Gforth 0.7.3 (TIO), 231 bytes [SAFE]

This code redefines as useless some necessary output methods, as well as addition and something crucial for declaring functions. Good luck!

: . ;
: dec. ;
: u. ;
: .r ;
: u.r ;
: d. ;
: ud. ;
: d.r ;
: ud.r ;
: emit ;
: type ;
: + postpone 2drop ;
: ; + + + postpone exit reveal postpone [ ;

Input will be two signed integers taken from the top of the stack as function parameters. Output to STDOUT.

So you should fix the damage done, and define a function that takes the top two values from the stack and prints the result as an integer (not a float) to STDOUT without additional output (no trailing space).

Here's a template, if your goal function is named f.

Solution:

79 bytes

I actually removed the immediate keyword from the end of the redefinition of ;, so it was necessary for an answer to include it at the start. The function I defined is mostly equivalent to the internal definition of ., but it doesn't print the space at the end, and the addition is performed first, by moving the numbers to the floating point stack and back.

immediate : f s>f s>f f+ f>d swap over dabs <<# #s rot sign #> (type) #>> 0 0 ;

Try it online

Python 2, Cracked

Implements addition as a named function

import sys
c="".join(open(__file__).read().split('\n')[4:])
if set(c)-set(' &)(,.:[]a`cdfijmonrt~')or"import"in c:sys.setrecursionlimit(1)
f=lambda\

Try it online!

What does this do?

For the purposes of helping you out a bit I'll explain what this does. This code opens the source file and checks if the remainder of the code fits the following criteria:

• Does not contain the string import
• Is made solely of the characters &)(,.:[]a`cdfijmonrt~

If it fails either criterion the recursion limit is set to 1 meaning that any code you write will hit the recursion limit.

There are no tricks here, I have written a solution that uses only these characters and no imports, I'm not doing anything subversive, but I will say that I think this will be pretty hard to crack.

To save you some time here is a short list of useful things you cannot do with this restriction

• + well duh,

• eval/exec Wasn't going to let you get away with that

• Numbers, They might be more useful than you think

• String literals

• len

• =, No assigning variables

• >,<,==. . . I have left you with no comparisons

• *,-,/,%,^,|,>>,<< The only operators available are ~ and &

• __foo__, None of those fancy double underscore methods are allowed.

Python 2, Cracked

This is the fourth iteration of this answer. Each of the last answers has was cracked via reseting the recursion depth.

Implements addition as a named function

import sys
if set("".join(open(__file__).read().split('\n')[4:]))-set(' &)(,.:[]a`cdfijmonrt~'):sys.setrecursionlimit(1)
for m in sys.modules:sys.modules[m]=None
del sys;f=lambda\

Try it online!

What does this do?

For the purposes of helping you out a bit I'll explain what this does. This code opens the source file and checks if the remainder of the code is made solely of the characters &)(,.:[]a`cdfijmonrt~

If it fails the recursion limit is set to 1 meaning that any code you write will hit the recursion limit.

I've also disabled all of the modules, so you can't import anything.

There are no tricks here, I have written a solution that uses only these characters and no imports, I'm not doing anything subversive, but I will say that I think this will be pretty hard to crack.

To save you some time here is a short list of useful things you cannot do with this restriction

• + well duh,

• eval/exec Wasn't going to let you get away with that

• Numbers, They might be more useful than you think

• String literals

• len

• =, No assigning variables

• >,<,==. . . I have left you with no comparisons

• *,-,/,%,^,|,>>,<< The only operators available are ~ and &

• __foo__, None of those fancy double underscore methods are allowed.

My solution

So now that xnor has cracked it in a way I am sufficiently satisfied with I am going to reveal my solution

r,o:(o and f(~(~r&~o)&~(r&o),int(`r`[:r&~r].join([`dict()`[r&~r],`r&~r`,`dict([(r&~r,r&~r)])`[int(`~([]in[[]])`[[]in[[]]:])],`min`[[]in[[]]],`dict()`[~(r&~r)],`r&~r`]).format(r&o),int(`~([]in[[]])`[[]in[[]]:]))))or r

Surprise, surprise its a hulking pile of gibberish. Rather than break this down I'm going to go through the process of how I made this.

I started with a pretty standard addition algorithm

r,o:(o and f(r^o,r&o<<1))or r

Then I used a bitwise trick for representing ^ with |,&,~.

r,o:(o and f((r|o)&~(r&o),r&o<<1))or r

I used another bitwise trick to get rid of the |

r,o:(o and f(~(~r&~o)&~(r&o),r&o<<1))or r

Now all thats left is the <<, shouldn't be too hard, right? Well get ready for a bumpy ride. To replace the bitshift I used strings to append a zero to the end of its binary representation

r,o:(o and f(~(~r&~o)&~(r&o),int(bin(r&o)[2:]+"0",2)))or r

This has a few problems but the primary one is using addition, so I worked around this by using a format instead

r,o:(o and f(~(~r&~o)&~(r&o),int("{}0".format(bin(r&o)[2:]),2)))or r

We are not allowed to use bin, so I used string formatting to convert to binary.

r,o:(o and f(~(~r&~o)&~(r&o),int("{0:b}0".format(r&o),2)))or r

Since string literals are forbidden I have to build the string {0:b}0 out of parts made with back ticks and join them together.

r,o:(o and f(~(~r&~o)&~(r&o),int("".join(["{","0",":","b","}","0"]).format(r&o),2)))or r

The empty string is pretty easy, you can just do

`r`[:0]

The zeros were

`0`

and the {:} were all grabbed from dictionaries.

