How do these javascript obfuscators generate actual working code?

Question

There's this one and this one and they both generate completely unreadable code, one being more adorable than the other.

Now, I'm no expert in Javascript, but I fail to see how

ﾟωﾟﾉ= /｀ｍ´）ﾉ ~┻━┻   //*´∇｀*/ ['_']; o=(ﾟｰﾟ)  =_=3; c=(ﾟΘﾟ) =(ﾟｰﾟ)-(ﾟｰﾟ); (ﾟДﾟ) =(ﾟΘﾟ)= (o^_^o)/ (o^_^o);(ﾟДﾟ)={ﾟΘﾟ: '_' ,ﾟωﾟﾉ : ((ﾟωﾟﾉ==3) +'_') [ﾟΘﾟ] ,ﾟｰﾟﾉ :(ﾟωﾟﾉ+ '_')[o^_^o -(ﾟΘﾟ)] ,ﾟДﾟﾉ:((ﾟｰﾟ==3) +'_')[ﾟｰﾟ] }; (ﾟДﾟ) [ﾟΘﾟ] =((ﾟωﾟﾉ==3) +'_') [c^_^o];(ﾟДﾟ) ['c'] = ((ﾟДﾟ)+'_') [ (ﾟｰﾟ)+(ﾟｰﾟ)-(ﾟΘﾟ) ];(ﾟДﾟ) ['o'] = ((ﾟДﾟ)+'_') [ﾟΘﾟ];(ﾟoﾟ)=(ﾟДﾟ) ['c']+(ﾟДﾟ) ['o']+(ﾟωﾟﾉ +'_')[ﾟΘﾟ]+ ((ﾟωﾟﾉ==3) +'_') [ﾟｰﾟ] + ((ﾟДﾟ) +'_') [(ﾟｰﾟ)+(ﾟｰﾟ)]+ ((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+((ﾟｰﾟ==3) +'_') [(ﾟｰﾟ) - (ﾟΘﾟ)]+(ﾟДﾟ) ['c']+((ﾟДﾟ)+'_') [(ﾟｰﾟ)+(ﾟｰﾟ)]+ (ﾟДﾟ) ['o']+((ﾟｰﾟ==3) +'_') [ﾟΘﾟ];(ﾟДﾟ) ['_'] =(o^_^o) [ﾟoﾟ] [ﾟoﾟ];(ﾟεﾟ)=((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+ (ﾟДﾟ) .ﾟДﾟﾉ+((ﾟДﾟ)+'_') [(ﾟｰﾟ) + (ﾟｰﾟ)]+((ﾟｰﾟ==3) +'_') [o^_^o -ﾟΘﾟ]+((ﾟｰﾟ==3) +'_') [ﾟΘﾟ]+ (ﾟωﾟﾉ +'_') [ﾟΘﾟ]; (ﾟｰﾟ)+=(ﾟΘﾟ); (ﾟДﾟ)[ﾟεﾟ]='\\'; (ﾟДﾟ).ﾟΘﾟﾉ=(ﾟДﾟ+ ﾟｰﾟ)[o^_^o -(ﾟΘﾟ)];(oﾟｰﾟo)=(ﾟωﾟﾉ +'_')[c^_^o];(ﾟДﾟ) [ﾟoﾟ]='\"';(ﾟДﾟ) ['_'] ( (ﾟДﾟ) ['_'] (ﾟεﾟ+(ﾟДﾟ)[ﾟoﾟ]+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+((ﾟｰﾟ) + (ﾟΘﾟ))+ (c^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟｰﾟ)+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) - (ﾟΘﾟ))+ (o^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ (o^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (o^_^o)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟΘﾟ)+ ((ﾟｰﾟ) + (o^_^o))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ (ﾟｰﾟ)+ ((o^_^o) +(o^_^o))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟｰﾟ)+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((ﾟｰﾟ) + (ﾟΘﾟ))+ ((ﾟｰﾟ) + (o^_^o))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟΘﾟ)+ ((o^_^o) +(o^_^o))+ ((ﾟｰﾟ) + (o^_^o))+ (ﾟДﾟ)[ﾟεﾟ]+(ﾟｰﾟ)+ ((o^_^o) - (ﾟΘﾟ))+ (ﾟДﾟ)[ﾟεﾟ]+((ﾟｰﾟ) + (ﾟΘﾟ))+ (ﾟΘﾟ)+ (ﾟДﾟ)[ﾟoﾟ]) (ﾟΘﾟ)) ('_'); 

