Unpack packed JavaScript code

Skip intro and go straight to my unpacker tool!

At some stage you will have come across a piece of JavaScript code that has been packed, both to compress it and to obfuscate it. One of the best online tools for compressing, minifying and packing your code on demand is Dean Edwards' packer tool, which lets you choose whether to compress (strip excess space and comments), minify (shorten variable names) and pack (encode the function so that it has to be run through an eval statement for it to run). Take, for example, the following function:


// Create a get elements by class name function
document.getElementsByClassName = function(clsName){
	var retVal = new Array();
	var elements = document.getElementsByTagName("*");	
	for(var i = 0;i < elements.length;i++){
		if(elements[i].className.indexOf(" ") >= 0){
			var classes = elements[i].className.split(" ");
			for(var j = 0;j < classes.length;j++){
				if(classes[j] == clsName){retVal.push(elements[i]);}
			}
		}
		else if(elements[i].className == clsName){	
			retVal.push(elements[i]);
		}
	}	
	return retVal;
}

When run through Dean Edwards' packer with all options enabled, so that excess space is removed and variable names are shortened, it comes out like this:


eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('4.8=9(a){1 b=e f();1 c=4.g("*");5(1 i=0;i<c.6;i++){2(c[i].3.h(" ")>=0){1 d=c[i].3.k(" ");5(1 j=0;j<d.6;j++){2(d[j]==a){b.7(c[i])}}}l 2(c[i].3==a){b.7(c[i])}}m b}',23,23,'|var|if|className|document|for|length|push|getElementsByClassName|function|||||new|Array|getElementsByTagName|indexOf|||split|else|return'.split('|'),0,{}))

The reasons for doing this are to reduce the size of the original JavaScript code and to make it harder for someone to work out what is going on and steal it. Obviously, if you have spent time and effort writing a cool widget or piece of code, you don't really want every Tom, Dick and Harry coming along and ripping off your code without payment or even acknowledgement. However, due to the nature of the beast we work with, this is never going to be possible: someone who is determined to modify your DOM, CSS and JavaScript code is going to get your source code whatever barriers you put in the way on the client. Until the web changes (and there are certain trends indicating that it's going this way) so that your computer, phone, skybox etc. becomes a dumb terminal that doesn't hold any local files and is purely an interface to a server-based application, where all content is streamed and never stored locally on your device, it's pointless trying to secure client-side code.

You may think this won't happen but with the amount of piracy related to music, films and software it won't be long until something along these lines comes along and becomes mainstream.

A more legitimate reason for wanting to unpack compressed code is when you're unsure whether the scripts being loaded on a site are malicious or not. Using NoScript to load the page without running any JavaScript, and then using a tool like mine to unpack the code and work out what it's doing, is a good idea. Just paste the packed code into the first box, hit the button and hey presto, the code will appear in the second box unpacked, unencoded and, thanks to Einar Lielmanis' great beautifier, nicely reformatted.
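When the script may be malicious, the unpacking step described above can be done without ever evaluating the packed code, by reading the wrapper's arguments as text and substituting the keywords. The following is an added example, not the code behind the tool on this page; the names ARGS, unescapeLiteral, encode and unpack are illustrative, and it goes slightly beyond the sample by also handling the packer's base-62 token encoding.

```javascript
// Static unpacker for Dean Edwards' p,a,c,k,e,r format: it only parses the
// wrapper's arguments and substitutes keywords, so the payload never runs.
const ARGS = /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Undo the escapes of a single-quoted JS literal. Assumption: only \\, \'
// and \n occur inside the packed payload and keyword list.
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));
}

// Token for keyword index n in the given radix; digits above 35 map to A-Z,
// as in the packer's base-62 encoding (generalisation beyond the sample).
function encode(n, radix) {
  const head = n < radix ? '' : encode(Math.floor(n / radix), radix);
  const d = n % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

function unpack(packed) {
  const m = ARGS.exec(packed);
  if (!m) throw new Error('not a recognised p,a,c,k,e,r wrapper');
  const payload = unescapeLiteral(m[1]);
  const radix = Number(m[2]);
  const keywords = unescapeLiteral(m[4]).split('|');
  if (radix < 2 || radix > 62) throw new Error('unsupported radix ' + radix);
  // Never trust the declared count beyond what the keyword list contains.
  const count = Math.min(Number(m[3]), keywords.length);
  // A Map avoids tokens such as "constructor" hitting Object.prototype.
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const token = encode(i, radix);
    dict.set(token, keywords[i] || token); // empty slot: token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// The packed sample from this page, kept as inert text via String.raw.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('4.8=9(a){1 b=e f();1 c=4.g("*");5(1 i=0;i<c.6;i++){2(c[i].3.h(" ")>=0){1 d=c[i].3.k(" ");5(1 j=0;j<d.6;j++){2(d[j]==a){b.7(c[i])}}}l 2(c[i].3==a){b.7(c[i])}}m b}',23,23,'|var|if|className|document|for|length|push|getElementsByClassName|function|||||new|Array|getElementsByTagName|indexOf|||split|else|return'.split('|'),0,{}))`;

console.log(unpack(PACKED_SAMPLE));
```

The output is the minified source as a string, ready to be passed to a beautifier for reading.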

Unpacker Tool

I have pre-filled the packed box with the example function, which I packed using Dean Edwards' packer tool, so that you can see the unpack action working.

You should also notice that the packer tool does not minify certain global variables such as document or window; shortening them would save some serious bytes in a large codebase. To read up about creating your own simple compressor tool, and some simple steps for reducing your file size, read my blog article about script compression.

 
 
 
 
