'*-Za-z]/.test(c))throw'CHEATER!';x=(o=>o(o.a,o.b,o.c,o.d))((0,eval)(c));return(x===x&&x!==x)}

console.log(f())

I really hope I managed to filter out all passwords other than the intended one :D

JavaScript, 81 bytes, cracked by ovs

Let's try this again...

alert("xx".split(new RegExp(p=prompt())).reduce((a,b)=>a+b,"").length>2+p.length)

The flag is true.

https://xkcd.com/2217/

JavaScript, 57 bytes, cracked by Conor O'Brien

alert("xx".split(new RegExp(p=prompt())).join``.length>2)

The flag is true.

https://xkcd.com/2217/

Vyxal, 31 bytes (safe)

I.dI:⅛kF*×u⅛Ė.SṪḢ42f÷₍+*Π¾J∑Cøṙ

Try it Online!

Flag: EEEEEEEEEEEEEEEEEEEEEEEE Flag should be printed to STDOUT.

Under the original specifications for this cop, okie had a clever crack here, but that was an unintentional crack, so a couple clarifications are in order.

• The input will not contain any subset of the flag.

• The program should not return any errors.

Intended Solution: 21⅛3 Try it Online!

Before execution, Vyxal attempts to execute the input and see what it returns. The reason for this is to allow you to do things like input a list in Vyxal format, and it will work as intended. This also allows you to put Vyxal code in the input, but normally it will just get captured as a string. For example, and input of 69d:e would just input the string 69d:e.

However, if you put a number at the end of that input, it only captures that number as input, and discards all of the code leading up to it. For example, an input of 69d:e2 would input the number 2, and discard the 69d:e.

In the discarded code, trying to assign variables and functions doesn't do anything, nor does assigning to the global register, since those are in a different scope from the main program. However, the global array is global, and persists after the input execution. In the solution, 21⅛3 pushes 21 to the global array, then inputs 3.

Now let's go through the program step-by-step.

.dI:⅛ - Push 1 to the global array and to the stack

kF* - Multiply FizzBuzz by the 1 on the stack

u⅛ - Push -1 to the global array

× Ė - Multiply the FizzBuzz by the inputted 3 to get FizzBuzzFizzBuzzFizzBuzz

.SṪḢ - Push .

42f÷₍+*Π - Push 48

¾J∑ - Concatenate the global array and the 48 and add. We used the input to push 21 to the global array, so this comes out to 69.

C - Convert to character to get E

øṙ - Regex replace: In string FizzBuzzFizzBuzzFizzBuzz, replace with E anything matching the regex .

JavaScript (Node.js), 209 bytes, Cracked by m90

p=v=>{try{a=[];(f=c=>c?f(c/6n|0n,a.push('![]()+'[c%6n])):0n)(h=BigInt(JSON.stringify(v).replace(/\D/g,'')));try{v=eval(a.join``)}catch(e){return false};if(h<1n<<10000n)throw'x'}catch(e){return v[0]===Math.PI}}

Try it online!

Confused? Good.

Takes a JS value as input, flag is true returned from the function.

This basically resolved down to two separate problems - either expressing Math.PI in ~3600 bytes (10k bits) of Jsfuck which I wasn't sure was possible - My best attempt was around 4000 bytes; or making JSON.stringify error.

I intended to use a cyclic object reference - Try it online!, but m90's idea of a BigInt also works, and probably several other things.

ayr, 41 bytes

Not the most creative, but it makes use of some weird + unique behavior I discovered or wanted to use while thinking of something. I'm not sure if there are multiple flags that will work for this one, which was the case for my previous Arn problem.

%/=:"101&~:&:`;:,/.;`.'/ /%'#.,./&.`#&:=I

The desired flag is 4.368051189167166e_9. This is a full program, so don't run it from the cli.

There is currently no online interpreter, but I'm going to set one up within the next couple of days, as the language is written entirely in JS. As it stands you can npm i -g ayr-lang and use ayr <file of program> [flag].

Python, 54 bytes, cracked by m90

lambda x,y:x.isidentifier()and exec(f"{x}(1),1/0;{y}")

Attempt This Online!

Works in CPython 3.9.7. Accepts two strings as passwords. The flag is None, which should be returned from the function.

m90 got my intended solution. y was just a red herring

Stable Rust 1.52.1, 171 bytes

fn u<T:'static>(_:T){use std::any::*;let _=unsafe{(1 as*mut T).read_volatile()};let a=type_name::<T>();print!("{}",&a[41..]=="(((), ()), ((), ()))>"&&a.contains("&dyn"))}

Playground

Entering the right password will print true and won't segfault (or print anything to stderr). This relies on implementation-defined behavior, so this will only probably work on different versions of Rust.

Password: u::<fn(&dyn std::any::Any)->(((),()),((),()))>.

Explanation:

There are probably other valid passwords but this is the intended one. The function is generic over all 'static types so you can put in almost anything into the function. However, most types will immediately segfault- unsafe{(1 as*mut T).read_volatile()} is a volatile read of address 1. However, not everything will segfault- in Rust, types with a size of zero can be read from any well-aligned non-null pointer, and most zero-sized types have an alignment of one.

This brings me to the second safeguard: parsing the type name. This is the implementation-defined part- the type_name function is only guaranteed to be a best-effort description of the type. The type name was chosen to be particularly difficult to find a zero-sized type to match. The solution I have uses a particular monomorphization of the function I submitted to pass the criteria. It is likely possible to define another type that meets the criteria. Ungolfed code with solution entered.

JavaScript (V8), 26 bytes, cracked by emanresu A

Seemed like a cool challenge, so here's an easy one.

Pass any JS value into the function. Flag is true printed to stdout. (boolean, not string.) If there is any other output apart from true is considered not cracked.

x=>console.log({}[x][x]())

Try it online!