and

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$._$_+$._$$+$.__+$.$_$_+$.$$__+"\\"+$.__$+$.$_$+$._$$+"\\"+$.__$+$.__$+$.$$$+"\\"+$.__$+$.$$_+$.$$_+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.$$$$+(![]+"")[$._$_]+$._$+"\\"+$.__$+$.$$_+$.$$$+"\\\")"+"\"")())(); 

are actual valid javascript that do as expected. Seriously, run them. They're both alert("StackOverflow"). I could understand obfuscating some logic or string obfuscation, but there's no visible control statements. Is this obfuscator pulling some magic in the style of The Language Which Shall Not Be Named? I'm happy with my code looking happy too, but I'm completely not understanding the magic behind it.

I've tried picking through the sourcecode of both pages, and they're as confusing for me as the code they generate.

How does this work?

Answer 1

What fun! Here's my go at it. Basically what is happening here is a bunch of numbers and strings are being assigned to variables. Those variables are being concatenated to form an encoded string. That encoded string is decoded to form a string of JavaScript code. That code is set as the body of a function, which is then executed.

Let's take it line by line:

Line 1:

ﾟωﾟﾉ = /｀ｍ´）ﾉ ~┻━┻   //*´∇｀*/['_']; 

ﾟωﾟﾉ - a global variable
/｀ｍ´）ﾉ ~┻━┻ / - a regular expression
/*´∇｀*/ - a multi-line comment
['_'] - get the property _ of the regular expression.

Since a RegExp does not have a _ property, the variable ﾟωﾟﾉ contains the value undefined.

Line 2:

o = (ﾟｰﾟ) = _ = 3; 

Define the variables o, ﾟｰﾟ, and _, and set each of their values to 3.

Line 3:

c = (ﾟΘﾟ) = (ﾟｰﾟ) - (ﾟｰﾟ); 

Define the variables c and ﾟΘﾟ and set their values to 0. (ﾟｰﾟ is 3, so (ﾟｰﾟ) - (ﾟｰﾟ) is the same as ﾟｰﾟ - ﾟｰﾟ is the same as 3 - 3. Now c and ﾟΘﾟ both contain 1;

Line 4:

(ﾟДﾟ) = (ﾟΘﾟ) = (o ^ _ ^ o) / (o ^ _ ^ o); 

Define the variable ﾟДﾟ and redefine the variable ﾟΘﾟ. ^ is the bitwise XOR operator and o and _ are both 3.
o ^ _ ^ o is the same as 3 ^ 3 ^ 3.
3 ^ 3 is 0, 3 ^ 0 is 3.
Then 3 / 3 is 1.
ﾟДﾟ and ﾟΘﾟ both now contain 1.

Line 5:

(ﾟДﾟ) = { ﾟΘﾟ: '_', ﾟωﾟﾉ: ((ﾟωﾟﾉ == 3) + '_')[ﾟΘﾟ], ﾟｰﾟﾉ: (ﾟωﾟﾉ + '_')[o ^ _ ^ o - (ﾟΘﾟ)], ﾟДﾟﾉ: ((ﾟｰﾟ == 3) + '_')[ﾟｰﾟ] }; 

With line breaks and indentation:

(ﾟДﾟ) = {     ﾟΘﾟ: '_',     ﾟωﾟﾉ: ((ﾟωﾟﾉ == 3) + '_')[ﾟΘﾟ],     ﾟｰﾟﾉ: (ﾟωﾟﾉ + '_')[o ^ _ ^ o - (ﾟΘﾟ)],     ﾟДﾟﾉ: ((ﾟｰﾟ == 3) + '_')[ﾟｰﾟ] }; 

Redefine ﾟДﾟ as an object literal, with properties ﾟΘﾟ, ﾟωﾟﾉ, ﾟｰﾟﾉ, and ﾟДﾟﾉ.
ﾟДﾟ.ﾟΘﾟ is "_".
ﾟДﾟ.ﾟωﾟﾉ is ((undefined == 3) + "_")[1] which is "false_"[1] which is "a".
ﾟДﾟ.ﾟｰﾟﾉ is (undefined + "_")[3 ^ 3 ^ 3 - 1] which is "undefined_"[2] which is "d".
ﾟДﾟ.ﾟДﾟﾉ is ((3 == 3) + "_")[3] which is "true_"[3] which is "u".

