目前jsfuck使用以下代码来获取“C”字符
console.log(
Function("return escape")()(("")["italics"]())[2],
)
console.log( // after expansion
[]["flat"]["constructor"]("return escape")()(([]+[])["italics"]())[!![]+!![]]
)
console.log( // after final strings expansion we get pure jsfuck code
[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]][[]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[][[]])[+!![]]+([]+![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+!![])[!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+!![])[+!![]]]([]+([]+!![])[+!![]]+([]+!![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[!![]+!![]]+([]+!![])[+!![]]+([]+[][[]])[+!![]]+(+[![]]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[+([]+(+!![])+(+!![]))]+([]+!![])[!![]+!![]+!![]]+([]+![])[!![]+!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+![])[+!![]]+(+([]+(!![]+!![])+(!![]+!![]+!![]+!![]+!![])))[[]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[])[[]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[][[]])[+!![]]+([]+![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+!![])[!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+!![])[+!![]]][[]+([]+[][[]])[+!![]]+([]+![])[+!![]]+((+[])[[]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[][[]])[+!![]]+([]+![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+!![])[!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+!![])[+!![]]]+[])[[]+(+!![])+(+!![])]+([]+!![])[!![]+!![]+!![]]]](+([]+(!![]+!![]+!![])+(+[])))+([]+!![])[!![]+!![]+!![]])()(([]+[])[[]+([]+[][[]])[!![]+!![]+!![]+!![]+!![]]+([]+!![])[+![]]+([]+![])[+!![]]+([]+![])[!![]+!![]]+([]+[][[]])[!![]+!![]+!![]+!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+![])[!![]+!![]+!![]]]())[!![]+!![]]
)但是这种方法使用了不推荐使用的函数"".italics (信息在这里)。我开发了一个小工具并试图找到一些基于的替代方案,btoa但我遗憾地发现 node.js 不支持(在线)
console.log(
Function("return btoa")()("t.")[1]
)
console.log( // after expansion
[]["flat"]["constructor"]("return btoa")()("t.")[+!![]]
)
console.log( // after full expansion
[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]][[]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[][[]])[+!![]]+([]+![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+!![])[!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+!![])[+!![]]]([]+([]+!![])[+!![]]+([]+!![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[!![]+!![]]+([]+!![])[+!![]]+([]+[][[]])[+!![]]+(+[![]]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[+([]+(+!![])+(+!![]))]+([][[]+([]+!![])[!![]+!![]+!![]]+([]+[][[]])[+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+[][[]])[!![]+!![]+!![]+!![]+!![]]+([]+!![])[!![]+!![]+!![]]+([]+![])[!![]+!![]+!![]]]()+[])[!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+![])[+!![]])()([]+([]+!![])[+![]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]])[+!![]]
)有没有办法(在当前版本的 chrome、safari、firefox 和 node.js 上工作)使用 jsfuck 但不使用不推荐使用的方法来获取字符“C”?
escape半弃用的事实一直困扰着我,所以我再次尝试了一下。让我们从头开始重建 JSFuck。
您可以获得以下值作为原语:
false ![]
true !![]
undefined [][[]]
NaN +[![]]
"" []+[]
0 +[]
1 +!+[]
2 +!+[]+!+[]
3 +!+[]+!+[]+!+[]
4 +!+[]+!+[]+!+[]+!+[]
5 +!+[]+!+[]+!+[]+!+[]+!+[]
6 +!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
7 +!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
8 +!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
9 +!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
有了上面的值和value+[]转换为字符串的事实,我们可以设置以下字符替换规则:
"0" 0+[]
"1" 1+[]
"2" 2+[]
"3" 3+[]
"4" 4+[]
"5" 5+[]
"6" 6+[]
"7" 7+[]
"8" 8+[]
"9" 9+[]
"a" (false+[])[1]
"d" (undefined+[])[2]
"e" (true+[])[3]
"f" (false+[])[0]
"i" ([false]+undefined)[1+[0]]
"l" (false+[])[2]
"n" (undefined+[])[1]
"r" (true+[])[1]
"s" (false+[])[3]
"t" (true+[])[0]
"u" (undefined+[])[0]
"N" (NaN+[])[0]
有了上面的字符,我们就可以构造出这四个字符串:
"11e100" +!+[]+[+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]
"1e1000" +!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]]
"flat" (![]+[])[+[]]+(![]+[])[+!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]
"entries" (true+[])[3]+(undefined+[])[1]+(true+[])[0]+(true+[])[1]+([false]+undefined)[1+[0]]+(true+[])[3]+(false+[])[3]
有了它,我们可以获得另外三个值:
1.1e+101 +("11e100")
Infinity +("1e1000")
Array Iterator []["entries"]()
Array.prototype.flat []["flat"]
最后一个特别有用,因为当转换为字符串时,它会产生:
"function flat() {\n [native code]\n}"
或这个:
"function flat() { [native code] }"
使用这个有点不稳定,但是直到和包括 的字符{总是相同的,最后一个字符也是如此。
Array Iterator 将转换为更稳定的东西:
"[object Array Iterator]"
这为我们提供了更多的字符来使用:
" " ([false]+[]["flat"])[2+[0]]
"(" ([]+[]["flat"])[1+[3]]
")" ([]+[]["flat"])[1+[4]]
"+" (+("11e100")+[])[4]
"." (+("11e100")+[])[1]
"[" ([]+[]["entries"]())[0]
"]" ([]+[]["entries"]())[2+[2]]
"{" ([true]+[]["flat"])[2+[0]]
"c" ([]["flat"]+[])[3]
"j" ([]+[]["entries"]())[3]
"o" ([true]+[]["flat"])[1+[0]]
"y" (true+[Infinity])[1+[1]]
"A" ([NaN]+([]+[]["entries"]()))[1+[1]]
"I" (Infinity+[])[0]
结合级别 1 和 2 的字符和值,我们现在可以构建三个新字符串:
".0000001" (+("11e100")+[])[1]+[0]+[0]+[0]+[0]+[0]+[0]+[1]
"constructor" ([]["flat"]+[])[3]+([true]+[]["flat"])[1+[0]]+(undefined+[])[1]+(false+[])[3]+(true+[])[0]+(true+[])[1]+(undefined+[])[0]+([]["flat"]+[])[3]+(true+[])[0]+([true]+[]["flat"])[1+[0]]+(true+[])[1]
这让我们可以访问更多的值:
1e-7 +(".0000001")
Boolean (![])["constructor"]
Number (+[])["constructor"]
String ([]+[])["constructor"]
Function []["flat"]["constructor"]
通过转换为字符串,我们得到了更多的字符:
"-" (+(".0000001")+[])[2]
"b" ([]+(+[])["constructor"])[1+[2]]
"g" (false+[0]+([]+[])["constructor"])[2+[0]]
"m" ([]+(+[])["constructor"])[1+[1]]
"B" ([NaN]+(![])["constructor"])[1+[2]]
"F" ([NaN]+[]["flat"]["constructor"])[1+[2]]
"S" ([NaN]+([]+[])["constructor"])[1+[2]]
鉴于大写S,我们现在可以"toString手动构建字符串。但是,如果我们首先构建 string "name",我们可以实现一个整体更短的代码:
"name" (undefined+[])[1]+(false+[])[1]+([]+(+[])["constructor"])[1+[1]]+(true+[])[3]
"toString" (true+[])[0]+([true]+[]["flat"])[1+[0]]+([]+[])["constructor"]["name"]
有了它,我们可以调用Number.toString(),给我们所有剩余的小写字母:
"h" (+(1+[0]+[1]))["toString"](2+[1])[1]
"k" (+(2+[0]))["toString"](2+[1])
"p" (+(2+[1]+[1]))["toString"](3+[1])[1]
"q" (+(2+[1]+[2]))["toString"](3+[1])[1]
"v" (+(3+[1]))["toString"](3+[2])
"w" (+(3+[2]))["toString"](3+[3])
"x" (+(1+[0]+[1]))["toString"](3+[4])[1]
"z" (+(3+[5]))["toString"](3+[6])
同时,我们可以再构造两个字符串:
"slice" (false+[])[3]+(false+[])[2]+([false]+undefined)[1+[0]]+([]["flat"]+[])[3]+(true+[])[3]
"-1" (+(".0000001")+[])[2]+[+!+[]]
这为我们提供了下一个级别所需的最后一个角色:
"}" ([true]+[]["flat"])["slice"]("-1")
此时,我们获得了一个尚未使用Function的原语:用作 eval 原语:
[]["flat"]["constructor"](...)()
由于我们现在有所有小写字母以及空格+、.、[、]、{和},我们可以构建:
"try{String().normalize(false)}catch(f){return f}"
通过:
