De-obfuscate Javascript code to make it readable again [duplicate]

Asked 16/10, 2012 at 19:4 Answered 5/1, 2019 at 2:27

I hate to bring this here, while doing the learning of obfuscating the JS code, I encoded my code and then over wrote the orginal one without any backup :) Following is my obfuscated code.

var _0xf17f=["\x28","\x29","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x53\x74\x75\x64\x65\x6E\x74\x5F\x6E\x61\x6D\x65","\x73\x74\x75\x64\x65\x6E\x74\x5F\x64\x6F\x62","\x3C\x62\x3E\x49\x44\x3A\x3C\x2F\x62\x3E","\x3C\x61\x20\x68\x72\x65\x66\x3D\x22\x2F\x6C\x65\x61\x72\x6E\x69\x6E\x67\x79\x69\x69\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70\x3F\x72\x3D\x73\x74\x75\x64\x65\x6E\x74\x2F\x76\x69\x65\x77\x26\x61\x6D\x70\x3B\x20\x69\x64\x3D","\x22\x3E","\x3C\x2F\x61\x3E","\x3C\x62\x72\x2F\x3E","\x3C\x62\x3E\x53\x74\x75\x64\x65\x6E\x74\x20\x4E\x61\x6D\x65\x3A\x3C\x2F\x62\x3E","\x3C\x62\x3E\x53\x74\x75\x64\x65\x6E\x74\x20\x44\x4F\x42\x3A\x3C\x2F\x62\x3E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x63\x6C\x61\x73\x73","\x76\x69\x65\x77","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x70\x72\x65\x70\x65\x6E\x64","\x2E\x69\x74\x65\x6D\x73","\x66\x69\x6E\x64","\x23\x53\x74\x75\x64\x65\x6E\x74\x47\x72\x69\x64\x56\x69\x65\x77\x49\x64"];function call_func(_0x41dcx2){var _0x41dcx3=eval(_0xf17f[0]+_0x41dcx2+_0xf17f[1]);var _0x41dcx4=document[_0xf17f[3]](_0xf17f[2]);var _0x41dcx5=_0x41dcx3[_0xf17f[4]];var _0x41dcx6=_0x41dcx3[_0xf17f[5]];var _0x41dcx7=_0x41dcx3[_0xf17f[6]];var _0x41dcx8=_0xf17f[7];_0x41dcx8+=_0xf17f[8]+_0x41dcx5+_0xf17f[9]+_0x41dcx5+_0xf17f[10];_0x41dcx8+=_0xf17f[11];_0x41dcx8+=_0xf17f[12];_0x41dcx8+=_0x41dcx6;_0x41dcx8+=_0xf17f[11];_0x41dcx8+=_0xf17f[13];_0x41dcx8+=_0x41dcx7;_0x41dcx8+=_0xf17f[11];_0x41dcx4[_0xf17f[14]]=_0x41dcx8;_0x41dcx4[_0xf17f[17]](_0xf17f[15],_0xf17f[16]);$(_0xf17f[21])[_0xf17f[20]](_0xf17f[19])[_0xf17f[18]](_0x41dcx4);} ;

Can anyone guide me the URL or any method to make it readable. I did this from this website and they seemingly provide on one way obfuscation services available on their website...this was my test code during a learning so would be greatful if anyone could help me out.

Clutch answered 16/10, 2012 at 19:4 Comment(7)

Lesson learned, use a VCS so you can revert your mistakes. – Thera 16/10, 2012 at 19:6

I hate for you to bring this here, too. This is rather off topic on SO. (For future reference, though, if you were using a version control system you wouldn't be in this situation.) – Rader 16/10, 2012 at 19:8

yeah..agree..I always use that but since this was learning project, so I am facing the music....:) – Clutch 16/10, 2012 at 19:10

There's no way to deobfuscate code back to it's original condition, since all variable names are lost. The best you can do is beautify it and work backwards by using mass replace on variable names. Short answer: you have to deobfuscate it manually. – Cohette 16/10, 2012 at 19:13

Dropping just the initial array into chrome's dev tools leads me to:

["(", ")", "div", "createElement", "id", "Student_name", "student_dob", "<b>ID:</b>", "<a href="/learningyii/index.php?r=student/view&amp; id=", "">", "</a>", "<br/>", "<b>Student Name:</b>", "<b>Student DOB:</b>", "innerHTML", "class", "view", "setAttribute", "prepend", ".items", "find", "#StudentGridViewId"]

, which needs a couple escape characters on quotes, but is otherwise deobfuscated. – Thera 16/10, 2012 at 19:15

@Cohette That would be true if this code was merely minified, but it seems like it was also encoded in some nonobvious way. – Beak 16/10, 2012 at 19:18

@Beak it's latin-1 hexidecimal encoding, just run it through a decoder. like i said, it's manual. – Cohette 16/10, 2012 at 19:21

Try this: http://jsbeautifier.org/

I tested with your code and worked as good as possible. =D

Shangrila answered 16/10, 2012 at 19:7 Comment(1)

rbonito's answer to this question is also worth checking out: https://mcmap.net/q/423720/-de-obfuscate-javascript-code-to-make-it-readable-again-duplicate. – Psilomelane 10/12, 2022 at 15:50

Here's a new automated tool, JSNice, to try to deobfuscate/deminify it. The tool even tries to guess the variable names, which is unbelievably cool. (It mines Javascript on github for this purpose.)