Line 6:

(ﾟДﾟ)[ﾟΘﾟ] = ((ﾟωﾟﾉ == 3) + '_')[c ^ _ ^ o]; 

Is the same as:

ﾟДﾟ.ﾟΘﾟ = ((undefined == 3) + "_")[1 ^ 3 ^ 3]; 

Which is the same as:

ﾟДﾟ.ﾟΘﾟ = "false_"[1]; 

So ﾟДﾟ.ﾟΘﾟ is "a".

Lines 7 - 16:

And so it continues, assigning strings and numbers to variables and object properties. Until the last line:

Line 17:

(ﾟДﾟ)['_']((ﾟДﾟ)['_'](ﾟεﾟ + (ﾟДﾟ)[ﾟoﾟ] + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + (ﾟｰﾟ) + (ﾟΘﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (ﾟｰﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + (ﾟｰﾟ) + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((o ^ _ ^ o) + (o ^ _ ^ o)) + ((o ^ _ ^ o) - (ﾟΘﾟ)) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((o ^ _ ^ o) + (o ^ _ ^ o)) + (ﾟｰﾟ) + (ﾟДﾟ)[ﾟεﾟ] + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (c ^ _ ^ o) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟｰﾟ) + ((o ^ _ ^ o) - (ﾟΘﾟ)) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + (ﾟΘﾟ) + (c ^ _ ^ o) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + (ﾟｰﾟ) + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (ﾟｰﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (ﾟｰﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((ﾟｰﾟ) + (ﾟΘﾟ)) + ((ﾟｰﾟ) + (o ^ _ ^ o)) + (ﾟДﾟ)[ﾟεﾟ] + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (ﾟｰﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟｰﾟ) + (c ^ _ ^ o) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + (ﾟΘﾟ) + ((o ^ _ ^ o) - (ﾟΘﾟ)) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + (ﾟｰﾟ) + (ﾟΘﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((o ^ _ ^ o) + (o ^ _ ^ o)) + ((o ^ _ ^ o) + (o ^ _ ^ o)) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + (ﾟｰﾟ) + (ﾟΘﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((o ^ _ ^ o) - (ﾟΘﾟ)) + (o ^ _ ^ o) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + (ﾟｰﾟ) + (o ^ _ ^ o) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((o ^ _ ^ o) + (o ^ _ ^ o)) + ((o ^ _ ^ o) - (ﾟΘﾟ)) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (ﾟΘﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((o ^ _ ^ o) + (o ^ _ ^ o)) + (c ^ _ ^ o) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟΘﾟ) + ((o ^ _ ^ o) + (o ^ _ ^ o)) + (ﾟｰﾟ) + (ﾟДﾟ)[ﾟεﾟ] + (ﾟｰﾟ) + ((o ^ _ ^ o) - (ﾟΘﾟ)) + (ﾟДﾟ)[ﾟεﾟ] + ((ﾟｰﾟ) + (ﾟΘﾟ)) + (ﾟΘﾟ) + (ﾟДﾟ)[ﾟoﾟ])(ﾟΘﾟ))('_'); 

By this time, we have the following variables:

ﾟωﾟﾉ    // undefined o       // 3 ﾟｰﾟ     // 4 _       // 3 c       // 0 ﾟΘﾟ     // 1 ﾟДﾟ     /* {             "1": "f",             ﾟΘﾟ: "_",             ﾟωﾟﾉ: "a",             ﾟｰﾟﾉ: "d",             ﾟДﾟﾉ: "e",             c: "c",             o: "o",             return: "\\",             ﾟΘﾟﾉ: "b",             constructor: "\"",             _: Function         } */ ﾟoﾟ     // "constructor" ﾟεﾟ     // "return" oﾟｰﾟo   // "u" 

That line is mostly one big string concatenation. We can make it slightly more readable by removing the unnecessary parentheses and adding line breaks:

