Decompress JavaScript compressed by /packer/ and other Compressors

Posted 2008-06-09 in JavaScript by Johann.

JavaScript code is frequently compressed. This is done to

It is often helpful to be able to uncompress JavaScript again. You could want to regain access to compressed code where the original code does no longer exist or you might want to understand what vulnerabilities crackers are exploiting.

JavaScript compressors

All JavaScript packers consist of two parts:

  1. A decompressor that uncompresses and loads the original JavaScript.
  2. A data segment that contains the compressed JavaScript code.

Dynamic JavaScript

JavaScript can be loaded dynamically using the following methods:

  1. eval. The eval function evaluates a string argument that contains JavaScript.
  2. Writing a new <script> element to the page using document.write.
  3. new Function(string). The Function constructor can be used to evaluate JavaScript code, in a similar way to eval.

In most packers, eval is used, followed by document.write.

Decompressing

To decompress JavaScript, simply replace the methods described above by one of the following:

  1. alert. The alert will simply print the code in a popup-window.
  2. If the JavaScript appears after the <body> element, you can add a <textarea> like so:
    <textarea id="code"></textarea>
    Then, replace eval(…); by document.getElementById("code").value=…;.

/packer/

A typical JavaScript compressed with /packer/ starts with the following code:

eval(function(p,a,c,k,e,r)…

eval can simply be replaced by alert.

JavaScript Utility

The JavaScript Utility decompressor/loader code looks like this:

eval((function(s){var a,c,e,i,j,o=""…

Again, eval can be replaced.

PSA

PSA by JSIntegration is another packer. It also uses the eval function which can be replaced by one of the methods described above.

eval(function(E,I,A,D,J,K,L,H)…

A Malware example

I found this code on a Ukrainian site that serves malware through Internet Explorer exploits.

function WKOOOz34(OrPv){… document.write(PWS);}WKOOOz34(unescape('…

Here, <textarea id="code"></textarea> can be added to the page and the document.write(PWS) be replaced by document.getElementById("code").value=PWS.

Summary

There is no way to encrypt JavaScript so compressed JavaScript code can always be uncompressed again.

4 comments

xslt.js version 3.2 released

Posted 2008-08-30 in JavaScript by Johann.

Version 3.2 of xslt.js, my JavaScript library to perform client-side XML transformations, is now available for download.

New Feature

I’ve added the often requested ability to use inline XML and XSLT as arguments in addition to using URIs to this version. Here’s an example.

// If using the regular code
new Transformation()
    .setXml('<?xml version="1.0"?><bla/>')
    .setXslt('<?xml version="1.0"?><xsl:stylesheet …')
    .transform('rofl');

// If using the jQuery plugin
$('#rofl').xslt('<?xml version="1.0"?><bla/>',
    '<?xml version="1.0"?><xsl:stylesheet …');

Thanks to a number of optimizations, the size of xslt.js has stayed pretty much the same.

Gotchas

One thing I spent considerable amounts of time on is on the way Gecko (the rendering engine behind Firefox) handles the MIME types in XMLHttpRequests. By default, my web server sent XSLT files as text/xsl, however, Gecko expects them to be delivered as text/xml (and possibly application/xml). If the MIME type doesn’t match, Gecko returns a null XMLResponse object.

6 comments

How to include a page onclick on the client side

Posted 2007-11-03 in JavaScript by Johann.

Here’s a simple example on how to include another page on the clientside using the inc clientside include plugin:

<div id="bla"></div>
<p onclick="$('#bla').inc('blob.txt')">Include stuff</p>

I’m using the onclick event handler here but you could use javascript:-URIs like <a href="javascript:"> as well.

Clientside includes have some limitations.

  • You can only include resources from the current domain (or sub-domain).
  • Mozilla-based browsers seem to only load content with MIME types text/* though I have to look this up.

Demo



Click here to include my robots.txt.


 


Google Translate bookmarklet: remove Translate links


Posted 2008-02-24 in JavaScript by Johann.


Google Translate is useful to read foreign websites. The only problem I have with the service is that all links are routed through Google Translate. Sometimes, this is not necessary.


I wrote a little bookmarklet that lets you remove the Google Translate link from all of the links on a web page.


Installing this bookmarklet


    

  • Windows users: Right-click on the link below and chose “Bookmark this link.”
    • 

  • Apple users: Do the same but restrict yourself to just one mouse button.
    • 



Google Translate: Remove links


 




Pages


Page 1  · Page 2  · Page 3  · Page 4 · Page 5 · Next Page »












 
Subscribe

 
RSS 2.0, Atom
  or subscribe by Email.



Top Posts


    
   
  1. DynaCloud - a dynamic JavaScript tag/keyword cloud with jQuery
    2. 
   
  2. 6 fast jQuery Tips: More basic Snippets
    3. 
   
  3. xslt.js version 3.2 released
    4. 
   
  4. xslt.js version 3.0 released XML XSLT now with jQuery plugin
    5. 
   
  5. Forum Scanners - prevent forum abuse
    6. 
   
  6. Automate JavaScript compression with YUI Compressor and /packer/
    7. 





 
Categories








 
Navigation