Bru*_*oLM 12 javascript obfuscation
此代码输出D.问题是如何?
alert([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(![]+[])[+!+[]]](+[]+[+[]])[+!+[]]);
我知道它![]被评估为false或0等等,但它是如何执行的?我怎样才能将此转换为人类可以理解的东西而不仅仅是Jon Skeet?
有人可以打破这段代码并解释我发生了什么吗?
CMS*_*CMS 11
那么,在部分中评估表达式,最后它相当于:
[]['sort']['call']()["btoa"]("00")[1]; // "D"
哪个可以简化为:
btoa("00")[1]; // "D"
你怎么能"解码"?
简单地检查所使用的运算符,例如,我们首先可以看到使用了数组文字,然后完成了几个括号表示法属性访问,以及几个调用.
它是如何工作的?
诀窍是链接多个类型的转换,例如,获取f字母:
(![]+[])[+[]]
如果我们检查第一部分,在括号中![]+[],我们会看到一个布尔否定,它将返回,false因为数组对象总是真实的,然后是连接.
这产生了字符串"false",然后,第二部分,我们看到一个括号应用于该字符串,访问一个字符,以及表达式+[],导致0.
+[]给出零,因为Array的toString方法返回一个空字符串,对于一个像这样的空数组,空字符串在转换为数字时产生为零(+本例中为一元运算符).
只是有这样的招数,产生一个字符串的东西,比如"true","false","null","undefined",等...更多的技巧来获得数值.
例如,为了获得一个数字 - 访问一个字符,他们再次使用神秘的类型转换:
+[]; // 0, equivalent to +""
+!+[]; // 1, equivalent to +true
!+[]+!+[]; // 2, equivalent to +true+true
!+[]+!+[]+!+[]; // 3, equivalent to +true+true+true