Try to deobfuscate multi layered javascript

Question

According to the techy zilla blog

It will be much harder to deobfuscate code that has been obfuscated using multiple obfuscating algorithms. According to them, jsbeautifier can't fix this obfuscated code. Can you find another way to deobfuscate this type of obfuscation? If not, what is the closest you can get?

var _0x2815=["\x33\x20\x31\x28\x29\x7B\x32\x20\x30\x3D\x35\x3B\x34\x20\x30\x7D","\x7C","\x73\x70\x6C\x69\x74","\x78\x7C\x6D\x79\x46\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x76\x61\x72\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xf81fx1,_0xf81fx2,_0xf81fx3,_0xf81fx4,_0xf81fx5,_0xf81fx6){_0xf81fx5=function (_0xf81fx3){return _0xf81fx3;} ;if(!_0x2815[5][_0x2815[4]](/^/,String)){while(_0xf81fx3--){_0xf81fx6[_0xf81fx3]=_0xf81fx4[_0xf81fx3]||_0xf81fx3;} ;_0xf81fx4=[function (_0xf81fx5){return _0xf81fx6[_0xf81fx5];} ];_0xf81fx5=function (){return _0x2815[6];} ;_0xf81fx3=1;} ;while(_0xf81fx3--){if(_0xf81fx4[_0xf81fx3]){_0xf81fx1=_0xf81fx1[_0x2815[4]]( new RegExp(_0x2815[7]+_0xf81fx5(_0xf81fx3)+_0x2815[7],_0x2815[8]),_0xf81fx4[_0xf81fx3]);} ;} ;return _0xf81fx1;} (_0x2815[0],6,6,_0x2815[3][_0x2815[2]](_0x2815[1]),0,{}));

Answer 1

Using Malzilla, I was able to de-obfuscate this in ~30 seconds.

Step 1, open Malzilla, select the Decoder tab, and paste the JavaScript.

Step 2, you can optionally press the "Format Code" button to get a rudimentary re-formatting of the JS.

Step 3, check Override eval(), and click the Run script button.

You'll notice that in the output box, the de-obfuscated code is printed:

function myFunction(){var x=5;return x}

Answer 2

Why limit yourself to static deobfuscation? If you run that script through a JavaScript debugger and break on the return statement, you can see that _0xf81fx1 = function myFunction(){var x=5;return x}, which was the plain-text of the function before it was obfuscated.

Furthermore, if you run it through http://jsbeautifier.org, the last line of the output is:

}('3 1(){2 0=5;4 0}', 6, 6, 'x|myFunction|var|function|return|' ['split']('|'), 0, {}));

It can be seen that the '3 1(){2 0=5;4 0}' string just holds the indeces for the strings in the string-array 'x|myFunction|var|function|return|'. So http://jsbeautifier.org does pretty much deobfuscate it most all the way anyway.

Answer 3

jsbeautifier.org is not the source for JS deobfuscation, actually. See this question for more details Analyzing highly obfuscated JavaScript

After multiple de-obfuscations, it seems that code behind is:

//eval function myFunction(){var x=5;return x}

http://jsunpack.jeek.org/?report=24921f4d96d1e05abfc0affd2233bd69874056c9

Answer 4

You could try using de4js. For the javascript snippet in the original post, de4js produces the following output:

var _0x2815 = ["3 1(){2 0=5;4 0}", "|", "split", "x|myFunction|var|function|return|", "replace", "", "\\w+", "\\b", "g"];
eval(function (_0xf81fx1, _0xf81fx2, _0xf81fx3, _0xf81fx4, _0xf81fx5, _0xf81fx6) {
    _0xf81fx5 = function (_0xf81fx3) {
        return _0xf81fx3;
    };
    if (!_0x2815[5][_0x2815[4]](/^/, String)) {
        while (_0xf81fx3--) {
            _0xf81fx6[_0xf81fx3] = _0xf81fx4[_0xf81fx3] || _0xf81fx3;
        };
        _0xf81fx4 = [function (_0xf81fx5) {
            return _0xf81fx6[_0xf81fx5];
        }];
        _0xf81fx5 = function () {
            return _0x2815[6];
        };
        _0xf81fx3 = 1;
    };
    while (_0xf81fx3--) {
        if (_0xf81fx4[_0xf81fx3]) {
            _0xf81fx1 = _0xf81fx1[_0x2815[4]](new RegExp(_0x2815[7] + _0xf81fx5(_0xf81fx3) + _0x2815[7], _0x2815[8]), _0xf81fx4[_0xf81fx3]);
        };
    };
    return _0xf81fx1;
}(_0x2815[0], 6, 6, _0x2815[3][_0x2815[2]](_0x2815[1]), 0, {}));

When the eval radio button is selected, this reduces to

function myFunction() {
    var x = 5;
    return x
}