tags:

views:

151

answers:

3
+8  Q: 

Obfuscated javascript code with binary values?

This code outputs D. The question is HOW?

alert([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(![]+[])[+!+[]]](+[]+[+[]])[+!+[]]);

I understand that ![] is evaluated to false or 0 and so on, but how does it execute? And how can I convert this to something humans can understand and not only Jon Skeet?

Can someone break some piece of this code and explain me what's happening?

+8  A: 

Well, evaluating the expression in parts, at the end it is equivalent to:

[]['sort']['call']()["btoa"]("00")[1]; // "D"

Which can be simplified to :

btoa("00")[1]; // "D"

How you can "decode it"?

Simply examine the operators used, for example, we can see at first that an array literal is used, then several bracket notation property accesses are done, and a couple of invocations.

How does it work?

The trick is to chain multiple type conversions, for example, to get the f letter:

(![]+[])[+[]]

If we examine the first part, in parentheses, ![]+[], we see a boolean negation, which will return false because an array object is always truthy, and then a concatenation.

That produces the string "false", then, the second part, we see a brackets applied to that string, to access a character, and the expression +[], which results in 0.

+[] gives zero because the Array's toString method returns an empty string, for an empty array like that one, and an empty string produces to zero when it is converted to number (the unary + operator in this example).

There are just tricks like that, things that produce a string, such "true", "false", "null", "undefined", etc... and more tricks to get the numerically.

For example to get a number -to access a character-, they use again cryptic type conversion:

+[];            // 0, equivalent to +""
+!+[];          // 1, equivalent to +true
!+[]+!+[];      // 2, equivalent to +true+true
!+[]+!+[]+!+[]; // 3, equivalent to +true+true+true
CMS  2010-10-11 22:29:21
How did you get to it? Is there some tool to convert this code?
BrunoLM  2010-10-11 22:30:25
try the different parts in an interactive javascript shell (built into chrome and ie8, and can be obtained for firefox (the addon firebug) or you can install node.js or many other tools.
ormuriauga  2010-10-11 22:33:21
Thank you. I get how it works now. But I'm still wondering how did you solve it so fast :P
BrunoLM  2010-10-11 23:20:49
A: 

![] is false. ![] + [] evaluates to 'false'. +[] is 0 so !+[] is true, etc. javascript is very strange with its implied type conversions

ormuriauga  2010-10-11 22:30:28
Please refrain from using swear words in your answers, we're trying to keep SO for General Audiences without Parental Guidance.
Marko  2010-10-11 22:32:54
ok, sorry. I am not from a country where we think in those terms. fixed it
ormuriauga  2010-10-11 22:34:35
+2  A: 

It does some tricks with the javascript type conversions. As CMS pointed out, it's equivalent to: []['sort']['call']()["btoa"]("00")[1];

They build the strings by pulling them out of things like false, etc.

For example, to get the s in "sort":

Get a "false": (![]+[]) -- ![] returns false and +[] converts it to a string.

Get the value 3 with: !+[]+!+[]+!+[] - each !+[] returns true, but when you add booleans you get an integer representation. e.g. true + true = 2

Get the s with string index access notation ("false"[3] = 's'): (![]+[]) [!+[]+!+[]+!+[]]

And now you have an s. They keep doing that until they have enough to access whichever method or property they want.

CD Sanchez  2010-10-11 22:48:06
+1 nice explanation. Thanks!
BrunoLM  2010-10-11 23:19:39

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript