Brilliant Javascript Obfuscation Technique

One of the guys over at BreakingPoint Systems detailed a cool, new Javascript obfuscation technique. You can click here to view his blog post.

The technique he described is based on Javascript’s toString method and a base 36 radix. For those of you who don’t know, the toString function allows you to convert a number object into a string. Here’s an example:

What I didn’t know was that you can do this with it:

Isn’t that clever?! With this technique, you can hide key functions like “eval” in plain sight!

Now that you know how this technique works, you can practice what you’ve learned in a Javascript obfuscation contest. BreakingPoint will be giving you a chance to win an iPad if you can deobfuscate their script. You have until September 14, so get cracking! Here’s the link to their contest!

By the way, their obfuscated script is pretty challenging. You can crack it with a debugger but notepad and IE works just fine too.

Update (5/21/16): Greek translation provided by Nikolaos Zinas
Update (2/27/17): Estonian translation provided by Arija Liepkalnietis

This entry was posted in Malscript and tagged , , . Bookmark the permalink.

5 Responses to Brilliant Javascript Obfuscation Technique

  1. a says:

    method is old. seen it on slackers.

  2. Tim Walker says:

    Thanks for pointing to our contest post, Darryl. We’re continuing to get good entries, some of them containing their own neat obfuscation tricks.

    It will be fun to see who wins the contest!

  3. jon says:

    I wasn’t sure, but the statement: a={}.valueOf,a();

    doesn’t equate to anything right? It’s just extra non-sense?

  4. tom says:

    Thanks for posting. This was a fun one 🙂

Leave a Reply