Inspired by Ryan Barnett's PPT of BlackHat DC 2011, especially the code below:
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+ ($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__ [_+~$]+$_[_]+$$](_/_)
Yesterday was special day for lovers, so I tried to write something similar. Which basically alert "I love you" without any character or digits.
e.g. "I" can be obtained from ((_=-~[])/--_+[])[_]
we have "[object Object]", "true", "false", "NaN", "Infinity" to use, I cannot figure out a way to get "v" this way.
I tried to think of String.fromCharCode() , (Ryan already get window reference for us, so in theory, we can window["String"]["fromCharCode"](118) ) however I miss "S" and "C" character here. Also think about window["eval"](...) , again, I have no "v".
Just try to explain a little bit, [] is empty, when apply +/-/~ operate to it, it converts to number 0 , and ~[] gives 1 , 1/0 gives Infinitey . Then it comes to 1/0 + [] , they will both converted to string for the add, which gives "Infinity" , and "Infinity"[_] == "Infinity"[0] == "I" ...
The original code of Ryan is more complex, it utilized a lot more, includes scope, special return value, etc. (this is another story)
This might not seem to be a great idea to do things, but just very interesting.
With help with meze, I was able to produce this for Firefox:
($=($=[$=[]][(__=!$+$)[_=-~-~-~$]+(_$={}+$)[_/_]+ ($$=($_=!''+$)[_/_]+$_[+$])])())[__[_/_]+__ [_+~$]+$_[_]+$$]((_$_=(__$=-~[])/--__$+[])[__$]+_$[_+++_]+__[__$=-~-~[]]+_$[-~[]]+($[_$[$__=_+_]+_$[++$__]+_$[++$__]+_$[++$__]+_$[++$__]+_$[++$__]]+[])[
$__+$__+--_]+__[++_]+_$[$__=_+--_]+_$_[_+++_]+_$[_/_]+$_[__$]);
it basically is alert("I love you") , many thanks! If only I get the help yesterday, which I have not post this yet :(
JavaScript is beautiful, some varibles for your reference:
$_ = "true"
__ = "false"
_$ = "[object Object]"
$$ = "rt"
_$_ = "Infinity"
_ = 3 = 4 = 3 = 4 = 3
$ = window
$__ = 8 = 13
__$ = 0 = 2
Some variables are reused many times, will not try to leave details, it is not a fun job :) I am happy, we are finally here! This actually has lots of potential, as we now have "v", and lots of digits, we will in theory possible to eval() lots of... things easier. I will show this to my wife, hope she enjoys the _$-+()...
example as your reference: http://jsfiddle.net/Y4wqw/
btw, we can shorten the code a bit, as we already have reference to sort() , which can be used instead of window["Object"] to get the "native code" => "v", here it is:
($=($_$=($=[$=[]][(__=!$+$)[_=-~-~-~$]+(_$={}+$)[_/_]+ ($$=($_=!''+$)[_/_]+$_[+$])]))())[__[_/_]+__ [_+~$]+$_[_]+$$]((_$_=(__$=-~[])/--__$+[])[__$]+_$[_+++_]+__[__$=-~-~[]]+_$[-~[]]+($_$+[])[(__$<<__$<<__$)-_+~[]]+$_[--_]+_$[$__=_+++_]+_$_[_+--_]+_$[_/_]+$_[__$]);
Again, it works only in Firefox, might not try to migrate to other browser. And I love Firefox.
Source: Tips4all, CCNA FINAL EXAM
Well at least in Firefox, JavaScript native objects return function Object() { [native code] }, which has 'v'. So if we have window and Object, then i suppose we could do:
ReplyDelete(window["Object"]+0)[29];
Same message, but different spelling.
ReplyDelete// "I <3 u"
_= +~[]; // 1
__= -[]; // 0
___= +(-~[] -~[] -~[]); // 3
$=''
+(''+(_/__))[__] // i
+' ' // space
+'<'+___ // <3
+' ' // space
+(''+(_<__))[+(-~[] -~[])]; // u
alert($);
jsfiddle link
try this code:
ReplyDelete$=(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[È=++Å-~Å]+Ç[È+È]+µ[Å]+µ[Å-Å]])();
_=$[Ç[È+È+Å]+µ[Å-Å]+Ç[È+È]+Ç[Å]]("¾");
console.info( _[+[]] ); // concole is used just to show result ;)
if you run it, on the console you will get "v" :), more info about it can be found there
there is a way to avoid "¾", but result will be "V" (actually nothing bad for such a word like love :):
$=(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[È=++Å-~Å]+Ç[È+È]+µ[Å]+µ[Å-Å]])(); // we get window object
_=$[Ç[È+È+Å]+µ[Å-Å]+Ç[È+È]+Ç[Å]]( $ ); // we use btoa function with argument "[object Window]",
// and it returns "W29iamVjdCBXaW5kb3dd" - as you see there is V
$$=-~!''; // 2
$$$=-~$$; // 3
console.info( _[$$*$$$] ); // "V";
btoa creates encoded data from the given string, using base-64 encoding. Actually playing with that function and changing arguments you can get different characters :)
alert("\u2665"); // results in ♥
ReplyDelete