The Alert to Life, the Universe and Everything, Part 3 – There are no strings on me.

Hello again. In the last two posts we’ve been looking at this amazing piece of code and breaking it down, bit by bit:

[][(__=''+!!(_=+[]))[_$=-~-~-~_]+($$=''+{})[$=-~_]+($_=''+!_)[$]+$_[_]][$$[-~($+_$)]+$$[$]+(''+$/_)[$]+__[_$]+$_[_]+$_[$]+$_[$+$]+$$[-~($+_$)]+$_[_]+$$[$]+$_[$]](__[$]+__[$+$]+$_[_$]+$_[$]+$_[_]+"("+((($<<($<<$)^$)<<($<<$)^$)<<$)+")")()

This is valid JavaScript code that produces an alert with the number 42 in it. Now, those looking at this for the first time will have heart palpitations and scream to the high heavens "What the f[CENSORED]k is this sorcery?" But, if you've been following my blog for some time now and read through my last post in particular, you'll know that we've been decoding various aspects of this code, piece by piece. Last post, we focused our efforts on numbers. As a result, our crazy code above was converted to the following:

[][(__=''+!!(_=0))[_$=3]+($$=''+{})[$=1]+($_=''+!_)[1]+$_[0]][$$[5]+$$[1]+(''+Infinity)[1]+__[3]+$_[0]+$_[1]+$_[2]+$$[5]+$_[0]+$$[1]+$_[1]](__[1]+__[2]+$_[3]+$_[1]+$_[0]+"("+42+")")()

which, albeit a little more legible, doesn't give the full gist of what's being executed. So, let's decode it further. We tackled numbers in the previous post. Today, we're going to look at strings.

Looking at our semi-digested code here, we can spot a number of references to empty strings:

  • (__=''+!!(_=0))
  • ($$=''+{})
  • ($_=''+!_)
  • (''+Infinity)

And two references to non-empty strings, "(" and ")". Let's take a look at the four code examples above and see what they're all about.

(__=''+!!(_=0)) is a self-encapsulated variable assignment, so that the value can be used straight away; we already determined the value of _ in the previous post as zero. Now, we have the double-not operator operating on zero, which you may remember from my previous post coerces the operand (the zero) to its equivalent Boolean. As zero is a falsy value, !!0 evaluates to the Boolean false. So far, so good. Next to the newly determined false we have an empty string and a concatenation operator. This empty string and the concatenation operator serve one purpose and one purpose only: to coerce the value they act upon to its string representation. In the case of false, it gets coerced to the string "false", which is the value of __. Let's put it aside for now and move on to the next piece of code.

($$=''+{}) is also self-encapsulated for immediate use. But this time we have the empty string and concatenation operator dynamic duo acting upon an empty object. Objects are weird things, and so, accordingly, the result is about as weird: the string result is not "object", but rather "[object Object]". I currently do not have the reasons for why this is, but I promise I'll have a look and let you readers know in a future post. Just check it out for yourself. So that's the value of $$ sorted. We'll put that aside as well and move on.

($_=''+!_), once again, is self-encapsulated for immediate use of the value. This is similar to our first piece of code, save for a single-not operator acting on the zero value held by the _ variable. As a result, !0 coerces the zero to a Boolean first, false, before applying the not, which results in $_ equalling ''+true, which is in turn coerced to "true", the string equivalent of the Boolean true. Moving on to our final piece of code.

(''+Infinity) is self-encapsulated too (sensing a pattern?), but this time there is no assignment, so this is a one-off. This is a simple conversion of the value Infinity to a string, much like true and false were converted above. So, long story short, this code is equivalent to "Infinity", the string.

So, with our newly discovered strings, and hoisting the variables to the top, let's see what we get when we plug those in:

[]['false'[3]+('[object Object]')[1]+'true'[1]+'true'[0]]['[object Object]'[5]+'[object Object]'[1]+'Infinity'[1]+'false'[3]+'true'[0]+'true'[1]+'true'[2]+'[object Object]'[5]+'true'[0]+'[object Object]'[1]+'true'[1]]('false'[1]+'false'[2]+'true'[3]+'true'[1]+'true'[0]+"("+42+")")()

This makes it somewhat more legible, but a bit of a mouthful, as well as a bit repetitive in places. We still have these array references everywhere. I promised in my previous post I would reveal the mystery of these array references, and here it is: strings, in the eyes of JavaScript, are arrays of single-character strings. For example, in the string "string", "string"[0] is the first character "s", "string"[1] is the second character "t", and so on. The one thing to watch is indexing past the end of a string, as in ''[0] on an empty string, which logically comes back as undefined.


Using this knowledge, if you plug and chug this into our updated code we get the following:

[]['s'+'o'+'r'+'t']['c'+'o'+'n'+'s'+'t'+'r'+'u'+'c'+'t'+'o'+'r']('a'+'l'+'e'+'r'+'t'+"("+42+")")()

which when we apply all the concatenation operators gives us:

[]['sort']['constructor']('alert(42)')()

Very legible, but the syntax is probably unfamiliar to you. Still, if you were to run this you would get your alert with 42; why is that?

Let’s look from left to right here.

You have an empty array [], followed by an array reference of "sort". This is actually referring to the array object's native sort method. If you ran:

[2,1,3]["sort"]()

You would get the same result as if you had run:

[2,1,3].sort()

Since non-alphanumeric JavaScript has no way to access methods or properties in dot format like x.y or x.y(), it relies on the alternative forms that JavaScript provides, x["y"] and x["y"](), which behave identically.

But note that a) we have an empty array in use, and b) we have a second chained array reference. Why is that? I'll answer (b) first: x["y"]["z"] is the same as x.y.z, so each additional array reference is equivalent to one more dot reference, until you reach the property or method you are trying to access. In this case, you're accessing the constructor property of the empty array's sort method.

But here's the thing: []['sort']['constructor'] resolves to JavaScript's native Function constructor on the window object:

function Function() { [native code] }

In fact, if you were to execute:

window.Function("alert(42)")()

You’d be doing the exact same thing as:

[]['sort']['constructor']('alert(42)')()

The Function constructor takes its first parameter as the source code of a new function, which is basically what we want it to do, and the trailing () then executes that function.

You can conclude this is an alternative form of getting a JavaScript statement to execute. As to (a), the empty array is for simplicity.
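To make the two decoding steps above checkable, here is an added example (my own code, not from the original post) that walks through the string coercions, the character indexing and the Function-constructor resolution in plain JavaScript, and inspects the resulting function's source rather than calling it. It assumes a Node.js or browser environment where globalThis.Function is available (window.Function in a browser).

```javascript
// Added example: reproduces the decoding steps from the post in readable form.

// Step 1: the four "empty string + value" coercions discussed above.
function coercedStrings() {
  const _ = +[];                 // 0, as established in the previous post
  return {
    __: '' + !!_,                // "false"
    $$: '' + {},                 // "[object Object]"
    $_: '' + !_,                 // "true"
    inf: '' + 1 / _,             // "Infinity" (1/0)
  };
}

// Step 2: pick single characters out of those strings by index, exactly as
// the obfuscated expression does, to rebuild the identifiers and the argument.
function decodeIdentifiers() {
  const { __, $$, $_, inf } = coercedStrings();
  const method = __[3] + $$[1] + $_[1] + $_[0];                        // "sort"
  const prop = $$[5] + $$[1] + inf[1] + __[3] + $_[0] + $_[1] + $_[2]
             + $$[5] + $_[0] + $$[1] + $_[1];                          // "constructor"
  const callee = __[1] + __[2] + $_[3] + $_[1] + $_[0];                // "alert"
  // The bit-shift/xor number trick from the previous post, with $ = 1.
  const num = ((((1 << (1 << 1)) ^ 1) << (1 << 1)) ^ 1) << 1;          // 42
  return { method, prop, source: callee + '(' + num + ')' };
}

// Step 3: [][method][prop] is the Function constructor itself, i.e. the same
// object as globalThis.Function (window.Function in a browser).
function resolvesToFunction() {
  const { method, prop } = decodeIdentifiers();
  const ctor = [][method][prop];
  return ctor === Function && ctor === globalThis.Function;
}

// Step 4: build the function from its decoded source but only inspect it.
// Reading fn.toString() shows what the payload would do without running it,
// which is how an analyst can triage obfuscated script safely.
function inspectPayload() {
  const { method, prop, source } = decodeIdentifiers();
  const fn = [][method][prop](source);   // same as Function('alert(42)')
  return fn.toString();                  // contains "alert(42)"
}
```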

So, given all this, let’s look into some other crazy crap that could be achieved this way. This concludes Part 3. There won’t be Part 4, but I promise to make the next few posts just as interesting. Until then, stay quirky!
