Obfuscation & Deobfuscation · 1 min read

Decoding String.fromCharCode in Malicious Scripts

String.fromCharCode() converts numeric character codes to their string representation. `String.fromCharCode(72,101,108,108,111)` returns "Hello". Malware authors use it to build strings character by character, defeating pattern-based detection. The numbers are just ASCII/Unicode code points, trivial to decode but effective against simple scanners.

Try it now

JS Deobfuscator

Runs in your browser, nothing leaves your device.

Look for `String.fromCharCode(` followed by comma-separated numbers, typically in the 32-126 range for ASCII text. Some variants split the numbers across multiple calls or store them in arrays first. You might see `var a=[72,101,108]; String.fromCharCode.apply(null,a)` or individual characters joined with `+`.

Hidden document.write call

Input
String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101)
Result
document.write

Security context

String.fromCharCode is one of the most common obfuscation techniques in XSS payloads and JavaScript malware. It's trivial to reverse but still bypasses many basic WAF rules and content filters that look for literal string matches.

Paste the code into a JavaScript deobfuscator or run it through a tool that evaluates the fromCharCode call and shows the resulting string. You can also manually look up each number in an ASCII table, but tools are much faster for long sequences.

Go deeper

Continue in the Web Security Academy

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description