r,o:(o and f(~(~r&~o)&~(r&o),int("".join([`dict()`[0],`0`,`dict([(0,0)])`[2],"b",`dict()`[-1],`0`]).format(r&o),2)))or r

b seems pretty hard to get, its not in our character set, so how are we supposed to get an object that has a b in its repr? Well here's how: When you use repr on a builtin function you get something that looks like

<built-in function name>

And thats from where we'll get our b.

r,o:(o and f(~(~r&~o)&~(r&o),int("".join([`dict()`[0],`0`,`dict([(0,0)])`[2],`min`[1],`dict()`[-1],`0`]).format(r&o),2)))or r

Now all thats left are numbers, I only need -1, 0, 1, and 2 so here's how I represented them:

-1 = ~(r&~r)
 0 = r&~r
 1 = []in[[]]
 2 = `~([]in[[]])`[[]in[[]]:]

2 could actually be a byte shorter as

```r&~r```.find(`r&~r`)

based on @Blender's suggestions in the comments, but I didn't think of this until after the fact.

So we substitute these numbers in

r,o:(o and f(~(~r&~o)&~(r&o),int(`r`[:r&~r].join([`dict()`[r&~r],`r&~r`,`dict([(r&~r,r&~r)])`[int(`~([]in[[]])`[[]in[[]]:])],`min`[[]in[[]]],`dict()`[~(r&~r)],`r&~r`]).format(r&o),int(`~([]in[[]])`[[]in[[]]:]))))or r

And thats the crack.

C (gcc) Cracked!

#define D(f)void f(void);
D(printf)D(fprintf)D(putc)D(puts)D(getchar)D(putc)D(fputc)D(ferror)D(feof)D(read)D(fclose)D(fread)D(wr1te)D(fgets)D(fgetc)D(popem)D(gets)D(read)D(scanf)D(setbuf)D(execl)D(execlp)D(putchar)D(execle)D(execv)D(malloc)D(execvp)D(execvpe)D(exec)D(system)D(close)D(fwrite)D(open)D(free)
int stdin;
int main(){
//your code goes here...hehe
}

Try it online!

Input from STDIN and output to STDOUT.

This runs without error. Hahaha this is quite evil. I've only tested it on TIO's gcc. Per usual, you must append your code after this snippet in order for it to work :) The comment is a mean one, don't listen to it.

Tested on gcc (GCC) 6.3.1 20161221 (Red Hat 6.3.1-1). Should work on any linux system.

Original solution

#define D(f)void f(void);
D(printf)D(fprintf)D(putc)D(puts)D(getchar)D(putc)D(fputc)D(ferror)D(feof)D(read)D(fclose)D(fread)D(wr1te)D(fgets)D(fgetc)D(popem)D(gets)D(read)D(scanf)D(setbuf)D(execl)D(execlp)D(putchar)D(execle)D(execv)D(malloc)D(execvp)D(execvpe)D(exec)D(system)D(close)D(fwrite)D(open)D(free)
int stdin;
int main(){
//your code goes here...hehe
}
void __attribute__ ((destructor)) dtor() {
    int a,b,c,d;a=b=c=0;
    struct FILE* z = popen("cat", "r");
#define q(x)for(;(c=getc(z))^32&&c^-1;)x=10*x+c-48;
q(a);q(b);
    char*y=calloc(c=a+b,1);
    for(a=0;c;){y[a++]=(48+(c%10));c=c/10;}
    for(b=0;b<a/2;b++){d=y[b];y[b]=y[a-b-1];y[a-b-1]=d;}
    write(1,y,a);
}

C (GCC on Linux) (cracked)

Instead of using silly file-reading sandboxing techniques, we do it the proper way - with SECCOMP whitelisting!

Your task: implement addition with input from STDIN and output to STDOUT.

#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <syscall.h>
#include <stdio.h>
void sandbox();
__attribute__ ((constructor(0))) int s() {
    close(0);
    close(1);
    close(2);
    prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
}
int main() {
    sandbox();
    syscall(SYS_exit, EXIT_SUCCESS);
}
void sandbox() {
    // Your code here!
}

Try it online!

WTF is this!?

To help you in your insurmountable task I'll explain what this code does.

__attribute__ ((constructor(0))) ensures the s function is run first. The function closes all open file descriptors for STDIN, STDOUT and STDERR. Then the program restricts itself with a strict SECCOMP whitelist, which limits your system calls to the following:

read(2)
write(2)
_exit(2)
sigreturn(2)

Therefore you cannot open any new files (or basically do anything). We then come to main and call your code, nicely wrapped in the sandbox function.

The syscall(SYS_exit, EXIT_SUCCESS); at the end is just to ensure the program exits cleanly - by default GCC will exit with exit_group(2) which is not allowed by the SECCOMP whitelist. This exiting function is called after your code is run.

So you have no open file descriptors, and you can't open anything new. Impossible, right? ;)

Haskell, cracked by Ben

main=main--

Try it online! This should be a full program reading two numbers from stdin and outputting the sum to stdout.

Each full program starts by running the main function, but here main calls itself and causes an infinite loop. To make matters worse, a line comment is started with -- directly behind the recursive call to prevent changing it to e.g. main2 and then defining that to do the summation.

---

Intended solution:

main=main--$()
_ --$ _ = do
     x <- readLn
     y <- readLn
     print $ x+y

Try it online!

-- starts a line comment unless it can also be parsed as part of an operator. (The syntax highlighting seems to be unaware of this fact.) --$ is a valid infix operator which takes main as first argument and some dummy second argument (). It is then defined to ignore both arguments and to perform the required task instead.

x86 16 bit real mode Assembly (Cracked)

_main:
    call l
    cli
    hlt
l:  pop si
    xor ax, ax
    mov bp, cs
    mov es, ax
    mov di, 12
    mov [di], si
    mov [di + 2], bp
    pushf
    mov bp, sp
    or word [bp], 256
    popf

Easy if you know the trick.

Perl 5, cracked by Ilmari Karonen

$_=<DATA>;
s/[+'{dPz|K.UD!_ iJ;o}e6tjWb7253k@%&Iq4l0AN:?\$8B`Yywn9^pfmZQTF"M#-]//g;
eval;
print@_,$!,pop,shift,<>,eval"@>",$\,@ARGV,eval"@$",$@,eval"@@",$,,eval"@,",$/
__DATA__

Input is received on separate lines of STDIN and output is printed to STDOUT.

All code goes after the __DATA__ marker. This uses a similar method to @WheatWizard's solution in that the code is parsed and unusable chars are removed.

This has been tested on versions 5.8, 5.10 and 5.16, and requires no command-line flags.

Try it online!

APL (ngn-apl), cracked by ngn

Made in cooperation with my colleague Marshall.

Input through left and right arguments to +. I.e. your goal is to insert code after the the following, so that your last line reads ⎕←3+2 and outputs 5 to STDOUT.

