7

目前jsfuck使用以下代码获取“C”字符

console.log(
    Function("return escape")()(("")["italics"]())[2],
)
   
console.log(  // after expansion
    []["flat"]["constructor"]("return escape")()(([]+[])["italics"]())[!![]+!![]]
)

console.log(  // after final strings expansion we get pure jsfuck code
    [][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]][[]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[][[]])[+!![]]+([]+![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+!![])[!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+!![])[+!![]]]([]+([]+!![])[+!![]]+([]+!![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[!![]+!![]]+([]+!![])[+!![]]+([]+[][[]])[+!![]]+(+[![]]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[+([]+(+!![])+(+!![]))]+([]+!![])[!![]+!![]+!![]]+([]+![])[!![]+!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+![])[+!![]]+(+([]+(!![]+!![])+(!![]+!![]+!![]+!![]+!![])))[[]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[])[[]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[][[]])[+!![]]+([]+![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+!![])[!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+!![])[+!![]]][[]+([]+[][[]])[+!![]]+([]+![])[+!![]]+((+[])[[]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[][[]])[+!![]]+([]+![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+!![])[!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+!![])[+!![]]]+[])[[]+(+!![])+(+!![])]+([]+!![])[!![]+!![]+!![]]]](+([]+(!![]+!![]+!![])+(+[])))+([]+!![])[!![]+!![]+!![]])()(([]+[])[[]+([]+[][[]])[!![]+!![]+!![]+!![]+!![]]+([]+!![])[+![]]+([]+![])[+!![]]+([]+![])[!![]+!![]]+([]+[][[]])[!![]+!![]+!![]+!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+![])[!![]+!![]+!![]]]())[!![]+!![]]
)

但是这种方法使用了不推荐使用的功能"".italics (这里的信息)。我开发了一个小工具并尝试找到一些基于btoa但我遗憾地发现node.js(在线)不支持的替代方法

console.log(
  Function("return btoa")()("t.")[1]
)

console.log( // after expansion
  []["flat"]["constructor"]("return btoa")()("t.")[+!![]]
)

console.log( // after full expansion
  [][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]][[]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+[][[]])[+!![]]+([]+![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+!![])[!![]+!![]]+([]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[!![]+!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+!![])[+!![]]]([]+([]+!![])[+!![]]+([]+!![])[!![]+!![]+!![]]+([]+!![])[+![]]+([]+!![])[!![]+!![]]+([]+!![])[+!![]]+([]+[][[]])[+!![]]+(+[![]]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[+([]+(+!![])+(+!![]))]+([][[]+([]+!![])[!![]+!![]+!![]]+([]+[][[]])[+!![]]+([]+!![])[+![]]+([]+!![])[+!![]]+([]+[][[]])[!![]+!![]+!![]+!![]+!![]]+([]+!![])[!![]+!![]+!![]]+([]+![])[!![]+!![]+!![]]]()+[])[!![]+!![]]+([]+!![])[+![]]+(!![]+[][[]+([]+![])[+[]]+([]+![])[!![]+!![]]+([]+![])[+!![]]+([]+!![])[+![]]])[[]+(+!![])+(+[])]+([]+![])[+!![]])()([]+([]+!![])[+![]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]])[+!![]]
)

有没有办法(在当前版本的 chrome、safari、firefox 和 node.js 上工作)使用 jsfuck 但不使用过时的方法来获取字符“C”?

4

5 回答 5

10

半弃用的事实escape一直困扰着我,所以我又试了一下。让我们从头开始重建 JSFuck。

0级

您可以获得以下值作为原语:

false           ![]
true            !![]
undefined       [][[]]
NaN             +[![]]
""              []+[]
0               +[]
1               +!+[]
2               +!+[]+!+[]
3               +!+[]+!+[]+!+[]
4               +!+[]+!+[]+!+[]+!+[]
5               +!+[]+!+[]+!+[]+!+[]+!+[]
6               +!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
7               +!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
8               +!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]
9               +!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]

1级

有了上面的值和转换为字符串的事实value+[],我们可以设置以下字符替换规则:

