Home >Web Front-end >JS Tutorial >JavaScript ( (__ = !$ $)[ $] ({} $)[_/_] ({} $)[_/_] )_javascript skills

JavaScript ( (__ = !$ $)[ $] ({} $)[_/_] ({} $)[_/_] )_javascript skills

WBOY
WBOYOriginal
2016-05-16 18:10:20974browse
Copy code The code is as follows:

($=[$=[]][(__=!$ $)[_=-~-~-~$] ({} $)[_/_]
($$=($_=!'' $)[_/_] $_[ $]) ])()[__[_/_] __
[_ ~$] $_[_] $$](_/_)

Note that the above paragraph looks very The confusing code is not automatically wrapped, but three lines (of course, there is nothing wrong with you writing it on the same line). Write a page and run it (it is said that it does not work under IE), and you will find that the function of this code is equivalent to
alert(1)
Why is this? Let's take this code apart and analyze it.
$=[] // $ is assigned an empty array, so the value of !$ is false.
__ = !$ $ // The plus sign will convert both !$ and $ into strings, so The value of __ becomes the string "false"
_ = -~-~-~$ // There is a ~ operator here, which means -($ 1), so the value of -~$ is 1. The value of _ is 3.
This can be deduced:
Copy code The code is as follows:

(__ = !$ $ )[ _ = -~-~-~$] => ("false")[_] => ("false")[3] => "false"[3 ] = "s"
({} $)[_/_] => ("[object Object]")[_/_] => ("[object Object]")[1] => ; "[object Object]"[1] = "o"

Next, split it $$=($_=!" $)[_/_] $_[$]:
$_=!" $ // Note that there are two single quotation marks in !", which means a NOT operation is performed on an empty string, so the variable $_ is assigned the string "true". Can be deduced:
$$=($_=!” $)[_/_] $_[ $] => $$ = ( “true”)[1] “true”[0] => “r” “t” = “rt”
So (__=!$ $)[_=-~-~-~$] ({} $)[_/_] ($$=($_= !" $)[_/_] $_[ $]) is "s" "o" "rt", which is "sort".
So the original expression

Copy code The code is as follows:
($=[$=[]][(__=!$ $)[_=-~ -~-~$] ({} $)[_/_]
($$=($_=!'' $)[_/_] $_[ $])])()[__[ _/_] __
[_ ~$] $_[_] $$](_/_)

can be replaced with:

Copy code The code is as follows:
($=[[]]["sort"])()[__[_/_] __
[_ ~$] $_[_] $$](_/_)

Next we look at [__[_/_] __[_ ~$] $_ [_] $$](_/_) What is it.
We have learned earlier:
__ = “false”
_ = 3
~$ = -1
$_ = “true”
$$ = “rt”
So [__[_/_] __[_ ~$] $_[_] $$](_/_) => ["false"[1] "false"[3-1] "true" [3] "rt"](3/3) => ["a" "l" "e" "rt"](1) => ["alert"](1)
So the original expression The formula can finally be replaced with:
($=[[]]["sort"])()["alert"](1)
How is this code executed? Let's analyze it step by step:
a = [[]] // Create an array
b = a["sort"] // Get the sort method of the array
c = b() // Call the array's sort method sort method, here b() returns the window object
d = c["alert"] // Get the window.alert method
d(1) // Call the window.alert method.
So the final execution result of this mess of expressions is window.alert(1).
For more, please see the original article and the discussion on Reddit.
Someone in the original comments also posted a small tool written by a Japanese developer, which can encode a piece of JavaScript code into various emoticons, and it can be executed. Enjoy it.
BTW, the above code does not only do It has little effect except for XSS attacks, but you can learn something about data type conversion from analyzing this code, and you can also appreciate the flexibility of JavaScript.
Detailed code analysis:

Copy code The code is as follows:
(
$ =[$=[]] // $ = []
[
(__= !$ $) // __ = "false"
[_=-~-~-~$] // _ = 3
// (__)[3] = "s"

({} $) // ({} $) = [object Object]
[_/_] / / _/_ = 1
// ([object Object])[1] = "o"
($$ = //
($_=!'' $) // !'' $ = "true" ; $_ = "true"
[_/_] // _/_ = 1;
// $_[1] = "r"

$_ [ $] // $ = 0; $_[0] = "t"
) // $$= "rt"
] // ["sort"]
// [][" sort"] = [].sort = function sort() { [native code] }
// $ = []["sort"]
)() // ($)() = [object Window ]
[
__[_/_] // __ = "false";
// __[1] = "a"

__ [_ ~$] //_ = 3; ~$ = -1; _ ~$ = 2
// __[2] = "l"

$_[_] // $_ = "true" ; _ = 3 ;
// $_[3] = "e"

$$ // $$ = "rt"
](_/_); // _ / _ = 1
// window["alert"](1)


몇 가지 주의할 점:
1. JavaScript에서는 $와 _를 변수 이름으로 사용할 수 있습니다
2. 함수는 다음과 같이 호출할 수도 있습니다. 1,9,1] .sort()는 [1,2,4,1,9,1]["sort"]()로 작성할 수 있습니다.
3 ~ 숫자의 비트 단위 반전
4. 자바스크립트의 다양한 유형 변수 사용 규칙
5. 일부 기본 코드에 대해 작성된 마지막 메소드는 실행 시
var s = [].sort; 창문이야
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn