In the modern web development landscape, JavaScript is the undisputed king of client-side logic. However, with great power comes great obfuscation. Developers (and malware authors alike) use obfuscation to protect intellectual property, hide malicious payloads, or simply reduce file size. For security researchers, penetration testers, and curious developers, the ability to reverse this process is critical.
// save as unpack.js and run: node unpack.js obf.js
const fs = require('fs');
const vm = require('vm');
let code = fs.readFileSync(process.argv[2], 'utf8');
try {
let unpacked = vm.runInNewContext(code, {});
console.log(unpacked);
} catch(e) console.log(e);
As obfuscators become more sophisticated (using WebAssembly, async packing, and proxy re-encryption), portable deobfuscators must evolve. Look for these trends: javascript+deobfuscator+and+unpacker+portable