CODEWITHSUNDEEP
javascriptobfuscation
ToniG
ToniG

Reputation: 41

How does this kind of javascript obfuscation work?

I always was curious how this type of obfuscation can be achieved in JavaScript and how it can be decoded (deobfuscated). Below is an example code: 

var _0x4e9d=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x77\x72\x69\x74\x65"];document[_0x4e9d[0x1]](String[_0x4e9d[0x0]](0x3c,0x62,0x75,0x74,0x74,0x6f,0x6e,0x20,0x6f,0x6e,0x63,0x6c,0x69,0x63,0x6b,0x3d,0x27,0x6a,0x61,0x76,0x61,0x73,0x63,0x72,0x69,0x70,0x74,0x3a,0x69,0x66,0x20,0x28,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x22,0x70,0x61,0x73,0x73,0x22,0x29,0x2e,0x76,0x61,0x6c,0x75,0x65,0x3d,0x3d,0x22,0x6a,0x30,0x30,0x77,0x31,0x6e,0x22,0x29,0x7b,0x61,0x6c,0x65,0x72,0x74,0x28,0x22,0x59,0x6f,0x75,0x20,0x57,0x49,0x4e,0x21,0x22,0x29,0x3b,0x77,0x69,0x6e,0x64,0x6f,0x77,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x20,0x2b,0x3d,0x20,0x22,0x3f,0x6c,0x76,0x6c,0x5f,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3d,0x22,0x2b,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x22,0x70,0x61,0x73,0x73,0x22,0x29,0x2e,0x76,0x61,0x6c,0x75,0x65,0x7d,0x65,0x6c,0x73,0x65,0x20,0x7b,0x61,0x6c,0x65,0x72,0x74,0x28,0x22,0x57,0x52,0x4f,0x4e,0x47,0x21,0x20,0x54,0x72,0x79,0x20,0x61,0x67,0x61,0x69,0x6e,0x21,0x22,0x29,0x7d,0x27,0x3e,0x43,0x68,0x65,0x63,0x6b,0x20,0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3c,0x2f,0x62,0x75,0x74,0x74,0x6f,0x6e,0x3e));

Addendum: Thank you for de-obfuscating it, but I'm only interested in how I can obfuscate my own code like this.

Upvotes: 3

Views: 6234

Answers (5)

ToniG
ToniG

Reputation: 41

Actually I have now figured out the real way to obfuscate the javascript like that, without having to make each character separately.

http://javascriptobfuscator.com/default.aspx

This is the obfuscator.

Upvotes: 1

Dejan Marjanović
Dejan Marjanović

Reputation: 19380

PHP, assuming $string contains data. So you can obfuscate by running reverse process.

echo preg_replace('~((0|\\\)x([0-9a-f]+))~ei', 'chr(hexdec("\\1"))', $string);

You will get this...

var _�=["fromCharCode","write"];document[_�[]](String[_�[]](<,b,u,t,t,o,n, ,o,n,c,l,i,c,k,=,',j,a,v,a,s,c,r,i,p,t,:,i,f, ,(,d,o,c,u,m,e,n,t,.,g,e,t,E,l,e,m,e,n,t,B,y,I,d,(,",p,a,s,s,",),.,v,a,l,u,e,=,=,",j,0,0,w,1,n,",),{,a,l,e,r,t,(,",Y,o,u, ,W,I,N,!,",),;,w,i,n,d,o,w,.,l,o,c,a,t,i,o,n, ,+,=, ,",?,l,v,l,_,p,a,s,s,w,o,r,d,=,",+,d,o,c,u,m,e,n,t,.,g,e,t,E,l,e,m,e,n,t,B,y,I,d,(,",p,a,s,s,",),.,v,a,l,u,e,},e,l,s,e, ,{,a,l,e,r,t,(,",W,R,O,N,G,!, ,T,r,y, ,a,g,a,i,n,!,",),},',>,C,h,e,c,k, ,P,a,s,s,w,o,r,d,<,/,b,u,t,t,o,n,>));

Upvotes: 1

Matt Ellen
Matt Ellen

Reputation: 11612

Each \xnn is a character code as hexadecimal.

So \x63 will give you an 'a'

To do it to your own code you need to have something that will translate each character to it's hex code point:

var aAsHex = '\\x'+'a'.charCodeAt(0).toString(16)

Then copy and paste the output to a file.

Upvotes: 4

Raynos
Raynos

Reputation: 169551

var _0x4e9d = ["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65", "\x77\x72\x69\x74\x65"];

is ["fromCharCode", "write"]

document[_0x4e9d[0x1]](String[_0x4e9d[0x0]]

is document.write(String.fromCharCode

String.fromCharCode(0x3c, 0x62, ...)

Is 

<button 
  onclick='javascript:if (document.getElementById("pass").value=="j00w1n"){alert("You WIN!");window.location += "?lvl_password="+document.getElementById("pass").value}else {alert("WRONG! Try again!")}'
>
  Check Password
</button>

The JavaScript in the onclick is

if (document.getElementById("pass").value=="j00w1n") {
  alert("You WIN!");
  window.location += "?lvl_password=" + document.getElementById("pass").value
} else {
  alert("WRONG! Try again!")
}

Upvotes: 3

Nayuki
Nayuki

Reputation: 18552

Note that in JavaScript, someobject["xyz"] is about the same as someobject.xyz.

First statement:

_0x4e9d is an array with two strings:

  • "fromCharCode"
  • "write"

Second statement decodes to document.write(String.fromCharCode(0x3c,0x62,...,0x3e)).

Finally, the string being written is this piece of HTML:

<button onclick='javascript:if (document.getElementById("pass").value=="j00w1n"){alert("You WIN!");window.location += "?lvl_password="+document.getElementById("pass").value}else {alert("WRONG! Try again!")}'>Check Password

Upvotes: 7

Related Questions