Question

147

How to decode this hex code javascript?

rated 0 times [ 148] [ 1] / answers: 1 / hits: 16456 / 9 Years ago, tue, may 12, 2015, 12:00:00

I just came across a bit of code par my understanding can anyone help me in decoding the code .

var _0x98fd = [x2Ex6Fx76x65x72x6Cx61x70x62x6Cx61x63x6Bx62x67x2Cx20x2Ex73x6Cx69x64x65x4Cx65x66x74, x2Ex77x73x6Dx65x6Ex75x63x6Fx6Ex74x65x6Ex74, x6Dx65x6Ex75x6Fx70x65x6E, x61x64x64x43x6Cx61x73x73, x6Dx65x6Ex75x63x6Cx6Fx73x65, x72x65x6Dx6Fx76x65x43x6Cx61x73x73, x68x61x73x43x6Cx61x73x73, x63x6Cx69x63x6B, x23x6Ex61x76x54x6Fx67x67x6Cx65, x6Dx72x67x69x6Ex6Cx65x66x74, x74x6Fx67x67x6Cx65x43x6Cx61x73x73, x2Ex77x73x6Dx65x6Ex75x63x6Fx6Ex74x61x69x6Ex65x72, x6Fx6E, x23x6Ex61x76x54x6Fx67x67x6Cx65x2Cx2Ex6Fx76x65x72x6Cx61x70x62x6Cx61x63x6Bx62x67, x3Cx73x70x61x6Ex20x63x6Cx61x73x73x3Dx22x77x73x6Dx65x6Ex75x2Dx63x6Cx69x63x6Bx22x3Ex3Cx69x20x63x6Cx61x73x73x3Dx22x77x73x6Dx65x6Ex75x2Dx61x72x72x6Fx77x20x66x61x20x66x61x2Dx61x6Ex67x6Cx65x2Dx64x6Fx77x6Ex22x3Ex3Cx2Fx69x3Ex3Cx2Fx73x70x61x6Ex3E, x70x72x65x70x65x6Ex64, x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Cx20x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Dx73x75x62x2Cx20x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Dx73x75x62x2Dx73x75x62, x68x61x73, x2Ex77x73x6Dx65x6Ex75x2Dx6Cx69x73x74x20x6Cx69, x2Ex6Dx65x67x61x6Dx65x6Ex75, x73x6Cx6Fx77, x73x6Cx69x64x65x54x6Fx67x67x6Cx65, x2Ex77x73x6Dx65x6Ex75x2Dx6Cx69x73x74, x2Ex77x73x6Dx65x6Ex75x2Dx6Dx6Fx62x69x6Cx65, x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75, x73x69x62x6Cx69x6Ex67x73, x77x73x6Dx65x6Ex75x2Dx72x6Fx74x61x74x65, x2Ex77x73x6Dx65x6Ex75x2Dx61x72x72x6Fx77, x63x68x69x6Cx64x72x65x6E, x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Dx73x75x62, x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Dx73x75x62x2Dx73x75x62, x2Ex77x73x6Dx65x6Ex75x2Dx63x6Cx69x63x6B];

$(function() {

    var _0x5c8dx1 = $(_0x98fd[0]);

    var _0x5c8dx2 = $(_0x98fd[1]);

    var _0x5c8dx3 = function() {

        $(_0x5c8dx1)[_0x98fd[5]](_0x98fd[4])[_0x98fd[3]](_0x98fd[2])

    };

    var _0x5c8dx4 = function() {

        $(_0x5c8dx1)[_0x98fd[5]](_0x98fd[2])[_0x98fd[3]](_0x98fd[4])

    };

    $(_0x98fd[8])[_0x98fd[7]](function() {

        if (_0x5c8dx2[_0x98fd[6]](_0x98fd[2])) {

            $(_0x5c8dx4)

        } else {

            $(_0x5c8dx3)

        }

    });

    _0x5c8dx2[_0x98fd[7]](function() {

        if (_0x5c8dx2[_0x98fd[6]](_0x98fd[2])) {

            $(_0x5c8dx4)

        }

    });

    $(_0x98fd[13])[_0x98fd[12]](_0x98fd[7], function() {

        $(_0x98fd[11])[_0x98fd[10]](_0x98fd[9])

    });

