HTML Deobfuscator

How to Use the HTML Deobfuscator

1. Paste Obfuscated Code: Copy the obfuscated HTML or JavaScript into the input textarea. This can be Base64-encoded payloads, unicode-escaped strings, eval(atob()) wrappers, or hex-escaped content.
2. Deobfuscate: Click "Deobfuscate" for automatic detection — the tool tries multiple decoding strategies (eval/atob unwrapping, unicode unescaping, hex decoding, Base64 detection) and applies the appropriate one.
3. Base64 Only: Click "Base64 Decode Only" if you know the input is pure Base64 and want a direct decode without other transformations.
4. Review & Copy: The decoded output appears with a badge showing which method was used (e.g., "eval(atob()) Unwrapped", "Base64 Decoded"). Click "Copy" to copy the clean result.

Technical Overview & Use Cases

This deobfuscator applies a cascade of decoding techniques: it first detects eval(atob('...')) patterns (the most common obfuscation wrapper), then tries standalone atob() calls, then raw Base64 strings, and finally processes unicode escapes (\u0041), hex escapes (\x41), and escape sequences (\n, \t). The output is auto-beautified by inserting line breaks after semicolons and braces to improve readability. This multi-pass approach handles layered obfuscation common in phishing pages and malicious scripts.

Real-world use cases:

• Malware analysis: Decode suspicious email attachments, phishing page sources, or injected JavaScript to understand what malicious code actually does before it executes.
• Web security research: Reverse-engineer obfuscated scripts found in compromised websites to identify data exfiltration endpoints, C2 servers, or credential harvesting logic.
• Code recovery: Decode obfuscated source code from websites that use tools like phpkobo, JScrambler, or custom eval() wrappers to hide their implementation.

Privacy & Security Guarantee

This tool is part of the FAK LAB ecosystem, founded by Faizan Ahmad Khan Khichi. All deobfuscation runs 100% in your browser. Suspicious code you paste is decoded locally — it is never executed (no eval() is actually called) and never transmitted to any server. This means you can safely analyze potentially malicious code without risk of execution or data leakage. The tool only performs string transformations.

Frequently Asked Questions

Does the tool actually execute the obfuscated code?

No. The deobfuscator uses regex pattern matching and string decoding — it never calls eval() or executes any part of the pasted code. This is critical for safe malware analysis. The code is treated purely as text data, decoded through string operations, and displayed as readable output.

Can it decode multi-layered obfuscation?

The tool handles single-layer obfuscation effectively (Base64, eval/atob, unicode escapes). For multi-layered encoding (e.g., Base64 inside eval inside another Base64 wrapper), run the output through the tool again — each pass peels one layer. Professional-grade obfuscators (like JScrambler or Obfuscator.io) may require specialized AST-based deobfuscation tools.

What types of obfuscation does it handle?

It handles: eval(atob('...')) wrappers, raw Base64 strings, \uXXXX unicode escapes (common in Asian-character obfuscation), \xXX hex escapes, HTML entity escapes, and escape sequence normalization. It does NOT handle: control flow flattening, dead code injection, variable renaming, or string array rotation — those require AST analysis.