Intended solution:

{v: 0, toString() {Object.prototype.f = () => true; return this.v++ ? "f" : "valueOf"}}

This works because:

{}[x] calls the toString method of x

valueOf returns the original object

Therefore, modifying the Object prototype to add a method f in the toString method of x, returning "valueOf" the first time and "f" the second time does the trick

Python, 141 bytes, cracked by okie

from keyword import*
x=input()
if~-iskeyword(x)and x.isidentifier():
 exec(x,d:={"__builtins__":{}})
 try:exec(f"del {x}",d)
 except:print(1)

Attempt This Online!

This is quite a long setup for what is perhaps a simple trick. Works in CPython 3.9.7. Given the correct input, it should print 1 (with a newline, to STDOUT).

Python 3, 166 bytes, cracked by @ovs

def f(s,a):1/(not{*"_.}"}&{*s});c=compile(s,"","exec");x=bytearray(c.co_code);[0for i in a for x[i]in[9]];return eval(c.replace(co_code=bytes(x)),{"__builtins__":{}})

Attempt This Online!

Works on CPython 3.9.6. Accepts two inputs: a string s and a list of integers a. Should return the dictionary {"a": "b"} (not a string that looks like that dictionary!).

Python 3, 67 bytes, cracked by @rak1507 and @ovs

def f():
 try:exec(open(0).read())
 except:0
 return lambda:["wow"]

Attempt This Online!

Works in CPython 3.9.6. Input via stdin, and outputs by returning a function that returns a singleton list. Your crack should change the output to the string hah (also in a singleton list, in a function, as the return value).

Addendum: I keep trying to write answers to It almost works, but I keep finding unintended workarounds and having to post them here where I can set stricter rules.

@rak1507 and @ovs both cracked this, presumably separately, using ctypes to directly mutate the strings. Here's my intended solution:

import sys
def t(_, m, v):
    import sys
    if m == "return": v[0] = "hah"
    return sys.t
sys.t = t
sys.settrace(t)

If it weren't for some complicated problems (see below), I could have this answer which is a bit easier to read:

import sys
def t(_, m, v):
    if m == "return": v[0] = "hah"
    return t
sys.settrace(t)

sys.settrace enables tracing for the interpreter, which means many operations trigger the calling of the given trace function (here that's t), a feature intended for implementing Python debuggers.

One of the operations that triggers a trace is just before the return of a function; the third argument is the returned object. In this case the returned object is a list which we can mutate, so when the second argument ("event type" is "return"), I set its first element to hah. (The first argument is the stack frame object, which is unused here).

My answer had to return a function that returns the value because tracing is not enabled until a new stack frame is entered (another function being called).

The trace function should return a new trace function (normally itself), or None to disable tracing. My trace function needs to return itself here, but because the code is run by exec, by the time the trace function is executed, it's lost a reference to its global scope and t is no longer defined. For this reason we need to store it somewhere else that won't be garbage collected. Here I chose to set it as an attribute on the sys module because it's convenient.

Python 3.8 (pre-release), 163 bytes, safe.

My output is KDIITIWDRIKIDITI

import random
f=open(1,'w')
random.seed(0)
r=[random.randint(0,255) for l in range(255)]
a=input().encode()
for b in a:
 while b >26:
  b=r[b]
 f.write(chr(b+64))

Try it online!

My original password is passthevoidsalts

Since this basically follows a random directed graph (not a-cyclic, I just got lucky my password doesn't crash it) until it lands within a subset of nodes, it's straight forward to create a lookup table for each letter. Originally I tried to create a reversing crack, which works, but the .encode() on the input threw me off so I ran the process forwards to build a lookup table instead.

For each line output by this crack is the list of options to generate the corresponding character in the desired output.

import random 
out = 'KDIITIWDRIKIDITI'
a = [c for c in range(127) if chr(c).isalpha()]
random.seed(0)
r=[random.randint(0,255) for l in range(255)]
od={}
odd={}
for b in a:
 ob = b
 while b >26:
  b=r[b]
 ch = chr(b+64)
 od[ch] = ob
 if ch in odd:
  odd[ch].append(ob)
 else:
  odd[ch] = [ob]
for c in out:
 print(''.join(chr(x) for x in odd[c]))

Try it online!

dpw
JKMPVWXacjqrvx
ABCDEFHLNRSTZbfhilmnsyz
ABCDEFHLNRSTZbfhilmnsyz
t
ABCDEFHLNRSTZbfhilmnsyz
e
JKMPVWXacjqrvx
o
ABCDEFHLNRSTZbfhilmnsyz
dpw
ABCDEFHLNRSTZbfhilmnsyz
JKMPVWXacjqrvx
ABCDEFHLNRSTZbfhilmnsyz
t
ABCDEFHLNRSTZbfhilmnsyz

Pxem (lazypxem.posixism.tio.sh (8e9ac7ceb2)), filename only: 109 bytes, safe safe.

Sorry for misreading the rules; I misread I would safe if nobody cracked mine for one week; I had to wait for two weeks to be safe.

Some are escaped:

\002.r.w.i._._.-.-\240.z.d.aY.o.d.a\002.r.w.i.i.i.i.s.s.s.s._.i.!Q##.!.-.+.w.d.aY.o.d.a.w.+.i.c\001.+.a.+\377\377].+.+.z.d.aY.o

• Flag: Y, without trailing LF.
• Input from stdin, as a string consists of ASCII printables except space: 33 (!) to 126 (~).
• Output to stdout.
• This program works randomly; your password must always work.

Try it online!

Hint (posted after 5 days and 2 hours later, I think)

• This program uses a bug of my interpreter.

Intended password

z317-35bP

Python 3, 70 bytes, cracked by @ovs

c=compile(c:=open(0,"rb").read(),"","exec").replace(co_code=c)
exec(c)

Attempt This Online!

Works in CPython 3.9.6. Takes input from STDIN and should output 42 with a trailing newline to STDOUT.

The challenge was to create something of a polyglot between Python source code and CPython bytecode. The Python source would be compiled (so it needed to be syntactically valid), and then have its bytecode replaced with itself, keeping constants and names.

My solution was:

d,F,d,S,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,44,43,42

Disassembly:

Bytes  Instruction      Argument  Meaning
d,     LOAD_CONST             44  stored integer 42
F,     PRINT_EXPR             44  ignored
d,     LOAD_CONST             44  stored integer 42
S,     RETURN_VALUE           44  ignored
...    [garbage...]

The list of numbers is just to get the Python compiler to store enough constants for , (decimal codepoint 44) to be a valid argument in order to index into the tuple and load 42.

By the way, PRINT_EXPR is an opcode used solely by the Python shell to print the return value of an expression. It's never used in normal code, but it's very useful for hacking around in bytecode-land.

Python 3, 70 bytes, cracked by @the default.

class D(dict):__getitem__=0
s=open(0).read()
if"."not in s:exec(s,D())

Attempt This Online!

Works under CPython 3.9.6. Takes input from STDIN and should output ryjtufbohqszxgg with a trailing newline to STDOUT.

Hint: that string is pseudo-random with no hidden meaning.

@thedefault's crack was the same basic idea as mine, but it can be reduced to:

class c:
 from builtins import print
 print("ryjtufbohqszxgg")

As @thedefault says:

Our code is being executed in an environment where trying to access any global variable (including built-in functions) throws an error.

The way around this is to use local variables, using an immediately invoked function, or more simply here, an empty class.

However, import still functions correctly

This is because, when importing modules using the magic function __import__, the interpreter (bizarrely) doesn't dispatch to an overridden __getitem__ method on the __builtins__ namespace, but just uses normal built-in dict lookup semantics on the object. This is apparently not a bug, but an entirely implementation-defined quirk.

In fact, if you were a particularly good internet sleuth, you might have found this issue which I posted to the Python bug tracker yesterday about this very behaviour.

Python 3, 57 bytes, cracked by @the default.

class D(dict):__getitem__=0
exec("".join(open(0)),D())

Attempt This Online!

Works under CPython 3.9.6. Takes input from STDIN and should output uslcgtutmuexbwb with a trailing newline to STDOUT.

Hint: that string is completely random - it has no hidden meaning.

The crack was not my intended one; here's an answer with it fixed!

I'll get things started off with one that probably won't be extremely difficult but may take some thought.

Python 3, 78 bytes: cracked by wastl

while 1:
	try:l=input()
	except:l=''
	exec(l,{},{"exit":0,"quit":0})
	print(1)

Try it online!

Flag is nothing. As in, . The program should not output anything.

Python 3, 157 bytes, cracked by Unrelated String and StackOverflow

import sys
B,V,I=__builtins__,eval,input()
class E(Exception):0
B.exec=B.eval=B.__import__=sys.stdout=0
try:V(I,{"E":E})
except E:sys.__stdout__.write("win")

Try it online!

Takes password via STDIN. Flag is win, printed to STDOUT with no newline.

@UnrelatedString found an unintended crack, which I had no idea existed:

(_ for _ in ()).throw(E)

Turns out generators have a .throw method which inserts an exception into their call stack.

It is, however, sad that my intended solution was also more or less right there on StackOverflow:

a python3 strong stomach solution:

type(lambda: 0)(type((lambda: 0).__code__)(1,0,1,1,67,b'|\0\202\1\0',(),(),('x',),'','',1,b''),{})(Exception())

Even if it was slightly more complicated than it necessarily needed to be (here's mine:)

type(lambda:0)(compile("raise E","","exec"),{"E":E})()

We can construct the code object using compile instead of using quite so much dark arts, which is a bit less fragile. The type(lambda:0) obtains the class for user functions, which can be used to construct new functions using code objects.

Python 3, 53 bytes, cracked by EasyasPi

I=input
X=vars(vars()[I()])
X[I()]=X[I()]
class I:1/0

Try it online!

The password is 3 lines of input on STDIN. The flag is the following text, to be printed to STDERR:

Traceback (most recent call last):
  File ".code.tio", line 4, in <module>
    class I:1/0
IndexError: tuple index out of range

(replace .code.tio with whatever the filename of the program is)

Python 3, 958 bytes, safe

x=[(9,23),(10,24),(10,25),(11,23),(11,24)]
def f(g):
    h=g.copy()
    for move in range(30):
        n=[]
        for i in range(12):
            n.append([])
            for j in range(36):
                c=0
                for (a,b)in[(-1,-1),(-1,0),(-1,1),(0,-1),(0,1),(1,-1),(1,0),(1,1)]:
                    if i+a>=0 and i+a<12 and j+b>=0 and j+b<36:
                        c+=h[i+a][j+b]
                if h[i][j]==0 and c==3:
                    n[i].append(1)
                elif h[i][j]==0:
                    n[i].append(0)
                elif h[i][j]==1 and c!=2 and c!=3:
                    n[i].append(0)
                elif h[i][j]==1:
                    n[i].append(1)
        h=n.copy()
    for i in range(12):
        for j in range(36):
            if g[i][j]!=h[i][j]:
                if not((i,j)in x):
                    print('N')
    for (i,j)in x:
        if g[i][j]==h[i][j]:
            print('N')
    print('Y')

Try it online! Flag: Y. The password is taken through input to f, so to run the code just edit the last line f([]).

Solution:

The code simply runs Conway's game of life on a finite grid, and tests whether the result after 30 ticks is the original grid with a particular set of 5 cells toggled. The solution is:

Gosper's glider gun. [[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1], [1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]] Try it online!

Zsh + coreutils, 213 bytes, safe

n=$(shuf -n1 -i0-9999999);out=$( (eval "$(tr -dc '\t\n -/:-@[-`{-~')") );s=$((n**.5));i=1;p=Yes;while [[ "$i" -le "$s" ]];do;i=$((i+1));if [[ $((n%i)) -eq 0 ]];then;p=No;break;fi;done;[[ "$p" = "$out" ]]&&echo Win

Must be run as root on a typical modern Linux system. (so no TIO link). Telling you why would spoil the challenge.