    $(_0x98fd[18])[_0x98fd[17]](_0x98fd[16])[_0x98fd[15]](_0x98fd[14]);

    $(_0x98fd[18])[_0x98fd[17]](_0x98fd[19])[_0x98fd[15]](_0x98fd[14]);

    $(_0x98fd[23])[_0x98fd[7]](function() {

        $(_0x98fd[22])[_0x98fd[21]](_0x98fd[20])

    });

    $(_0x98fd[31])[_0x98fd[7]](function() {

        $(this)[_0x98fd[25]](_0x98fd[24])[_0x98fd[21]](_0x98fd[20]);

        $(this)[_0x98fd[28]](_0x98fd[27])[_0x98fd[10]](_0x98fd[26]);

        $(this)[_0x98fd[25]](_0x98fd[29])[_0x98fd[21]](_0x98fd[20]);

        $(this)[_0x98fd[25]](_0x98fd[30])[_0x98fd[21]](_0x98fd[20]);

        $(this)[_0x98fd[25]](_0x98fd[19])[_0x98fd[21]](_0x98fd[20]);

    });

});

I am not new to Javascript and its confusing for me

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

breap

Add To Favorites

Follow

Total Points: 606

Total Questions: 96

Total Answers: 108

Location: Djibouti

Member since Sun, Feb 27, 2022

2 Years ago

breap questions

1 Chain query/mutation calls with RTK Query using React Hooks

Thu, Jun 24, 21, 00:00, 3 Years ago

1 How to go to another screen in top tab navigation in react native

Wed, Nov 11, 20, 00:00, 4 Years ago

1 React Storybook not Recognizing a Story

Wed, Mar 18, 20, 00:00, 4 Years ago

1 How to call javascript Function in Oracle APEX on button click in dynamic action?

Tue, Nov 5, 19, 00:00, 5 Years ago

1 Issue with Discord.js avatarURL

Mon, Oct 7, 19, 00:00, 5 Years ago

View All

answered 9 Years ago katieh · Accepted Answer

That is obfuscated & minified JavaScript. The array of Hex characters decodes to an array of method names, class names, and jQuery selectors:

".overlapblackbg, .slideLeft"

".wsmenucontent"

"menuopen"

"addClass"

"menuclose"

"removeClass"

"hasClass"

"click"

"#navToggle"

"mrginleft"

"toggleClass"

".wsmenucontainer"

"on"

"#navToggle,.overlapblackbg"

"<span class="wsmenu-click"><i class="wsmenu-arrow fa fa-angle-down"></i></span>"

"prepend"

".wsmenu-submenu, .wsmenu-submenu-sub, .wsmenu-submenu-sub-sub"

"has"

".wsmenu-list li"

".megamenu"

"slow"

"slideToggle"

".wsmenu-list"

".wsmenu-mobile"

".wsmenu-submenu"

"siblings"

"wsmenu-rotate"

".wsmenu-arrow"

"children"

".wsmenu-submenu-sub"

".wsmenu-submenu-sub-sub"

".wsmenu-click"

I also wrote a quick decoder, in a JSFiddle,

http://jsfiddle.net/TrueBlueAussie/1jwb60pe/1/

that came up with this:

$(function() {

    var $menu = $(".overlapblackbg, .slideLeft");

    var $wsmenucontent = $(".wsmenucontent");

    var openMenu = function() {

        $($menu).removeClass("menuclose").addClass("menuopen")

    };

    var closeMenu = function() {

        $($menu).removeClass("menuopen").addClass("menuclose")

    };

    $("#navToggle").click(function() {

        if ($wsmenucontent.hasClass("menuopen")) {

            $(closeMenu)

        } else {

            $(openMenu)

        }

    });

    $wsmenucontent.click(function() {

        if ($wsmenucontent.hasClass("menuopen")) {

            $(closeMenu)

        }

    });

    $("#navToggle,.overlapblackbg").on(click, function() {

        $(".wsmenucontainer").toggleClass("mrginleft")

    });

    $(".wsmenu-list li").has(".wsmenu-submenu, .wsmenu-submenu-sub, .wsmenu-submenu-sub-sub").prepend("<span class="wsmenu-click"><i class="wsmenu-arrow fa fa-angle-down"></i></span>");

    $(".wsmenu-list li").has(".megamenu").prepend("<span class="wsmenu-click"><i class="wsmenu-arrow fa fa-angle-down"></i></span>");

