JavaScript Deobfuscation - HTB Academy
Published: December 18, 2025
Code Deobfuscation is important for code analysis and reverse engineering.
- Locate JavaScript code
- Intro to Code Obfuscation
- How to Deobfuscate JavaScript code
- How to decode encoded messages
- Basic Code Analysis
- Sending basic HTTP requests
Code Obfuscation
Obfuscation is a technique that makes a script harder for humans to read while it still functions the same from a technical point of view.
People obfuscate their code to:
- hide the code's original functionality
- provide a security layer when dealing with authentication or encryption
- carry out malicious actions
Basic Obfuscation
Code minification means having the entire code in a single line.
BeautifyTools for code obfuscation
JSONConsole for code testing after obfuscation
Advanced Obfuscation
Deobfuscation
Code Analysis
'use strict';
function generateSerial() {
    ...SNIP...
    var xhr = new XMLHttpRequest;
    var url = "/serial.php";
    xhr.open("POST", url, true);
    xhr.send(null);
};
- variable xhr creates an object of XMLHttpRequest. XMLHttpRequest handles web requests
- url contains the URL to /serial.php
- the next lines open and send the HTTP request to the URL
N2gxNV8xNV9hX3MzY3IzN19tMzU1NGcz
Decoding
S-Tier Tool Box: CyberChef
To encode any text into base64:
echo https://www.hackthebox.eu/ | base64
To decode any base64 encoded string:
echo aHR0cHM6Ly93d3cuaGFja3RoZWJveC5ldS8K | base64 -d
To encode any string into hex:
echo https://www.hackthebox.eu/ | xxd -p
To decode any hex encoded string:
echo 68747470733a2f2f7777772e6861636b746865626f782e65752f0a | xxd -p -r
ROT13
echo https://www.hackthebox.eu/ | tr 'A-Za-z' 'N-ZA-Mn-za-m'
curl -s http://94.237.120.137:45888/serial.php -X POST -d "serial=7h15_15_a_s3cr37_m3554g3"
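The base64, hex and ROT13 decodings from the Decoding section, combined into one Node.js helper that checks which encodings a string is structurally valid for before decoding it. This is an added example, not code from the original page or from HTB; the function names and the printable-text check are assumptions made for illustration.

```javascript
// Added example, not from the original page.
const PRINTABLE = /^[\x20-\x7e\t\r\n]+$/;

function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Returns every decoding that is structurally valid and yields printable text.
function decodeCandidates(input) {
  const s = input.trim();
  const out = {};

  // Hex: only 0-9a-f and an even digit count (two digits per byte).
  if (/^[0-9a-fA-F]+$/.test(s) && s.length % 2 === 0) {
    const text = Buffer.from(s, 'hex').toString('latin1');
    if (PRINTABLE.test(text)) out.hex = text;
  }

  // Base64: alphabet plus optional padding, length a multiple of 4.
  // Node's decoder ignores invalid input, so require an exact re-encode.
  if (/^[A-Za-z0-9+\/]+={0,2}$/.test(s) && s.length % 4 === 0) {
    const buf = Buffer.from(s, 'base64');
    const text = buf.toString('latin1');
    if (buf.toString('base64') === s && PRINTABLE.test(text)) out.base64 = text;
  }

  // ROT13 has no structural signature, so it is always offered as a candidate.
  out.rot13 = rot13(s);
  return out;
}

// Inputs: strings shown on this page, plus a constructed ROT13 sample.
const samples = [
  'N2gxNV8xNV9hX3MzY3IzN19tMzU1NGcz',
  'aHR0cHM6Ly93d3cuaGFja3RoZWJveC5ldS8K',
  '68747470733a2f2f7777772e6861636b746865626f782e65752f0a',
  'uggcf://jjj.unpxgurobk.rh/',
];
for (const s of samples) console.log(JSON.stringify(decodeCandidates(s)));
```

The decoded URL samples end in a newline because `echo` appended one before encoding; that is the trailing `K` in the base64 string and the trailing `0a` in the hex string.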