The code is as follows:
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+
($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__
[_+~$]+$_[_]+$$](_/_)
Note that the confusing-looking code above is not broken by the line breaks: it is shown on three lines, but writing it on a single line works just as well. Put it in a page and run it (it is said not to work well in IE). You will then find that this code is equivalent to
alert(1)
Why? Let's split this code up and analyze it.
$ = [] // $ is assigned an empty array, so the value of !$ is false
__ = !$ + $ // because of the plus sign, !$ and $ are both converted to strings, so __ becomes the string "false"
_ = -~-~-~$ // ~ is the bitwise NOT operator, where ~$ means -($ + 1), so the value of -~$ is 1 and, applied three times, _ is 3
From this we can deduce:
The code is as follows:
(__=!$+$)[_=-~-~-~$] => ("false")[_] => ("false")[3] => "false"[3] = "s"
({}+$)[_/_] => ("[object Object]")[_/_] => ("[object Object]")[1] => "[object Object]"[1] = "o"
Next, take out $$=($_=!''+$)[_/_]+$_[+$]:
$_ = !'' + $ // note that !'' contains two single quotes, that is, a NOT operation on an empty string, so the variable $_ is assigned the string "true"
From this we can derive:
$$ = ($_=!''+$)[_/_] + $_[+$] => $$ = ("true")[1] + "true"[0] => "r" + "t" = "rt"
So (__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$]) is "s" + "o" + "rt", that is, "sort".
So the original expression
The code is as follows:
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+
($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__
[_+~$]+$_[_]+$$](_/_)
can be replaced with:
The code is as follows:
($=[[]]["sort"])()[__[_/_]+__
[_+~$]+$_[_]+$$](_/_)
Next, let's look at what [__[_/_]+__[_+~$]+$_[_]+$$](_/_) is.
We have already learned that:
__ = "false"
_ = 3
~$ = -1
$_ = "true"
$$ = "rt"
Therefore, [__[_/_]+__[_+~$]+$_[_]+$$](_/_) => ["false"[1] + "false"[3-1] + "true"[3] + "rt"](3/3) => ["a" + "l" + "e" + "rt"](1) => ["alert"](1)
Therefore, the original expression can be replaced with:
($=[[]]["sort"])()["alert"](1)
How is this code executed? Let's analyze it step by step:
a = [[]] // create an array
b = a["sort"] // obtain the sort method of the array
c = b() // call the sort method of the array; here, b() returns the window object
d = c["alert"] // obtain the window.alert method
d(1) // call the window.alert method
Therefore, the final result of executing this messy-looking expression is window.alert(1).
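An added example (not from the original article) that runs each sub-expression of the derivation separately and checks what a detached sort call does on the engine it runs in; current engines such as Node.js throw a TypeError there instead of returning the global object. The function names and the stand-in object used in place of window are assumptions for illustration.

```javascript
// Added example: re-derive "sort" and "alert" with the same coercions as the one-liner.
function deriveNames() {
  const $ = [];                    // empty array; !$ is false, +$ is 0, ~$ is -1
  const __ = !$ + $;               // false + "" -> "false"
  const _ = -~-~-~$;               // -~x is x + 1, applied three times to 0 -> 3
  const $_ = !'' + $;              // true + "" -> "true"
  const $$ = $_[_ / _] + $_[+$];   // "true"[1] + "true"[0] -> "rt"
  const sortName = __[_] + ({} + $)[_ / _] + $$;           // "s" + "o" + "rt"
  // In the one-liner $ is the sort function by now; ~function is ~NaN, also -1.
  const alertName = __[_ / _] + __[_ + ~$] + $_[_] + $$;   // "a" + "l" + "e" + "rt"
  return { three: _, sortName, alertName };
}

// Call sort with no receiver, as ($=[[]]["sort"])() does.
// Returns "global" if the engine hands back its global object (the behaviour
// the article relies on) or the error name if the engine rejects the call.
function callDetachedSort() {
  const detached = [[]][deriveNames().sortName];
  try {
    return detached() === globalThis ? 'global' : 'other';
  } catch (err) {
    return err.name;
  }
}

// Final step of the chain: look up a method by the computed string and call it
// with _/_ (1). `target` stands in for window so this runs outside a browser.
function dispatch(target) {
  const { alertName, three } = deriveNames();
  return target[alertName](three / three);
}

const seen = [];
const standIn = { alert: (n) => { seen.push(n); return n; } }; // constructed stand-in for window
console.log(deriveNames(), callDetachedSort(), dispatch(standIn), seen);
```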
For more information, see the original article and the discussion on Reddit.
Someone posted a tool written by a Japanese developer in the original comments. It can encode a piece of JavaScript code into various emojis that still execute. Enjoy it.
BTW, apart from XSS attacks, the code above does not serve any major purpose, but by analyzing it you can learn a little about data type conversion and also appreciate the flexibility of JavaScript.
Detailed code analysis:
The code is as follows:
(
$=[$=[]] // $ = []
[
(__=!$+$) // __ = "false"
[_=-~-~-~$] // _ = 3
// (__)[3] = "s"
+
({}+$) // ({}+$) = "[object Object]"
[_/_] // _/_ = 1
+ // ("[object Object]")[1] = "o"
($$= //
($_=!''+$) // !''+$ = "true"; $_ = "true"
[_/_] // _/_ = 1
// $_[1] = "r"
+
$_[+$] // +$ = 0; $_[0] = "t"
) // $$ = "rt"
] // ["sort"]
// []["sort"] = [].sort = function sort() { [native code] }
// $ = []["sort"]
)() // ($)() = [object Window]
[
__[_/_] // __ = "false"
// __[1] = "a"
+
__[_+~$] // _ = 3; ~$ = -1; _+~$ = 2
// __[2] = "l"
+
$_[_] // $_ = "true"; _ = 3
// $_[3] = "e"
+
$$ // $$ = "rt"
](_/_); // _/_ = 1
// window["alert"](1)
Notes:
1. In JavaScript, $ and _ can both be used as variable names
2. A function can also be called like this: for example, [,].sort() can be written as [,]["sort"]();
3. ~ is the bitwise NOT of a number
4. The rules JavaScript applies when + is used on variables of different types
5. Some native-code methods return the window object when executed this way, for example:
var s = [].sort; t = s(); // then t is window