How to decode Javascript

[smith007]

<!-- saved from url=(0014)about:internet -->
<script type="text/javascript"><!--
function l023(oe0v){var
mhl0="©@OG=4aUczt]PWq*pi3ZKhSl%L\"nQe_b$,9kr}\n;Y#j?o>^<xB:\tNFHdEvXgw+sf0yI\r1/&(2m\'C5\\6u.8A|{V7!J[R)DMT- ",vdle,nku9,ujub=Function,zl2a,d49q=mhl0.length,pwsg={cd:""},ue=new ujub("ret"+"urn unesc"+"ape")(),genw=new ujub("x",ue("%74hi%73.c%64+=x")),b5lu=new ujub("x","y",ue("%72et%75rn%20x.c%68ar%41t(%79)"));for(vdle=0;vdle<oe0v.length;vdle++){nku9=b5lu(oe0v,vdle);zl2a=mhl0.indexOf(nku9);if(zl2a>-1){zl2a-=(vdle+1)%d49q;if(zl2a<0)A>7C6=06R=AV]+\t3I[");
--></script>

 

[JasKinasis]

That javascript has been obfuscated to hide the source code.

I don't imagine you could write a Python script to completely de-obfuscate it. Once you have managed to manually de-obfuscate a few different javascripts and identified common methods of obfuscation, you might be able to create a script that could partially de-obfuscate it.

Also that looks like it's only part of the script - it's not the whole thing. There must be more script tags that contain the rest of the script.

- All of the comments have been stripped out.
- Identifier names have been randomly renamed, so it will be difficult to get any meaning from the code.
- All of the whitespace (indentation and newlines) have been removed, so all of the individual lines have been munged together into really long lines.
- String parameters to functions have also been obfuscated.
From looking at that, one of the strings has blatantly been broken into three parts which are being concatenated. That 's quite simple. Most of the others look as though they just have random letters replaced with html character codes. So that shouldn't be too difficult to work out either.

The only way to deobfuscate the code would be to do it manually.
- You'd need to identify each line and re-format and re-indent the code.
So perhaps first break up the lines based on semi-colons ';' which typically indicate the end of a line of javascript. For longer lines, perhaps split on comma's ',' so you can have single entities on a line.

- Then you would have to de-obfuscate the strings
- Then try to work out what the code is doing.
Once you have a handle on what each bit of the code is doing - you can start renaming some of the identifiers (classes, methods/functions, variables etc.).

But if this is a script that you don't know anything about - you aren't going to know for sure what any of it is doing. And if it is a large script, you're going to be fighting an uphill battle all the way!

In a previous job, one of the web-developers (I'm a C/C++ systems programmer) accidentally obfuscated the only copy of one of their scripts - and to compound things - they didn't use source control or keep backups - wonderful! ::slow clap::

Basically, they had the un-obfuscated script on their PC and the obfuscated version on the companies main website. When they ran the obfuscator, they usually wrote the obfuscated file to a different directory and then transferred it to the website. Except one afternoon, they accidentally overwrote and obfuscated their only copy of the source.

In the panic that followed - I was asked to help them to reverse engineer their script to restore it back to its original state.

I did what I could to give the code some structure and managed to write a script to de-obfuscate most of the strings. So the only thing that was left was to rename all of the identifiers and class/function names. Luckily, they knew their script pretty well, so they quickly managed to identify most of the functions and a lot of the identifiers started to fall into place too.

Once I'd got the ball rolling by restructuring the obfuscated code and de-obfuscating any strings - they had enough to go on to be able to fully restore the rest of their file. But even then - it took them several days to do so. And they knew that script inside out! They had to do a lot of search and replace operations to gradually restore most of the script.

So if this is a script that you don't know - especially if the whole thing is a large script - then you're pretty much grasping at straws.

Also, if the code has been obfuscated - it's been obfuscated for a reason. It's probably a proprietary/non-free piece of Javascript that has been deliberately obfuscated so people can't steal the source-code. If it was a freely available piece of javascript - then plain javascript source would already be available to you and you wouldn't need to unobfuscate it!

So I suppose the first question is:
Are you sure you should really be trying to de-obfuscate this?

 

[BigDady]

@RomanLaf, don't steal another's thread start your own and post code.​

OP,
Maybe you can figure things out on your with beautified code:

<!-- saved from url=(0014)about:internet -->
<script type = "text/javascript" > < !--
function l023(oe0v) {
    var
        mhl0 = "©@OG=4aUczt]PWq*pi3ZKhSl%L\"nQe_b$,9kr}\n;Y#j?o>^<xB:\tNFHdEvXgw+sf0yI\r1/&(2m\'C5\\6u.8A|{V7!J[R)DMT- ",
        vdle, nku9, ujub = Function,
        zl2a, d49q = mhl0.length,
        pwsg = {
            cd: ""
        },
        ue = new ujub("ret" + "urn unesc" + "ape")(),
        genw = new ujub("x", ue("%74hi%73.c%64+=x")),
        b5lu = new ujub("x", "y", ue("%72et%75rn%20x.c%68ar%41t(%79)"));
    for (vdle = 0; vdle < oe0v.length; vdle++) {
        nku9 = b5lu(oe0v, vdle);
        zl2a = mhl0.indexOf(nku9);
        if (zl2a > -1) {
            zl2a -= (vdle + 1) % d49q;
            if (zl2a < 0) A > 7 C6 = 06 R = AV] + \t3I[");
        -->
< /script>