[adam-a]

It's quite clever, the script gets a reference to the function prototype by making the string "constructor" and calling (0)["constructor"]["constructor"]. Calling Function on a string returns a new function with the string as the body, which you can then execute.

Partially deobfuscated: http://jsbin.com/qiwib/1/edit?js,output

[dioltas]

Just tried to understand the last bit myself.

So he's doing 0["constructor"] which gives the constructor of a number, Number. Then he's 0["constructor"]["constructor"] gives the constructor of Number, which is like a function, so he gets Function.

    var y = (0)["constructor"]["constructor"];
    y == Function;                                 // true

Then he basically does this ($.$ == Function):

    Function(
        Function(
            "return \"alert('I love you');\""
        )()
    )();

The inner function just returns the string "alert('I love you');", which then becomes the body for the outer function.

I don't know why they didn't make it:

Function ("alert('I love you');")();

Maybe they needed more chars for the heart. That was a good little crash course in javascript Function constructors!

[adam-a]

I was a bit confused by the double Function call too. The string input to the first Function is:

    "return"ale\162t(\"\111\40lo\166e\40\171ou.\"\40)""

which when evaluated becomes:

    "alert("I love you." )"

He gets the other letters from names of types and other JS native things. I guess he couldn't get 'r', 'I', ' ', 'v' or 'y' and so had to make them using the octal escape codes.