In the modern web development landscape, JavaScript is the undisputed king of client-side logic. However, with great power comes great obfuscation. Developers (and malware authors alike) use obfuscation to protect intellectual property, hide malicious payloads, or simply reduce file size. For security researchers, penetration testers, and curious developers, the ability to reverse this process is critical.
<!DOCTYPE html> <html> <head><title>Portable JS Deobfuscator</title></head> <body> <textarea id="code" rows="10" cols="80" placeholder="Paste obfuscated JS here"></textarea><br> <button onclick="deob()">Deobfuscate</button> <button onclick="unpack()">Unpack (eval)</button> <pre id="output"></pre> <script> function deob() let code = document.getElementById('code').value; try // Basic: unpack simple eval let unpacked = code.replace(/eval\(([^)]+)\)/g, (_, m) => eval(m)); // JSFuck? Not fully but remove most easy obf let pretty = unpacked.replace(/\s+/g, ' ').trim(); document.getElementById('output').innerText = pretty; catch(e) document.getElementById('output').innerText = e.toString();
Here is a typical workflow for safely unpacking and cleaning a suspicious JavaScript file using a portable analysis environment.
: Simplify complex math like 0x2 * 0x109e + -0xc into its literal result (e.g., 0 ). Source
specializes in reverse engineering JavaScript through multiple channels. It can deobfuscate Obfuscator.IO-obfuscated code, unminify compressed scripts, transpile modern JavaScript to compatible formats, and even unpack Webpack and Browserify bundles. The tool provides both command-line and online playground options, with the CLI version offering true portability.
: Resolves complex function chains used to hide original API calls. Usage Tips Security Note
None provide a architecture that can run in constrained environments (e.g., IoT edge devices, sandboxed iframes) while supporting recursive unpacking.