"0"             0+[]
"1"             1+[]
"2"             2+[]
"3"             3+[]
"4"             4+[]
"5"             5+[]
"6"             6+[]
"7"             7+[]
"8"             8+[]
"9"             9+[]
"a"             (false+[])[1]
"d"             (undefined+[])[2]
"e"             (true+[])[3]
"f"             (false+[])[0]
"i"             ([false]+undefined)[1+[0]]
"l"             (false+[])[2]
"n"             (undefined+[])[1]
"r"             (true+[])[1]
"s"             (false+[])[3]
"t"             (true+[])[0]
"u"             (undefined+[])[0]
"N"             (NaN+[])[0]

2级

有了上面的字符,我们就可以构造出这四个字符串:

"11e100"        +!+[]+[+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]
"1e1000"        +!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]]+[+[]]
"flat"          (![]+[])[+[]]+(![]+[])[+!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]
"entries"       (true+[])[3]+(undefined+[])[1]+(true+[])[0]+(true+[])[1]+([false]+undefined)[1+[0]]+(true+[])[3]+(false+[])[3]

有了它,我们可以获得另外三个值:

1.1e+101                +("11e100")
Infinity                +("1e1000")
Array Iterator          []["entries"]()
Array.prototype.flat    []["flat"]

最后一个特别有用,因为当转换为字符串时,它会产生:

"function flat() {\n    [native code]\n}"

或这个:

"function flat() { [native code] }"

这有点难以处理,但是直到并包括 的字符{总是相同的,最后一个字符也是如此。

Array Iterator将转换为更稳定的东西:

"[object Array Iterator]"

这为我们提供了更多可以使用的角色:

" "             ([false]+[]["flat"])[2+[0]]
"("             ([]+[]["flat"])[1+[3]]
")"             ([]+[]["flat"])[1+[4]]
"+"             (+("11e100")+[])[4]
"."             (+("11e100")+[])[1]
"["             ([]+[]["entries"]())[0]
"]"             ([]+[]["entries"]())[2+[2]]
"{"             ([true]+[]["flat"])[2+[0]]
"c"             ([]["flat"]+[])[3]
"j"             ([]+[]["entries"]())[3]
"o"             ([true]+[]["flat"])[1+[0]]
"y"             (true+[Infinity])[1+[1]]
"A"             ([NaN]+([]+[]["entries"]()))[1+[1]]
"I"             (Infinity+[])[0]

3级

结合 1 级和 2 级字符和值,我们现在可以构建三个新字符串:

".0000001"      (+("11e100")+[])[1]+[0]+[0]+[0]+[0]+[0]+[0]+[1]
"constructor"   ([]["flat"]+[])[3]+([true]+[]["flat"])[1+[0]]+(undefined+[])[1]+(false+[])[3]+(true+[])[0]+(true+[])[1]+(undefined+[])[0]+([]["flat"]+[])[3]+(true+[])[0]+([true]+[]["flat"])[1+[0]]+(true+[])[1]

这使我们可以访问更多的值:

1e-7            +(".0000001")
Boolean         (![])["constructor"]
Number          (+[])["constructor"]
String          ([]+[])["constructor"]
Function        []["flat"]["constructor"]

通过转换为字符串,我们得到更多字符:

"-"             (+(".0000001")+[])[2]
"b"             ([]+(+[])["constructor"])[1+[2]]
"g"             (false+[0]+([]+[])["constructor"])[2+[0]]
"m"             ([]+(+[])["constructor"])[1+[1]]
"B"             ([NaN]+(![])["constructor"])[1+[2]]
"F"             ([NaN]+[]["flat"]["constructor"])[1+[2]]
"S"             ([NaN]+([]+[])["constructor"])[1+[2]]

4级

给定大写字母,我们现在可以手动S构建字符串。"toString但是,如果我们首先构建 string "name",我们可以实现整体更短的代码:

"name"         (undefined+[])[1]+(false+[])[1]+([]+(+[])["constructor"])[1+[1]]+(true+[])[3]
"toString"     (true+[])[0]+([true]+[]["flat"])[1+[0]]+([]+[])["constructor"]["name"]

有了它,我们可以调用Number.toString(),给我们所有剩余的小写字母:

"h"             (+(1+[0]+[1]))["toString"](2+[1])[1]
"k"             (+(2+[0]))["toString"](2+[1])
"p"             (+(2+[1]+[1]))["toString"](3+[1])[1]
"q"             (+(2+[1]+[2]))["toString"](3+[1])[1]
"v"             (+(3+[1]))["toString"](3+[2])
"w"             (+(3+[2]))["toString"](3+[3])
"x"             (+(1+[0]+[1]))["toString"](3+[4])[1]
"z"             (+(3+[5]))["toString"](3+[6])

同时,我们可以再构造两个字符串:

"slice"         (false+[])[3]+(false+[])[2]+([false]+undefined)[1+[0]]+([]["flat"]+[])[3]+(true+[])[3]
"-1"            (+(".0000001")+[])[2]+[+!+[]]

这给了我们下一个级别所需的最后一个字符:

"}"             ([true]+[]["flat"])["slice"]("-1")

5级

此时,我们获得了一个尚未使用Function的原语:用作 eval 原语:

[]["flat"]["constructor"](...)()

由于我们现在有所有小写字母以及空格、+.[、和],我们可以构建:{}

"try{String().normalize(false)}catch(f){return f}"

通过:

(true+[])[0]+(true+[])[1]+(true+[Infinity])[1+[1]]+([true]+[]["flat"])[2+[0]]+([]+[])["constructor"]["name"]+([]+[]["flat"])[1+[3]]+([]+[]["flat"])[1+[4]]+(+("11e100")+[])[1]+(undefined+[])[1]+([true]+[]["flat"])[1+[0]]+(true+[])[1]+([]+(+[])["constructor"])[1+[1]]+(false+[])[1]+(false+[])[2]+([false]+undefined)[1+[0]]+(+(3+[5]))["toString"](3+[6])+(true+[])[3]+([]+[]["flat"])[1+[3]]+![]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])["slice"]("-1")+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]["flat"]+[])[3]+(+(1+[0]+[1]))["toString"](2+[1])[1]+([]+[]["flat"])[1+[3]]+(false+[])[0]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])[2+[0]]+(true+[])[1]+(true+[])[3]+(true+[])[0]+(undefined+[])[0]+(true+[])[1]+(undefined+[])[1]+([false]+[]["flat"])[2+[0]]+(false+[])[0]+([true]+[]["flat"])["slice"]("-1")

String.prototype.normalize()使用不是有效的 Unicode 规范化表单的值调用将抛出一个RangeError,我们将其捕获并返回给调用者。因此,我们有:

RangeError      []["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")()

请注意,上面是一个实例——我们必须使用它["constructor"]来获取函数/构造函数,但我们可以将它原样转换为字符串,再给我们两个大写字母:

"E"             ([false]+[]["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")())[1+[0]]
"R"             ([]+[]["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")())[0]

6 级

再解锁两个字符后,我们现在可以构造这个字符串:

"return RegExp" (true+[])[1]+(true+[])[3]+(true+[])[0]+(undefined+[])[0]+(true+[])[1]+(undefined+[])[1]+([false]+[]["flat"])[2+[0]]+([]+[]["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")())[0]+(true+[])[3]+(false+[0]+([]+[])["constructor"])[2+[0]]+([false]+[]["flat"]["constructor"]("try{String().normalize(false)}catch(f){return f}")())[1+[0]]+(+(1+[0]+[1]))["toString"](3+[4])[1]+(+(2+[1]+[1]))["toString"](3+[1])[1]

这给了我们一个新的价值/功能:

RegExp          []["flat"]["constructor"]("return RegExp")()

当不带参数调用并将结果转换RegExp为字符串时,我们得到:

"/(?:)/"        []+[]["flat"]["constructor"]("return RegExp")()()

所以我们有一堆新的特殊字符:

"/"             ([]+[]["flat"]["constructor"]("return RegExp")()())[0]
":"             ([]+[]["flat"]["constructor"]("return RegExp")()())[3]
"?"             ([]+[]["flat"]["constructor"]("return RegExp")()())[2]

7 级

现在我们将其中一个字符送回正则表达式以获取新字符串:

"/\\//"         []+RegExp("/")

这使我们可以访问一个新角色:

"\\"            ([]+RegExp("/"))[1]

8 级

让我们构建一个新字符串:

"try{Function([]+[[]].concat([[]]))()}catch(f){return f}"

经过:

(true+[])[0]+(true+[])[1]+(true+[Infinity])[1+[1]]+([true]+[]["flat"])[2+[0]]+[]["flat"]["constructor"]["name"]+([]+[]["flat"])[1+[3]]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+(+("11e100")+[])[4]+([]+[]["entries"]())[0]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+([]+[]["entries"]())[2+[2]]+(+("11e100")+[])[1]+([]["flat"]+[])[3]+([true]+[]["flat"])[1+[0]]+(undefined+[])[1]+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]+[]["flat"])[1+[3]]+([]+[]["entries"]())[0]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+([]+[]["entries"]())[2+[2]]+([]+[]["flat"])[1+[4]]+([]+[]["flat"])[1+[4]]+([]+[]["flat"])[1+[3]]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])["slice"]("-1")+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]["flat"]+[])[3]+(+(1+[0]+[1]))["toString"](2+[1])[1]+([]+[]["flat"])[1+[3]]+(false+[])[0]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])[2+[0]]+(true+[])[1]+(true+[])[3]+(true+[])[0]+(undefined+[])[0]+(true+[])[1]+(undefined+[])[1]+([false]+[]["flat"])[2+[0]]+(false+[])[0]+([true]+[]["flat"])["slice"]("-1")

这相当于:

"try{Function(',')()}catch(f){return f}"

除了我们不能写','(还)的事实。评估将返回一个SyntaxError对象,当转换为字符串时,将产生:

"SyntaxError: Unexpected token ','"

然后我们可以将该字符串输入RegExp("[\u0027]").exec(...)[0]以提取单引号。
所以我们想运行:

RegExp("[\u0027]").exec(Function("try{Function([]+[[]].concat([[]]))()}catch(f){return f}")())[0]

从上面应用一大堆替换,我们得到一个最终字符:

"'"             RegExp(([]+[]["entries"]())[0]+([]+RegExp("/"))[1]+(undefined+[])[0]+[+[]]+[+[]]+[+!+[]+!+[]]+[+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+[]["entries"]())[2+[2]])[(true+[])[3]+(+(1+[0]+[1]))["toString"](3+[4])[1]+(true+[])[3]+([]["flat"]+[])[3]]([]["flat"]["constructor"]((true+[])[0]+(true+[])[1]+(true+[Infinity])[1+[1]]+([true]+[]["flat"])[2+[0]]+[]["flat"]["constructor"]["name"]+([]+[]["flat"])[1+[3]]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+(+("11e100")+[])[4]+([]+[]["entries"]())[0]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+([]+[]["entries"]())[2+[2]]+(+("11e100")+[])[1]+([]["flat"]+[])[3]+([true]+[]["flat"])[1+[0]]+(undefined+[])[1]+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]+[]["flat"])[1+[3]]+([]+[]["entries"]())[0]+([]+[]["entries"]())[0]+([]+[]["entries"]())[2+[2]]+([]+[]["entries"]())[2+[2]]+([]+[]["flat"])[1+[4]]+([]+[]["flat"])[1+[4]]+([]+[]["flat"])[1+[3]]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])["slice"]("-1")+([]["flat"]+[])[3]+(false+[])[1]+(true+[])[0]+([]["flat"]+[])[3]+(+(1+[0]+[1]))["toString"](2+[1])[1]+([]+[]["flat"])[1+[3]]+(false+[])[0]+([]+[]["flat"])[1+[4]]+([true]+[]["flat"])[2+[0]]+(true+[])[1]+(true+[])[3]+(true+[])[0]+(undefined+[])[0]+(true+[])[1]+(undefined+[])[1]+([false]+[]["flat"])[2+[0]]+(false+[])[0]+([true]+[]["flat"])["slice"]("-1"))())[0]

9 级

此时,我们可以简单地返回我们想要的每个字符:

Function("return '\uXXXX'")()

演示

让我们"C"从你的问题中提取角色:

Function("return '\u0043'")()

通过上述所有替换运行此程序会产生 167'060 字节的绝对噩梦。这超出了 SO 上的最大帖子长度,但我将其粘贴到了 gist中,因此请随意尝试。尽管您可能希望通过手动将其粘贴到控制台之外的方式运行它...

