JavaScript DeObfuscator - Free Online Tool

JavaScript DeObfuscator decodes \xNN, \uNNNN, and \u{NNNN} escape sequences in your JS — both inside string literals and inside identifier characters — then reformats the result so you can actually read what the code does.

Deobfuscate JavaScript

Reformat with beautifier after decoding

Obfuscated JavaScript

Readable JavaScript

What is JavaScript DeObfuscator?

JavaScript DeObfuscator is a free, browser-based tool that takes obfuscated JavaScript and produces a readable, properly formatted equivalent. It decodes every common escape sequence used by simple obfuscators — \xNN hex escapes, \uNNNN unicode escapes, and \u{NNNN} extended unicode escapes — and then runs the result through the same beautifier we publish as a standalone tool.

JavaScript DeObfuscator is most useful when you encounter a script that looks unreadable but you suspect was produced by a casual obfuscation pass rather than a heavy production minifier with control-flow flattening. The most common case is encoded string literals: a function that calls `fetch("\x68\x74\x74\x70\x73://example.com")` becomes readable as `fetch("https://example.com")` after one pass through the tool.

Typical users are security engineers reviewing third-party tags, developers reverse-engineering a script they wrote some time ago without source maps, and educators showing the symmetry between obfuscation and deobfuscation as cryptographic friction rather than security. Because the tool runs entirely on your device, the scripts you decode never leave the browser.

How to Use This JavaScript DeObfuscator

Paste the obfuscated JavaScript into the input textarea. Snippets with \xNN or \uNNNN escape sequences inside strings or identifiers are the primary target.
Decide whether to reformat the decoded output. Reformatting runs the beautifier afterwards so the result reads like normal code; turning it off keeps the structure of the obfuscated source.
Click Deobfuscate. The tool walks the input, decodes every escape sequence inside strings and identifiers, and emits the result.
Read the decoded output. Encoded strings become readable words, and identifier escape sequences become normal variable names.
Click Copy to send the decoded JS to your clipboard, then paste it into your editor or audit notes.
Use Clear when you want to decode another snippet so the input, output, and error states reset together.
For deeply obfuscated production code that uses control-flow flattening or dead-code injection, this tool will help only with the surface layer; deeper analysis requires dedicated reverse-engineering work.

Why Use This JavaScript DeObfuscator?

Turns escape-encoded string literals like "\x68\x65\x6c\x6c\x6f" back into readable text such as "hello".
Decodes unicode-escaped identifier characters (\uNNNN) so variable names become normal words again.
Reformats the decoded output with the standard beautifier so the result reads like maintained source.
Runs locally in your browser, so the scripts you investigate never leave the device during analysis.
Pairs with JavaScript Beautifier and JavaScript Obfuscator on the same site for a complete round-trip workflow.
Provides a quick first pass for security review or code archaeology before deciding whether deeper reverse engineering is needed.

When to Use JavaScript DeObfuscator

Reviewing a third-party analytics tag that uses encoded strings to hide its endpoints from view-source.
Recovering the structure of a script you wrote and obfuscated some time ago without keeping the readable source.
Auditing a JavaScript bookmarklet to confirm it is safe to use before pasting it into your browser.
Decoding sample obfuscated scripts in a CTF or training challenge to access the underlying logic.
Investigating a piece of JavaScript shared in a chat or forum that looks unreadable but is suspected to be a simple obfuscation.
Teaching the symmetry between obfuscation and deobfuscation in a workshop or class.

JavaScript DeObfuscator Features

Hex escape decoding (\xNN)

Every \xNN escape sequence is decoded to its character equivalent, both inside string literals and inside identifiers where JavaScript syntax allows.

Unicode escape decoding (\uNNNN)

Standard \uNNNN escapes are decoded to their corresponding characters. The tool also handles the extended \u{NNNN} syntax introduced in ES6 for code points beyond the BMP.

Identifier normalisation

When variable or function names are encoded as \uNNNN sequences (a common JavaScript-syntax trick), the decoder normalises them back to readable identifiers.

Built-in reformat

After decoding, the tool runs the result through the same beautifier we publish as a standalone tool. The output is properly indented and easy to scan.

Preserves string semantics

Characters that already require escaping (like quotes inside the same-quote string) are re-escaped after decoding, so the output remains valid JavaScript.

Local-only processing

All decoding happens in your browser. Scripts you investigate are never uploaded, which matters when reviewing third-party or potentially malicious code.

How simple JavaScript obfuscation works (and how decoding reverses it)

JavaScript syntax allows characters inside string literals to be expressed in several forms: a literal character, a hex escape (\xNN), a 4-digit unicode escape (\uNNNN), or an extended unicode escape (\u{NNNN}). All four forms are equivalent at parse time, which means a string like "hello" can be written as "\x68\x65\x6c\x6c\x6f" without changing its value. Simple obfuscators take advantage of this by rewriting every printable character in every string as an escape sequence.

Identifiers receive the same treatment. JavaScript allows a variable name to be written with unicode escapes — `foo` and `\u0066\u006f\u006f` reference the same variable. Naive obfuscators rewrite identifier characters this way so that variable and function names no longer look like words to a casual reader.