Flag is Win with a trailing newline, printed to stdout.

I no longer have my exact intended solution, but you can use this technique or similar to achieve arbitrary code execution without alphanumerics.

JavaScript (V8), 113 bytes, cracked by tsh

f=n=>n!=42?`${n} is a number`:`${n} is the answer to the ultimate question of life, the universe, and everything`

Try it online!

f needs to return 42 is a number.

Probably an easy one, but it's worth a shot.

Python 3.8, 322 bytes, safe

from ast import*
a=input()
b=walk(parse(a,"","eval"))
c=Constant
n=Name
if not {z.__class__ for z in b}-{Load,Call,Expression,c,n}:
 for x in b:
  if (i:=instanceof)(x,c):
   if not i(x.value, str):
    break
  if i(x,n):
   if x.id=="getattr":
    break
 else:
  print(eval(a,{"__builtins__":{},"getattr":getattr})==eval)

Could probably be golfed more, but I'm trying to avoid accidentally leaking anything :P

Output is True followed by a newline

Solution:

The program only runs programs that load names or constants and call functions. It also runs the input with only the global function getattr (which is essentially a function implementation of the ., so a.b == getattr(a,"b"), so our goal is to get to eval with only these pieces. The solution that I came up with was by building up from an expression that I came up with that could become eval using the classes that Python loads at runtime, and then slowly using pythons magic dunder methods to try to "simplify" down language features that I can't use to get to getattr(getattr(getattr(getattr(getattr(getattr(getattr(getattr(getattr(getattr,"__class__"),"mro")(),"__getitem__")(1),"__subclasses__")(),"__getitem__")(getattr(getattr(getattr(getattr(getattr(getattr(getattr(getattr,"__class__"),"mro")(),"__getitem__")(1),"__subclasses__")(),"__repr__")(),"split")(","),"index")(" <class 'codecs.Codec'>")),"decode"),"__globals__"),"__getitem__")("__builtins__"),"__getitem__")("eval")

Try it online!

Japt, 6 bytes, safe

OvUc^H

The flag is the array [-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14]. I recommend setting the language flag -Q to see the output correctly, this is included in the below link as well.

Beware that the above snippet may result in an endless loop for certain specific inputs, but this is not the case for most inputs.

Try it out here.

Solution:

The program takes the input, XORs its charcodes with 32 and then evaluates the result as Japt. More or less any valid program that outputs the range will work once the program string is XORed beforehand. One such answer might be "gçé", but interestingly also "fOOBAR".

Racket, 202 bytes, Safe

#lang racket

(define (h z)
  (when (procedure? z) (error "you lose"))
  (define a (λ (x) (not x)))
  ((λ (f) (call/cc (λ (k) (k (or (a z) (set! a ((eval f) k))))))) z)
  (and z (print (a "hello"))))

The flag is hello. The password (in the form of a quote-string) is passed as the argument to the h function.

Try it online!

Python 3.7, 84 bytes, Cracked

Takes Python code as input from input from stdin. The code is only executed if it consists of a subset of the characters of '\n ,.:;=@_abcdefijlmnoprstvz' and the keyword class occurs at most two times.

c=open(0).read()
{*c}<{*'\n ,.:;=@_abcdefijlmnoprstvz'}!=3>c.count('class')!=exec(c)

Try it online! (on 3.7.4)

The flag is -1025 (printed to STDOUT).

My intended solution:

@print
@int.__invert__
@object.__sizeof__
class o:__slots__=__name__,__name__,__name__,__name__

Try it online!

BrainF***, 22 bytes, Cracked by Cinaski

+++++[>,[--->+<]>.<<-]

Try it online!

The flag is wEe0H with nothing else. This shouldn't be too hard.

Python 3.8 (pre-release), 93 bytes, cracked by pppery

from functools import*;lambda a,b,c:(d:=reduce)(lambda e,f:e[f],c,d(getattr,b,__import__(a)))

Try it online!

• Input is function arguments, output is function return value.
• Flag is the string pxeger (my username)

pppery didn't find my intended solution, and noone else has, but here it is:

The function

takes a module name to import, a list of attributes, and a list of indeces, and looks up a value. It is best explained with an example: ! f("spam_module", ["eggs", "ham"], [2, 3]) ! # ==> ! import spam_module ! spam_module.eggs.ham[2][3] !

Given that:

My username is regexp (as in Regular Expression), backwards, and regexp is quite a common variable name

So we need to:

1. Find a use of the word regexp in the standard library

2. Access it using Python's extensive runtime introspection API

3. Reverse it

Specifically

In the csv module there is a class called Sniffer which has a method called _guess_quote_and_delimiter which uses a variable called regexp.

Python lets you

access that variable name as an element of the attribute .__code__.co_varnames. (I recommend looking into everything you can get from __code__ - it's very interesting, albeit excessive)

Then

regexp is the sixth variable name used there, so I lookup csv.Sniffer._guess_quote_and_delimiter.__code__.co_varnames[5]

Finally,

reverse that by slicing it with slice(None, None, -1) (equivalent to x[::-1])

So the whole solution is

f("csv",["Sniffer","_guess_quote_and_delimiter","__code__","co_varnames"],[5,slice(None,None,-1)])

Ruby, 85 bytes, cracked twice by the-default

x=gets
puts (x[0...n=x.size/2].to_i*x[n..-1].to_i).to_s(36) if x[-9..-1]=="123456789"

Try it online!

Flag is: codegolfguessmypasswordrobber001qtr5vxskd64lddb0gsyw2w4hp8zd1t0j, as a string, in STDOUT.