(true+[])[0]+(true+[])[1]+(true+[Infinity])[1+[1]]+([true]+[]["flat"])[2+[0]]+([]+[])["constructor"]["name"]+([]+[]["flat"])[1+[3]]+([]+[]["flat"])[1+[4]]+(+("11e100")+[])[1]+(undefined+[])[1]+([true]+[]["flat"])[1+[0]]+(true+[])[1]+([]+(+[])["constructor"])[1+[1]]+(false+[])[1]+(false+[])[2]+([false]+undefined)[1+[0]]+(+(3+[5]))["toString"](3+[6])+(true+[])[3]+([]+[]["flat"])[1+[3]]+![]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])["slice"]("-1")+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]["flat"]+[])[3]+(+(1+[0]+[1]))["toString"](2+[1])[1]+([]+[]["flat"])[1+[3]]+(false+[])[0]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])[2+[0]]+(true+[])[1]+(true+[])[3]+(true+[])[0]+(undefined+[])[0]+(true+[])[1]+(undefined+[])[1]+([false]+[]["flat"])[2+[0]]+(false+[])[0]+([true]+[]["flat"])["slice"]("-1")
String.prototype.normalize()使用不是有效 Unicode 规范化形式的值进行调用将抛出一个RangeError,我们将其捕获并返回给调用者。因此我们有:
RangeError []["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")()
请注意,上面是一个实例 - 我们必须使用它["constructor"]来获取函数/构造函数,但我们可以将其按原样转换为字符串,再给我们两个大写字母:
"E" ([false]+[]["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")())[1+[0]]
"R" ([]+[]["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")())[0]
解锁另外两个字符后,我们现在可以构造这个字符串:
"return RegExp" (true+[])[1]+(true+[])[3]+(true+[])[0]+(undefined+[])[0]+(true+[])[1]+(undefined+[])[1]+([false]+[]["flat"])[2+[0]]+([]+[]["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")())[0]+(true+[])[3]+(false+[0]+([]+[])["constructor"])[2+[0]]+([false]+[]["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")())[1+[0]]+(+(1+[0]+[1]))["toString"](3+[4])[1]+(+(2+[1]+[1]))["toString"](3+[1])[1]
这给了我们一个新的价值/功能:
RegExp []["flat"]["constructor"]("return RegExp")()
当不带参数调用并将结果转换RegExp为字符串时,我们得到:
"/(?:)/" []+[]["flat"]["constructor"]("return RegExp")()()
所以我们有一堆新的特殊字符:
"/" ([]+[]["flat"]["constructor"]("return RegExp")()())[0]
":" ([]+[]["flat"]["constructor"]("return RegExp")()())[3]
"?" ([]+[]["flat"]["constructor"]("return RegExp")()())[2]
现在我们将这些字符之一送回正则表达式以获得一个新字符串:
"/\\//" []+RegExp("/")
这使我们可以访问一个新字符:
"\\" ([]+RegExp("/"))[1]
让我们构建一个新字符串:
"try{Function([]+[[]].concat([[]]))()}catch(f){return f}"
经过:
(true+[])[0]+(true+[])[1]+(true+[Infinity])[1+[1]]+([true]+[]["flat"])[2+[0]]+[]["flat"]["constructor"]["name"]+([]+[]["flat"])[1+[3]]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+(+("11e100")+[])[4]+([]+[]["entries"]())[0]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+([]+[]["entries"]())[2+[2]]+(+("11e100")+[])[1]+([]["flat"]+[])[3]+([true]+[]["flat"])[1+[0]]+(undefined+[])[1]+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]+[]["flat"])[1+[3]]+([]+[]["entries"]())[0]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+([]+[]["entries"]())[2+[2]]+([]+[]["flat"])[1+[4]]+([]+[]["flat"])[1+[4]]+([]+[]["flat"])[1+[3]]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])["slice"]("-1")+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]["flat"]+[])[3]+(+(1+[0]+[1]))["toString"](2+[1])[1]+([]+[]["flat"])[1+[3]]+(false+[])[0]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])[2+[0]]+(true+[])[1]+(true+[])[3]+(true+[])[0]+(undefined+[])[0]+(true+[])[1]+(undefined+[])[1]+([false]+[]["flat"])[2+[0]]+(false+[])[0]+([true]+[]["flat"])["slice"]("-1")
这相当于:
"try{Function(',')()}catch(f){return f}"
除了我们不能写','(还)的事实。评估将返回一个SyntaxError对象,当转换为字符串时,将产生:
"SyntaxError: Unexpected token ','"
然后我们可以将该字符串输入RegExp("[\u0027]").exec(...)[0]以提取单引号。
所以我们想运行:
RegExp("[\u0027]").exec(Function("try{Function([]+[[]].concat([[]]))()}catch(f){return f}")())[0]
从上面应用一大堆替换,我们得到一个最终字符:
