it is basically various ways of making javascript return things like "NaN", "undefined", or "false", and then using a numbered index to return a particular character of that word after it is converted to a string.

so "NaN"[1] would be "a". "false"[0] would be "f".

since they are trying to do it without numbers, they can create them using things like "++[[]][+[]]" which returns a 1. by adding up different numbers you can get the digits you need.

Making strings out of nothing is hard, but how did they managed to execute that string out of nothing?

By deriving an eval-equivalent and indexing [] (read the comments).

Yes, I know how to make "eval", but how could it convert "eval" to eval() ?

Edit: by using []["sort"]["call"]()["eval"]

Yes, but why does that work? I don't get:

+[]

or

[]['sort']

or

[]['eval']

for that matter, why does []['sort']['call'] work but []['call'] doesn't.

All of these look like they should be syntax errors to me. What am I missing?

Here's the breakdown:

  []["sort"]["call"]()["eval"]

is the same in javascript as

  ([].sort.call()).eval

The part in parentheses calls Array.sort with an undefined this object, defaulting it to window. Array.sort returns this after it's done. Global functions like eval are stored on window, so you end up with window.eval.

Ah. Thanks!

Because [] doesn't have a 'call' attribute, but does have 'sort' attribute (remember that Javascript has a funky object notation, which is why people have to do elaborate dances to iterate over objects), and because the 'sort' attribute of [] itself is an object with a 'call' attribute.

Not sure, but at first glance it seems to evoke results like "undefined" or "NaN", and cast them to a String. The trickier part might be creating the index into the String.

Indices are easy:

  0: 3: +[]
  1: 11: ++[[]][+[]]
  2: 20: ++[++[[]][+[]]][+[]]
  3: 29: ++[++[++[[]][+[]]][+[]]][+[]]
  (etc)