JavaScript DeObfuscator reverses both transformations. It walks the source token by token, converts escape sequences back to their character equivalents inside string literals, normalises unicode-escaped identifiers, and then runs the cleaned output through the beautifier. The result is a properly formatted, readable version of the original code — useful for security review, audit, or simply understanding code without source maps.

Decision Guide

Best for

Security engineers reviewing third-party tags and bookmarklets.
Developers recovering scripts without source maps.
CTF and training participants working through obfuscation challenges.

Avoid when

The source uses control-flow flattening or aggressive transformations beyond escape encoding.
You need to run the decoded result — only execute decoded code in a sandboxed environment.

Example

Decode an obfuscated string

Input

fetch("\x68\x74\x74\x70\x73://example.com")

Output

fetch("https://example.com")

JavaScript DeObfuscator Best Practices

Verify recovered code still parses

Some aggressive obfuscators add control-flow tricks that this tool will not reverse. After decoding, paste the result into a parser (or your editor) to confirm it still parses cleanly.

Combine with beautify and minify round-tripping

For maximum readability, run DeObfuscator first, then Beautifier, then optionally Minifier on the readable result if you need to ship it.

Treat decoded malware with care

If you are decoding code suspected to be malicious, run the analysis in a sandbox VM or isolated browser profile. Decoded strings can include URLs and command-and-control endpoints that you do not want to visit accidentally.

Keep your own decoded copy for audits

When auditing a third-party tag, save both the obfuscated and decoded forms. The decoded form is easier to share with reviewers; the obfuscated form is the artifact you should reference in the bug or finding.

Use as a first pass, not a final answer

Some obfuscators also encode property accesses through string lookups (obj["\x66\x6f\x6f"]). DeObfuscator decodes the strings; you still have to recognise the pattern to fully restore intent. Treat the tool as a productivity boost, not a complete reverse-engineering solution.

Troubleshooting

Output still has \uNNNN sequences.

Some sequences are inside template literals or comments that the decoder preserves verbatim. Copy the relevant substring into a fresh run for further decoding.

My code still looks unreadable.

It is likely obfuscated with control-flow flattening or string-array lookups, not just escapes. Manual reverse engineering is required from this point.

Common deobfuscation goals

Endpoint discovery in third-party scripts

Marketing tags often encode their network endpoints. Decoding makes the URLs visible so you can decide whether to allow the script and whether it complies with your privacy policy.

Reading a script you wrote long ago

Without a source map or the original file, an obfuscated bundle is unreadable. The tool gives you a first pass at recovering structure before manual reverse engineering.

Reviewing a suspect bookmarklet

Bookmarklets that look like noise can be inspected after decoding. The decoded form often reveals whether the script does what it claims or something else.

CTF and training challenges

Obfuscation is a common entry-level CTF mechanic. The tool reverses the obvious layer so the underlying puzzle becomes accessible.

Educational comparison

Teaching obfuscation alongside deobfuscation makes clear how reversible the technique is and why it should not be used as a security control.

FAQs

Will this decode any obfuscated JavaScript?

It decodes the most common escape-based obfuscation: \xNN, \uNNNN, and \u{NNNN} sequences. It does not reverse control-flow flattening, dead-code injection, runtime self-defending, or string-array packing produced by aggressive obfuscators like javascript-obfuscator with full features turned on.

Is the decoded code guaranteed to be valid JavaScript?

Yes. The decoder only replaces escape sequences with their character equivalents in places where JavaScript syntax allows it (string literal contents, identifier characters). The output is still parseable as JavaScript.

Does the tool send the script to a server?

No. All decoding happens in your browser. The scripts you investigate — including potentially malicious code — never leave the device during analysis.

How is this different from JavaScript Beautifier?

The beautifier only reformats whitespace; it does not decode escape sequences. DeObfuscator decodes the escapes first and then reformats. For unencoded but minified code, the standalone Beautifier is the right tool; for escape-encoded code, this one is.

Can I run this on production code that I do not own?

Decoding code is generally legal for personal review, security analysis, and academic study. Redistributing the decoded result may be restricted by the licence of the source. When in doubt, consult a lawyer.

Why does my output still look obscure after decoding?

Some obfuscators do more than encode strings — they replace identifier names with random short letters, introduce dead code, or use string-array lookups. This tool handles the encoding layer; deeper obfuscation requires dedicated reverse-engineering work.

Can I disable the reformat step?

Yes. Turn off "Reformat with beautifier after decoding" if you only want the decoded characters without the surrounding indentation changes. This is useful when you need to keep the line structure for audit purposes.

Is decoding malware safe?

Pasting code into the tool is safe — it never executes the script. Avoid actually running the decoded result on your real machine; visit any extracted URLs only from a sandboxed environment.

JavaScript DeObfuscator turns escape-encoded code into readable JavaScript in one click — useful for security review, audit, and recovering scripts you lost the original source for.

Javascript Obfuscator

Live

Obscure JavaScript by encoding string literals and identifiers into escape sequences.

JavaScript Beautifier

Live

Format and indent minified JavaScript for reading, auditing, and debugging.

JavaScript Minifier

Live

Compress JavaScript by removing comments and unnecessary whitespace.

Base64 Decode

Live

Decode Base64 strings back to readable text.