How does this obfuscated JavaScript work?

Question

How does the following JavaScript work?

I understand that it is minified code. I have tried de-obfuscating it a little, but I can\'t get a clear concept of how it achiev

Answer 1

Here is another manually deobfuscated version, moving all initialisation out of expression into own statements:

z='p="<"+"pre>"/* ,.oq#+     ,._, */;for(y in n="zw24l6k\
4e3t4jnt4qj24xh2 x/* =<,m#F^    A W###q. */42kty24wrt413n243n\
9h243pdxt41csb yz/* #K       q##H######Am */43iyb6k43pk7243nm\
r24".split(4)){/* dP      cpq#q##########b, */for(a in t=pars\
eInt(n[y],36)+/*         p##@###YG=[#######y */(e=x=r=[]))for\
(r=!r,i=0;t[a/*         d#qg `*PWo##q#######D */]>i;i+=.05)wi\
th(Math)x-= /*        aem1k.com Q###KWR#### W[ */.05,0>cos(o=\
new Date/1e3/*      .Q#########Md#.###OP  A@ , */+x/PI)&&(e[~\
~(32*sin(o)*/* ,    (W#####Xx######.P^     T % */sin(.5+y/7))\
+60] =-~ r);/* #y    `^TqW####P###BP           */for(x=0;122>\
x;)p+="   *#"/* b.        OQ####x#K           */[e[x++]+e[x++\
]]||(S=("eval"/* l         `X#####D  ,       */+"(z=\'"+z.spl\
it(B = "\\\\")./*           G####B" #       */join(B+B).split\
(Q="\'").join(B+Q/*          VQBP`        */)+Q+")//m1k")[x/2\
+61*y-1]).fontcolor/*         TP         */(/\\w/.test(S)&&"#\
03B");document.body.innerHTML=p+=B+"\\n"}setTimeout(z)';

p = "<" + "pre>";
n = ["zw2", "l6k", "e3t", "jnt", "qj2", "xh2 x/* =<,m#F^    A W###q. */", "2kty2", "wrt", "13n2", "3n9h2", "3pdxt", "1csb yz/* #K       q##H######Am */", "3iyb6k", "3pk72", "3nmr2", ""]
for (y in n) {
    e = [];
    x = 0;
    r = true;
    t = parseInt(n[y], 36) + "";
    for (a in t) {
        r = !r
        for (i = 0; i < t[a]; i += 0.05) {
             x -= 0.05;
             o = new Date / 1e3 + x / Math.PI
             if (Math.cos(o) < 0)
                 e[~~(32 * Math.sin(o) * Math.sin(0.5 + y / 7)) + 60] = -~r;
        }
    for (x = 0; x < 122;) {
        S = "eval" + "(z='" + z.split(B = "\\").join(B + B).split(Q = "'").join(B + Q) + Q + ")//m1k"
        p += "   *#"[e[x++] + e[x++]] || S[x/2+61*y-1]).fontcolor(/\w/.test(S[x/2+61*y-1]) && "#03B");
    }
    p += B + "\n";
    document.body.innerHTML = p;
}
setTimeout(z)

Here is what happens:

• z is a multiline string containing all of the code. It is evaled.
• At the end of the code, z is passed to setTimeout. It works like requestAnimationFrame and eval together, evaluating it in an interval at the highest possible rate.
• The code itself initialises p, the string buffer onto which the HTML will be appended, and n, an array of base-36-encoded numbers (joined into a string by "4", the comments being irrelevant garbage that is not considered by parseInt).
• each number in n does encode one line (n.length == 16). It is now enumerated.
• A bunch of variables is initialised, some disguised as the e array literal but they are then cast to numbers (x) or booleans (r) or strings (t) when used.
• Each digit in the number t is enumerated, inverting the boolean r each turn. For different angles x, and depending on the current time new Date / 1000 (so that it gives an animation), the array e is filled using some bitwise operators - with 1 when r is false and 2s when r is true at that time.
• Then a loop does iterate the 61 columns of the image, from x=0 to 122 in double steps, appending single characters to p.
• B being the backslash, the string S is built from the code string z by escaping backslashes and apostrophes, to get an accurate representation of what it looked in the source.
• Every two consecutive numbers from e are added and used to access a character from " *#", to build up the animated image. If one of the indices is not defined, the NaN index resolves to an undefined character and instead the respective character from the S string is taken (check out the formula x/2+61*y-1). If that character should be a word character, it is colored differently using the fontcolor String method.
• After each line, the trailing backspace and a linebreak are added to p, and the HTML string gets assigned to the document body.

---

How the same effect could be rewritten for a minimal example?

Here is an other example:

setInterval(z='s=("setInterval(z=\'"+\
z.replace(/[\\\\\']/g,"\\\\$&")+"\')"\
).match(/.{1,37}/g).join("\\\\\\n");d\
ocument.body.innerHTML=\"<\\pre>"+s.s\
lice(0, 175)+String( + new Date()).fo\
ntcolor("red")+s.slice(188)')

(demo at jsfiddle.net)

It has all the releveant things you need for this kind of animation:

• setInterval and Date for the animation

• A reconstruction of its own code (quine-like), in here:

  s = ( "setInterval(z='" // the outer invokation
        + z.replace(/[\\\']/g,"\\$&") // the escaped version
      + "\')" ) // the end of the assignment
      .match(/.{1,37}/g).join("\\\n"); // chunked into lines
  

• The output via document.body.innerHTML and a

   element
  

• Replacing some parts of the code with the animated string