"'" RegExp(([]+[]["entries"]())[0]+([]+RegExp("/"))[1]+(undefined+[])[0]+[+[]]+[+[]]+[+!+[]+!+[]]+[+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+[]["entries"]())[2+[2]])[(true+[])[3]+(+(1+[0]+[1]))["toString"](3+[4])[1]+(true+[])[3]+([]["flat"]+[])[3]]([]["flat"]["constructor"]((true+[])[0]+(true+[])[1]+(true+[Infinity])[1+[1]]+([true]+[]["flat"])[2+[0]]+[]["flat"]["constructor"]["name"]+([]+[]["flat"])[1+[3]]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+(+("11e100")+[])[4]+([]+[]["entries"]())[0]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+([]+[]["entries"]())[2+[2]]+(+("11e100")+[])[1]+([]["flat"]+[])[3]+([true]+[]["flat"])[1+[0]]+(undefined+[])[1]+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]+[]["flat"])[1+[3]]+([]+[]["entries"]())[0]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+([]+[]["entries"]())[2+[2]]+([]+[]["flat"])[1+[4]]+([]+[]["flat"])[1+[4]]+([]+[]["flat"])[1+[3]]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])["slice"]("-1")+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]["flat"]+[])[3]+(+(1+[0]+[1]))["toString"](2+[1])[1]+([]+[]["flat"])[1+[3]]+(false+[])[0]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])[2+[0]]+(true+[])[1]+(true+[])[3]+(true+[])[0]+(undefined+[])[0]+(true+[])[1]+(undefined+[])[1]+([false]+[]["flat"])[2+[0]]+(false+[])[0]+([true]+[]["flat"])["slice"]("-1"))())[0]
此时,我们可以简单地通过执行以下操作来返回我们想要的每个字符:
Function("return '\uXXXX'")()
让我们"C"从您的问题中获取角色:
Function("return '\u0043'")()
通过上述所有替换运行它会产生 167'060 字节的绝对噩梦。这超出了 SO 上的最大帖子长度,但我将其粘贴到 gist 中,因此请随意尝试。尽管您可能希望通过手动将其粘贴到控制台以外的方式来运行它...
这是这个答案的替代方案(我在中间步骤中使用了 matchAll 的想法)。使用 char 代码但不使用引号生成字符 C (以及更多)的主要思想 - 当我们定义对象字段时这是可能的:
console.log(
Function("return Object.entries({\\u0043:false})")()[0][0]
)为了将此解决方案转换为接近 jsf,我使用以下“帮助程序”
console.log(
// "(" left parenthesis:
([]["flat"]+"")[13],
// ")" right parenthesis:
([0]+false+[]["flat"])[20],
// "{" left brace:
(true+[]["flat"])[20],
// "}" right brace:
([]["flat"]+"")["slice"]("-1"),
// "+" plus
(+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[2],
// "-" minus:
(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]],
// " " space:
(NaN+[]["flat"])[11],
// "." dot:
(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]],
// "RegExp" string: (""+"".matchAll()).split(" ")[1]
([]+("")["matchAll"]())["split"](" ")[1],
// ":" - colon: (Function("return RegExp")()()+"")[3]
([]["flat"]["constructor"]("return "+([]+("")["matchAll"]())["split"](" ")[1])()()+[])[3],
// "/" - slash: (Function("return RegExp")()()+"")[0]
([]["flat"]["constructor"]("return "+([]+("")["matchAll"]())["split"](" ")[1])()()+[])[0],
// "\" - backslash: (Function("return RegExp(RegExp()+[])")()+[])[1]
// (Function(("return "+false+"("+false+"()+[])").split(false).join("RegExp"))()+[])[1]
([]["flat"]["constructor"](("return "+false+"("+false+"()+[])")["split"](false)["join"](([]+("")["matchAll"]())["split"](" ")[1]))()+[])[1],
)最后我们得到了(完全解码后它将有大约 16k jsf 字符)
// step 1
console.log(
[]["flat"]["constructor"]("return"+" "+"Object"+"."+"entries"+"("+"{"+"\\"+"u0043"+":"+false+"}"+")")()[0][0]
)
// step 2
console.log(
[]["flat"]["constructor"]("return"+" "+"Object"+"."+"entries"+([]["flat"]+"")[13]+(true+[]["flat"])[20]+([]["flat"]["constructor"](("return "+false+"("+false+"()+[])")["split"](false)["join"](([]+("")["matchAll"]())["split"](" ")[1]))()+[])[1]+"u0043"+":"+false+([]["flat"]+"")["slice"]("-1")+([0]+false+[]["flat"])[20])()[0][0]
)