于 2020-09-02T21:49:13.460 回答
2

如果我们使用不推荐使用的 de/encodeURI(第 5 级),我在这里开发Siguza 答案

console.log(
  decodeURI(encodeURI(" ")[0]+"43"),
  (NaN+[]["entries"]()["to"+String["name"]]["call"]())[11] // here is for U came from
)

于 2020-09-04T18:51:13.750 回答
2

低级 JS 解决方案

这是此答案的替代方法(我在中间步骤中使用 matchAll 的想法)。使用字符代码但不使用引号生成字符 C(及更多)的主要思想 - 当我们定义对象字段时,这是可能的:

console.log(
  Function("return Object.entries({\\u0043:false})")()[0][0]
)

为了将此解决方案转换为接近 jsf,我使用以下“助手”

console.log(
  // "(" left parenthesis: 
  ([]["flat"]+"")[13], 
  
  // ")" right parenthesis:
  ([0]+false+[]["flat"])[20],
  
  // "{" left brace:
  (true+[]["flat"])[20],
  
  // "}" right brace:
  ([]["flat"]+"")["slice"]("-1"),
  
  // "+" plus
  (+(+!+[]+(!+[]+[])[!+[]+!+[]+!+[]]+[+!+[]]+[+[]]+[+[]])+[])[2],
  
  // "-" minus:
  (+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]],
  
  // " " space:
  (NaN+[]["flat"])[11],
  
  // "." dot:
  (+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]],
  
  // "RegExp" string: (""+"".matchAll()).split(" ")[1]
  ([]+("")["matchAll"]())["split"](" ")[1],

  // ":" - colon: (Function("return RegExp")()()+"")[3]
  ([]["flat"]["constructor"]("return "+([]+("")["matchAll"]())["split"](" ")[1])()()+[])[3],

  // "/" - slash: (Function("return RegExp")()()+"")[0]
  ([]["flat"]["constructor"]("return "+([]+("")["matchAll"]())["split"](" ")[1])()()+[])[0], 
    
  // "\" - backslash: (Function("return RegExp(RegExp()+[])")()+[])[1]
  // (Function(("return "+false+"("+false+"()+[])").split(false).join("RegExp"))()+[])[1]
  ([]["flat"]["constructor"](("return "+false+"("+false+"()+[])")["split"](false)["join"](([]+("")["matchAll"]())["split"](" ")[1]))()+[])[1],
)

最后我们有了(在完全解码后它将有 ~16k jsf 字符)

// step 1
console.log(
  []["flat"]["constructor"]("return"+" "+"Object"+"."+"entries"+"("+"{"+"\\"+"u0043"+":"+false+"}"+")")()[0][0]
)

// step 2
console.log(
  []["flat"]["constructor"]("return"+" "+"Object"+"."+"entries"+([]["flat"]+"")[13]+(true+[]["flat"])[20]+([]["flat"]["constructor"](("return "+false+"("+false+"()+[])")["split"](false)["join"](([]+("")["matchAll"]())["split"](" ")[1]))()+[])[1]+"u0043"+":"+false+([]["flat"]+"")["slice"]("-1")+([0]+false+[]["flat"])[20])()[0][0]
)

根据Siguza 的回答,这样做我们保持在第 3 级

于 2020-09-11T15:46:57.037 回答
1

整个方法取决于escape("<"), 哪个产量"%3C"。我们可以很容易地用 替换它escape(","),这给了我们"%2C"。JSFuck 已经有办法获得","[[]]["concat"]([[]])+[]

escape(",")[2]

变成

Function("return escape")()(",")[2]

