Deobfuscating Javascript

Question

What is this monstrosity? Anyone know of a way to make it readable?

<script type="text/javascript"> 
    //<![CDATA[
    <!--
    var x="function f(x){var i,o=\"\",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=" +
    "x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f(\"ufcnitnof x({)av" +
    " r,i=o\\\"\\\"o,=l.xelgnhtl,o=;lhwli(e.xhcraoCedtAl(1/)3=!76{)rt{y+xx=l;=+;" +
    "lc}tahce({)}}of(r=i-l;1>i0=i;--{)+ox=c.ahAr(t)i};erutnro s.buts(r,0lo;)f}\\" +
    "\"(0),9\\\"\\\\$.;(.34U03\\\\\\\\16\\\\0E\\\\NSCZhC24\\\\03\\\\01\\\\\\\\St" +
    "DEMPbM02\\\\0C\\\\x#opms58aJ}qb<jb7`17\\\\\\\\hc7s17\\\\\\\\rzEeljdp7m03\\\\"+
    "\\\\36\\\\0F\\\\24\\\\06\\\\01\\\\\\\\25\\\\01\\\\02\\\\\\\\26\\\\03\\\\03\\"+
    "\\\\\\(W4N02\\\\\\\\24\\\\02\\\\00\\\\\\\\07\\\\0N\\\\14\\\\0P\\\\BI07\\\\0" +
    "4\\\\00\\\\\\\\02\\\\02\\\\02\\\\\\\\14\\\\06\\\\02\\\\\\\\24\\\\0L\\\\25\\" +
    "\\06\\\\01\\\\\\\\3:?(>4\\\"\\\\f(;} ornture;}))++(y)^(iAtdeCoarchx.e(odrCh" +
    "amCro.fngriSt+=;o27=1y%i;+=)y90==(iif){++;i<l;i=0(ior;fthnglex.l=\\\\,\\\\\\"+
    "\"=\\\",o iar{vy)x,f(n ioctun\\\"f)\")"                                      ;
    while(x=eval(x));
    //-->
    //]]>
</script> 

Answer 1

There are two main reasons for obfuscating ones code:

1. The person who wrote it didn't want to provide the code in readable form to avoid from stealing his intellectual property
2. Virus, Spyware, ...

In the first case I would suggest you asking the author to provide you the source code.

Answer 2

You'll have to get it out of that string to unpack it, and much of that work will be manual, since some of it appears to be encoded.

But I agree with Darin. Ask the author for unobfuscated source.

Answer 3

It is doing something like this:

document.writeln("< a href=\"mailto:[email protected]\" title=\"Contact\">Contact");

So something like a copyright notice

Full source

function f(x, y) {
    var i, o = "", l = x.length;
    for (i = 0; i < l; i++) {
        if (i == 90) {
            y += i;
        }
        y %= 127;
        o += String.fromCharCode(x.charCodeAt(i) ^ y++);
    }
    return o;
}

f(">4?(3:\x0E\x15L\x14\x16\f\x12\x02\x04\x07BIP\fN\x07\x02\x14\x14N(W\x1B\x16\x11\x15\x0E\x14F\x1E\x1FmdpljEerz\x7Fshc\x7F`jbb<}qaJ58msopx#C\x02bMMPDESt\v\x14hCCZNSE\x0E\x1CU.3;($.", 90);

Done with Firefox addon "Javascript Deobfuscator"

Answer 4

This a really obfuscated version of:

document.writeln("<a href=\"mailto:[email protected]\" title=\"Contact\">Contact</a>");

I assume it is obfuscated this much to avoid spammers. But of course spambots could just render the page with Webkit and traverse the DOM for email addresses ... ;)

So.. how to deobfuscate?

1. Go to http://jsbeautifier.org/
2. Paste the source and beautify it
3. Edit the function f(x) so it does console.log(o) instead of return o
4. Execute the modified code and beautify its output.
5. Repeat steps 2-4 until it is readable.

Answer 5

Edit: Looks like some people beat me to it after all. Thanks!

---

After the unhelpful "Answers" received from some of the big guns (5 digit rep score) I decided to de-obfuscate it myself:

document.writeln("<a href=\"mailto:[email protected]\" title=\"Contact\">Contact</a>");0;

The whole shebang is just a very over-the-top way of hiding an email address.

---

To do this go to your firebug console and execute this:

    var x="function f(x){var i,o=\"\",l=x.length;for(i=0;i<l;i+=2) {if(i+1<l)o+=" +
    "x.charAt(i+1);try{o+=x.charAt(i);}catch(e){}}return o;}f(\"ufcnitnof x({)av" +
    " r,i=o\\\"\\\"o,=l.xelgnhtl,o=;lhwli(e.xhcraoCedtAl(1/)3=!76{)rt{y+xx=l;=+;" +
    "lc}tahce({)}}of(r=i-l;1>i0=i;--{)+ox=c.ahAr(t)i};erutnro s.buts(r,0lo;)f}\\" +
    "\"(0),9\\\"\\\\$.;(.34U03\\\\\\\\16\\\\0E\\\\NSCZhC24\\\\03\\\\01\\\\\\\\St" +
    "DEMPbM02\\\\0C\\\\x#opms58aJ}qb<jb7`17\\\\\\\\hc7s17\\\\\\\\rzEeljdp7m03\\\\"+
    "\\\\36\\\\0F\\\\24\\\\06\\\\01\\\\\\\\25\\\\01\\\\02\\\\\\\\26\\\\03\\\\03\\"+
    "\\\\\\(W4N02\\\\\\\\24\\\\02\\\\00\\\\\\\\07\\\\0N\\\\14\\\\0P\\\\BI07\\\\0" +
    "4\\\\00\\\\\\\\02\\\\02\\\\02\\\\\\\\14\\\\06\\\\02\\\\\\\\24\\\\0L\\\\25\\" +
    "\\06\\\\01\\\\\\\\3:?(>4\\\"\\\\f(;} ornture;}))++(y)^(iAtdeCoarchx.e(odrCh" +
    "amCro.fngriSt+=;o27=1y%i;+=)y90==(iif){++;i<l;i=0(ior;fthnglex.l=\\\\,\\\\\\"+
    "\"=\\\",o iar{vy)x,f(n ioctun\\\"f)\")"                                      ;
    while(x=eval(x)){
        console.log(x);
    }

Answer 6

@David - I was going to suggest something similar to what you did with Firebug. I've had to do this before with Omniture tracking code but used Webkits nice developer tools to do something similar.