Decoding non-alphanumeric code with Hackvertor

By Gareth Heyes (@hackvertor)

Published 14 years 10 months ago • Last updated March 22, 2025 • ⏱️ 2 min read

I saw this post from Thomas Stig Jacobsen. He uses eval to decompile the code, I thought there has to be a better way :) so in literally about 30 minutes I managed to do it after a few tweaks to the JSReg code base. What does non-alphanumeric JavaScript look like?


$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+",\\"+$.$__+$.___+"\\"+$.__$+$.__$+$._$_+$.$_$_+"\\"+$.__$+$.$$_+$.$$_+$.$_$_+"\\"+$.__$+$._$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\\"\\"+$.$__+$.___+")"+"\"")())();

Produced by my friend Yosuke Hasegawa using his JJEncode.

How the hell do you decode that Gareth? (I hear you say). Quite easily actually. First off I extend the Hackvertor environment to allow sandboxed code to call the JSReg parser.


parser.extendWindow("$sandbox$", function(code){});

This makes "sandbox" a global function within each tag, I need to do this because I want to listen for any calls to "Function" and instead of eval'ing the results I simply want to return the string generated. To do this I add more code to the "sandbox" function to create an instance of JSReg and execute the code:-


parser.extendWindow("$sandbox$", function(code){	
	var js = JSReg.create(), result; 
	js.setDebugObjects({doNotFunctionEval:true,functionCode: function(code) {
			code = code.replace("J.F();var $arguments$=J.A(arguments);",'');
			result = code;						
	}});
	try {
	  js.eval(code);
	} catch(e){
	   return e;
	}
	return result;
});

So as you can see the magic happens in the debug objects of JSReg, I use the "doNotFunctionEval" to listen to Function but not eval the code sent. Then I use another listener to "functionCode" to intercept the results.

The final Hackvertor tag is dead simple:-


(function(){
    return sandbox(code);
})();

The final results can be seen here:- Decode non-alpha please feel free to go whoa now. That's sandboxed code calling a unsandboxed function, sending a non-alpha string, sandboxing it, listening to the results and returning the decoded code. In the blink of an eye :)

Credits as always to Lever one and Jonas Magazinius for testing JSReg and making this possible.

← Back to articles