+←-←−←⍴←≢←≡←⊥←⊤←⍟←○←⍳←⌹←~←∈←∊←⍷←<←≤←=←≥←>←≠←,←⍪←⌷←⌽←⍉←⊖←{}⋄⍣←∘

Try it online!

Works by setting all useful functions to {} which takes one or two arguments and returns an empty numeric list. Also sets ⍣ to just compose functions.

---

Crack

+←{⌈/⍋⍺⍵1/0}

⍺⍵1/0 replicate 0 by the left argument and the right argument and 1

⍋ get the indices that would sort that (since all elements are zero, it gives 0 1 2…(a+b)

⌈/ the maximum value (a+b)

Javascript, Cracked

This challenge builds off of Grant Davis's, but fixes the solution he had in mind (which creates an iframe and uses the iframe's window). The solution runs in the javascript console on chrome's about:blank page, and takes two input()s, adds them together, and console.logs the result. Put your code after:

d=prompt=console=document;new MutationObserver(s=>s.forEach(e=>{t=e.target;t.parentNode.removeChild(t)})).observe(d,{"childList":d, "subtree":d})

First, we clobber prompt and console and set the shortcut d. Then, we create a mutation observer with a callback which removes every target mutated. We set that mutation observer to observe the document, and notify on childList and subtree modifications. Instead of the literal true, we use our shortcut to the truthy value document (the spec doesn't allow this, but chrome does).

After I posted this, I realized a much more elegant clobber. My intended solution still works, but the crack posted does not:

 h=document.querySelector("html");h.parentNode.removeChild(h);

cQuents, cracked by Mayube

#|1,1:A

This should be fairly easy, but you never know.

The "problem" was that without C in your code, you got an error.

Mayube's solution:

#|1,1:A+BC

Each item in the sequence is the first input plus the second times the third (aka 1)

My solutions:

#1,1:A+B,C

The sequence cycles between the first input plus the second input, and the third input (1). The first item in the second is A+B.

#1,1:A+B+C-C

Similar to Mayube's solution - instead of multiplying B*C, just adds C and then subtracts it.

Try it online!

Explanation

#|1,1      Append 1 and 1 to the end of the user's input
     :     Set mode to : (sequence 1: if given n, output nth term in sequence; if given no n, output whole sequence)
      A    Each item in the sequence equals the first input

Currently, this program outputs 1, since with no user input, the first input is the first 1 in the default input (#).

Python 2, Cracked

This is the second iteration of an answer that has been cracked once by @HyperNuetrino using a method I had not expected. I've now patched it so hopefully the only solutions left will have to abide by the restrictions I intended.

Implements addition as a named function

import sys
c="".join(open(__file__).read().split('\n')[4:])
if set(c)-set(' &)(,.:[]a`cdfijmonrt~')or"import"in c:sys.setrecursionlimit(1)
sys.modules['sys'],sys.modules['os']=None,None;del sys;f=lambda\

Try it online!

RProgN2, Cracked by Arnold Palmer

"+-/*÷^"{²[[\=};

Writes over all the math operators, with no way to restore them. In particular, it replaces them with a function that removes the top two items on the stack.

Try it online!

Original Solution

{S]‘[L}`d={0RL}`i=«x=y=x{xd`x=yi`y=x}:y»`+=

{S]‘[L}`d={0RL}`i=«x=y=x{xd`x=yi`y=x}:y»`+=
{     }`d=                                  #Define a function, "d", which returns n-1
 S                                          #Convert the input to a stack, which, as a number, makes a stack of 1 - n.
  ]‘                                        #Duplicate the stack, and pop the top value off it.
    [                                       #Discard the popped'd value.
     L                                      #Get the length of the stack, which now is n-1.
          {   }`i=                          #Define a function, "i", which returns n+1
           0R                               #Get the range of numbers between 0 and n.
             L                              #Get the length of that stack, which is n+1
                  «                    »`+= #Define a function, "+", which takes two numbers, and outputs their sum. We use «» here, because it localises references, instead of globalising them.
                   x=                       #Set the first input to the value of "x", which by default, is x.
                     y=                     #Ditto for y.
                       x{          x}:      #While x is truthy, which in this case, is non-zero.
                         xd                 #Get x - 1
                           `x=              #Set x to it.
                              yi`y=         #And set y to y + 1
                                      y     #Push y to the output. And we're done.

Try it online!

Java 8, Cracked by @OlivierGrégoire

Here's my attempt. Pretty much, the idea is to just overload all the namespaces you can use to output (and reflect, I hope). Output is intended to sdout (System.out).

class java {
    public static void main(String[]s){
       //there is no executable code in snippet one.
       //your code here.
    }
    class Class{}
    class Method{}
    class System{}
    class FileDescriptor{}
    class Logger{}
    class Runtime{}
    class Scanner{}
}

Blacklisting is typically a worse approach than whitelisting, so I'm sure it's just a matter of time before someone comes up with an approach I didn't consider.

Node.JS version 7.3.0 (Cracked by Dom Hastings)

var p=process,f;(_=>{var w=p.stdout.write,n='f'+(Math.random()*1e7|0),l=1
f=p.stdout.write=a=>eval(`(function ${n}(a){while(l&&((typeof a)[0]!='s'||'f'+a!=n));a=l?l="":a;w.apply(p.stdout,arguments);})`)(a)})();

Place the second code block after the first.

Disclaimer: the second code block will not function on its own (without being placed after the first). If this is not allowed however I can modify the second snippet.

This is a full program. Output is process.stdout (STDOUT), input is process.argv (command line arguments)

This is my first cops and robbers, hopefully this is a good challenge :)

Try it online!

The challenge explained

Generates a random variable n from 0 to 1e7. If you call write with the correct n, doesn't print anything but sets l to 0 which "unlocks" the write function, allowing you to print anything. If you try to call write with a non-string, sends you into an infinite loop. If you try to call write with anything other than the correct n while write is "locked", sends you into an infinite loop to prevent guessing.

The intended solution

Sneaks past the typeof that seemingly checks for strings only by using a Symbol, which also starts with s. This throws an error in the function resulting from the eval call because you can't add the string "f" to a Symbol. We catch the error and use regex to recover n from the stack trace, where it is in the function's name. Then we try to write n which doesn't print anything, but sets the "lock" variable l to 0 to "unlock" the write function. Now that the write function is unlocked we just print the sum.

try{f(Symbol())}catch(e){f(e.stack.match(/f(\d+)/)[1])
f(+p.argv[2]+ +p.argv[3]+"")}

Mascarpone, cracked by Ilmari Karonen

[ Make 'i' and 'z' print 'q' ]$
v ['q.]v* 'i<^
v ['q.]v* 'z<^

[ Disable some standard commands ]$
v[]v*   '1<^
v[]v*   '$<^
v[]v*   '@<^
v[]v*   '{<^
v[]v*   '}<^
v[<:]v* '<<^
v[]v*   'v<^$

Input is church numerals on stdio, using i for increment and z for zero. For instance, 2+3 would be:

iiziiiz

With a trailing newline

Output should be a number on stdout, in the same format as on stdio. For example, if the answer is five you should output:

iiiiiz

(mascarpone has no concept of numbers)

---

Intended solution:

: '[/''/'i/'./' /':/',/'>/'!/']/* 'i<^
: '[/':/',/'>/'!/']/* 'z<^
: ,>!
'z.

It is not immediately apparent from the documentation, but as @IlmariKaronen stated in his crack, string literals in Mascarpone are actually syntactic sugar for pushing a sequence of characters.

I deliberately wrote comments like [this]$ to make it look like I am pushing a string and popping it immediately afterwards. A naive cracker might have tried something like [:,>!]/* to push a string, swap it with the interpreter, and interpret it.

I also pretend to pop the interpreter I left on the stack with $, but $ has already been redefined to a NOP. You are left with this interpreter on the stack, and you have to carry it with you trough the entire program; trough each character of every string.

Haskell, 161 144 bytes, Cracked by BlackCap

{-#OPTIONS_GHC -fth -w#-}
module M where

Input to STDIN, output to STDERR. Add to the end of the program.

Edit: Intended to be compiled with no extra GHC arguments, just the normal ghc --make prog.hs.

Edited again to lower the byte count.

Have fun!

C# (.NET Core) Cracked by Ilmari Karonen

Also cracked by Joshua.

namespace System
{
    class Console
    {
        static void Main()
        {
            //Your code goes here
        }
    }
}

Reads the two values from stdin and writes the result to stdout. Tested on Windows with Framework Version 3, 4.6 and on TIO.

Here is the full program I had intended.

namespace System
{
    class Console
    {
        static void Main()
        {
            var t = Reflection.Assembly.Load("mscorlib").GetType("System.Console");
            var r = t.GetMethod("ReadLine");
            int a = int.Parse((string)r.Invoke(null, null));
            int b = int.Parse((string)r.Invoke(null, null));
            var w = t.GetMethod("WriteLine", new[] { typeof(int) });
            w.Invoke(null, new object[] { a + b });
        }
    }
}

Try it online!

Java 8 (Cracked)

Second attempt. This time I invested two minutes of testing.

static {

    try {

        System.setIn(null);
        System.setOut(null);
        System.setErr(null);

        for (Method m : System.class.getMethods()) {

            m.setAccessible(false);

        }

        System.class.getMethod("getSecurityManager", new Class[0]).setAccessible(false);

        for (Method m : Class.class.getMethods()) {

            m.setAccessible(false);

        }

        SecurityManager mngr = new SecurityManager() {

            @Override
            public void checkPermission(Permission p) {

                if (p.getName().equals("createSecurityManager")) throw new SecurityException();
                if (p.getActions().startsWith("read")) throw new SecurityException();

            }

        };

        System.setSecurityManager(mngr);

        // Your code goes here.

    } catch (Throwable t) {

    }

}

Most things shouuuld be covered.

GolfScript, cracked by Dennis

{}' !$%&()*+,-./<=>?@[\]^`|~'':'*~;

Try it online!

This is a code-golf challenge, after all, so why not try GolfScript?

A valid solution should be a snippet that reads two integers off the stack, adds them together and returns the result on the stack. The catch is that it should still work even after the code above has redefined almost all of the built-in GolfScript operators to do abolutely nothing. At least I left ; untouched, so you can still pop values off the stack. ;-) Your code should work on the standard GolfScript interpreter, as implemented e.g. on TIO (see link above).

---

Dennis' solution, like my own, relies on the rarely used feature of GolfScript that allows interpolated Ruby code in double quoted strings. We use this feature to define a new addition operator that works exactly like the built-in + operator, and then call it.

(One reason why the Ruby interpolation feature in GolfScript is so rarely used is that, awkwardly, the interpolated Ruby code is executed during parsing, and its output is cached by the GolfScript interpreter. Thus, if you e.g. have a string with interpolated Ruby code in a loop, the code will run only once before the actual program starts and thereafter always return the same value on every iteration of the loop. You can work around that using string eval to defer parsing, but that makes the already awkward syntax even more ugly and verbose, and in any case, for this challenge I disabled the eval operator ~, too. However, it turns out that defining new built-in GolfScript operators is one thing this feature actually does quite nicely and cleanly.)

