Decoding JavaScript
05-18-2013, 01:28 AM (This post was last modified: 05-18-2013 02:42 AM by Cyko.)
The principle is fairly simple: all encoded JavaScript can be decoded (whether tough or not), simply because:

  1. It is client-side.
  2. It can be disabled.

All encoded JavaScript uses one or both of the following techniques:
  • Packing - Used to compact, compress and reduce the number of lines in code.
  • Obfuscating - Used to conceal and obscure code.

Manual Decoding

Caution: Encoded JavaScript is often malicious, therefore decoding it manually could be dangerous (if done incorrectly).

I cannot be specific, seeing as there are different variations out there, but most seem to follow the same pattern - they generally contain an 'eval'.
Therefore, to decode it you can surround it with 'textarea' tags (to grab the output) and replace the 'eval' with 'document.write' (so it does not execute the code but prints/writes it). Doing this (you may need to do it repeatedly until you no longer see any encoded code) should give you the decoded code.

Note: Those of you familiar with decoding PHP will find similarities when doing this...

Below is an example - hoping it will improve your understanding (it might be best if you follow the steps below and give it a go/try!):

You will need the following to give it a go:
  • A code editor (with search and replace).
  • A browser.
  • A WAMP package (like XAMPP) - optional.
  • An open mind (a must!).

Here is our encoded JavaScript code (which we will be decoding):

Code:
http://pastebin.com/BdYkkzda

1. The decoder (the code to actually decode this all) is within the encoded code, in the first part:

Code:
http://pastebin.com/KUNBat6j

2. Decode the code from step 1 using PHP's urldecode() function (my preferred method; it can also be done with JavaScript or via an online function website), like so:

PHP Code:
http://pastebin.com/tzZNPTaz 

3. Run/execute the code from step 2 in your browser, which would output the following (the decode function):

Code:
http://pastebin.com/2J5YZf2f

4. Overwrite the encoded code in step 1 with the decode function in step 3, and it should now look like the following:

Code:
http://pastebin.com/ujjAj5fL

5. Wrap script tags around the code from step 4, as follows:

Code:
http://pastebin.com/tkaABXMM

6. Now we are going to surround the second part of the encoding (the encoded code) with textarea tags (to grab the output) and replace the 'eval' with 'document.write' (so it does not execute the code but prints/writes it), it should now look like the following:

Code:
http://pastebin.com/krk0dcLS

7. Run/execute the code from step 6 in your browser, and you should see some eval(function.... code within a textarea. Right click within the textarea and 'Select All', then once the code is highlighted, right click again and select 'Copy'. You should now have copied the following code:

Code:
http://pastebin.com/1Nhnnc6U

8. Do what you did in step 5 and step 6 to the code in step 7; by now it should look like the following:

Code:
http://pastebin.com/czvJ9Sgq

9. Run/execute the code from step 8 in your browser and you should see the final decoded code:

Code:
http://pastebin.com/SJGQKEgL

10. Lastly, and optionally, to improve readability, run the code from step 9 through jsbeautifier (just remember to add the script tags):

Code:
http://pastebin.com/7AnzsKq3

Was not so hard after all, was it?

Automatic Decoding

Luckily there are some automated solutions which are not only quick but are also the safest (as they do all the work, so there are no risks on your side).
  • jsunpack - A great online tool where you can paste JavaScript code, link directly to a JavaScript file or upload a JavaScript file; it will indicate whether it believes the code is malicious and will provide a download link to the decoded result (you may find a number of files within the archive, possibly because they are the stages it was decoded in - there should be 1 which contains the source).
  • jsbeautifier - Another online tool and probably the most popular; it allows you to paste your JavaScript code and it will attempt to decode it (if it believes it is encoded) and beautify it (for readability).
  • Malzilla - This is a Windows application which comes with a collection of different built-in tools to decode and analyse encoded JavaScript.
  • NoScript - Yes, this is a Firefox add-on, and no, this one will not decode JavaScript, but it can help in preventing malicious JavaScript being executed!

Do let me know if this helped at all!

Note: This is an old article written by me in 2010/2011? (it was originally on my now non-existent website). Sorry about me using paste-bin for all code - forums tend to have character limits.