
How can I say "love" without character or digits in JavaScript? [closed]

Inspired by Ryan Barnett's PPT of BlackHat DC 2011, especially the code below:

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+ ($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__ [_+~$]+$_[_]+$$](_/_) 

Yesterday was a special day for lovers, so I tried to write something similar, which basically alerts "I love you" without any characters or digits.

e.g. "I" can be obtained from ((_=-~[])/--_+[])[_]

We have "[object Object]", "true", "false", "NaN", "Infinity" to use, but I cannot figure out a way to get "v" this way.

I thought of String.fromCharCode() (Ryan already gets a window reference for us, so in theory we can call window["String"]["fromCharCode"](118)); however, I am missing the "S" and "C" characters here. I also thought about window["eval"](...), but again, I have no "v".

Just to explain a little bit: [] is empty; when you apply the +/-/~ operators to it, it converts to the number 0, and ~[] gives 1, and 1/0 gives Infinity. Then it comes to 1/0 + []: both are converted to strings for the addition, which gives "Infinity", and "Infinity"[_] == "Infinity"[0] == "I"...

Ryan's original code is more complex; it utilizes a lot more, including scope, special return values, etc. (but that is another story).

This might not seem like a great way to do things, but it is just very interesting.

With help from meze, I was able to produce this for Firefox:

($=($=[$=[]][(__=!$+$)[_=-~-~-~$]+(_$={}+$)[_/_]+ ($$=($_=!''+$)[_/_]+$_[+$])])())[__[_/_]+__ [_+~$]+$_[_]+$$]((_$_=(__$=-~[])/--__$+[])[__$]+_$[_+++_]+__[__$=-~-~[]]+_$[-~[]]+($[_$[$__=_+_]+_$[++$__]+_$[++$__]+_$[++$__]+_$[++$__]+_$[++$__]]+[])[ $__+$__+--_]+__[++_]+_$[$__=_+--_]+_$_[_+++_]+_$[_/_]+$_[__$]); 

It is basically alert("I love you"). Many thanks! If only I had gotten the help yesterday, when I had not posted this yet :(

JavaScript is beautiful. Some variables for your reference:

$_ = "true"
__ = "false"
_$ = "[object Object]"
$$ = "rt"
_$_ = "Infinity"
_ = 3 = 4 = 3 = 4 = 3
$ = window
$__ = 8 = 13
__$ = 0 = 2

Some variables are reused many times; I will not try to give the details, as it is not a fun job :) I am happy that we are finally here! This actually has lots of potential: as we now have "v" and lots of digits, it is in theory possible to eval() lots of... things more easily. I will show this to my wife; I hope she enjoys the _$-+()...

An example for your reference: http://jsfiddle.net/Y4wqw/

By the way, we can shorten the code a bit, as we already have a reference to sort(), which can be used instead of window["Object"] to get the "native code" => "v". Here it is:

($=($_$=($=[$=[]][(__=!$+$)[_=-~-~-~$]+(_$={}+$)[_/_]+ ($$=($_=!''+$)[_/_]+$_[+$])]))())[__[_/_]+__ [_+~$]+$_[_]+$$]((_$_=(__$=-~[])/--__$+[])[__$]+_$[_+++_]+__[__$=-~-~[]]+_$[-~[]]+($_$+[])[(__$<<__$<<__$)-_+~[]]+$_[--_]+_$[$__=_+++_]+_$_[_+--_]+_$[_/_]+$_[__$]); 

Again, it works only in Firefox; I might not try to migrate it to other browsers. And I love Firefox.

ccppjava asked Feb 15 '11 08:02


1 Answer

Well, at least in Firefox, JavaScript native objects return function Object() { [native code] }, which has 'v'. So if we have window and Object, then I suppose we could do:

(window["Object"]+0)[29]; 
meze answered Oct 05 '22 23:10
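The coercion steps discussed in the question and the answer, written out readably as an added example (not code from either poster): it maps each character of "I love you" to the coerced string that supplies it and finds "v" by searching rather than by a fixed index. The names SOURCES, locate, rebuild, nativeVIndex and isSymbolOnly are hypothetical helpers introduced here.

```javascript
// Added illustration, not the poster's code: every source string below
// comes from type coercion alone, as the question describes.
const SOURCES = [
  ['true',            !'' + []],        // true  + "" -> "true"
  ['false',           ![] + []],        // false + "" -> "false"
  ['[object Object]', {} + []],         // default object-to-string conversion
  ['Infinity',        -~[] / +[] + []], // -~[] is 1, +[] is 0, 1/0 is Infinity
  ['native function', Object + []],     // source text of a built-in; layout varies by engine
];

// First coerced string containing `ch`, as { name, index }, or null if none does.
function locate(ch) {
  for (const [name, text] of SOURCES) {
    const index = text.indexOf(ch);
    if (index !== -1) return { name, index };
  }
  return null;
}

// Rebuild `message` only by indexing into the coerced strings; throws on a
// character no source supplies (the "missing letter" problem in the question).
function rebuild(message) {
  const lookup = new Map(SOURCES);
  return [...message].map((ch) => {
    const hit = locate(ch);
    if (!hit) throw new Error(`no coerced source provides "${ch}"`);
    return lookup.get(hit.name)[hit.index];
  }).join('');
}

// Position of "v" in the built-in's source text. The answer hard-codes 29 for
// Firefox; the text layout differs between engines, so search for it instead.
function nativeVIndex() {
  return (Object + []).indexOf('v');
}

// True when a snippet has no letters or digits at all (the question's constraint).
function isSymbolOnly(snippet) {
  return snippet.length > 0 && !/[A-Za-z0-9]/.test(snippet);
}

for (const ch of new Set('I love you')) {
  const { name, index } = locate(ch);
  console.log(JSON.stringify(ch), '<-', `${name}[${index}]`);
}
console.log(rebuild('I love you'), '| index of v in this engine:', nativeVIndex());
console.log(isSymbolOnly('((_=-~[])/--_+[])[_]'));
```

locate('S') and locate('C') return null here, which is why the String.fromCharCode route in the question stalls without another source of letters.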