Decompress JavaScript compressed by /packer/ and other Compressors

Posted 2008-06-09 in JavaScript by Johann.

JavaScript code is frequently compressed. This is done to

It is often helpful to be able to uncompress JavaScript again. You may want to regain access to compressed code whose original no longer exists, or you might want to understand what vulnerabilities crackers are exploiting.

JavaScript compressors

All JavaScript packers consist of two parts:

  1. A decompressor that uncompresses and loads the original JavaScript.
  2. A data segment that contains the compressed JavaScript code.

Dynamic JavaScript

JavaScript can be loaded dynamically using the following methods:

  1. eval. The eval function evaluates a string argument that contains JavaScript.
  2. Writing a new <script> element to the page using document.write.
  3. new Function(string). The Function constructor can be used to evaluate JavaScript code, in a similar way to eval.

In most packers, eval is used, followed by document.write.

Decompressing

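To decompress JavaScript, replace the loading method used by the packer (one of those described above) with one of the following, so that the decompressed code is displayed instead of executed. The decompressor itself still runs when you do this, so analyse untrusted samples in an isolated browser profile or virtual machine.

  1. alert. The alert will simply print the code in a popup window.
  2. If the JavaScript appears after the <body> element, you can add a <textarea> like so:
    <textarea id="code"></textarea>

    Then, replace eval(…); with document.getElementById("code").value=…;.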

/packer/

A typical JavaScript compressed with /packer/ starts with the following code:

eval(function(p,a,c,k,e,r)…

eval can simply be replaced by alert.

JavaScript Utility

The JavaScript Utility decompressor/loader code looks like this:

eval((function(s){var a,c,e,i,j,o=""…

Again, eval can be replaced.

PSA

PSA by JSIntegration is another packer. It also uses the eval function, which can be replaced by one of the methods described above.

eval(function(E,I,A,D,J,K,L,H)…

A Malware example

I found this code on a Ukrainian site that serves malware through Internet Explorer exploits.

function WKOOOz34(OrPv){… document.write(PWS);}WKOOOz34(unescape('…

Here, <textarea id="code"></textarea> can be added to the page and document.write(PWS) replaced by document.getElementById("code").value=PWS.
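
The same substitution done outside the browser, as an added example that is not part of the original post: a Node.js script that runs the packed code in a node:vm context with eval, new Function and document.write replaced by recorders. The helper name captureUnpacked and both sample strings are constructed for illustration.

```javascript
const vm = require('node:vm');

// Constructed sample in the /packer/ shape: eval(function(p,a,c,k,e,r){...}(...)).
const SAMPLE_PACKER = String.raw`eval(function(p,a,c,k,e,r){while(c--)if(k[c])p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c]);return p}('2 0="1";',10,3,'greeting|hello|var'.split('|'),0,{}))`;

// Constructed sample in the document.write shape (benign payload).
const SAMPLE_WRITER =
  "function loader(enc){var PWS=enc;document.write(PWS);}" +
  "loader(unescape('%3Cp%3Econstructed%3C%2Fp%3E'));";

// Run a packed script with its loader sinks (eval, new Function, document.write)
// swapped for recorders, so the unpacked text is captured instead of executed.
// captureUnpacked is a hypothetical helper name. node:vm is not a security
// boundary: the decompressor still runs, so use a throwaway VM for real samples.
function captureUnpacked(source, timeoutMs = 1000) {
  const captured = [];
  const record = (sink) => (...args) => {
    captured.push({ sink, code: args.map(String).join('') });
  };
  const sandbox = {
    eval: record('eval'),
    // `new Function(body)` must hand back something callable, so return a no-op.
    Function: function (...args) {
      captured.push({ sink: 'Function', code: String(args[args.length - 1]) });
      return function () {};
    },
    document: { write: record('document.write'), writeln: record('document.writeln') },
  };
  let error = null;
  try {
    vm.runInNewContext(source, sandbox, { timeout: timeoutMs });
  } catch (e) {
    // Typical cause: the loader touches a browser object that is not stubbed.
    error = String(e && e.message);
  }
  return { captured, error };
}

for (const sample of [SAMPLE_PACKER, SAMPLE_WRITER]) {
  console.log(captureUnpacked(sample));
}
```

A loader that reaches its sink indirectly (for example through a function's constructor property) is not caught by these stubs and needs its own hook.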

Summary

There is no way to encrypt JavaScript: the browser has to be able to run it, so compressed JavaScript code can always be uncompressed again.

4 comments

#1 2008-06-11 by Awesome AnDrEw

It is just another fine example why web developers cannot, and should not, rely solely on client-side coding and scripts in the context of security. The eval function is one of the most useful "tools" in the language, but another method for extracting values would be using the JavaScript protocol/URI handler (as in javascript:alert(functionname(value))).

#2 2008-06-16 by Alphane Moon

Hello Johann,

There is another tool for analyzing JavaScript code: Malzilla. It can be downloaded from sourceforge.

#3 2010-02-01 by Sumit

I was wondering if there is a text compressor/decompressor in JavaScript (in a crude way, a gzip utility written in JavaScript)? Alas, my search on Google and Yahoo led me to JavaScript compression on Apache/Tomcat and all other techniques for faster delivery on a website! :D

#4 2010-02-01 by Johann

Sumit,

there is an implementation of Huffman Coding in JavaScript but since you can't have binary blocks in JavaScript (need to escape this and that), the savings will be offset by encoding.
