Decompress JavaScript compressed by /packer/ and other Compressors
Posted 2008-06-09 in JavaScript by Johann.
JavaScript code is frequently compressed. This is done to
- transmit JavaScript faster,
- make pages load faster by
- reducing the number of HTTP requests and
- making the JavaScript harder to read (obfuscate it).
It is often helpful to be able to uncompress JavaScript again. You could want to regain access to compressed code where the original code does no longer exist or you might want to understand what vulnerabilities crackers are exploiting.
JavaScript compressors
All JavaScript packers consist of two parts:
- A decompressor that uncompresses and loads the original JavaScript.
- A data segment that contains the compressed JavaScript code.
Dynamic JavaScript
JavaScript can be loaded dynamically using the following methods:
eval
. Theeval
function evaluates a string argument that contains JavaScript.- Writing a new
<script>
element to the page usingdocument.write
. new Function(string)
. TheFunction
constructor can be used to evaluate JavaScript code, in a similar way toeval
.
In most packers, eval
is used, followed by document.write
.
Decompressing
To decompress JavaScript, simply replace the methods described above by one of the following:
alert
. Thealert
will simply print the code in a popup-window.- If the JavaScript appears after the
<body>
element, you can add a<textarea>
like so:
<textarea id="code"></textarea>
Then, replaceeval(…);
bydocument.getElementById("code").value=…;
.
/packer/
A typical JavaScript compressed with /packer/ starts with the following code:
eval(function(p,a,c,k,e,r)…
eval
can simply be replaced by alert
.
JavaScript Utility
The JavaScript Utility decompressor/loader code looks like this:
eval((function(s){var a,c,e,i,j,o=""…
Again, eval
can be replaced.
PSA
PSA by JSIntegration is another packer. It also uses the eval
function which can be replaced by one of the methods described above.
eval(function(E,I,A,D,J,K,L,H)…
A Malware example
I found this code on a Ukrainian site that serves malware through Internet Explorer exploits.
function WKOOOz34(OrPv){… document.write(PWS);}WKOOOz34(unescape('…
Here, <textarea id="code"></textarea>
can be added to the page and the document.write(PWS)
be replaced by document.getElementById("code").value=PWS
.
Summary
There is no way to encrypt JavaScript so compressed JavaScript code can always be uncompressed again.
4 comments
#1 2008-06-11 by Awesome AnDrEw
It is just another fine example why web developers cannot, and should not rely solely on client-side coding and scripts in the context of security. The eval function is one of the most useful "tools" in the language, but another method for extracting values would be using the Javascript protocol/URI hander (as in javascript:alert(functionname(value))).
#2 2008-06-16 by Alphane Moon
Hello Johann,
There is another tool for analyzing JavaScript code: Malzilla. It can be downloaded from sourceforge.
I was wondering if there is a text compressor/decompressor in javascript (in crude way, a gzip utility written in javascript)? Alas, my search on google yahoo lead me to javascript compressions on apache/tomcat and all other techniques for faster delivery on a website! :D
Sumit,
there is an implementation of Huffman Coding in JavaScript but since you can't have binary blocks in JavaScript (need to escape this and that), the savings will be offset by encoding.
Subscribe
RSS 2.0, Atom or subscribe by Email.
Top Posts
- DynaCloud - a dynamic JavaScript tag/keyword cloud with jQuery
- 6 fast jQuery Tips: More basic Snippets
- xslt.js version 3.2 released
- xslt.js version 3.0 released XML XSLT now with jQuery plugin
- Forum Scanners - prevent forum abuse
- Automate JavaScript compression with YUI Compressor and /packer/