    $(".wsmenu-mobile").click(function() {

        $(".wsmenu-list").slideToggle("slow")

    });

    $(".wsmenu-click").click(function() {

        $(this).siblings(".wsmenu-submenu").slideToggle("slow");

        $(this).children(".wsmenu-arrow").toggleClass("wsmenu-rotate");

        $(this).siblings(".wsmenu-submenu-sub").slideToggle("slow");

        $(this).siblings(".wsmenu-submenu-sub-sub").slideToggle("slow");

        $(this).siblings(".megamenu").slideToggle("slow");

    });

});

The advantage of the decoder of course is that you can keep tweaking it to do more decoding without having to redo it manually.

It is interesting to note that the decoded version actually shows that they have made errors, like wrapping jQuery objects a second time!

e.g.

var _0x5c8dx1 = $(".overlapblackbg, .slideLeft");

then

$(_0x5c8dx1).removeClass("menuclose").addClass("menuopen")

It also uses obscure side effects to run functions like:

$(closeMenu)

Which is a shortcut for $(document).ready(closeMenu) which will fire the function immediately.

Working de-obfuscation demo

const variableMap = {

  _0x5c8dx1: $menu,

  _0x5c8dx2: $wsmenucontent,

  _0x5c8dx3: openMenu,

  _0x5c8dx4: closeMenu

};



var obfuscatedCode   = document.querySelector('#source-code').value;

var deobfuscatedCode = decode(obfuscatedCode);



let editor = ace.edit(ace-editor);

editor.setTheme(ace/theme/github);

editor.session.setMode(ace/mode/javascript);

editor.setValue(deobfuscatedCode);

editor.clearSelection();



// Beautify the code...

editor.getSession().setValue(js_beautify(editor.getValue(), {

  indent_size: 2

}));



function decode(script) {

  var decoded = parseAscii(script);

  decoded = replaceWithStrings(decoded, parseStringArray(decoded));

  decoded = replaceVariables(decoded.substring(decoded.indexOf('n') + 1), variableMap);

  decoded = bracketToDotNotation(decoded);

  return decoded;

}



function parseAscii(input) {

  return input.replace(/\x([0-9A-F]{2})/g, (g, g1) => {

    return String.fromCharCode(parseInt(g1, 16));

  });

}



function parseStringArray(input) {

  return input.substring(input.indexOf('[') + 2, input.indexOf('];')).split(/s*,s*/g);

}



function replaceWithStrings(input, arr) {

  return input.replace(/_0x[0-9a-f]+[(d+)]/g, (m, m1) => {

    return `${escapeQuotes(arr[parseInt(m1, 10)])}`;

  });

}



function escapeQuotes(input) {

  return input.replace(//g, \);

}



function replaceVariables(input, variableMap) {

  return Object.keys(variableMap).reduce((decoded, key) => {

    return decoded.replace(new RegExp('\b' + key + '\b', 'g'), () => {

      return variableMap[key];

    });

  }, input);

}



function bracketToDotNotation(input) {

  return input.replace(/[(w+)]/g, '.$1');

}

#ace-editor { 

  position: absolute;

  top: 0;

  right: 0;

  bottom: 0;

  left: 0;

}

<script src=https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.8/ace.js></script>

<script src=https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.8/mode-javascript.min.js></script>

<script src=https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.8/theme-github.min.js></script>

<script src=https://cdnjs.cloudflare.com/ajax/libs/js-beautify/1.10.2/beautify.min.js></script>