Node.js v8.2.0, Cracked by Dom Hastings

let mess = ctx => f => new Proxy (f, {
  has: (t, p) => p in t || p in ctx
, get: (t, p) => {
    let k = p in t? t[p]: ctx[p];

    if (k instanceof Function) return (
      function fetch (_k) {
        return mess (ctx) ( x => ( q => q instanceof Function
                                      ? fetch (q)
                                      : t (q)
                                  ) ( _k(x) )
                          )
      })(k);

    return k;
  }
});

with (mess (global) (x => x)) {
  dot   = f => a => b => f(a(b))
  ap    = f => g => x => f (x) (g (x))
  flip  = f => x => y => f (y) (x)
  Const = a => b => a
  id    = x => x
  num   = n => n (x => x + 1) (0)
  log   = console.log

  let x = flip (Const . id . id)
    , y = flip (Const . id . id . id)
  for (let i = 0; i < process.argv[2]; i++) x = ap (dot) (x)
  for (let i = 0; i < process.argv[3]; i++) y = ap (dot) (y)
  process.argv = [];

  logic = x => y => /* Your code here */;

  log . id . num ( logic (ap (dot) (x))
                         (f => z => (( y(flip (id) . id . flip (dot (id)) (f)) ) (Const (z))) (id) )
                 );
}

You are to implement the logic function. Input is the arguments provided (from stdin), output is whatever your function returns (is printed to stdout).

---

My code church encodes the numbers from the input. The rest of the code is just there to intimidate you.
The mess function does some trickery to implement point-free notation (a . b == dot (a) (b)), which I primarely use to add . id . to random places, which doesn't do anything, but will confuse anyone unfamiliar with functional programming.
The transformation applied to the numbers before I pass them to the logic function is x+1 and y-1, which adds up to 0, so it's another NOP to add to the obscurity.

The intended solution was:

logic = x => y => f => z => x (f) (y (f) (z))

Inform 7, cracked by ppperry

For reading a command: rule fails.

[Your code here.]

The input should be typed by the player as an interactive command, e.g. add 17 to 25 or sum 17 25. You're free to choose the exact form of the command that should be entered, as long as it includes two numbers. The sum of the numbers (e.g. 42) should be printed in response to the command.

The challenge, of course, is doing that while the entire "reading a command" activity is replaced by a no-op. There are probably several ways to solve this problem, but at least it should require some familiarity with the language. The one I came up with is actually quite simple, if a bit unexpected.

I've tested my solution in the GNOME Inform 7 IDE, version 6L38, on Ubuntu Linux. The intended solution works on both the Glulx and the Z-machine back-ends, and should work on other recent versions of Inform 7, too. Note that (without a suitable work-around) the code above will cause the interpreter to busy-loop when it tries to read a command; the Z-machine interpreter seems to become completely unresponsive when this happens, and can't be stopped from within the IDE, so I recommend using Glulx for testing.

Jelly: CRACKED

This will be insanely easy compared to Wheat Wizard's awesome Python answer, but here we go :P

“for c in code_page:
 if c in atoms:atoms[c].call=None”ŒVø<insert code snippet here>

The sha256 hexdigest of my workaround solution, including the first snippet, is cfeb1e193ad77f66f039c0d6a792a3e4c311490f6412698e019ca1fae10c0e0a.

Note

You may not have any newlines in the code except for strings otherwise this code will not even be run, which defeats the purpose of this challenge.

Cracked by DJMcMayhem

To be fair, this uses a newline, so I'd like to see a solution that doesn't use a newline.

Also a solution by Jonathan Allan

This doesn't use a newline, so it's been cracked. :P

My solution is this:

“for c in code_page:
 if c in atoms:atoms[c].call=None”ŒVø“print(int(input())+int(input()))”ŒV

The first snippet only deletes single character atoms which means that Python eval still works :)))

Python 2 cracked

import sys,hashlib
c=open(__file__).read().split()[-1]
if c!='#'and hashlib.sha256(c).hexdigest()!='e6400dd63733d10ec042e3c28033cfa85e1d25fbef80020810c354d7c942e843':sys.exit() #

Try it online!

I'll preface this by saying this answer is a jerk move, intended as a lower-bound answer.

---

Inspired by Wheat Wizard's and HyperNeutrino's answers.

The snippet reads the source file and refuses to continue if the last whitespace-separated chunk of code does not sha256 into e6400dd63733d10ec042e3c28033cfa85e1d25fbef80020810c354d7c942e843.

EDIT: Edited slightly in response to this comment. The core problem does not change, any crack attempt is not invalidated.

Java, Cracked

import java.lang.reflect.*;
public class Main{
  public static void main(String... args){
    System.setOut(null);
    System.setErr(null);
    /*Your code here*/
  }
}

This should be was very easy to crack.

Intended solution

import java.lang.reflect.*;
public class Main{
public static void main(String... args){
  System.setOut(null);
  System.setErr(null);
  try{
    Class<?> cistream = Class.forName("java.io.InputStream");
    Class<?> cfostream = Class.forName("java.io.FileOutputStream");
    Class<?> costream = Class.forName("java.io.OutputStream");
    Class<?> cfdescriptor = Class.forName("java.io.FileDescriptor");
    Object sout = cfostream.getConstructor(cfdescriptor).newInstance(cfdescriptor.getField("out").get(null));
    Class<?> csys = Class.forName("java.lang.System");
    Field mod = Field.class.getDeclaredField("modifiers");
    mod.setAccessible(true);
    Field stdout = csys.getField("out");
    mod.set(stdout,Integer.class.cast(mod.get(stdout) )&~ Modifier.FINAL);
