Decoding non-alphanumeric code with Hackvertor


Author: Gareth Heyes (@hackvertor)

Published: Wed, 03 Aug 2011 11:53:47 GMT

Updated: Sat, 22 Mar 2025 15:38:17 GMT

I saw this post from Thomas Stig Jacobsen. He uses eval to decompile the code; I thought there has to be a better way :) So in literally about 30 minutes I managed to do it after a few tweaks to the JSReg code base. What does non-alphanumeric JavaScript look like?


$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+",\\"+$.$__+$.___+"\\"+$.__$+$.__$+$._$_+$.$_$_+"\\"+$.__$+$.$$_+$.$$_+$.$_$_+"\\"+$.__$+$._$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\\"\\"+$.$__+$.___+")"+"\"")())();

Produced by my friend Yosuke Hasegawa using his JJEncode.

How the hell do you decode that Gareth? (I hear you say). Quite easily actually. First off I extend the Hackvertor environment to allow sandboxed code to call the JSReg parser.


parser.extendWindow("$sandbox$", function(code){});

This makes "sandbox" a global function within each tag. I need to do this because I want to listen for any calls to "Function" and, instead of eval'ing the results, simply return the string generated. To do this I add more code to the "sandbox" function to create an instance of JSReg and execute the code:-


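parser.extendWindow("$sandbox$", function(code){
    var js = JSReg.create(), result;
    js.setDebugObjects({
        // Report calls to Function, but never eval the code passed to it.
        doNotFunctionEval: true,
        // Receives the source handed to Function; the last call wins.
        functionCode: function(code) {
            // Strip the prologue JSReg adds to every rewritten function body.
            code = code.replace("J.F();var $arguments$=J.A(arguments);", '');
            result = code;
        }
    });
    try {
        js.eval(code);
    } catch(e) {
        // Hand the error back to the tag instead of throwing.
        return e;
    }
    return result;
});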

So as you can see, the magic happens in the debug objects of JSReg. I use "doNotFunctionEval" to listen to Function but not eval the code sent. Then I use another listener, "functionCode", to intercept the results.

The final Hackvertor tag is dead simple:-


(function(){
    return sandbox(code);
})();

The final results can be seen here:- Decode non-alpha. Please feel free to go whoa now. That's sandboxed code calling an unsandboxed function, sending a non-alpha string, sandboxing it, listening to the results and returning the decoded code. In the blink of an eye :)

Credits as always to Lever one and Jonas Magazinius for testing JSReg and making this possible.
