In JavaScript, eval is often used to protect privacy and to run scripts that the author does not want others to read. Common schemes such as eval encryption, U encryption, and JJEncode encryption all rely on eval to execute the code.
However, the string "eval" is itself a very obvious signature. It is easy to search for and then replace with console.log or alert, which reverses the protection and reveals the content passed to eval.
Is there a way to hide eval as well, so that it is not so easily discovered? Yes. The following introduces one method: Base-32 Encryption.
The principle is as follows: in browsers, eval is a member function of window; in the Node.js environment, it is a member function of global. Therefore, eval can also be written as:
window.eval, global.eval, or window["eval"], global["eval"].
This means that eval has been transformed into a string form. Since it is a string, it becomes easier to encrypt. For example, the "eval" string can take on another form:
(14).toString(32)+(31).toString(32)+(10).toString(32)+(21).toString(32)
Or, to avoid a uniform, recognizable pattern in the output, the values passed to toString can also be varied, for example by writing 14 as 10+1+3:
window[(10+1+3).toString(32)+(20+1+10).toString(32)+(10).toString(32)+(21).toString(32)]
This uses the toString(base) method to convert a number to its string representation in the specified base. In the above example code, the base is 32, meaning numbers will be converted to strings in base 32.
(14).toString(32): The number 14 is converted to base 32, which is "e".
(31).toString(32): The number 31 is converted to base 32, which is "v".
(10).toString(32): The number 10 is converted to base 32, which is "a".
(21).toString(32): The number 21 is converted to base 32, which is "l".
When concatenated with plus signs, they form the string "eval".
Base-32 character correspondence (base 32 covers the letters a through v):
a: (10).toString(32) -> "a"
b: (11).toString(32) -> "b"
c: (12).toString(32) -> "c"
d: (13).toString(32) -> "d"
e: (14).toString(32) -> "e"
f: (15).toString(32) -> "f"
g: (16).toString(32) -> "g"
h: (17).toString(32) -> "h"
i: (18).toString(32) -> "i"
j: (19).toString(32) -> "j"
k: (20).toString(32) -> "k"
l: (21).toString(32) -> "l"
m: (22).toString(32) -> "m"
n: (23).toString(32) -> "n"
o: (24).toString(32) -> "o"
p: (25).toString(32) -> "p"
q: (26).toString(32) -> "q"
r: (27).toString(32) -> "r"
s: (28).toString(32) -> "s"
t: (29).toString(32) -> "t"
u: (30).toString(32) -> "u"
v: (31).toString(32) -> "v"
Besides this, other algorithms can also be used. For example, in browsers, the base64 string "ZXZhbA==" can be decoded using atob to get "eval".
Expanding on this, the method can be used not only to hide eval but also to conceal other methods. For instance, consider this line of code suitable for browser execution:
window[(10).toString(32)+(21).toString(32)+(14).toString(32)+(27).toString(32)+atob("dA==")]("moc.rotacsufbo-sj".split("").reverse().join(""));
What would this output? Try it out yourself.
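For anyone reviewing or scanning such code, the same arithmetic can be folded back into plain strings without running anything. The following is an added example, not code from the original post: it assumes Node.js, the function names foldStrings and findHiddenCalls and the SENSITIVE list are hypothetical, and it is a regex heuristic rather than a full JavaScript parser.

```javascript
// Names to flag once a bracket lookup has been resolved (assumed list, extend as needed).
const SENSITIVE = new Set(["eval", "Function"]);

// Sum a "10+1+3"-style operand as integers; the text is never evaluated as code.
function sumOperand(expr) {
  return expr.split("+").reduce((acc, n) => acc + parseInt(n.trim(), 10), 0);
}

// Rewrite the string-building tricks from this page into plain string literals.
function foldStrings(source) {
  let out = source
    // (14).toString(32) or (10+1+3).toString(32) -> "e"
    .replace(/\(\s*(\d+(?:\s*\+\s*\d+)*)\s*\)\s*\.toString\(\s*(\d+)\s*\)/g,
      (m, expr, radix) => {
        const r = Number(radix);
        return r >= 2 && r <= 36 ? JSON.stringify(sumOperand(expr).toString(r)) : m;
      })
    // atob("ZXZhbA==") -> "eval"
    .replace(/\batob\(\s*"([A-Za-z0-9+\/=]*)"\s*\)/g,
      (m, b64) => JSON.stringify(Buffer.from(b64, "base64").toString("latin1")));
  // Merge adjacent literals ("e"+"v" -> "ev") until nothing changes.
  let prev;
  do {
    prev = out;
    out = out.replace(/"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"/g, '"$1$2"');
  } while (out !== prev);
  return out;
}

// Report window[...] / global[...] style lookups that resolve to a sensitive name.
function findHiddenCalls(source) {
  const hits = [];
  const re = /\b(window|global|globalThis|self)\s*\[\s*"([^"]*)"\s*\]/g;
  for (const m of foldStrings(source).matchAll(re)) {
    if (SENSITIVE.has(m[2])) hits.push(`${m[1]}["${m[2]}"]`);
  }
  return hits;
}

// Constructed samples built from the expressions shown on this page.
const samples = [
  'window[(10+1+3).toString(32)+(20+1+10).toString(32)+(10).toString(32)+(21).toString(32)]("1+1")',
  'window[atob("ZXZhbA==")]("1+1")',
  'window["document"].title',
];
for (const s of samples) console.log(foldStrings(s), "=>", findHiddenCalls(s));
```

Searching the folded output for "eval" works again, which is why a plain-text search on the original source is not a sufficient check.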