De-obfuscate Javascript code to make it readable again

Question

I hate to bring this here, while doing the learning of obfuscating the JS code, I encoded my code and then over wrote the orginal one without any backup :) Following is my obfuscated code.

var _0xf17f=["\x28","\x29","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x53\x74\x75\x64\x65\x6E\x74\x5F\x6E\x61\x6D\x65","\x73\x74\x75\x64\x65\x6E\x74\x5F\x64\x6F\x62","\x3C\x62\x3E\x49\x44\x3A\x3C\x2F\x62\x3E","\x3C\x61\x20\x68\x72\x65\x66\x3D\x22\x2F\x6C\x65\x61\x72\x6E\x69\x6E\x67\x79\x69\x69\x2F\x69\x6E\x64\x65\x78\x2E\x70\x68\x70\x3F\x72\x3D\x73\x74\x75\x64\x65\x6E\x74\x2F\x76\x69\x65\x77\x26\x61\x6D\x70\x3B\x20\x69\x64\x3D","\x22\x3E","\x3C\x2F\x61\x3E","\x3C\x62\x72\x2F\x3E","\x3C\x62\x3E\x53\x74\x75\x64\x65\x6E\x74\x20\x4E\x61\x6D\x65\x3A\x3C\x2F\x62\x3E","\x3C\x62\x3E\x53\x74\x75\x64\x65\x6E\x74\x20\x44\x4F\x42\x3A\x3C\x2F\x62\x3E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x63\x6C\x61\x73\x73","\x76\x69\x65\x77","\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x70\x72\x65\x70\x65\x6E\x64","\x2E\x69\x74\x65\x6D\x73","\x66\x69\x6E\x64","\x23\x53\x74\x75\x64\x65\x6E\x74\x47\x72\x69\x64\x56\x69\x65\x77\x49\x64"];function call_func(_0x41dcx2){var _0x41dcx3=eval(_0xf17f[0]+_0x41dcx2+_0xf17f[1]);var _0x41dcx4=document[_0xf17f[3]](_0xf17f[2]);var _0x41dcx5=_0x41dcx3[_0xf17f[4]];var _0x41dcx6=_0x41dcx3[_0xf17f[5]];var _0x41dcx7=_0x41dcx3[_0xf17f[6]];var _0x41dcx8=_0xf17f[7];_0x41dcx8+=_0xf17f[8]+_0x41dcx5+_0xf17f[9]+_0x41dcx5+_0xf17f[10];_0x41dcx8+=_0xf17f[11];_0x41dcx8+=_0xf17f[12];_0x41dcx8+=_0x41dcx6;_0x41dcx8+=_0xf17f[11];_0x41dcx8+=_0xf17f[13];_0x41dcx8+=_0x41dcx7;_0x41dcx8+=_0xf17f[11];_0x41dcx4[_0xf17f[14]]=_0x41dcx8;_0x41dcx4[_0xf17f[17]](_0xf17f[15],_0xf17f[16]);$(_0xf17f[21])[_0xf17f[20]](_0xf17f[19])[_0xf17f[18]](_0x41dcx4);} ;

Can anyone guide me the URL or any method to make it readable. I did this from this website and they seemingly provide on one way obfuscation services available on their website...this was my test code during a learning so would be greatful if anyone could help me out.

Lesson learned, use a [VCS](http://en.wikipedia.org/wiki/Revision_control) so you can revert your mistakes. — zzzzBov, Oct 16 '12 at 19:06
I hate for you to bring this here, too. This is rather off topic on SO. (For future reference, though, if you were using a version control system you wouldn't be in this situation.) — cHao, Oct 16 '12 at 19:08
yeah..agree..I always use that but since this was learning project, so I am facing the music....:) — FaisalKhan, Oct 16 '12 at 19:10
There's no way to deobfuscate code back to it's original condition, since all variable names are lost. The best you can do is beautify it and work backwards by using mass replace on variable names. Short answer: you have to deobfuscate it manually. — jbabey, Oct 16 '12 at 19:13
Dropping just the initial array into chrome's dev tools leads me to: `["(", ")", "div", "createElement", "id", "Student_name", "student_dob", "ID:", "", "", "
", "Student Name:", "Student DOB:", "innerHTML", "class", "view", "setAttribute", "prepend", ".items", "find", "#StudentGridViewId"]`, which needs a couple escape characters on quotes, but is otherwise deobfuscated. — zzzzBov, Oct 16 '12 at 19:15
@jbabey That would be true if this code was merely minified, but it seems like it was also encoded in some nonobvious way. — millimoose, Oct 16 '12 at 19:18
@millimoose it's latin-1 hexidecimal encoding, just run it through a decoder. like i said, it's manual. — jbabey, Oct 16 '12 at 19:21
Hello Dennis, this is your JS teacher, I see how you managed to solve your assignments and still do so bad on the exam. We should revisit that diploma you received. — Johan Van Wambeke, Jan 31 '21 at 13:04

score 52 · Answer 1 · edited Dec 10 '22 at 15:50

52

Here's a new automated tool, JSNice, to try to deobfuscate/deminify it. The tool even tries to guess the variable names, which is unbelievably cool. (It mines Javascript on github for this purpose.)

