
As we all know, obfuscated JavaScript code produced with things like "packer" and "eval" can easily be decoded by a variety of tools available on the Internet, but recently I encountered a piece of JavaScript code that is obfuscated with things like []['filter']['constructor']....., for which there seems to be no way to decode it. The example is as follows:

[]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[true + true] + "N" + "S" + "S" + "{" + "I" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] +
    "5" + "f") + 101["toString"]("!0!01")[+true] + "a" + (+"false" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["fontcolor"]()["!01"])[true + true] + "a" + "t" + "e")()())["!0!0!00"] + "e" + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" +
    "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "5" + "f") + []["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "59" + "") + "o" + "u" + []["filter"]["constructor"]("r" +
    "e" + "t" + "u" + "r" + "n" + " " + "u" + "n" + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()([]["filter"]["constructor"]("r" + "e" + "t" + "u" + "r" + "n" + " " + "e" + "s" + "c" + "a" + 211["toString"]("!0!0!01")[+true] + "e")()("" ["italics"]()[0])[0] + "7" + "d");

How do I decode JavaScript like that?

emerson.marini
Su Excelle

1 Answer

That looks very much like non-alphanumeric obfuscation, but in an intermediate form. Look here for an example.

The principle is the same:

1. It relies on an alternative form of evaluating the code, which in your case is the Array filter constructor.
2. It uses subscript notation (to transform object names into strings).
3. It breaks the strings into single-char strings, and then transforms each char into non-alphanumeric symbol sequences using type coercion.

Decoding this is very easy, but it requires hard work if you do it manually. I think it would take less than an hour to write a tool to revert this automatically. It may seem like a good obfuscation at first, but it is not resilient and can be easily defeated.

No obfuscation is 100% bulletproof, but modern JS obfuscators such as JScrambler go much deeper than basic encoding techniques (be it eval or eval-less).

See this presentation for more details on non-alphanumeric obfuscation (slides 33-38). See the rest of it if you are interested in JavaScript obfuscation.

Oliver Tony