Ludochaordic
Fantaisies programatico-ludiques

Fun with Javascript string obfuscation

Inspired by this tweeter post by Marcus Lagergren and the JS1K competition, here is a valid Javascript code snippet for you obfuscated code lovers:

=!+[]+!+[]+!+[]+!+[],ߺ=+,ǀ=ߺ+ߺ,=!+[]+[],ǃ=!+[]+!+[]+!+[],=[+[]],=+[ǃ]+(![]+[])[ǃ]+,=/,/[]+[],=ǀ+ߺ+!+[]+!+[],=[ǃ]+[+!+[]+!+[]],ǃ=+[],=+!+[],ǃ=[ǃ]+[]+([][[]]+[])[]+(![]+[])[!+[]+!+[]+]+(!+[]+[])[ǃ]+(!+[]+[])[]+([][[]]+[])[ǃ]+[ǃ]+(!+[]+[])[ǃ]+[]+(!+[]+[])[],=ǃ[ǃ]+[],ǃ=!+[]+!+[],=(!+[]+[])[+[]]+[+!+[]]+[ߺ+!+[]]+[ߺ+ǃ]+[ߺ+ǃ+!+[]]+[ߺ+]+[ߺ++!+[]]+[ߺ++ǃ],ǃ=ǀ+ǀ+,(+[]+!+[]+!+[]++ߺ)[](ǃ)+(+[]+!+[]+!+[]++ǀ)[](ǃ)+(!+[]+!+[]+!+[]+ߺ)[](ǃ)+(+[]+!+[]+!+[]+ߺ)[](ǃ)+(+[]+!+[]+!+[]++ߺ+ǀ)[](ǃ)+(+[]++ߺ)[](ǃ)+(!+[]+ǀ)[](ǃ)+(+[]+!+[]+!+[]++ߺ)[](ǃ)+(!+[]+!+[]+!+[]+ǀ+ǀ)[](ǃ)+[ߺ]+(+[]+!+[]+!+[]++ǀ)[](ǃ)+(+[]+ߺ+ǀ)[](ǃ)+(+[]+!+[]+!+[]+ǀ)[](ǃ)+[ߺ]+(+[]+ߺ)+[ǀ]

Just click here to check on http://repl.it what this snippet evaluates to.

This snippet has been generated by an home-made algorithm, whose goal is to produce Javascript code containing ZERO character, that outputs a string when evaluated. Maybe not very useful, but it's a kind of constrained code writing I guess :) I won't reveal all the tricks I used here, maybe in a later post. There is another one for you:

=!+[]+!+[]+!+[]+!+[],ߺ=+,ǀ=ߺ+ߺ,=!+[]+[],ǃ=!+[]+!+[]+!+[],=[+[]],=+[ǃ]+(![]+[])[ǃ]+,=/,/[]+[],=ǀ+ߺ+!+[]+!+[],=[ǃ]+[+!+[]+!+[]],ǃ=+[],=+!+[],ǃ=[ǃ]+[]+([][[]]+[])[]+(![]+[])[!+[]+!+[]+]+(!+[]+[])[ǃ]+(!+[]+[])[]+([][[]]+[])[ǃ]+[ǃ]+(!+[]+[])[ǃ]+[]+(!+[]+[])[],=ǃ[ǃ]+[],ǃ=!+[]+!+[],=(!+[]+[])[+[]]+[+!+[]]+[ߺ+!+[]]+[ߺ+ǃ]+[ߺ+ǃ+!+[]]+[ߺ+]+[ߺ++!+[]]+[ߺ++ǃ],ǃ=ǀ+ǀ+,(!+[]+ǀ)[](ǃ)+(!+[]+!+[]++ߺ)[](ǃ)+(!+[]++ǀ)[](ǃ)+(!+[]++ǀ)[](ǃ)+(ߺ+ǀ)[](ǃ)+[ߺ]+(ǀ+ǀ)[](ǃ)+(ߺ+ǀ)[](ǃ)+(!+[]+!+[]+!+[]+ߺ+ǀ)[](ǃ)+(!+[]++ǀ)[](ǃ)+(!+[]++ߺ)[](ǃ)

Again, click here to check its execution on http://repl.it




EDIT [26/11/2014] : Actually, I found out this is not breaking ground at all, there are actually plenty of similar crazy "NoAlnum" hacks & contests : http://security.stackexchange.com/a/8265. Thanks to Thibault for finding out !

Now, the commented source code of my own generic ASCII-to-NoAlnum translator can be found on GitHub.

EDIT[19/12/2014] : there is an equivalent one for Python : http://benkurtovic.com/2014/06/01/obfuscating-hello-world.html

EDIT[3/03/2016] : funnily, the recent vulnerability Ebay has been exposed to relies on the very same trick, except that with JSFuck or hieroglyphy you only need 6 non-alphanumeric characters !

EDIT[27/11/2017] : more creative coding : http://aem1k.com