Once again about obfuscation javascript or tale about how i obfuscator wrote. Part 1
There was a task here, to write code in php, which accepts js-code and obfusts it on the very least. After smoking google and habr (including, as the monolithed correctly prompts, here is this article ), I set to work. As it should, I started by running the JS console in chrome and starting to try to get strings from a mash of characters, that's what happened (with explanations):
"False"
[] - empty array
! - the operation is a logical NOT, a feature of js (and not only), in the case of boolean operations if the operand is 0, false, undefined, null, '' (empty string), then it is reduced to false. In all other cases - to true. (thanks to oshibka404 for the amendments)
That is, (! []) = False
+ Is the operation of addition and union of strings, if both operands are numbers, then addition will occur, otherwise it will be a union of strings with a cast. By the way, there is a special magic of types, but this later.
"True"
Absolutely the same principle, only double negation was added array => false => true => “true”
Now we need to get two numbers at our disposal, who will guess which ones?
0
Here we again have empty arrays passed through bitwise OR, the point is simply to skip any empty elements - we get zero
')
one
But here everything is a bit more complicated, as we remember [] is an empty array, and we take it and deny it, and not just like that, but bitwise, but [] in the bit representation it will be something like 00000000, and if you invert 11111111 It would seem to be 255, but this is not so, without going into details on the representation of numbers and all sorts of wilds (mantissas, sign digits), suffice to say that in the bit representation the machine stores not only the number, but also the sign, though, if it is necessary, you read that I explain it, the Roskomnadzor has not yet banned Google. Thus from 0 we get -1, and so, as u already has one minus sign, it turns out --1 = 1
Dear vitvad in the comments kindly gave a link to the video , where they explain the "magic" of numbers
Hmm, we certainly got quite a few, but the more the better!
"[object Object]"
Here again, everything is simple, to the gnashing of teeth, an empty array plus an empty object, the union of strings. BUT! Stop! I wanted to tell you a little about this - if, when concatenating strings, one of the operands is an object, then "[object% object_name%]" is returned for its place.
"NaN"
How much is zero divided by zero? And hell knows, so JavaScript doesn't know either, but those who invented it were smart people (however, the creators of other languages ​​are never more stupid, but often have less inclination for masochism) and introduced a special number into the language (and not one , but this is slightly lower), so that NaN is a number, which is not equal to anything, even to itself and means “but the hell knows”. What have we done here? We divided the empty array into an empty array, the type cast worked, and it got equal to the division of 0 by 0. Then as usual
"Infinity"
Let's think about how much it will be -1 / -0? Infinity and to designate infinity in JS also has its own number. Basically, I think you already guessed how it works ...
"Undefined"
Here, the case takes an interesting turn, as we remember [] - an empty array, but by turning to it, we allocated a place for it, and we can refer to its elements, which we were not slow to use by turning to an array element by index ... an empty array , but, as before our conversion, there was nothing there that returns undefined, a special type denoting “there could be something here, but it wasn’t until I looked, but now it’s here, but inside is empty” or in short, "not given."
Well, let's summarize the first part, the survey and write a simple script:
Analyze in rows
1) _ = [] [“sort”] - save in a variable a link to the sort method array
2) _ = _ (); - execute the sort method, get the Window object reference
3) _ ['alert'] ('cool') - using the reference to the alert method in the Window object, execute it with the argument 'cool'
(![]+[]) "False"
[] - empty array
! - the operation is a logical NOT, a feature of js (and not only), in the case of boolean operations if the operand is 0, false, undefined, null, '' (empty string), then it is reduced to false. In all other cases - to true. (thanks to oshibka404 for the amendments)
That is, (! []) = False
+ Is the operation of addition and union of strings, if both operands are numbers, then addition will occur, otherwise it will be a union of strings with a cast. By the way, there is a special magic of types, but this later.
(!(![])+[]) "True"
Absolutely the same principle, only double negation was added array => false => true => “true”
Now we need to get two numbers at our disposal, who will guess which ones?
([]|[]) 0
Here we again have empty arrays passed through bitwise OR, the point is simply to skip any empty elements - we get zero
')
(-~[]) one
But here everything is a bit more complicated, as we remember [] is an empty array, and we take it and deny it, and not just like that, but bitwise, but [] in the bit representation it will be something like 00000000, and if you invert 11111111 It would seem to be 255, but this is not so, without going into details on the representation of numbers and all sorts of wilds (mantissas, sign digits), suffice to say that in the bit representation the machine stores not only the number, but also the sign, though, if it is necessary, you read that I explain it, the Roskomnadzor has not yet banned Google. Thus from 0 we get -1, and so, as u already has one minus sign, it turns out --1 = 1
Dear vitvad in the comments kindly gave a link to the video , where they explain the "magic" of numbers
Hmm, we certainly got quite a few, but the more the better!
([]+{}) "[object Object]"
Here again, everything is simple, to the gnashing of teeth, an empty array plus an empty object, the union of strings. BUT! Stop! I wanted to tell you a little about this - if, when concatenating strings, one of the operands is an object, then "[object% object_name%]" is returned for its place.
([]/[]+[]) "NaN"
How much is zero divided by zero? And hell knows, so JavaScript doesn't know either, but those who invented it were smart people (however, the creators of other languages ​​are never more stupid, but often have less inclination for masochism) and introduced a special number into the language (and not one , but this is slightly lower), so that NaN is a number, which is not equal to anything, even to itself and means “but the hell knows”. What have we done here? We divided the empty array into an empty array, the type cast worked, and it got equal to the division of 0 by 0. Then as usual
(~[]/-[]+[]) "Infinity"
Let's think about how much it will be -1 / -0? Infinity and to designate infinity in JS also has its own number. Basically, I think you already guessed how it works ...
([][[]]+[]) "Undefined"
Here, the case takes an interesting turn, as we remember [] - an empty array, but by turning to it, we allocated a place for it, and we can refer to its elements, which we were not slow to use by turning to an array element by index ... an empty array , but, as before our conversion, there was nothing there that returns undefined, a special type denoting “there could be something here, but it wasn’t until I looked, but now it’s here, but inside is empty” or in short, "not given."
Well, let's summarize the first part, the survey and write a simple script:
alert('cool') _=[][(![]+[])[(-~[])+(-~[])+(-~[])]+([]+{})[(-~[])]+(!(![])+[])[(-~[])]+(!(![])+[])[([]|[])]]; _=_(); _[(![]+[])[(-~[])]+(![]+[])[(-~[])+(-~[])]+(![]+[])[(-~[])+(-~[])+(-~[])+(-~[])]+(!(![])+[])[(-~[])]+(!(![])+[])[([]|[])]](([]+{})[(-~[])+(-~[])+(-~[])+(-~[])+(-~[])]+([]+{})[(-~[])]+([]+{})[(-~[])]+(![]+[])[(-~[])+(-~[])]); Analyze in rows
1) _ = [] [“sort”] - save in a variable a link to the sort method array
2) _ = _ (); - execute the sort method, get the Window object reference
3) _ ['alert'] ('cool') - using the reference to the alert method in the Window object, execute it with the argument 'cool'
Source: https://habr.com/ru/post/201682/
All Articles