user2087755

How to decode this javascript?

My question is how I can decode this JavaScript and how it is encoded (with which program or online tool).

Here is the JavaScript that I want to decode: http://pastebin.com/hZvKySjj

Upvotes: -1

Views: 474

Answers (3)

ButterDog

Reputation: 5225

Have a look at: http://www.labnol.org/software/deobfuscate-javascript/19815/

They show you how you can do something like that; it's basically a matter of using the Chrome debugger to "beautify" the code and make it easier to read.

Some versions of Chrome don't have the command in a context menu; just look for the command "Pretty print" (it has an icon like -> {}).

Once that is done, you can use a JavaScript console to evaluate small snippets of code to reverse engineer it. E.g. the expressions (at the beginning of your code)

1) (s\u0065lf + ([] * 0) * 1)
2) '\x5B'
3) ((s\u0065lf + ([] * 0) * 1)[0 ^ 0] == '\x5B')

return these strings in my browser

1) "[object Window]0"
2) "["
3) true

Just find the starting point and follow from there. Obfuscated code follows the same rules as normal code; it's just all messed up.

Upvotes: 0

Bergi

Reputation: 664528

Every obfuscated script needs some kind of eval. In here, the lines

_L = 'constr\x75\x63\x74\x6F\x72';
[][_L][_L](_Z[_h._t4](_F))();

are doing this. _L is the string "constructor", and [].constructor.constructor is the Function constructor. It will be called with the decoded script, and the resulting function will be called. We can substitute it with an alert, paste the script in the console*, and wait for the result - we don't even need to understand how the decoding works. In your case, the result is (yes, including all the comments and linebreaks):

var alarm ="0";
var content = document;

if ((content.getElementById("wrapper") != null))
{
    document.getElementById('wrapper').style.display = 'block';
}

function a ()
{
    if ((content.getElementById("links") != null))
    {
        var temp = content.getElementById("links").innerHTML;
        if ((temp.indexOf('nofollow')+1) > 0)  alarm = "1";
        else if ((temp.indexOf('noindex')+1) > 0)  alarm = "1";
    }
    else alarm = "1";
}

function b ()
{
    if ((content.getElementById("aa") != null) && (content.getElementById("ab") != null))
    {
        temp = document.getElementById("aa").href;
        if ("http://uc-portaller.ru/" != temp) alarm = "1";

        temp = document.getElementById("ab").innerHTML;
        if ("скрипты для ucoz" != temp) alarm = "1";
    }
    else alarm = "1";
}

function c ()
{
    if ((content.getElementById("ba") != null) && (content.getElementById("bb") != null))
    {

        temp = content.getElementById("ba").href;
        if ("http://austere.ru/" != temp) alarm = "1";

        temp = content.getElementById("bb").innerHTML;
        if ("доска объявлений" != temp) alarm = "1";
    }
    else alarm = "1";
}

function d ()
{
    if ((content.getElementById("ca") != null) && (content.getElementById("cb") != null))
    {

        temp = content.getElementById("ca").href;
        if ("http://www.for-creative.com/" != temp) alarm = "1";

        temp = content.getElementById("cb").innerHTML;
        if ("темы для ucoz" != temp) alarm = "1";
    }
    else alarm = "1";
}

a ();

if (alarm == "0") b ();
if (alarm == "0") c ();
if (alarm == "0") d ();

if (alarm == "1") prompt('Нарушены условия использования, по всем вопросам обращайтесь в ICQ:', '376880395');












$(document).ready(function(){

    //When you click on a link with class of poplight and the href starts with a # 
    $('a.poplight[href^=#]').click(function() {
        var popID = $(this).attr('rel'); //Get Popup Name
        var popURL = $(this).attr('href'); //Get Popup href to define size

        //Pull Query & Variables from href URL
        var query= popURL.split('?');
        var dim= query[1].split('&');
        var popWidth = dim[0].split('=')[1]; //Gets the first query string value

        //Fade in the Popup and add close button
        $('#' + popID).fadeIn().css({ 'width': Number( popWidth ) }).prepend('');

        //Define margin for center alignment (vertical + horizontal) - we add 80 to the height/width to accomodate for the padding + border width defined in the css
        var popMargTop = ($('#' + popID).height() + 80) / 2;
        var popMargLeft = ($('#' + popID).width() + 80) / 2;

        //Apply Margin to Popup
        $('#' + popID).css({ 
            'margin-top' : -popMargTop,
            'margin-left' : -popMargLeft
        });

        //Fade in Background
        $('body').append('<div id="fade"></div>'); //Add the fade layer to bottom of the body tag.
        $('#fade').css({'filter' : 'alpha(opacity=0)'}).fadeIn(); //Fade in the fade layer 

        return false;
    });


    //Close Popups and Fade Layer
    $('a.close, #fade').live('click', function() { //When clicking on the close or fade layer...
        $('#fade , .popup_block').fadeOut(function() {
            $('#fade, a.close').remove();  
    }); //fade them both out

        return false;
    });


});




        $.fn.tabs = function () {
            return this.each(function () {
               var $tabwrapper = $(this); 

               var $panels = $tabwrapper.find('> div');
               var $tabs = $tabwrapper.find('> ul a');

               $tabs.click(function () {  
                   $tabs.removeClass('selected');
                   $(this).addClass('selected');

                   $panels
                    .hide() // hide ALL the panels
                    .filter(this.hash) // filter down to 'this.hash'
                        .show(); // show only this one

                   return false;
               }).filter(window.location.hash ? '[hash=' + window.location.hash + ']' : ':first').click();
            });
        };

        $(document).ready(function () {
            // console.log(window.location.hash);

            $('div.tabs').tabs();
        });

*) Of course you need to be sure what you're doing. There's always a small risk that it's a malicious script, and you might not have found all evals. @jfriend00's tip on executing the decoding snippets line-by-line is a safer way.

Upvotes: 9
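
The sink substitution described in the answer above, as an added example that is not part of any answer on this page: a Node.js harness that hooks `Function.prototype.constructor`, `Function` and `eval` inside an empty `vm` context, so the decoded source is recorded instead of executed. The sample script, its XOR decoder `_D` and the helper `captureDecoded` are constructed for illustration; the real script's decoder is different.

```javascript
// Added example: record what an obfuscated script hands to Function/eval
// instead of running it. All names and sample data here are constructed.
const vm = require('node:vm');

// Constructed stand-in for the pastebin script: a payload XOR-encoded into
// numbers, decoded at runtime and passed to [].constructor.constructor.
const PAYLOAD = 'var alarm = "0"; // decoded body';
const ENCODED = JSON.stringify([...PAYLOAD].map((c) => c.charCodeAt(0) ^ 7));
const SAMPLE = String.raw`
_L = 'constr\x75\x63\x74\x6F\x72';
_D = function (a) {
  return a.map(function (c) { return String.fromCharCode(c ^ 7); }).join('');
};
[][_L][_L](_D(${ENCODED}))();
`;

// Runs inside the context before the sample. The [].constructor.constructor
// route, the global Function and the global eval now record the source text
// and hand back a no-op. Other routes (e.g. async function constructors)
// are not covered by this sketch.
const HOOKS = `
  Function.prototype.constructor = function () {
    captured.push(String(arguments[arguments.length - 1]));
    return function () {};
  };
  Function = Function.prototype.constructor;
  eval = function (src) { captured.push(String(src)); };
`;

function captureDecoded(obfuscatedSource) {
  const captured = [];
  // Empty context: the script sees no document, window, require or process.
  const context = vm.createContext({ captured });
  vm.runInContext(HOOKS, context);
  // node:vm is not a security boundary: for unknown samples, run this
  // harness itself inside a disposable VM. The timeout stops decoder loops.
  vm.runInContext(obfuscatedSource, context, { timeout: 1000 });
  return captured;
}

console.log(captureDecoded(SAMPLE)[0]);
```

Because the hooks live on the prototype rather than in the script text, a second `Function`-constructor call hidden elsewhere in the same script is captured as well.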

jfriend00

Reputation: 707328

The only way I know of to understand what this code does is to find a safe environment (in case the code has malicious intent) and execute it line-by-line in a debugger and watch what it does as it deobfuscates itself to turn itself into normal javascript. The variable names will often stay obscured, but the giant string in _O will get decoded into something (probably javascript code).

Upvotes: 2
