How does this kind of javascript obfuscation work?

I always was curious how this type of obfuscation can be achieved in JavaScript and how it can be decoded (deobfuscated). Below is an example code:

var _0x4e9d=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x77\x72\x69\x74\x65"];document[_0x4e9d[0x1]](String[_0x4e9d[0x0]](0x3c,0x62,0x75,0x74,0x74,0x6f,0x6e,0x20,0x6f,0x6e,0x63,0x6c,0x69,0x63,0x6b,0x3d,0x27,0x6a,0x61,0x76,0x61,0x73,0x63,0x72,0x69,0x70,0x74,0x3a,0x69,0x66,0x20,0x28,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x22,0x70,0x61,0x73,0x73,0x22,0x29,0x2e,0x76,0x61,0x6c,0x75,0x65,0x3d,0x3d,0x22,0x6a,0x30,0x30,0x77,0x31,0x6e,0x22,0x29,0x7b,0x61,0x6c,0x65,0x72,0x74,0x28,0x22,0x59,0x6f,0x75,0x20,0x57,0x49,0x4e,0x21,0x22,0x29,0x3b,0x77,0x69,0x6e,0x64,0x6f,0x77,0x2e,0x6c,0x6f,0x63,0x61,0x74,0x69,0x6f,0x6e,0x20,0x2b,0x3d,0x20,0x22,0x3f,0x6c,0x76,0x6c,0x5f,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3d,0x22,0x2b,0x64,0x6f开发者_如何学运维,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x22,0x70,0x61,0x73,0x73,0x22,0x29,0x2e,0x76,0x61,0x6c,0x75,0x65,0x7d,0x65,0x6c,0x73,0x65,0x20,0x7b,0x61,0x6c,0x65,0x72,0x74,0x28,0x22,0x57,0x52,0x4f,0x4e,0x47,0x21,0x20,0x54,0x72,0x79,0x20,0x61,0x67,0x61,0x69,0x6e,0x21,0x22,0x29,0x7d,0x27,0x3e,0x43,0x68,0x65,0x63,0x6b,0x20,0x50,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3c,0x2f,0x62,0x75,0x74,0x74,0x6f,0x6e,0x3e));

Addendum: Thank you for de-obfuscating it, but I'm only interested in how I can obfuscate my own code like this.

---

Note that in JavaScript, someobject["xyz"] is about the same as someobject.xyz.

First statement:

_0x4e9d is an array with two strings:

• "fromCharCode"
• "write"

Second statement decodes to document.write(String.fromCharCode(0x3c,0x62,...,0x3e)).

Finally, the string being written is this piece of HTML:

<button onclick='javascript:if (document.getElementById("pass").value=="j00w1n"){alert("You WIN!");window.location += "?lvl_password="+document.getElementById("pass").value}else {alert("WRONG! Try again!")}'>Check Password

---

Each \xnn is a character code as hexadecimal.

So \x63 will give you an 'a'

To do it to your own code you need to have something that will translate each character to it's hex code point:

var aAsHex = '\\x'+'a'.charCodeAt(0).toString(16)

Then copy and paste the output to a file.

---

var _0x4e9d = ["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65", "\x77\x72\x69\x74\x65"];

is ["fromCharCode", "write"]

document[_0x4e9d[0x1]](String[_0x4e9d[0x0]]

is document.write(String.fromCharCode

String.fromCharCode(0x3c, 0x62, ...)

Is

<button 
  onclick='javascript:if (document.getElementById("pass").value=="j00w1n"){alert("You WIN!");window.location += "?lvl_password="+document.getElementById("pass").value}else {alert("WRONG! Try again!")}'
>
  Check Password
</button>

The JavaScript in the onclick is

if (document.getElementById("pass").value=="j00w1n") {
  alert("You WIN!");
  window.location += "?lvl_password=" + document.getElementById("pass").value
} else {
  alert("WRONG! Try again!")
}

---

PHP, assuming $string contains data. So you can obfuscate by running reverse process.

echo preg_replace('~((0|\\\)x([0-9a-f]+))~ei', 'chr(hexdec("\\1"))', $string);

You will get this...

var _�=["fromCharCode","write"];document[_�[]](String[_�[]](<,b,u,t,t,o,n, ,o,n,c,l,i,c,k,=,',j,a,v,a,s,c,r,i,p,t,:,i,f, ,(,d,o,c,u,m,e,n,t,.,g,e,t,E,l,e,m,e,n,t,B,y,I,d,(,",p,a,s,s,",),.,v,a,l,u,e,=,=,",j,0,0,w,1,n,",),{,a,l,e,r,t,(,",Y,o,u, ,W,I,N,!,",),;,w,i,n,d,o,w,.,l,o,c,a,t,i,o,n, ,+,=, ,",?,l,v,l,_,p,a,s,s,w,o,r,d,=,",+,d,o,c,u,m,e,n,t,.,g,e,t,E,l,e,m,e,n,t,B,y,I,d,(,",p,a,s,s,",),.,v,a,l,u,e,},e,l,s,e, ,{,a,l,e,r,t,(,",W,R,O,N,G,!, ,T,r,y, ,a,g,a,i,n,!,",),},',>,C,h,e,c,k, ,P,a,s,s,w,o,r,d,<,/,b,u,t,t,o,n,>));

---

Actually I have now figured out the real way to obfuscate the javascript like that, without having to make each character separately.

http://javascriptobfuscator.com/default.aspx

This is the obfuscator.