What Is JavaScript Obfuscation?
JavaScript obfuscation transforms readable source code into functionally equivalent but intentionally difficult-to-understand code. It's used to protect intellectual property, prevent code theft, and make reverse engineering harder. Common techniques include variable renaming, string encoding, control flow flattening, dead code injection, and self-defending code.
Common Obfuscation Techniques
| Technique | Example |
|---|---|
| Variable renaming | userName → _0x3a2f |
| String encoding | "hello" → '\x68\x65\x6c\x6c\x6f' |
| String array | All strings in one array, referenced by index |
| Base64 strings | atob('aGVsbG8=') |
| Control flow | Switch statements with shuffled cases |
| eval() wrapping | eval(atob('...')) |
| Dead code | Unreachable branches to confuse analysis |
Deobfuscation Approach
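```javascript
// Step 1: Decode hex/unicode string literals
function decodeStrings(code) {
  // Escapes that decode to a quote, backslash, or control character are kept
  // as-is: substituting them raw would break the surrounding string literal.
  const decode = (match, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[\x00-\x1f\x7f'"`\\]/.test(ch) ? match : ch;
  };
  // Decode \xNN hex escapes
  code = code.replace(/\\x([0-9a-fA-F]{2})/g, decode);
  // Decode \uNNNN unicode escapes
  code = code.replace(/\\u([0-9a-fA-F]{4})/g, decode);
  return code;
}

// Step 2: Evaluate string arrays
// Many obfuscators store strings in an array like:
//   var _0x1234 = ['hello', 'world', 'function'];
// Then reference them as _0x1234[0], _0x1234[1]

// Step 3: Reformat with a beautifier
// (restores layout only; names and strings are left unchanged)
// js-beautify: npm install -g js-beautify
// Then: js-beautify obfuscated.js -o readable.js

// Step 4: Use browser DevTools
// Paste in console, set breakpoints, inspect runtime values.
// This executes the code, so use an isolated browser profile or VM
// for samples you do not trust.
```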
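Step 2 describes the string-array pattern without code. The following is an added example, not part of the original page: it inlines array references by parsing the array as text, without executing the sample. It assumes a plain array with numeric indices (no rotation or decoder function); `SAMPLE`, `resolveStringArray` and `unescapeLiteral` are names made up for illustration.

```javascript
// Added example; SAMPLE is constructed input and the helper names are hypothetical.
const SAMPLE = [
  "var _0x1234 = ['log', 'hello', '\\x77orld', 'it\\'s'];",
  "console[_0x1234[0]](_0x1234[1] + ' ' + _0x1234[0x2]);",
  "console[_0x1234[0]](_0x1234[3], _0x1234[9]);",
].join("\n");

// One quoted JS string literal (single or double quotes, backslash escapes allowed).
const STR = String.raw`'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"`;
const SIMPLE_ESCAPES = {
  n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", 0: "\0", "\n": "",
};

// Turn the body of a string literal into the value it has at runtime.
function unescapeLiteral(body) {
  return body.replace(
    /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (_, x, u, ch) => {
      if (x || u) return String.fromCharCode(parseInt(x || u, 16));
      return SIMPLE_ESCAPES[ch] ?? ch; // e.g. \' becomes '
    });
}

// Find `var NAME = ['a', 'b', ...]` and inline every NAME[<int>] reference.
// The array is parsed as text and never executed. Rotated arrays and decoder
// functions are out of scope: this handles only the plain-index pattern.
function resolveStringArray(code) {
  const decl = new RegExp(
    String.raw`(?:var|let|const)\s+(_0x[0-9a-fA-F]+)\s*=\s*\[((?:\s*(?:${STR})\s*,?)*)\s*\]`
  ).exec(code);
  if (!decl) return { code, table: [] };
  const [, name, items] = decl;
  const table = [...items.matchAll(new RegExp(STR, "g"))]
    .map((m) => unescapeLiteral(m[0].slice(1, -1)));
  const ref = new RegExp(String.raw`(?<![\w$])${name}\[(0x[0-9a-fA-F]+|\d+)\]`, "g");
  const out = code.replace(ref, (whole, idx) => {
    const i = Number(idx); // accepts decimal and 0x-prefixed indices
    // Leave out-of-range references untouched so the gap stays visible.
    return i < table.length ? JSON.stringify(table[i]) : whole;
  });
  return { code: out, table };
}

console.log(resolveStringArray(SAMPLE).code);
```

Because this is regex-based, a reference that appears inside another string literal is also rewritten; an AST parser is the robust choice for real samples.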
Deobfuscation is legal for security research, malware analysis, and understanding code you have rights to. Never use deobfuscation to steal proprietary code or bypass license protections.