    stdout.set(null,Class.forName("java.io.PrintStream").getConstructor(costream).newInstance(sout));
    Class<?> cscanner = Class.forName("java.util.Scanner");
    Object scanner = cscanner.getConstructor(cistream).newInstance(System.in);
    Method nextInt = cscanner.getMethod("nextInt");
    int f = Integer.class.cast(nextInt.invoke(scanner));
    int s = Integer.class.cast(nextInt.invoke(scanner));
    int sum = s + f;
    System.out.println(sum);
  }catch(Throwable t){t.printStackTrace();}
  }
}

Try it online

Java 8 Cracked by @OlivierGrégoire

I tried to make it as hard as possible! :) And, unlike the other Java answer so far, you'll have to follow the exact rules of the challenge, by placing it after this entire snippet (so no, you don't put your code in the public static void main(String[] args) method, you put it after the entire class. :) Good luck!

I've added comments to show what is being restricted.
(Inspired by this post, which is less restrictive and beatiable with the same approach I could use for my answer.)

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileDescriptor;
import java.io.FilePermission;
import java.io.PrintStream;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

public class Main {

  // Put everything in a static block so it is run before the static main method 
  // and any trailing (static) initializer-blocks:
  static {
    try {
      initializing();
    } catch (final Exception e) {
    }
  }

  static void initializing() throws Exception {
    // Overwrite System.out, System.err and System.in:
    System.setOut(new PrintStream(new ByteArrayOutputStream()));
    System.setErr(new PrintStream(new ByteArrayOutputStream()));
    System.setIn(new ByteArrayInputStream(new byte[0]));

    // Enable reflection for System.out, System.err and System.in:
    final Field modifiersField = Field.class.getDeclaredField("modifiers");
    modifiersField.setAccessible(true);
    final Class<?> fdClass = java.io.FileDescriptor.class;
    final Field outField = fdClass.getDeclaredField("out");
    outField.setAccessible(true);
    modifiersField.setInt(outField, outField.getModifiers() & ~Modifier.FINAL);
    final Field errField = fdClass.getDeclaredField("err");
    errField.setAccessible(true);
    modifiersField.setInt(errField, errField.getModifiers() & ~Modifier.FINAL);
    final Field inField = fdClass.getDeclaredField("in");
    inField.setAccessible(true);
    modifiersField.setInt(inField, inField.getModifiers() & ~Modifier.FINAL);

    // Replace existing System.out FileDescriptor with a new (useless) one:
    outField.set(null, new FileDescriptor());
    // Replace existing System.err FileDescriptor with a new (useless) one:
    errField.set(null, new FileDescriptor());
    // Replace existing System.in FileDescriptor with a new (useless) one:
    inField.set(null, new FileDescriptor());

    // Disable reflection for System.out, System.err, System.in again:
    modifiersField.setInt(outField, outField.getModifiers() & ~Modifier.FINAL);
    modifiersField.setInt(errField, errField.getModifiers() & ~Modifier.FINAL);
    modifiersField.setInt(inField, inField.getModifiers() & ~Modifier.FINAL);
    inField.setAccessible(false);
    errField.setAccessible(false);
    outField.setAccessible(false);
    modifiersField.setAccessible(false);

    // Overwrite the SecurityManager:
    System.setSecurityManager(new SecurityManager() {

      private boolean exitAllowed = false;

      @Override
      public void checkExec(final String cmd) {
        throw new SecurityException();
      }

      @Override
      public void checkPermission(final java.security.Permission perm) {
        final String name = perm.getName();
        // You're not allowed to read/write files:
        if (name.equals("setIO") || name.equals("writeFileDescriptor")
            || name.equals("readFileDescriptor")
            || ((perm instanceof FilePermission) && name.startsWith("/proc/self/fd/"))) {
          throw new SecurityException();
        }
        // You're not allowed to overwrite the Security settings:
        if (name.equals("setSecurityManager") || name.equals("suppressAccessChecks")) {
          throw new SecurityException();
        }
        // You're not allowed to use reflection anymore:
        if (name.equals("getModifiers") || name.equals("get") || name.equals("set")
            || name.equals("setBoolean") || name.equals("setByte")
            || name.equals("setChar") || name.equals("setShort") || name.equals("setInt")
            || name.equals("setLong") || name.equals("setFloat") || name.equals("setDouble")
            || name.equals("setFieldAccessor") || name.equals("setFieldAccessor")) {
          throw new SecurityException();
        }
        // When you try to leave the current VM it will stop the program:
        if (name.startsWith("exitVM") && !this.exitAllowed) {
          this.exitAllowed = true;
          System.exit(0);
        }

        // You know what, nothing is allowed!
        throw new SecurityException("Mhuahahahaha!");
      }
    });
  }

  public static void main(String[] args) {
    // Overwritting all given arguments:
    args = new String[0];

    // Exit the program before you can do anything!
    System.exit(0);
  }
}

// Your code goes below:

Try it here. (ideone.com instead of TIO, since it doesn't seem to work there.. Testing has been done in the Eclipse IDE, but my intended solution does work if you use ideone.com)

JavaScript, Cracked

Input: prompt() twice

Output: console.log()

My solution does not work in jsfiddle. Works on the about:blank page with Google chrome's JS console.

prompt=console=0

My solution:

x=document.createElement("iframe")
x.src="data:text/html,<script>console.log(prompt()-0+(prompt()-0))</script>"
document.body.appendChild(x)

Explanation:

I removed prompt and console by setting them equal to 0.

In my solution I create an iframe, which creates a sandbox, and a new instance of window where prompt and console work properly.

