I can't decrypt it.

Please advise me.

javascript code

var _$_5e56=["\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D","\x69\x6E\x64\x65\x78\x4F\x66","\x75\x72\x6C","\x69\x64","\x6D\x75\x6B\x61\x2E\x6F\x70\x65\x6E\x28\x29","\x65\x78\x65\x63\x75\x74\x65\x53\x63\x72\x69\x70\x74","\x74\x61\x62\x73","\x73\x68\x6F\x77","\x23\x6E\x6F\x74\x2D\x66\x62\x2D\x70\x61\x67\x65","\x71\x75\x65\x72\x79","\x72\x65\x61\x64\x79"]

$(document)[_$_5e56[10]](function()
{
    chrome[_$_5e56[6]][_$_5e56[9]]({active:true},function(a)
    {
        if(a[0][_$_5e56[2]][_$_5e56[1]](_$_5e56[0])!= -1)
        {
            chrome[_$_5e56[6]][_$_5e56[5]](a[0][_$_5e56[3]],{code:_$_5e56[4]})
        }
        else 
        {
            $(_$_5e56[8])[_$_5e56[7]]()
        }
dr jimbob
Karnaugh
  • Flagging as off topic because "This question does not appear to be about Information security within the scope defined in the help center.". – cremefraiche Feb 18 '16 at 02:56

1 Answer

This code isn't encrypted, though it is slightly obfuscated. The first line of the code:

var _$_5e56=["\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D","\x69\x6E\x64\x65\x78\x4F\x66","\x75\x72\x6C","\x69\x64","\x6D\x75\x6B\x61\x2E\x6F\x70\x65\x6E\x28\x29","\x65\x78\x65\x63\x75\x74\x65\x53\x63\x72\x69\x70\x74","\x74\x61\x62\x73","\x73\x68\x6F\x77","\x23\x6E\x6F\x74\x2D\x66\x62\x2D\x70\x61\x67\x65","\x71\x75\x65\x72\x79","\x72\x65\x61\x64\x79"]

simply defines an array of strings by using hex-encoded ASCII. (E.g., \x66 is f, etc.). Thus that line simplifies to

_$_5e56 = ["facebook.com", "indexOf", "url", "id", "muka.open()", "executeScript", "tabs", "show", "#not-fb-page", "query", "ready"].

The variable name _$_5e56 is a tad odd, so I'm just going to rename it arr for array. Then the rest of the script is (after adding a few characters that appear to have been forgotten by the OP):

$(document)[arr[10]](function()
{
    chrome[arr[6]][arr[9]]({active:true},function(a)
    {
        if(a[0][arr[2]][arr[1]](arr[0])!= -1)
        {
            chrome[arr[6]][arr[5]](a[0][arr[3]],{code:arr[4]})
        }
        else 
        {
            $(arr[8])[arr[7]]()
        }
    })})

If we then perform the substitutions of the various values of arr:

$(document)["ready"](function()
{
    chrome["tabs"]["query"]({active:true},function(a)
    {
        if(a[0]["url"]["indexOf"]("facebook.com")!= -1)
        {
            chrome["tabs"]["executeScript"](a[0]["id"],{code:"muka.open()"})
        }
        else 
        {
            $("#not-fb-page")["show"]()
        }
})})

Very roughly, this is using jQuery's $(document).ready to run the code inside the function when the document is run. It uses the chrome.tabs permission (specifically chrome.tabs.query) of a Chrome JavaScript extension to get all the active tabs, and then checks if the URL of the first active tab has "facebook.com" anywhere in it. (a is an array of all the active tabs, a[0] is the first active tab, a[0]["url"] is a string of the full URL of that tab, and on a string the function indexOf returns -1 if the string parameter ("facebook.com" in this case) isn't present.)

You should note that in JavaScript the more common dot notation is basically equivalent to the array lookup notation (the array lookup is slightly more general, as you can use special characters inside the string being looked up that you couldn't use in the dot notation). For example, if you have some_str defined, you can get the length or run the indexOf function on it by two methods:

> var some_str = "Hello world"
> some_str.length
11
> some_str["length"]
11
> some_str.indexOf("world")
6
> some_str["indexOf"]("world")
6

This would allow us further to simplify the code to:

$(document).ready(function() {
    chrome.tabs.query({active:true}, function(active_tabs) {
        if(active_tabs[0].url.indexOf("facebook.com")!= -1) {
            chrome.tabs.executeScript(active_tabs[0].id,{code:"muka.open()"})
        } else {
            $("#not-fb-page").show()
        }
    })
})

When facebook.com is the first active tab, it executes the script muka.open() inside that tab, otherwise it shows the DOM element with the ID not-fb-page (that may have previously been hidden). I'm not familiar with any muka javascript library; presumably this is defined elsewhere in the extension.

dr jimbob
  • How is this security related? – cremefraiche Feb 18 '16 at 07:00
  • 3
    @cremefraiche - Javascript obfuscation is very much a information security concern. Sure this particular question/code isn't particularly enlightening (no idea what `muka.open` does), but the basic gist of how to understand and translate obfuscated JS is worth understanding for anyone interested in the security of their JS-enabled browser. – dr jimbob Feb 18 '16 at 07:28
  • I didn't say it wasn't, I just asked how. – cremefraiche Feb 18 '16 at 07:57
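
The substitution steps walked through in the answer above can be done mechanically. The following is an added example, not code from the question or the answer: it decodes the string table and inlines the lookups statically, without evaluating any of the sample. The names `decodeLiteral` and `deobfuscate` are hypothetical, the handling of `\u` and single-character escapes goes slightly beyond what the page shows, and `SAMPLE` is the question's snippet with the closing `})})` that the answer restores.

```javascript
// Added example: static deobfuscation; nothing from the sample is evaluated.
const SIMPLE = { n: "\n", t: "\t", r: "\r", b: "\b", f: "\f", v: "\v", 0: "\0" };

// Decode the escape sequences of one string-literal body (text between quotes).
function decodeLiteral(body) {
  return body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (_, hex, uni, ch) => (hex || uni)
      ? String.fromCharCode(parseInt(hex || uni, 16))
      : (ch in SIMPLE ? SIMPLE[ch] : ch));
}

function deobfuscate(src) {
  // 1. Locate `var NAME=["...","...",...]` and decode each literal.
  const decl = /var\s+([\w$]+)\s*=\s*\[((?:\s*"(?:[^"\\]|\\.)*"\s*,?)*)\]\s*;?/.exec(src);
  if (!decl) return { strings: [], code: src };
  const [whole, name, items] = decl;
  const strings = [...items.matchAll(/"((?:[^"\\]|\\.)*)"/g)].map(m => decodeLiteral(m[1]));

  // 2. Inline every NAME[n] lookup as a quoted string (out-of-range stays as-is).
  const lookup = new RegExp("(?<![\\w$])" + name.replace(/[$\\]/g, "\\$&") + "\\[(\\d+)\\]", "g");
  let code = src.replace(whole, "").replace(lookup,
    (m, i) => (Number(i) < strings.length ? JSON.stringify(strings[Number(i)]) : m));

  // 3. Rewrite obj["ident"] as obj.ident where that is legal dot notation.
  code = code.replace(/(?<=[\w$)\]])\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
  return { strings, code: code.trim() };
}

// The snippet from the question, plus the closing characters the answer adds.
const SAMPLE = String.raw`var _$_5e56=["\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D","\x69\x6E\x64\x65\x78\x4F\x66","\x75\x72\x6C","\x69\x64","\x6D\x75\x6B\x61\x2E\x6F\x70\x65\x6E\x28\x29","\x65\x78\x65\x63\x75\x74\x65\x53\x63\x72\x69\x70\x74","\x74\x61\x62\x73","\x73\x68\x6F\x77","\x23\x6E\x6F\x74\x2D\x66\x62\x2D\x70\x61\x67\x65","\x71\x75\x65\x72\x79","\x72\x65\x61\x64\x79"]
$(document)[_$_5e56[10]](function(){
  chrome[_$_5e56[6]][_$_5e56[9]]({active:true},function(a){
    if(a[0][_$_5e56[2]][_$_5e56[1]](_$_5e56[0])!= -1){
      chrome[_$_5e56[6]][_$_5e56[5]](a[0][_$_5e56[3]],{code:_$_5e56[4]})
    } else {
      $(_$_5e56[8])[_$_5e56[7]]()
    }
  })})`;

const result = deobfuscate(SAMPLE);
console.log(result.strings);
console.log(result.code);
```

The decoded string table is worth reading on its own: URLs, selectors and API names such as `executeScript` show up there before any control flow has been untangled.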