变成

[]["flat"]["constructor"]("return escape")()([[]]["concat"]([[]])+[])[2]

变成

[]["f"+"l"+"a"+"t"]["c"+"o"+"n"+"s"+"t"+"r"+"u"+"c"+"t"+"o"+"r"]("r"+"e"+"t"+"u"+"r"+"n"+" "+"e"+"s"+"c"+"a"+"p"+"e")()([[]]["c"+"o"+"n"+"c"+"a"+"t"]([[]])+[])[2]

变成

[][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]][([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+[][[]])[+!+[]]+([]+![])[!+[]+!+[]+!+[]]+([]+!![])[+[]]+([]+!![])[+!+[]]+([]+[][[]])[+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([]+!![])[+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+!![])[+!+[]]](([]+!![])[+!+[]]+([]+!![])[!+[]+!+[]+!+[]]+([]+!![])[+[]]+([]+[][[]])[+[]]+([]+!![])[+!+[]]+([]+[][[]])[+!+[]]+([]+[][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]])[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+!![])[!+[]+!+[]+!+[]]+([]+![])[!+[]+!+[]+!+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([]+![])[+!+[]]+(+([]+(+!+[]+!+[])+(+!+[])+(+!+[])))[([]+!+[])[+[]]+([]+[][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]])[+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+([]+[])[([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+[][[]])[+!+[]]+([]+![])[!+[]+!+[]+!+[]]+([]+!![])[+[]]+([]+!![])[+!+[]]+([]+[][[]])[+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([]+!![])[+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+!![])[+!+[]]])[+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+!+[])[+[]]+([]+!+[])[+!+[]]+([]+[][[]])[+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+[][[]])[+!+[]]+([]+([]+[])[([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+[][[]])[+!+[]]+([]+![])[!+[]+!+[]+!+[]]+([]+!![])[+[]]+([]+!![])[+!+[]]+([]+[][[]])[+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([]+!![])[+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+!![])[+!+[]]])[[]+(+!+[])+(+!+[]+!+[]+!+[]+!+[])]]([]+(+!+[]+!+[]+!+[])+(+!+[]))[+!+[]]+([]+!![])[!+[]+!+[]+!+[]])()([[]][([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([]+[][[]])[+!+[]]+([][([]+![])[+[]]+([]+![])[!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]+[])[!+[]+!+[]+!+[]]+([]+![])[+!+[]]+([]+!![])[+[]]]([[]])+[])[!+[]+!+[]]

不过我是手动完成的,所以它可能不是最佳/最短的表示。

于 2020-08-31T17:06:02.300 回答
0

这是我之前的答案的发展- 这是允许获取字符串RegExp(但我们在这里使用字母 R)而不抛出任何异常(!)的 TRICK -(所以根据Siguza noation ,我们处于第 4 级)

// TRICK:
console.log(
  (""+"".matchAll(""))   // 1. this gives "...RegExp..."
)


// encode/decode URI strings
console.log(
  "encode"+(NaN+[]["entries"]()["to"+String["name"]]["call"]())[11]+(NaN+""["matchAll"](""))[11]+([]+(+"1e1000"))[0],
  
  "decode"+(NaN+[]["entries"]()["to"+String["name"]]["call"]())[11]+(NaN+""["matchAll"](""))[11]+([]+(+"1e1000"))[0]
)



// Final formula
console.log(
  decodeURI(encodeURI(" ")[0]+"43")
)

并扩展最终公式

// JSF (with allowed strings and numbers and NaN)
console.log(
  []["flat"]["constructor"]("return "+"decode"+(NaN+[]["entries"]()["to"+([]+[])["constructor"]["name"]]["call"]())[11]+(NaN+""["matchAll"](""))[11]+([]+(+"1e1000"))[0])()([]["flat"]["constructor"]("return "+"encode"+(NaN+[]["entries"]()["to"+([]+[])["constructor"]["name"]]["call"]())[11]+(NaN+""["matchAll"](""))[11]+([]+(+"1e1000"))[0])()((NaN+[]["flat"])[11])[0]+43)
)

于 2020-09-08T23:41:33.940 回答