Explanation

Two prime numbers have been chosen, each having 50 decimal digits. One of them ends with "0123456789", and their product begins with codegolfguessmypasswordrobber when written in base 36.

p = 91642145128772682907542781226248344977333099146327
q = 15416260853069873976599113800182718102190123456789
n = p*q = 1412779214440046356547554449820888121475969772090456386542605159205021769559275444371360154172564003

This looks like an RSA factoring challenge, and factorizing the semi-prime is definitely one way to find the password. Bruteforce was explicitly forbidden for this challenge, though. And apparently, it wasn't too hard anyway to factorize n with an open-source program called cado-nfs. I should probably have picked a longer semiprime, e.g. RSA-200.

There's a (badly hidden) backdoor : String#to_i is happy to convert any string to an integer.

Extraneous characters past the end of a valid number are ignored.

So "1x000123456789".to_i gets converted to 1, and the challenge becomes trivial. It's now possible to "factorize" n as n*1.

R, 67 bytes, cracked by pppery

function(x) with(x, is.finite(a) && !is.finite(b) && is.nan(a + b))

Try it online!

The flag is TRUE. That is, find x such that f(x) is TRUE.

R, 143 bytes, cracked by Giuseppe

function(x, y, z){
  if(length(ls(1)) > 1 | length(ls()) != 3) return("S")
  LETTERS[lengths(lapply(y, intToUtf8(x), z)) * lengths(lapply(y, intToUtf8(x+32), z))]
}

Try it online!

Once again, the value to output is the string "R". The line with length(ls()) is there to try to close some loopholes; in any case, you need to find objects x, y and z such that f(x, y, z) == "R" is TRUE.

Giuseppe found a nice solution using the functions ^ and ~. The solution I had in mind was f(67, list(as.factor(1:3)), 4:6): Try it online! (any vectors of length 3 would work). The trick is that the functions c and C both exist (with the second being much less known). Calling c(1:3, 4:6) returns the length 6 integer vector 1 2 3 4 5 6; calling C(as.factor(1:3), 4:6) returns a length 3 factor 1 2 3 (with contrasts 4 5 6). The product of the lengths is thus 18, which is the position of R in the alphabet.

Ruby, 39 bytes, cracked by @EricDuminil

p eval($<.read.tr'Scfpvy.:?\'"%<`(',$/)

Try it online!

Here's hoping I've managed to close the backdoor that @Sisyphus exposed in the previous version. As before, input is via STDIN and the flag is """\n (with \n representing a trailing newline) printed to STDOUT. Nothing is printed to STDERR.

My password: Try it online! Same idea as the crack but somewhat different implementation.

Arn, 19 bytes, cracked by r3mainer

€weL˜ù┼󪘛’U•žfcmº

I would provide the unpacked form, but it's rather trivial to decode adds to the challenge if you have to decode it yourself. Not terribly difficult, but it requires you to access the source code. The flag you want is:

7.9228162514264337593543950336e+28

this was done in the online interpreter. This shouldn't be too difficult, and multiple inputs should theoretically work. However, I encourage you to try and figure out the one I used (you will know immediately if you found the right one).

Solution + Explanation

The flag r3mainer used was J0e_Biden!. The flag I intended to be the solution will remain hidden, as to encourage others to try :). However, to make it easier, here is an explanation for the program :*:*((|:(|\):}):i0^:i"n

:* Square
  :* Square
      ( Begin expression
        (
            |: Bifurcate*
              (
                |\ Fold with concatenation (remove spaces)
                  _ Variable initialized to STDIN; implied
              ) End expression
          :} Tail
        )
      :i Index of
        0 Literal zero
    ^ To the power of
        _ Implied
      :i
        "n" literal string

• Note: bifurcate is currently broken, and this program takes advantage of that. Basically, |:(...):} is a synonym for reversing the string ... (don't you love bugs?)

JavaScript, 2465 bytes, cracked by the default.

X=([...O],S=[])=>{let M,F,a,b,R,n;M=F=0;while(O.length)eval(("?S.shift())#[a,b]!2);F=a==b;?a-b)#M++#?M)#%#M=0#M=%#R=%O=[]#n=%n!n);if(F)O=n.concat(O)".split`#`[O.shift()]||"").replace(/%/g,"S.pop();").replace(/\?/g,"S.push(").replace(/!/g,"=S.splice(-"));return R};const U=prompt().split``.map(e => e.charCodeAt()).join``.replace(/9/g,"").split("").map(e=>+e);R={s:20,m:0x80000000,a:1103515245,c:12345,get q(){return R.s=(R.a*R.s*+R.c)%R.m},i(v){return R.q/~-R.m*v|0},get b(){return R.i(2)},h([...a]){for(i=~-a.length;i>0;i--){j=R.i(i+1);[a[i],a[j]]=[a[j],a[i]]}return a}};R.s=U.reduce((p,c)=>p+c,0);class S{constructor(w,n=0){this.w=w;this.n=n;this.s={};this.c={}}N(T=this){return new S(T.w,T.n)}P(T=this){for(let i=0;i<T.w;i++)if(!T.c[i])T.A(i,T.n++);return T}M(s,t,T=this){let A=T.c[s],B=T.c[t];T.s[A]=T.s[A]||[];T.s[B]=T.s[B]||[];T.s[A].push(...T.s[B]);T.s[B].map(c=>{T.c[c]=A});delete T.s[B]}S(a,b,T=this){return T.c[a]==T.c[b]}A(c,s,T=this){T.c[c]=s+="";T.s[s]=T.s[s]||[];T.s[s].push(c)}*[Symbol.iterator](){yield*Object.entries(this.s)}Z(f=false,T=this){let C,b,c,v,N,r,g,l,m;C=[];b=[c=0];for(;c<~-T.w;c++){if(T.S(c,c+1)||(!f&&R.b)){C.push(b);b=[c+1]}else{T.M(c,c+1);b.push(c+1)}}C.push(b);v=[];N=T.N();if(!f){for(let[i,s]of T){let q=R.i(s.length-1);if(!q)q++;g=R.h(s).slice(0,q);v.push(...g);g.map(c=>N.A(c,i))}}r=[];C.map(c=>c.map((e,i,a)=>{l=i+1==a.length;m=!l*2;m|=1*(v.indexOf(e)!==-1);r.push(m)}));return[N.P(),r]}static F(w=10,h=10){let s=new S(w).P(),r,g=[[1]],i=0;for(;i<w;i++)g[0].push(1,1);for(let i=0;i<h;i++){[s,r]=s.Z(i===h-1);g.push(...I(r))}return g}};let I=(r, last=false)=>{let D=[1],E=[1];r.map(c=>{D.push(0,+((c&2)==0));E.push(+((c&1)==0),1)});return[D,E]};class B{constructor(w=10,h=10){this.m=S.F(w,h);this.r=0;this.G=true;this.f()}a(x=this.x,y=this.y){return this.m[y][x]}f(T=this){T.x=T.y=T.ey=1;while(T.a()!=0)T.x++;T.ex=this.m[0].length-1;while(T.a(T.ex)!=0)T.ex--}W(){return this.x==this.ex&&this.y==this.ey}d(r=this.r){return [[0,1],[-1,0],[0,-1],[1,0]][r]}L(){this.r++;this.r%=4}F(){let o=this.x,p=this.y,d=this.d();this.x+=d[0];this.y+=d[1];if(this.a()==1){this.x=o;this.y=p;this.G=false}if(this.W()){console.log("win");this.G=false}}M(r){r=this.r+r;r%=4;let m=-1,d=this.d(r),x=this.x,y=this.y;while(this.a(x,y)!=1){x+=d[0];y+=d[1];m++}return m}T(f){let ms=[1,3,0,2],v=f(ms.map(e=>this.M(e)));while(v&&this.G){this["KLFK"[v%4]].bind(this)();v>>=2}return this.G}R(f){let Y=999;while(this.G&&Y-->0)this.T(f)}}(new B()).R(a=>X(U,a))

Try it online! The flag is win. There should be no other output produced by the program. Although I designed this program to work with Firefox's implementation of JavaScript, it also works on node, hence the link. Input is a string through prompt, which is substituted for a command line argument in the header of the node TIO link.

There is very much method in this madness; brute force is neither recommended nor viable, hopefully. Slightly golfed. More so an attempt to make it to 2 weeks, than doing it with the lowest score possible—a proof of concept, if you will.

Or, try it here, in your browser

X=([...O],S=[])=>{let M,F,a,b,R,n;M=F=0;while(O.length)eval(("?S.shift())#[a,b]!2);F=a==b;?a-b)#M++#?M)#%#M=0#M=%#R=%O=[]#n=%n!n);if(F)O=n.concat(O)".split`#`[O.shift()]||"").replace(/%/g,"S.pop();").replace(/\?/g,"S.push(").replace(/!/g,"=S.splice(-"));return R};const U=prompt().split``.map(e => e.charCodeAt()).join``.replace(/9/g,"").split("").map(e=>+e);R={s:20,m:0x80000000,a:1103515245,c:12345,get q(){return R.s=(R.a*R.s*+R.c)%R.m},i(v){return R.q/~-R.m*v|0},get b(){return R.i(2)},h([...a]){for(i=~-a.length;i>0;i--){j=R.i(i+1);[a[i],a[j]]=[a[j],a[i]]}return a}};R.s=U.reduce((p,c)=>p+c,0);class S{constructor(w,n=0){this.w=w;this.n=n;this.s={};this.c={}}N(T=this){return new S(T.w,T.n)}P(T=this){for(let i=0;i<T.w;i++)if(!T.c[i])T.A(i,T.n++);return T}M(s,t,T=this){let A=T.c[s],B=T.c[t];T.s[A]=T.s[A]||[];T.s[B]=T.s[B]||[];T.s[A].push(...T.s[B]);T.s[B].map(c=>{T.c[c]=A});delete T.s[B]}S(a,b,T=this){return T.c[a]==T.c[b]}A(c,s,T=this){T.c[c]=s+="";T.s[s]=T.s[s]||[];T.s[s].push(c)}*[Symbol.iterator](){yield*Object.entries(this.s)}Z(f=false,T=this){let C,b,c,v,N,r,g,l,m;C=[];b=[c=0];for(;c<~-T.w;c++){if(T.S(c,c+1)||(!f&&R.b)){C.push(b);b=[c+1]}else{T.M(c,c+1);b.push(c+1)}}C.push(b);v=[];N=T.N();if(!f){for(let[i,s]of T){let q=R.i(s.length-1);if(!q)q++;g=R.h(s).slice(0,q);v.push(...g);g.map(c=>N.A(c,i))}}r=[];C.map(c=>c.map((e,i,a)=>{l=i+1==a.length;m=!l*2;m|=1*(v.indexOf(e)!==-1);r.push(m)}));return[N.P(),r]}static F(w=10,h=10){let s=new S(w).P(),r,g=[[1]],i=0;for(;i<w;i++)g[0].push(1,1);for(let i=0;i<h;i++){[s,r]=s.Z(i===h-1);g.push(...I(r))}return g}};let I=(r, last=false)=>{let D=[1],E=[1];r.map(c=>{D.push(0,+((c&2)==0));E.push(+((c&1)==0),1)});return[D,E]};class B{constructor(w=10,h=10){this.m=S.F(w,h);this.r=0;this.G=true;this.f()}a(x=this.x,y=this.y){return this.m[y][x]}f(T=this){T.x=T.y=T.ey=1;while(T.a()!=0)T.x++;T.ex=this.m[0].length-1;while(T.a(T.ex)!=0)T.ex--}W(){return this.x==this.ex&&this.y==this.ey}d(r=this.r){return [[0,1],[-1,0],[0,-1],[1,0]][r]}L(){this.r++;this.r%=4}F(){let o=this.x,p=this.y,d=this.d();this.x+=d[0];this.y+=d[1];if(this.a()==1){this.x=o;this.y=p;this.G=false}if(this.W()){console.log("win");this.G=false}}M(r){r=this.r+r;r%=4;let m=-1,d=this.d(r),x=this.x,y=this.y;while(this.a(x,y)!=1){x+=d[0];y+=d[1];m++}return m}T(f){let ms=[1,3,0,2],v=f(ms.map(e=>this.M(e)));while(v&&this.G){this["KLFK"[v%4]].bind(this)();v>>=2}return this.G}R(f){let Y=999;while(this.G&&Y-->0)this.T(f)}}(new B()).R(a=>X(U,a))

Intended solution

the default.'s solution was very close to being exactly the same as mine, and in fact, conceptually equal to mine. However, mine has a bit tighter encoding:

Z5[_\\#\]:#][4\]!!!!\]\\\\ \\\]:(Z5[_\\#\]:#][4\] \\\]4\\\]:4\\\\\\\\\\\\\\\\\\\\%

I'll probably released a half-golfed, half-annotated version of the source later.

