How to unpack eval function javascript

How to unpack eval function javascript

Javascript eval() function

eval() is function available for javascript php and other language the main idea of eval() is to evaluate and execute string as a code what this mean that you can write your javascript code as a text and you can evaluate it as javascript code this function still used in javascript but in php it's not recommended because it's unsecured function.

eval() how it works

As we said that eval() is evaluating function that combine text and variable and try to execute them, example
var x = 10;
var y = 20;
var result = eval("x * y");
the result here will be 200 as you see the "x * y" is string but eval("x * y") it because operation.

Use eval() function to encrypting

As you see eval() not an encryption function, but most designer use eval() inside eval inside eval() ... and make their code look like encrypted.

How to unpack eval()

the easiest way to unpack eval() is to trace the return value of the function or trace the variable before get modified inside the script.

Example for eval() function

This following code result is alert("hello");
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('A(o(p,a,c,k,e,d){e=o(c){q c.u(C)};s(!\'\'.t(/^/,x)){r(c--){d[c.u(a)]=k[c]||c.u(a)}k=[o(e){q d[e]}];e=o(){q\'\\\\w+\'};c=1};r(c--){s(k[c]){p=p.t(z B(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c])}}q p}(\'j(3(4,a,c,k,e,d){e=3(c){5 c};6(!\\\'\\\'.8(/^/,i)){7(c--){d[c]=k[c]||c}k=[3(e){5 d[e]}];e=3(){5\\\'\\\\\\\\9+\\\'};c=1};7(c--){6(k[c]){4=4.8(m f(\\\'\\\\\\\\b\\\'+e(c)+\\\'\\\\\\\\b\\\',\\\'g\\\'),k[c])}}5 4}(\\\'0("1");\\\',2,2,\\\'n|l\\\'.h(\\\'|\\\'),0,{}))\',v,v,\'|||o|p|q|s|r|t|w||||||B||y|x|A||E|z|D\'.y(\'|\'),0,{}))',41,41,'||||||||||||||||||||||||function||return|while|if|replace|toString|24||String|split|new|eval|RegExp|36|alert|hello'.split('|'),0,{}))

Download javascript eval() unpacker

To download js unpacker check link below:

Open and unpack eval() first child

The following code is just alert("hello"); and whole that code is just obfuscation, this example we have three eval() inside each others, something like this eval(eval(eval())) at every step we hide eval() content inside second eval() content... The easiest way to open this code it's just trace the return value of the eval() function, to do that just search of the first return after this code replace(new RegExp( and there its is return p. the variable p is the return value before function get obfuscate, to get the return value: before return p add this following code :
document.write(String(p).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;'));
and open the html page you will get another eval result: eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('j(3(4,a,c,k,e,d){e=3(c){5 c};6(!\'\'.8(/^/,i)){7(c--){d[c]=k[c]||c}k=[3(e){5 d[e]}];e=3(){5\'\\\\9+\'};c=1};7(c--){6(k[c]){4=4.8(m f(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c])}}5 4}(\'0("1");\',2,2,\'n|l\'.h(\'|\'),0,{}))',24,24,'|||function|p|return|if|while|replace|w||||||RegExp||split|String|eval||hello|new|alert'.split('|'),0,{}))

Open and unpack eval() second child

The second steps repeat the last step and search for the first return after replace(new RegExp( in the new code (not in the first code) and there it is also return p before return p add
document.write(String(p).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;'));
and open the html page you will get another eval result:

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0("1");',2,2,'alert|hello'.split('|'),0,{}))

Open and unpack eval() third child

Again next step also we have to find return function after replace(new RegExp( in the new code(not the first code) and again it's return p and add again
document.write(String(p).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;'));
now open the html page, this time there is no eval() and we got our result alert('hello');

Notice it's not always 3 eval() it can be 4,5.. eval you have to repeat those steps until you get your code.

Leave comment