<div id=ace-editor></div>

<textarea id=source-code style=display:none>var _0x98fd = [x2Ex6Fx76x65x72x6Cx61x70x62x6Cx61x63x6Bx62x67x2Cx20x2Ex73x6Cx69x64x65x4Cx65x66x74, x2Ex77x73x6Dx65x6Ex75x63x6Fx6Ex74x65x6Ex74, x6Dx65x6Ex75x6Fx70x65x6E, x61x64x64x43x6Cx61x73x73, x6Dx65x6Ex75x63x6Cx6Fx73x65, x72x65x6Dx6Fx76x65x43x6Cx61x73x73, x68x61x73x43x6Cx61x73x73, x63x6Cx69x63x6B, x23x6Ex61x76x54x6Fx67x67x6Cx65, x6Dx72x67x69x6Ex6Cx65x66x74, x74x6Fx67x67x6Cx65x43x6Cx61x73x73, x2Ex77x73x6Dx65x6Ex75x63x6Fx6Ex74x61x69x6Ex65x72, x6Fx6E, x23x6Ex61x76x54x6Fx67x67x6Cx65x2Cx2Ex6Fx76x65x72x6Cx61x70x62x6Cx61x63x6Bx62x67, x3Cx73x70x61x6Ex20x63x6Cx61x73x73x3Dx22x77x73x6Dx65x6Ex75x2Dx63x6Cx69x63x6Bx22x3Ex3Cx69x20x63x6Cx61x73x73x3Dx22x77x73x6Dx65x6Ex75x2Dx61x72x72x6Fx77x20x66x61x20x66x61x2Dx61x6Ex67x6Cx65x2Dx64x6Fx77x6Ex22x3Ex3Cx2Fx69x3Ex3Cx2Fx73x70x61x6Ex3E, x70x72x65x70x65x6Ex64, x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Cx20x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Dx73x75x62x2Cx20x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Dx73x75x62x2Dx73x75x62, x68x61x73, x2Ex77x73x6Dx65x6Ex75x2Dx6Cx69x73x74x20x6Cx69, x2Ex6Dx65x67x61x6Dx65x6Ex75, x73x6Cx6Fx77, x73x6Cx69x64x65x54x6Fx67x67x6Cx65, x2Ex77x73x6Dx65x6Ex75x2Dx6Cx69x73x74, x2Ex77x73x6Dx65x6Ex75x2Dx6Dx6Fx62x69x6Cx65, x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75, x73x69x62x6Cx69x6Ex67x73, x77x73x6Dx65x6Ex75x2Dx72x6Fx74x61x74x65, x2Ex77x73x6Dx65x6Ex75x2Dx61x72x72x6Fx77, x63x68x69x6Cx64x72x65x6E, x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Dx73x75x62, x2Ex77x73x6Dx65x6Ex75x2Dx73x75x62x6Dx65x6Ex75x2Dx73x75x62x2Dx73x75x62, x2Ex77x73x6Dx65x6Ex75x2Dx63x6Cx69x63x6B];

$(function(){var _0x5c8dx1=$(_0x98fd[0]);var _0x5c8dx2=$(_0x98fd[1]);var _0x5c8dx3=function(){$(_0x5c8dx1)[_0x98fd[5]](_0x98fd[4])[_0x98fd[3]](_0x98fd[2])};var _0x5c8dx4=function(){$(_0x5c8dx1)[_0x98fd[5]](_0x98fd[2])[_0x98fd[3]](_0x98fd[4])};$(_0x98fd[8])[_0x98fd[7]](function(){if(_0x5c8dx2[_0x98fd[6]](_0x98fd[2])){$(_0x5c8dx4)}else{$(_0x5c8dx3)}});_0x5c8dx2[_0x98fd[7]](function(){if(_0x5c8dx2[_0x98fd[6]](_0x98fd[2])){$(_0x5c8dx4)}});$(_0x98fd[13])[_0x98fd[12]](_0x98fd[7],function(){$(_0x98fd[11])[_0x98fd[10]](_0x98fd[9])});$(_0x98fd[18])[_0x98fd[17]](_0x98fd[16])[_0x98fd[15]](_0x98fd[14]);$(_0x98fd[18])[_0x98fd[17]](_0x98fd[19])[_0x98fd[15]](_0x98fd[14]);$(_0x98fd[23])[_0x98fd[7]](function(){$(_0x98fd[22])[_0x98fd[21]](_0x98fd[20])});$(_0x98fd[31])[_0x98fd[7]](function(){$(this)[_0x98fd[25]](_0x98fd[24])[_0x98fd[21]](_0x98fd[20]);$(this)[_0x98fd[28]](_0x98fd[27])[_0x98fd[10]](_0x98fd[26]);$(this)[_0x98fd[25]](_0x98fd[29])[_0x98fd[21]](_0x98fd[20]);$(this)[_0x98fd[25]](_0x98fd[30])[_0x98fd[21]](_0x98fd[20]);$(this)[_0x98fd[25]](_0x98fd[19])[_0x98fd[21]](_0x98fd[20])})});</textarea>