Obfuscation & Deobfuscation · 2 min read

JavaScript Deobfuscation Techniques

JavaScript obfuscation rewrites code to hide its true purpose while keeping it functionally identical. Malware authors, phishing kits, and exploit packs all use it to evade detection. Deobfuscation reverses the process, turning unreadable code back into something a human can analyze. The techniques range from simple string encoding to complex control flow transformations.

Try it now

JS Deobfuscator

Runs in your browser, nothing leaves your device.

Most obfuscated scripts stack multiple techniques. String encoding replaces readable text with hex escapes, unicode sequences, or Base64. Array packing moves all strings into a single array, then references them by index. String rotation shuffles the array at runtime, so static analysis of the array order is useless. Eval wrapping compresses the entire script into a string that gets decoded and executed at runtime.

Work from the outside in. If the script starts with eval(), replace eval with console.log to see what it would execute. Decode hex and unicode escapes to reveal string literals. Replace array references with their actual values. Rename meaningless variable names (like _0x3f2a) to descriptive ones once you understand what they do. Automated tools handle the mechanical parts. Your job is interpreting what the clean code actually does.

Legitimate minification shortens names but preserves structure. Obfuscation actively hides intent. Watch for: eval() or Function() constructor calls, strings assembled character by character, document.write with encoded content, XMLHttpRequest to unexpected domains, and scripts that create iframes pointing to external URLs.

Eval-packed script

Input
eval(String.fromCharCode(97,108,101,114,116,40,49,41))
Result
alert(1)

Hex-encoded function call

Input
window["\x65\x76\x61\x6c"]("\x61\x6c\x65\x72\x74(1)")
Result
window["eval"]("alert(1)")

Security context

If someone obfuscated their JavaScript, ask why. Legitimate code uses minification for performance. Multi-layer obfuscation with string encoding, eval wrapping, and anti-debugging tricks is almost always hiding something malicious.

Minification removes whitespace and shortens variable names to reduce file size. The code is still readable if you format it. Obfuscation intentionally makes code unreadable by encoding strings, restructuring control flow, and adding dead code. Minified code can be prettified in seconds. Obfuscated code requires actual reverse engineering.

Never run obfuscated scripts directly. Use a browser-based deobfuscator tool that processes the code as text without executing it. Replace eval() calls with console.log() or a variable assignment to see decoded output without execution. Work in an isolated environment.

Go deeper

Continue in the Web Security Academy

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description