Vim (Cracked by Bruce Forte)

This answer is patched here

:for i in split('Qq@:=+','\zs')
exe 'map '.i.' <nop>'
exe 'map! '.i.' <nop>'
endfo

Try it online!

This actually has a fairly easy solution. I'm just trying to get the ball rolling with some vim obfuscation. Depending on how quickly this is cracked, I'll crank up the difficulty later >:D

Input is to the buffer like this:

3
4

And output is to the buffer.

What's evil about it?

This makes it so that the following characters cannot be used:

Qq@:=+

Disabling Q and : prevents you from running ex commands. Disabling q prevents a workaround for q: entering ex mode, and removes your ability to create/run macros. Disabling @ prevents you from deleting text, and running that as a macro (the shortest way to add two numbers). And lastly, removing = and + makes it so you can't use the evaluation register.

For reference, my solution is 23 keystrokes long. Have fun cracking!

Vim (Cracked by Bruce Forte)

This is a patched version of my previous approach

:for i in split('Qq@:=+!','\zs')
exe 'map '.i.' <nop>'
exe 'map! '.i.' <nop>'
endfo

Plus 3 bytes for the -Z flag.

You can Try it online!, but keep in mind that some things are slightly different online, since this is a V interpreter, not a vim interpreter. Most notably, the -Z flag in vim is translated to the --safe flag in V. Of course, your crack may not rely on any V-specific features.

Input is to the buffer like this:

3
4

And output is to the buffer.

What's evil about it?

First off, the -Z flag prevents you from running any external commands (such as bash, python, awk, etc.). Any cracks must run in pure vim. Also, to clarify, an answer like :q<cr>read a;read b; echo $((a+b)) is not valid, because that is no longer a vim answer. The input and output must happen inside of one vim session

Then it makes it so that the following characters cannot be used:

Qq@:=+!

• Disabling Q and : prevents you from running ex commands.

• Disabling q prevents a workaround for q: entering ex mode, and removes your ability to create/run macros.

• Disabling @ prevents you from deleting text, and running that as a macro (the shortest way to add two numbers).

• Disabling ! prevents you from using filters.

• And lastly, disabling = and + makes it so you can't use the evaluation register.

For reference, my solution is 23 keystrokes long. Have fun cracking!

Ruby (cracked by Dennis)

END{exit 0}

Input through STDIN, output through exit code. Example:

 $ ruby mostly_unusable.rb
3
4
 $ echo $?
7

Java 8, too many bytes! (cracked on Linux (only) by Ilmari Karonen)

import java.io.FilePermission;
import java.io.InputStream;
import java.net.SocketPermission;
import java.security.Permission;
class Boolean {}
class Byte {}
class Character {}
class Double {}
class Enum {}
class Float {}
class Integer {}
class Long {}
class Math {}
class Number {}
class Package {}
class Short {}
class StrictMath {}
class System {} // tried to redefine System? Good try.
class Thread {}
class Void {}
class java {} // do NOT create a String class that is not java.lang.String (or do, but you won't be able to reuse java.lang.String)
interface Main { // No static block for you! Also, Java 8 only!
  static ClassLoader C = ClassLoader.getSystemClassLoader();
  static void main(String[] a) throws Throwable {
    a = new String[0];
    SecurityManager sm = new SecurityManager() {
      @Override public void checkPermission(Permission perm) {
        String n = perm.getName();
        if (   n.startsWith("set")                  // hey, that's my security, not yours!
            || n.startsWith("read")                 // don't read stuff
            || n.startsWith("get")                  // various thingies including getenv.
            || perm instanceof FilePermission       // no files
            || perm instanceof SocketPermission) {  // no network
          throw new SecurityException("Nope!");
        }
      }
      @Override public void checkPropertyAccess(String key) {
        throw new SecurityException("No property for you!"); // Hey, I've thought about it too! :)
      }
    };
    Object in = C.loadClass("java.lang.System").getDeclaredField("in").get(null);
    InputStream.class.getMethod("close").invoke(in); // No input!
    C.loadClass("java.lang.System").getMethod("setSecurityManager", SecurityManager.class).invoke(null, sm);
    otherMethod();
  }
  static void otherMethod(){
    // Your code here
  }
}

Input method: arguments on the command line.

I'm a nice guy, I let you use System.out, but not directly: security first.

Hint: the intended, hidden 2nd snippet doesn't use the } character, even though there are other, more standard, ways to break it.

S.I.L.O.S, 12 bytes Cracked!

def print z

Here we essentially duct tape the mouth of your program. We redefine the print keyword to the letter z. Enjoy!
My intended solution outputs to stdout, and receives input via stdin (on TIO it takes in the two integers on separate CLA, but locally use two integers on separate lines)

---

The intended solution sneakily redefines z back to print, pperry found a golfier method that defines p as print and then works as expected.

Intended solution

def print z z print
readIO 
j=i
readIO
j+i
printInt j

Java 8, OS-agnostic, cracked by Ilmari Karonen

import java.io.FilePermission;
import java.lang.Class;             // No trying redefining Class.
import java.lang.ClassLoader;       // or ClassLoader
import java.lang.String;            // or String
import java.lang.System;            // And don't think I forgot System!
import java.lang.SecurityException; // You won't mind, will you?
import java.lang.Runtime;           // Just for good measure.
import java.lang.Throwable;         // I'd hate to forget one.
import java.net.SocketPermission;
import java.security.Permission;
class java {}                       // just so you don't mess my own imports  I carefully protected.
interface Main {                    // No static block for you!
