Skip to content

walfud/zhuangbility

1 Branch7 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

walfudwalfud
doc
Feb 14, 2018
be43e97 · Feb 14, 2018

History

30 Commits
.vscode
.vscode
Feb 12, 2018
doc
doc
Feb 5, 2018
.gitignore
.gitignore
Jan 31, 2018
.travis.yml
.travis.yml
Feb 1, 2018
README.md
README.md
Feb 14, 2018
index.js
index.js
Feb 12, 2018
index.test.js
index.test.js
Feb 6, 2018
package-lock.json
package-lock.json
Feb 5, 2018
package.json
package.json
Feb 12, 2018

Repository files navigation

zhuangbility

Transform string/code into "(([]+{})[+!![]+!![]+!![]])+(([]+![])[+!![]+!![]+!![]])".

Support both Browser and Node.js environment.

NPM page

Travis page

Usage

npm install -g zhuangbility

To String

zhuangbility "foo bar"

Output(may change between different version):

(([]+![])[+[]])+(([]+{})[+!![]])+(([]+{})[+!![]])+(([]+{})[+!![]+!![]+!![]+!![]+!![]+!![]+!![]])+(([]+{})[+!![]+!![]])+(([]+![])[+!![]])+(([]+!![])[+!![]])

then, run the magic (([]+![]...)) code in any JS engine, you will get the input string back:

To Code

Use --runtime if you want generate a runnable code:

# Generate magic code to a file
zhuangbility --runtime "for (let i = 0; i < 100; i++) console.log(`foo-${i}-bar`)" > test.js

# Run the magic code directly
node test.js

NOTE: your code can NOT require other module in code mode. That means:

# Wrong !!!
zhuangbility --runtime "require('fs'); console.log(fs)" > test.js

will get undefined result. It's really a painful restrict for now.

Under the Hood

Hack 1: JS Implicit Conversion

Thanks(F*ck) to the JS Implict Conversion. There lots of magic, such as:

  • +[] => 0 (Number)
  • []+[] => '' (String)
  • ![] => false (Boolean)

To String

[]+... means ''+.... we can get a String value zero with ([]+[]) + (+[]). In JS, String plus a Number, will get number in String version. Also, String plus Boolean will get 'true' or 'false'.

To Number

Easy... true + true === 2. It's says: (!![] + !![]) === 2.

Get a character from string

Now, We can get 'f' by ([]+ ![]) [+[]] (front part []+![] is string 'false', second part +[] is number 0, the whole magic is get first char from a string --- 'false'[0] => 'f')

Let's take full advantage of the above rule:

  • []+{}, // '[object Object]'
  • []+![], // 'false'
  • []+!![], // 'true'
  • []+[][[]], // 'undefined'
  • []+(+[]+[][[]]), // 'NaN'

Now we have many character: 'abcdefj...' and all number.

Hack 2: Call unescape

You must know that we can't get 'h' with above method. It's lucky that unescape can do. But the problem is how can we call a function with '([...])...' ???

This is the second trick:

  1. '[]' is Array object, '[].sort' is a function, '[].sort.constructor' is built-in Function object
  2. Function('...') can create a callable object

Keep in mind: [].sort.constructor(...) can create a callable object.

Then, we want have a callable 'unescape':

  1. [].sort.constructor('return unescape') is equal to Function('return unescape')
  2. Function('return unescape')('%6a') is equal to unescape('%6a')

The last trick is [].sort === []['sort'].

Let's combine all of above:

[]['sort']['constructor']('return unescape')('%...')

You can get all you want...

For more detail, please read the fucking source code.

FAQ

RangeError: Maximum call stack size exceeded

Our magic string ([()][]{}...) is equal to a long expression, which is easily to exceed the default stack size. Use --stack-size=10000000 (such as: node --stack-size=1000000 -f *magic file*) to specify a larger size.

Ref

What the f*ck JavaScript?

Liscence

MIT

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

31 stars

Watchers

1 watching

Forks

9 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages