Decoding String.fromCharCode in Malicious Scripts
String.fromCharCode() converts numeric character codes to their string representation. `String.fromCharCode(72,101,108,108,111)` returns "Hello". Malware authors use it to build strings character by character, defeating pattern-based detection. The numbers are just ASCII/Unicode code points, trivial to decode but effective against simple scanners.
Try it now
JS Deobfuscator
Runs in your browser, nothing leaves your device.
Look for `String.fromCharCode(` followed by comma-separated numbers, typically in the 32-126 range for ASCII text. Some variants split the numbers across multiple calls or store them in arrays first. You might see `var a=[72,101,108]; String.fromCharCode.apply(null,a)` or individual characters joined with `+`.
Examples
Hidden document.write call
String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101)
document.write
Security context
String.fromCharCode is one of the most common obfuscation techniques in XSS payloads and JavaScript malware. It's trivial to reverse but still bypasses many basic WAF rules and content filters that look for literal string matches.
Frequently asked
Paste the code into a JavaScript deobfuscator or run it through a tool that evaluates the fromCharCode call and shows the resulting string. You can also manually look up each number in an ASCII table, but tools are much faster for long sequences.
Go deeper
Continue in the Web Security Academy
Related techniques
JavaScript Deobfuscation Techniques
How to deobfuscate JavaScript malware, phishing scripts, and browser exploits. Reverse eval packing, string rotation, array shuffling, and control flow flattening.
Unpacking eval() in Malicious JavaScript
How to unpack eval-wrapped JavaScript used in malware droppers, exploit kits, and obfuscated phishing scripts. Safe techniques for revealing hidden code.
Hex Encoding in Malware and Obfuscated Code
Decode hex-encoded strings in malware samples, obfuscated JavaScript, and network traffic. Identify file signatures by magic bytes.