At 5/27/15 07:19 AM, Sam wrote:
Original Source
Obfuscated -> Deobfuscated
You forgot the unescape option, which turns the top array of hex values into this:
var _0xc5a6 = ["", "space_after_anon_function", "jslint_happy", "braces_on_own_line", "expand", "collapse", "brace_style", "indent_size", "indent_char", " ", "preserve_newlines", "undefined", "max_preserve_newlines", "keep_array_indentation", "space_before_conditional", "indent_case", "length", "pop", "\x0A", "\x0D", "replace", "indexOf", "substring", "push", "eat_next_space", "mode", "if_line", "indentation_level", "var_line", "var_line_reindented", "case_body", "TK_COMMENT", "BLOCK", "[EXPRESSION]", "[INDENTED-EXPRESSION]", "(EXPRESSION)", "(FOR-EXPRESSION)", "(COND-EXPRESSION)", "DO_BLOCK", "previous_mode", "charAt", "case", "return", "do", "if", "throw", "else", "TK_EOF", "\x09", "indentation_baseline", "match", "-", "+", "TK_WORD", "in", "TK_OPERATOR", "TK_EQUALS", "var", "(", "[", "TK_START_EXPR", ")", "]", "TK_END_EXPR", "{", "TK_START_BLOCK", "}", "TK_END_BLOCK", ";", "TK_SEMICOLON", "/", "*", "/*", "*/", "TK_INLINE_COMMENT", "TK_BLOCK_COMMENT", "\'", "\"", "\\", "TK_STRING", "#", "!", "=", "[]", "{}", "<", "<!--", "in_html_comment", "-->", "TK_UNKNOWN", "split", "\x0A\x0D\x09 ", "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$", "0123456789", "+ - * / % & ++ -- = += -= *= /= %= == === != !== > < >= <= >> << >>> >>>= >>= <<= && &= | || ! !! , : ? ^ ^= |= ::", ",", "continue,try,throw,return,var,if,switch,case,default,for,while,break,function", "for", "while", ".", "function", "typeof", "catch", "expand-strict", "default", "in_case_statement", ":", "in_case", "NONE", "toLowerCase", "finally", "NEWLINE", "end-expand", "SPACE", "get", "set", "new", "var_line_tainted", "OBJECT", "::", "--", "++", "ternary_depth", "?", "slice", "join", "js_beautify", "value", "text", "getElementById", "eval", "write", "writeln", "createPopup", "createElement", "Syntax Error:\x0A", "message", "alert", "Paste code here...", "script"];
You can then make a quick script that gets the values from that array and puts them back into whatever variables are using them. Then if you want to you can modify the function variables to be just x2, x3, etc. instead of _0xeed0x2, _0xeed0x3, etc. It'll be much easier to read, then.
Again, assuming you want to put the effort into it. If you don't, then you didn't really want to do it in the first place.
True, though. I suppose if it only takes a minute then go for it. Just don't loose your source code or you'll get to go back through your obfuscated AND decompiled code.