The tagline on the page is "Statistical renaming, Type inference and Deobfuscation".

http://www.jsnice.org

edited Dec 10 '22 at 15:50

nishanthshanmugham

2,967
1
25
29

answered Jun 04 '14 at 12:09

rbonito

537
1
4
2

score 29 · Accepted Answer · answered Oct 16 '12 at 19:07

29

Try this: http://jsbeautifier.org/

I tested with your code and worked as good as possible. =D

answered Oct 16 '12 at 19:07

Alcides Queiroz

9,456
3
28
43

rbonito's answer to this question is also worth checking out: https://stackoverflow.com/a/24037080/3309046. – nishanthshanmugham Dec 10 '22 at 15:50

score 16 · Answer 3 · answered Oct 16 '12 at 19:27

16

Here it is:

function call_func(input) {
    var evaled = eval('(' + input + ')');
    var newDiv = document.createElement('div');
    var id = evaled.id;
    var name = evaled.Student_name;
    var dob = evaled.student_dob;
    var html = '<b>ID:</b>';
    html += '<a href="/learningyii/index.php?r=student/view&amp; id=' + id + '">' + id + '</a>';
    html += '<br/>';
    html += '<b>Student Name:</b>';
    html += name;
    html += '<br/>';
    html += '<b>Student DOB:</b>';
    html += dob;
    html += '<br/>';
    newDiv.innerHTML = html;
    newDiv.setAttribute('class', 'view');
    $('#StudentGridViewId').find('.items').prepend(newDiv);
};

answered Oct 16 '12 at 19:27

Trevor Dixon

23,216
12
72
109

1

How did you decoded it? I also accidentally replaced my original code with obfuscated code – Saurabh Sharma Feb 04 '16 at 18:45
1

Something like the other answers mention, jsnice or jsbeautifier. Then I studied it to figure out what it was doing and renamed the variables. – Trevor Dixon Feb 05 '16 at 23:06
Wow @TrevorDixon where you learn decode obfuscate? please give me link – Rohman HM Oct 13 '16 at 01:35
Hi @Trevor Dixon, where did I get in touch with you to do a job? – Marcial Cahuaya Mar 16 '17 at 03:55
@MarzCT I sent you an email. – Trevor Dixon Mar 16 '17 at 16:01

score 1 · Answer 4 · answered Oct 16 '12 at 19:09

From the first link on google;

function call_func(_0x41dcx2) {
 var _0x41dcx3 = eval('(' + _0x41dcx2 + ')');
 var _0x41dcx4 = document['createElement']('div');
 var _0x41dcx5 = _0x41dcx3['id'];
 var _0x41dcx6 = _0x41dcx3['Student_name'];
 var _0x41dcx7 = _0x41dcx3['student_dob'];
 var _0x41dcx8 = '<b>ID:</b>';
 _0x41dcx8 += '<a href="/learningyii/index.php?r=student/view&amp; id=' + _0x41dcx5 + '">' + _0x41dcx5 + '</a>';
 _0x41dcx8 += '<br/>';
 _0x41dcx8 += '<b>Student Name:</b>';
 _0x41dcx8 += _0x41dcx6;
 _0x41dcx8 += '<br/>';
 _0x41dcx8 += '<b>Student DOB:</b>';
 _0x41dcx8 += _0x41dcx7;
 _0x41dcx8 += '<br/>';
 _0x41dcx4['innerHTML'] = _0x41dcx8;
 _0x41dcx4['setAttribute']('class', 'view');
 $('#StudentGridViewId')['find']('.items')['prepend'](_0x41dcx4);
};

It won't get you all the way back to source, and that's not really possible, but it'll get you out of a hole.

How did you do that? I couldn't find this first link on google. I tried all links and programs from google but your deobfuscation is better. It substituted values in place of array indexes! Is it auto-deobfuscation? — traxium, Oct 07 '16 at 01:36

score -2 · Answer 5 · answered Jan 05 '19 at 02:27

I have tried both of online jsbeautifier(jsbeautifier, jsnice), these tools gave me beautiful js code,

but couldn't copy for very large js (must be bug, when i copy, copied buffer contains only one character '-').

I found that only working solution was prettyjs:

http://www.thaoh.net/prettyjs/

De-obfuscate Javascript code to make it readable again

5 Answers5

Linked

Related