Unpack packed Javascript code

Skip intro and go straight to my unpacker tool!

You will have at some stage come across a piece of Javascript code that has been packed to compress as well as to obfusicate the code.

One of the best online tools for compressing, minifying and packing your code on demand is Dean Edwards packer tool. This lets you choose whether to compress (strip excess space and comments), minify (shortern variable names) and pack (encode the function so that it has to be run through an eval statement for it to run).

For example take the following function:

// Create a get elements by class name function
document.getElementsByClassName = function(clsName){
	var retVal = new Array();
	var elements = document.getElementsByTagName("*");	
	for(var i = 0;i < elements.length;i++){
		if(elements[i].className.indexOf(" ") >= 0){
			var classes = elements[i].className.split(" ");
			for(var j = 0;j < classes.length;j++){
				if(classes[j] == clsName){retVal.push(elements[i]);}
		else if(elements[i].className == clsName){	
	return retVal;

When run through Dean Edwards packer code with all options enabled so that excess space is removed and variables shortened it comes out like this:

eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('4.8=9(a){1 b=e f();1 c=4.g("*");5(1 i=0;i<c.6;i++){2(c[i].3.h(" ")>=0){1 d=c[i].3.k(" ");5(1 j=0;j<d.6;j++){2(d[j]==a){b.7(c[i])}}}l 2(c[i].3==a){b.7(c[i])}}m b}',23,23,'|var|if|className|document|for|length|push|getElementsByClassName|function|||||new|Array|getElementsByTagName|indexOf|||split|else|return'.split('|'),0,{}))

The reasons for doing this are to reduce the size of the original Javascript code as well as to make it harder for someone to work out what is going on inside the code and to steal it.

Obviously if you have spent time and effort writing a cool widget or piece of code you don't really want everyone coming along and ripping your code without paying you or even acknowledging that it was your work.

However due to the nature of the beast we work with this is never going to be possible, and someone who is determined to steal your client side code is going to, especially with modern browsers that allow users to easily modify the DOM, CSS and Javascript code on a page.

Until the web changes, and there are certain trends indicating that its going this way, so that your computer, phone, smart TV etc becomes just a dumb terminal - yes going back to the 80's!

Then all web based content is going to be downloaded (CSS, JavaScript, Images etc) to your computer where your browser application puts them together again. This means that you are always going to be able to get hold of client side code if you really want to and it's pointless trying to secure client side code.

You may think this won't happen but with the amount of piracy related to music, films and software it won't be long until something along these lines comes along and becomes mainstream.

You just have to look at how cloud based applications have increased over recent years.

The "Cloud" is slowly becoming a remote "server" and we are slowly handing over control of content as well our privacy to the big companies just as we already do when using GMail or Hotmail etc. All your emails are stored on Google's servers and they have full access to your innermost thoughts all to display adverts they think are relevant to you as you type.

A more legitamite reason for wanting to unpack compressed code is when your unsure whether the scripts being loaded on a site are malicious or not.

Using a plugin like Noscript or the Web Developer Toolbar so that you can load any page without running any JavaScript and then using a tool like this one to unpack the code to work out what its doing first maybe time consuming but could be a good idea if you are 100% safety conscious.

So to use this tool, just paste the packed code into the first box, hit the "Unpack" button and hey presto the code will appear unpacked, unencoded and now due to Einar Lielmanis great code beautifier also nicely formated in the second box.

Unpacker Tool

I have defaulted the packed box with an example function that I packed using Dean Edwards packer tool so that you can see the unpack action working without packing something first.

You should also notice that certain global variables such as document or window are not minified with the packer tool which would save some serious bytes in a large codebase. To read up about creating your own simple compressor tool and some simple steps for reducing your file size read my blog article about script compression.


This post is also available in the following langugages.

русском 汉语

Post Comments

As this script is not part of the blog if you would like to post comments please click this link and then respond to the following article.