R, 60 bytes, cracked by Paul

function(x) chartr("zyxwvu", "RRRRRR", tolower(x[1] + x[2]))

Try it online!

As in my previous challenge, the flag to output is the string "R". In other words, you need to find x such that f(x)=="R" is TRUE.

The solution is e.g. as.roman(c(2, 3)). This object is represented as c(II, III); it is of mode numeric but of class roman. Since it is numeric, addition works, giving the roman integer V. But since it is of class roman, tolower coerces it to string, giving the string "v". Then chartr translates this to "R".

C (x86-64), 100 bytes, cracked by @the-default.

This will survive until someone figures out how to run Xorshift in reverse. (So probably not very long!). Requires a key of 8 characters as a command line argument. The flag is CodeGolf followed by a line break (and nothing else before or after). Liable to crash if the key is missing or less than 8 characters in length.

main(int a,char**b){for(unsigned long *x=*++b,i=59295;i--;*x^=*x<<13,*x^=*x>>7,*x^=*x<<5);puts(*b);}

Try it online!

JavaScript (SpiderMonkey), 52 bytes, Cracked by r3mainer

i=>(a=+i,a<a/a?a/a<-a?1/a<a:a*a>1:1<a*a?a*a<a:1/a<a)

Try it online!

Expect output is true.

Input via parameter, output via return value. Global values should not be configured before the function execute. (For example, Object.defineProperty(globalThis, 'a', { get() { return ...; }, set() { return true; } }) is not valid.)

This one could be quite easy. I expected it will be cracked in 30 min...

Ruby -n, 32 bytes, cracked by @Sisyphus

^{Edit to reduce score by 1: (p eval$_) → p(eval$_)}.

!/[Scfpv\.:\?'"%<`(]/&&p(eval$_)

Input via STDIN. Flag is """\n (three double-quote characters with trailing newline) printed to STDOUT.

Python 3, 73 bytes, cracked by pxeger

Hopefully this time there are no loopholes.

s=input()
assert not{*s}&{*'()[]{}'}
eval(s,{'__builtins__':{}})(**{0:0})

Try it online!

Just as before, the password is inputted via STDIN, the flag is (nothing) and should be printed to STDERR. That means no output to STDERR.

Python 3, 42 bytes, cracked by pppery

Just a single line of Python.

eval(input(),{'__builtins__':{}})(**{0:0})

Try it online!

The password is inputted via STDIN, the flag is (nothing) and should be printed to STDERR. That means no output to STDERR.

Haskell, 246 bytes, cracked by ovs

infix 0#
0:p#x=p#1:x
1:p#x:z=p#x:x:z
2:p#x:y:z=p#(y+x):z
3:p#x:y:z=p#(y-x):z
4:p#x:y:z=p#(y*x):z
5:p#x:y:z=p#div y x:z
6:p#x:y:z=p#y:x:y:z
7:p#x:y:z=p#y:x:z
c:p#x|(q,_:r)<-span(<c)p=r#until((==0).head)(q#)x
_#x=x
main=readLn>>=print.(#[]).take 60

Try it online!

Input is taken over STDIN, and output is printed to STDOUT. The flag is the output string: [2,3,5,7,11,13,17,19,23,29,31,37,41,43,47,53,59,61,67,71,73,79,83,89,97,101,103,107,109,113,127,131,137,139,149,151,157,163,167,173,179,181,191,193,197,199,211,223,227,229,233,239,241,251,257,263,269,271,277,281,283,293,307,311,313,317,331,337,347,349,353,359,367,373,379,383,389,397,401,409,419,421,431,433,439,443,449,457,461,463,467,479,487,491,499]

(Those are the primes from 2 to 499.)

PHP, 89 bytes, cracked by Benkerd22

<?php
$x=file_get_contents('php://stdin');
if(!preg_match('/.*golf.*/',$x))echo trim($x);

Try it online!

Outputs golf, exactly.

Wolfram Language (Mathematica), 15 bytes, cracked by w123

#//.a_:>Head@a&

(Edited to reduce byte count. Solution should be the same; all the unintended solutions I can think of should be trivial to adapt.)

Flag: flag.

Input by function argument, and output by return value. Try it online!

!@#$%^&*()_+, 104 bytes, cracked by @thedefault

*^(%  _+*^)%(0_+%)%  _+^$($_^_$_^_$+!!!!!!!!!+++++++++^$)+_^_  _+$(_^^^^^^^^^^_$^$)+xx_+$(_0+_$^$)+!!@@@

The flag to this program is $$$ output to STDOUT.

I guarantee that the flag will appear in at least 5 seconds given the correct password.

Try it online!

What does it even do?

*^(%  _+*^)%(0_+%)%  _+^$($_^_$_^_$+!!!!!!!!!  # Push the password integer...
+++++++++^$)+_^_  _+$(_^^^^^^^^^^_$^$)+        # ...from STDIN onto the stack
xx_+$(_0+_$^$)+                                # Divide by the ASCII value of 0 i.e 48
!!@@@                                          # Print the result as a character thrice.

Therefore:

\$x = 48 · 36 = 1728\$

Where x is the password.

FYI 36 is the ASCII value of $.

