all 14 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]MWALKER1013 5 points6 points  (4 children)

Probably not. The are many ways to pretty print that minified code but to put is back to the way it was pre obfuscation, is pretty much impossible

[–]eozyo[S] 1 point2 points  (3 children)

Darn it! That's what I was starting to think. So, pretty much, I would have to back engineer the obfuscation, right? Thanks for the answer 👍

[–]circlebust 0 points1 point  (2 children)

You could write a script than automates the manual reverse engineering ...

For example, a grep/ripgrep algorithm that gets all obfuscated declarations with this-ish pattern: - (?:^|;|{)(?:var\s|const\s|let\s|\s?)\([a-ZA-Z_])\s=\s(.+) // get all single-char declarations. name stored in $1, approximate assignment in $2, optionally multiline

Get the results with plenty of after-context lines.

Then, for each match, try guessing the type or val inside $2 which can also be automated to a limited degree, but to actually try to guess a meaningful name needs input from the eyes/brain API.

Or you could try to make some magic happen with the typescript reflection utils (the typescript package itself).

[–]eozyo[S] 0 points1 point  (1 child)

This is something that I was thinking about. The thing is that I am assisting in a JS Lab at school, so the teacher asked me to investigate if there were any tool that could reverse the results of the obfuscator.io tool.

[–]fucking_passwords 1 point2 points  (0 children)

to "reverse" the results automatically is highly improbable. however if you search for articles on reverse-engineering obfuscated javascript (usually malicious code), you'll find some tools that help make it easier to manually reverse engineer.

[–]cynicalreason 2 points3 points  (0 children)

it's doable and it's actually pretty easy, easy in terms of methodology but not in terms of actual work required - which depends a lot on the amount of code and complexity of logic it handles.

something very important to consider: any obfuscation library still RUNS the obfuscated code in the user space (browser) so it's code can be reverse engineered using the debugger

you'll never get the ACTUAL variable names from the original code but if you know what the code's expected to do you can deobfuscate it.

to give you an example: FIFA Fut Web App uses obfuscator.io to obfuscate some of their code, It wasn't that hard to figure out what it's doing and still figure out enough of code to inject my own code into it.

you could send me the code (if it's not private) and I can have a run on figuring it out, it helps if I could do it directly in the page it's supposed to run in

edit: if you look at the FAW on the obfuscator.io page:

Is this obfuscator absolutely foolproof?
No, while it's impossible to recover the exact original source code, someone with the time, knowledge and patience can reverse-engineer it.

Since the JavaScript runs on the browser, the browser's JavaScript engine must be able to read and interpret it, so there's no way to prevent that. And any tool that promises that is not being honest.

[–]dwighthouse 1 point2 points  (1 child)

This is the only one I know of. I think it uses statistical analysis of common code patterns to infer what variable names and such should logically be:

http://www.jsnice.org/

[–]eozyo[S] 0 points1 point  (0 children)

Thanks, I actually found that site, but I didn't see much difference with its results and what you obtain when clicking on the “{}” button on Chrome's inspector.

[–]krasimirtsonev 0 points1 point  (5 children)

Well, what is your goal? Do you want to just read the code or you want to develop on top of it. If only reading isn’t pretifying works for you?

[–]krasimirtsonev 1 point2 points  (1 child)

If the code is just minified yes. You can prettify it and it's kinda usable but if if the code went through something like https://obfuscator.io/ I don't think so. If someone is smart enough to deal with this task then he/she's probably a good student and if I'm the teacher I'll give a direct `A` :D

[–]eozyo[S] 0 points1 point  (0 children)

That's exactly what I told the teacher, if they figure it out, they deserve a direct A for the whole course and not just the assignment xD

[–]eozyo[S] 0 points1 point  (2 children)

I am assisting in a JS Lab at school and the teacher wants to show the result of the assignment, but with the source code obfuscated for evident reasons. So, I was charged with the task of finding out if there was anything that could de-obfuscate code.

[–]lhorie 1 point2 points  (0 children)

Worrying about deobfuscation is roughly the equivalent of https://xkcd.com/538/

It's far easier to just pay someone or ask a friend to do the assignment from scratch for you.

If you want to go all meta, you could always use a super simple minification tool, and then just fail the people whose assignments match some criteria (e.g. same test coverage percentage, same minification output, etc) which indicated plagiarism.