The tagline on the page is "Statistical renaming, Type inference and Deobfuscation".

http://www.jsnice.org

Halt answered 4/6, 2014 at 12:9 Comment(0)

Try this: http://jsbeautifier.org/

I tested with your code and worked as good as possible. =D

Shangrila answered 16/10, 2012 at 19:7 Comment(1)

rbonito's answer to this question is also worth checking out: https://mcmap.net/q/423720/-de-obfuscate-javascript-code-to-make-it-readable-again-duplicate. – Psilomelane 10/12, 2022 at 15:50

Here it is:

function call_func(input) {
    var evaled = eval('(' + input + ')');
    var newDiv = document.createElement('div');
    var id = evaled.id;
    var name = evaled.Student_name;
    var dob = evaled.student_dob;
    var html = '<b>ID:</b>';
    html += '<a href="/learningyii/index.php?r=student/view&amp; id=' + id + '">' + id + '</a>';
    html += '<br/>';
    html += '<b>Student Name:</b>';
    html += name;
    html += '<br/>';
    html += '<b>Student DOB:</b>';
    html += dob;
    html += '<br/>';
    newDiv.innerHTML = html;
    newDiv.setAttribute('class', 'view');
    $('#StudentGridViewId').find('.items').prepend(newDiv);
};

I used one of the deobfuscating tools like in other answers, then read the code to understand what it was doing and renamed variables to convey the meaning.

Pinprick answered 16/10, 2012 at 19:27 Comment(6)

How did you decoded it? I also accidentally replaced my original code with obfuscated code – Tamatamable 4/2, 2016 at 18:45

Something like the other answers mention, jsnice or jsbeautifier. Then I studied it to figure out what it was doing and renamed the variables. – Pinprick 5/2, 2016 at 23:6

Wow @TrevorDixon where you learn decode obfuscate? please give me link – Babbler 13/10, 2016 at 1:35

Hi @Trevor Dixon, where did I get in touch with you to do a job? – Tzong 16/3, 2017 at 3:55

@MarzCT I sent you an email. – Pinprick 16/3, 2017 at 16:1

This would be a great answer if you explained how you did it. – Buskined 15/12, 2023 at 14:50

From the first link on google;

function call_func(_0x41dcx2) {
 var _0x41dcx3 = eval('(' + _0x41dcx2 + ')');
 var _0x41dcx4 = document['createElement']('div');
 var _0x41dcx5 = _0x41dcx3['id'];
 var _0x41dcx6 = _0x41dcx3['Student_name'];
 var _0x41dcx7 = _0x41dcx3['student_dob'];
 var _0x41dcx8 = '<b>ID:</b>';
 _0x41dcx8 += '<a href="/learningyii/index.php?r=student/view&amp; id=' + _0x41dcx5 + '">' + _0x41dcx5 + '</a>';
 _0x41dcx8 += '<br/>';
 _0x41dcx8 += '<b>Student Name:</b>';
 _0x41dcx8 += _0x41dcx6;
 _0x41dcx8 += '<br/>';
 _0x41dcx8 += '<b>Student DOB:</b>';
 _0x41dcx8 += _0x41dcx7;
 _0x41dcx8 += '<br/>';
 _0x41dcx4['innerHTML'] = _0x41dcx8;
 _0x41dcx4['setAttribute']('class', 'view');
 $('#StudentGridViewId')['find']('.items')['prepend'](_0x41dcx4);
};

It won't get you all the way back to source, and that's not really possible, but it'll get you out of a hole.

Taryn answered 16/10, 2012 at 19:9 Comment(1)

How did you do that? I couldn't find this first link on google. I tried all links and programs from google but your deobfuscation is better. It substituted values in place of array indexes! Is it auto-deobfuscation? – Gibbons 7/10, 2016 at 1:36

-2

I have tried both of online jsbeautifier(jsbeautifier, jsnice), these tools gave me beautiful js code,

but couldn't copy for very large js (must be bug, when i copy, copied buffer contains only one character '-').

I found that only working solution was prettyjs:

http://www.thaoh.net/prettyjs/

Frayne answered 5/1, 2019 at 2:27 Comment(0)

Recommended topics

Hot tags