Revelo Updated

I’ve been noticing obfuscated Javascript using a function that returns the deobfuscated result more and more lately so I added a new method to catch this.


Here’s an obfuscated script. It’s not that difficult but it does look intimidating!


First I loaded the script and made sure that the “<script></script>” tags are present. This is important to Revelo because it uses this exact string as a marker to add content before or after the opening or closing script tag.

Next, I click on the “Highlight Decryption Clues” button. This gives you hints to look for in the script — functions, variable accumulators, and now returns. What this shows is the variable “IBq” is accumulating a result. (This is the only accumulator in the entire script.) Then the results get returned to the calling function.


Just choose the new method called “Intercept Return and Variable” and paste in the actual return statement “return(IBq)”. You need to paste the “return” keyword too because there’s other combinations.


Click on the “Execute” button and go the Results tab to get the deobfuscated text. (Note: the results contain escaped characters but it is essentially deobfuscated.)


The other change was that I updated the JSBeautify script with the latest version from .

You can find Revelo here.

This entry was posted in Malscript, Tools and tagged , . Bookmark the permalink.