                                    // Also, Java 8 only!
                                    // Yep, TIO friendly
  static void main(String[] a) throws Throwable {
    a = new String[0];              // Just in case
    try {
      SecurityManager sm = new SecurityManager() {
        @Override public void checkPermission(Permission perm) {
          String n = perm.getName();
          if (   n.startsWith("set")                  // hey, that's my security, not yours!
              || n.startsWith("read")                 // don't read stuff
              || n.startsWith("get")                  // various thingies including getenv.
              || perm instanceof FilePermission       // no files
              || perm instanceof SocketPermission) {  // no network
            throw new SecurityException("Nope!");
          }
        }
        @Override public void checkPropertyAccess(String key) {
          throw new SecurityException("No property for you!"); // Hey, I've thought about it too! :)
        }
        @Override public void checkExec(String cmd) {
          throw new SecurityException("Muhahaha! No.");
        }
      };
      System.in.close(); // No input
      try{ClassLoader.getSystemClassLoader().loadClass("A");}catch(Throwable e){}       // I load your class, but I don't initialize it!
      System.setSecurityManager(sm);
      ClassLoader.getSystemClassLoader().loadClass("A").newInstance();
    } catch (ClassNotFoundException e) {
      // Do nothing, but don't crash.
    } catch (Throwable e) {
      throw e;
    }
  }
}
// Your code here!
// Hint: create a class A with a public constructor. Not an enum or an interface.

Intended solution:

class A {
  public A() {
    // The access restriction is on System.getProperty(String), not System.getProperties().
    // It's an irk of Java, but is consistent through its history, and is clearly documented as such
    int a = Integer.parseInt(System.getProperties().get("a"));
    int b = Integer.parseInt(System.getProperties().get("b"));
    System.out.println(a+b);
  }
}

Input method: command line arguments

Notes:

• Don't limit to a single OS, the solution is OS-agnostic as it doesn't rely on anything the OS has to offer. I won't accept an answer that works only on a subset of systems where Java runs.
• You have to create a class named A with a public no-param constructor (or a static block) to get your code running. That's your entry point. You may declare that the constructor throws something, if you want.
• You don't need to create any other class + method than A and it's constructor. At least the intended solution doesn't.
• It's not because I import something that it's used, even in the solution. Don't think I "forgot to remove it" before posting.
• Don't overthink it, a first year student can solve it. Actually, he/she has a better shot than you to solve it ;)

Python 3, cracked by DJMcMayhem

import atexit
if "\n".join(open(__file__).readlines()[2:]):atexit.register(1..__truediv__, 0)

(trailing newline at end of code block). Input from STDIN, output to STDERR. Abuses the rule about correct output even after crashes by registering an atexit handler that raises a ZeroDivisionError, which would normally get output to STDERR, polluting the output.

Java, cracked

It's more of a guess..

public static void main(String[] args) throws IllegalArgumentException, IllegalAccessException, NoSuchFieldException, SecurityException, NoSuchMethodException {

    try {

        System.class.getField("in").set(null, null);
        System.class.getField("out").set(null, null);
        System.class.getField("err").set(null, null);

        System.class.getMethod("getSecurityManager", new Class[0]).setAccessible(false);

        File.class.getField("fs").set(null, null);

        for (Method m : Class.class.getMethods()) {

            m.setAccessible(false);

        }

        SecurityManager mngr = new SecurityManager() {

            @Override
            public void checkPermission(Permission p) {

                throw new Error("Muahaha!");

            }

            @Override
            public void checkLink(String s) {

                throw new Error("Not this way, my friend!");

            }

        };

        System.setSecurityManager(mngr);

    } catch (Throwable t) {

    }

}

This blocks all ways of I/O that I know of, and also blocks undoing my work by construction a custom security manager that does not permit anything (not even linking native libraries). I don't see a way to remove Javas arithmetic stuff,but if someone does, feel free to leave a comment. Hope you enjoy the challenge.

Java 7 (cracked by Ilmari Karonen)

class Main {
  static {
    // I see a lot of java answers where folks are using a Scanner in a static
    // initializer block so let's beat them to the punch and read the first parameter
    // before they have a chance to. The intended solution uses program arguments for input
    // anyway...
    java.util.Scanner s = new java.util.Scanner(System.in);
    if (s.hasNext()) {
      s.next();
    }

    try {
      System.out.close();
      System.in.close();
      System.err.close();
      System.setProperties(null);
    } catch (Exception e) {
      // Nothing
    }
  }
  public static void main(String[]a) throws Exception {
    a = new String[0];
    // Code goes here
  }
}

Try it online!

The intended solution runs on Linux and will work on TIO. It takes input as program arguments and outputs to stdout. Hopefully I didn't forget something really easy. I don't think reflection helps the same way as it does in other answers. Good luck.

Python 3.4, 241 bytes, cracked by Sisyphus

sys=__import__("sys")
sуs=__import__("os")
del sуs.system, sуs.open, sуs.write, sуs.writev
del __builtins__ 
del sys.__stdout__,sys.__stderr__,sys.__stdin__ 
sys.stdout=sys.stdin
sys.stderr=sys.stdout
sys.stdin.write=sys.stderr
del sys

Input on true STDIN and with Ctrl-D, output with STDOUT.