05AB1E (legacy), 8 13 bytes, cracked by @ovs

F}žhм9£.ER.V*

+5 bytes to close a different crack found by @ovs (although he's free to post it as an actual crack instead if he chooses to).

Try it online.

Expected output: \n137438953472\n (where the \n are of course newlines).

Code explanation:

F              # Loop `N` in the range [0, input-1)
 }             # Close the loop
  žhм          # Remove all digits
     9£        # Only keep the first 9 characters
       .E      # Evaluate and execute as Python code
         R     # Reverse
          .V   # Evaluate and execute as 05AB1E (legacy) code
            *  # Multiply two values
               # (after which the result is output implicitly with a single trailing newline)

Tip 1: the program + intended solution only works in the legacy version of 05AB1E (built in Python 3) for two reasons. This won't work in the latest 05AB1E version (built in Elixir), where all these builtins as mentioned in the code explanation above will also act the same as described.
Tip 2: it won't time out on TIO, so an input like 274359834731, which would result in 137438953472\n (note it's missing the intended leading newline) isn't the intended solution, since the loop takes too long (no longer possible after the 5 bytes had been added). The intended solution runs in less than 0.2 seconds on TIO.
Tip 3: one of two reasons mentioned in tip 1 is a bug with .E and a certain type of input (which is ALSO in @ovs' initial crack), that I abuse to get the intended result.
Tip 4: there are three loose inputs (separated with newline delimiter), and the first and third inputs are the same

><>, 4 bytes

i10p

Try it online!

The flag is Something smells delicious... printed to STDOUT, and takes input form STDIN.
Invalid keys may not always terminate the program.

Not a difficult one, but I like this feature.

Python 2.7, 189 bytes, cracked by ovs

import re

inp = raw_input()
if not re.match(r"^[\w\d=]*$", inp):
    quit()
exec(inp)

a = raw_input()
b = raw_input()
flag = a == b

if flag == True:
    print("%s %s"%(a, b))

Try it online!

Flag is The Flag, output to STDOUT. This might be a bit easy, but hopefully still fun!

Python 2, 94 bytes, cracked by Christian Mann

^{Edited to reduce score. See revision history for ungolfed version.}

Another Python answer.

import re,sys
p=sys.stdin.read()
if re.match('^[exc\dhrkb\slim_=:;,.ants]*$',p):exec p;print a

Try it online!

Flag is 0xc0de. The output should be to STDOUT.

My solution was basically the same as Christian's:

The regex only accepts a very limited number of characters. Notable exclusions are all kinds of brackets, string delimiters, almost all operators and the p for print and input.
a='0xc0de' doesn't match the regex, and a=hex(49374) neither.

With these restriction I don't know of a way to call any function that returns a value. I would be interested in counterexamples ;).
^{One exception is a==b, which calls a.__eq__(b), but since q is not available, you can only do this with builtin types.}

The idea is to use the fact that print a calls a.__str__ to get a string representation of the object a. This means we need to define an object a with a custom __str__ method, which is then called by string.
Instantiating objects is not possible without (), but luckily we can define methods on classes rather than instance objects using metaclasses.
The metaclass is required to have an __init__ function, that takes three arguments and returns None. A good choice for this is an __init__ function of a different class.

This result into the final solution:

class b:
    __str__ = 49374 .__hex__
    __init__ = 0 .__init__
class a:
    __metaclass__ = b

Try it online!

This doesn't work in Python 3 for two reasons:

• int's dont have a __hex__ method anymore.
• The syntax for metaclasses has changed. In Python 3 this would look like class a(metaclass=b): ..., which uses forbidden brackets

JavaScript (SpiderMonkey), 23 bytes, Cracked by Sisyphus

a=readline()
print(a+a)

Try it online!

• Expect output: aaa
• Input / Output use stdin, stdout

Perl 5 (-n), 33 bytes, Cracked by Neil

length()<28 && !/\w/ && eval eval

Try it online!

The flag is Flag. The input is stdin and output stdout.

Jelly, 4 bytes, cracked by Bubbler

OÆTP

Try it online!

Outputs 160.58880817718872.

¯\_(ツ)_/¯

R, 29 bytes, cracked by pppery

function(x) intToUtf8(cos(x))

Try it online!

The flag to output is the string "R".

The solution is 5.1i.

Although \$\forall x\in\mathbb R, -1\leq\cos x\leq1\$, those bounds don't hold for complex \$x\$: \$\cos(a+ib)=\cos x\cosh y -i \sin x\sinh y\$, which is unbounded. We want to find \$x\$ such that \$ \cos x=82\$ (the ASCII codepoint of R); pppery gave the answer x=5.0998292455...i. The shorter x=5.1i works, because intToUtf8 can take a complex argument and cast is as integer by ignoring the imaginary part, and rounding down the real part to an integer.

Python 3.8, 95 bytes, cracked by wastl

import os;(c:=os.getenv("A")).isidentifier()and c not in"printinput"and eval(c)(os.getenv("B"))

Input is via environment variables. (no TIO link because it doesn't support them). Flag is the_flag.

@wastl did not find my intended solution - theirs was much simpler. Here is what I indended:

PYTHONBREAKPOINT=builtins.print A=breakpoint B=the_flag python -c 'import os;(c:=os.getenv("A")).isidentifier()and c!="print"and eval(c)(os.getenv("B"))'

The PYTHONBREAKPOINT environment variable describes a function to be called when you use breakpoint(). Python has a lot of weird implicit behaviours like this. I intentionally left "input is environment variables" vague so you would think it would only be A and B

Python 3, 85 bytes, cracked by r3mainer

import re,time
b=input()[:40]
a=time.time()
re.match(b,b)
if time.time()-a>9:print(0)

Try it online!

Prints 0. Works on TIO.

JavaScript (V8), 25 bytes, Cracked by user

y=s=>(l=s.length)?l:l/l|1

Try it online!

The flag is 0.
Input: function parameter.
Output: returned value of function.