Decode this strange Javascript

Question

I came across this code in a .js file. What is this code ??

I have downloaded that file onto my localhost webserver.Keeping this code in the .js file redirects me to google.com and when i am commenting this code the page runs perfectly !!

I can understand that this is done to enforce that the page is to be executed from a server link only !!!

How can i decode this js ???

[]['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'](self['\x75\x6e\x65\x73\x63\x61\x70\x65']('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29'))()

Answer 1

Python happens to use the same way of encoding, so I just threw it at a Python shell.

>>> '\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'
'constructor'
>>> '\x75\x6e\x65\x73\x63\x61\x70\x65'
'unescape'
>>> import urllib
>>> urllib.unquote('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29')
"if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}else(location.href='http://www.google.com')"

So this code boils down to (adding whitespace for clarity):

[]['constructor']['constructor'](
  "if (~location.protocol.indexOf('http:') &&
       ~location.host.indexOf('template-help.com'))
     {}
   else
     (location.href='http://www.google.com')")()

So what does this actually do? Node.js to the rescue:

> [].constructor
[Function: Array]
> [].constructor.constructor
[Function: Function]
> 

So [] is simply an empty array, [].constructor gives us the array constructor (which is a Function object), and finally, [].constructor.constructor gives us the constructor of the Function object. That constructor accepts a string containing some code, and turns it into a callable function, that then gets called (note the () at the very end). So this eventually just executes this code:

if (~location.protocol.indexOf('http:') &&
    ~location.host.indexOf('template-help.com'))
  {}
else
  (location.href='http://www.google.com')

Yeah, if I wrote code like that, I'd obfuscate it too! ;)

Answer 2

Try this...

<html>
<head>
<script type="text/javascript">
var a="[]['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72']['\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72'](self['\x75\x6e\x65\x73\x63\x61\x70\x65'](" + unescape('%69%66%28%7e%6c%6f%63%61%74%69%6f%6e%2e%70%72%6f%74%6f%63%6f%6c%2e%69%6e%64%65%78%4f%66%28%27%68%74%74%70%3a%27%29%26%26%7e%6c%6f%63%61%74%69%6f%6e%2e%68%6f%73%74%2e%69%6e%64%65%78%4f%66%28%27%74%65%6d%70%6c%61%74%65%2d%68%65%6c%70%2e%63%6f%6d%27%29%29%7b%7d%65%6c%73%65%28%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%27%29') + "))()";
</script>
</head>
<body>
<input type=button value=click onclick="javascript:alert(a);">
</body>
</html>

The answer, as already pointed out, is...

[]['constructor']['constructor'](self['unescape'](if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}else(location.href='http://www.google.com')))()

Answer 3

It is doubly-coded, first as %nn URL-style characters, then as \xnn string characters. It decodes to

[]['constructor']['constructor'](
  self['unescape']('
    if(~location.protocol.indexOf('http:')&&~location.host.indexOf('template-help.com')){}
    else(location.href='http://www.google.com')
  '))()

Note that the quotes no longer nest properly after decoding, and the ['unescape'] has already been done.

Answer 4

That js file you are talking about is a piece of js code that http://templates.entheosweb.com/ uses to secure it's web scripts and themes from being stolen from their website. Wherever you got that file means that the theme or files it was included with was stolen from that website.