ﾟДﾟ['_'](     ﾟДﾟ['_'](         ﾟεﾟ +          ﾟДﾟ[ﾟoﾟ] +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ﾟｰﾟ +          ﾟΘﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          (ﾟｰﾟ + ﾟΘﾟ) +          ﾟｰﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ﾟｰﾟ +          (ﾟｰﾟ + ﾟΘﾟ) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ((o ^ _ ^ o) + (o ^ _ ^ o)) +          ((o ^ _ ^ o) - ﾟΘﾟ) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ((o ^ _ ^ o) + (o ^ _ ^ o)) +          ﾟｰﾟ +          ﾟДﾟ[ﾟεﾟ] +          (ﾟｰﾟ + ﾟΘﾟ) +          (c ^ _ ^ o) +          ﾟДﾟ[ﾟεﾟ] +          ﾟｰﾟ +          ((o ^ _ ^ o) - ﾟΘﾟ) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ﾟΘﾟ +          (c ^ _ ^ o) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ﾟｰﾟ +          (ﾟｰﾟ + ﾟΘﾟ) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          (ﾟｰﾟ + ﾟΘﾟ) +          ﾟｰﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          (ﾟｰﾟ + ﾟΘﾟ) +          ﾟｰﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          (ﾟｰﾟ + ﾟΘﾟ) +          (ﾟｰﾟ + (o ^ _ ^ o)) +          ﾟДﾟ[ﾟεﾟ] +          (ﾟｰﾟ + ﾟΘﾟ) +          ﾟｰﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟｰﾟ +          (c ^ _ ^ o) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ﾟΘﾟ +          ((o ^ _ ^ o) - ﾟΘﾟ) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ﾟｰﾟ +          ﾟΘﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ((o ^ _ ^ o) + (o ^ _ ^ o)) +          ((o ^ _ ^ o) + (o ^ _ ^ o)) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ﾟｰﾟ +          ﾟΘﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ((o ^ _ ^ o) - ﾟΘﾟ) +          (o ^ _ ^ o) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ﾟｰﾟ +          (o ^ _ ^ o) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ((o ^ _ ^ o) + (o ^ _ ^ o)) +          ((o ^ _ ^ o) - ﾟΘﾟ) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          (ﾟｰﾟ + ﾟΘﾟ) +          ﾟΘﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ((o ^ _ ^ o) + (o ^ _ ^ o)) +          (c ^ _ ^ o) +          ﾟДﾟ[ﾟεﾟ] +          ﾟΘﾟ +          ((o ^ _ ^ o) + (o ^ _ ^ o)) +          ﾟｰﾟ +          ﾟДﾟ[ﾟεﾟ] +          ﾟｰﾟ +          ((o ^ _ ^ o) - ﾟΘﾟ) +          ﾟДﾟ[ﾟεﾟ] +          (ﾟｰﾟ + ﾟΘﾟ) +          ﾟΘﾟ +          ﾟДﾟ[ﾟoﾟ]     )(ﾟΘﾟ) )("_"); 

The value of that concatenated string is:

return"\141\154\145\162\164\50\42\110\145\154\154\157\54\40\112\141\166\141\123\143\162\151\160\164\42\51" 

So, replacing all the variables with literals, we end up with the following JavaScript which gets executed on that last line:

Function(Function("return\"\\141\\154\\145\\162\\164\\50\\42\\110\\145\\154\\154\\157\\54\\40\\112\\141\\166\\141\\123\\143\\162\\151\\160\\164\\42\\51\"")(1))("_") 

Breaking that line down, in the middle we see the concatenated string is passed to a Function constructor, making the string the function body:

Function("return\"\\141\\154\\145\\162\\164\\50\\42\\110\\145\\154\\154\\157\\54\\40\\112\\141\\166\\141\\123\\143\\162\\151\\160\\164\\42\\51\"") 

So, that string is evaluated as JavaScript, and the Function constructor returns this function:

function () {     return"\141\154\145\162\164\50\42\110\145\154\154\157\54\40\112\141\166\141\123\143\162\151\160\164\42\51"; } 

That function is immediately executed:

Function("return\"\\141\\154\\145\\...\\51\"")(1) 

And returns the string:

alert("Hello, JavaScript") 

Hey, that looks like JavaScript! But it's not yet. It's just a string. But that string is passed to another Function constructor, giving us a function that executes the string as JavaScript:

Function("alert(\"Hello, JavaScript\")") 

That is the same as:

function () {     alert("Hello, JavaScript"); } 

That function is immediately executed:

Function("alert(\"Hello, JavaScript\")")("_") 

And our unobfuscated code is finally called.