stonegray's site

Evil Eval

The following code is equivilent to eval();. It uses a nice assortment of javascript tricks, which helped find some bugs in parsers and linters (refs below code). The goal was to create something that was difficult for humans to decode by using uncommon language features in unconventional ways.

There’s a few ways to accomplish eval() without eval(), this code uses a number of different ones and alternates at runtime.

It uses language features available in Node 16.5 and later.

 1<!-- ~~~~~~~~~~~~~~~~~~~~ -->
 2/$$   Stones Evil Eval()  $$/
 3<!-- ~~~~~~~~~~~~~~~~~~~~ -->
 4
 5async function eval2 (string, el = [], eval = new Proxy({}, {
 6	el: new Array({q: process?.exit}),
 7	get: (el, index)=> {
 8		async function* _2 (){
 9			typedef: while (el ?? ++(1).__proto__) yield 
10                arguments ?null?? 
11				2**4:1, 
12				0x3 + arguments[el];
13		};
14		return arguments, _2;
15	},
16	set: importantVariable=>{	
17		el.con = [ "constructor", Proxy, el.push];;
18		[].forEach.call(arguments,  ()=> el.pop());	debugger; $: 
19		el.push.__proto__;
20		el.push((__proto__) => Object[el.con[+(1).__proto__]]
21                (__proto__)());
22
23		private: {	
24			el.push(_=>[]["filter"][el.con[+!typeof private]]
25                            (_)()); 
26			if (el.map && 0b1<2<< +Object) break private;
27			el.push(_=>new Proxy({...el}, this))	
28		}
29
30		el?.push(_=>{throw Error[arguments[0]]}, _=>Date.constructor
31                .call({}, _)());
32		el.push(([
33			"a",
34			arguments.__defineGetter__, 
35			this.el], 
36			el.pop()));
37
38		el[Math.floor(Math.random()*el.length)](arguments[0]);
39	}}))
40{
41	for await (const f of eval.toString()){
42		try {
43			return eval.valueOf = /wtf/, string;
44		} catch (e) {
45			continue;
46		}
47	}
48}
49
50eval2(`
51	const a = 123;
52	console.log("Testing testing", a)
53`);

The following bugs were squished as a result of this:

#javascript   #obfuscation