Monthly Archives

December 2011

Unpacking Packed JavaScript Code

I’m sure if you are reading this, you too, as I have many times, come across packed JavaScript code that you needed either to check for maliciousness, modification, curiosity, or perhaps even something more sinister. Don’t judge me, I won’t judge you. Either way, you’ve probably had the same cringing look on your face the first time you saw this.

So, of course, I went about to figure out how to decipher, unscramble, or generally “decrypt” this annoyance. I’ve come across several methods while surfing the Internet, and I’d like to share what I’ve found.

As there are many different methods for JS packing, your mileage may vary greatly on the usefulness of the functionality here for unpacking. However, there are only so many ways to skin a cat and invariably most people have their code packed with the same method.

There are several ways to go about unpacking the code, and I’ll go ahead and list my quick and dirty favorites.

Method 1

The following method (by the guys at http://www.strictly-software.com/unpacker), of course their code needs to be decoded itself by looking at their reformat.js

function unpack()
{
    var p = G('txtPacked').value, c="";
    if (p != "")
    {
        c = p;
        if (/eval(+function(/.test(c))
        {
            var _e = eval;
            var s = "eval = function(v) { c = v; };" + c + "; eval = _e;";
            eval(s);
        }
        c = R(c,{indent_size: 1, indent_char: 't'});
    }

    G('txtUnpacked').value = unescape(c);
}

Method 2

Another method supposed is to replace the eval() function call with a document.write() call


eval(code);

to

document.write(code);

Of course, that is just enough to get you started, but it was enough for me, and I hope it helps out others. Good luck, happy hunting & happy hacking!