 I have a modified version of SpiderMonkey that I've shown before. So SpiderMonkey is the JavaScript interpreter from Mozilla. And what I did here, so it's js.exe here on Windows. This is the folder with the files. Now if I run SpiderMonkey, I have modified some of the commands like the eval command when I do 1 plus 2. So the expression 1 plus 2 is evaluated and we see that we have a tree as a result. But if we exit and we go have a look in the folder, we see that two new files have been created, eval.log files. And those files contain the argument that was passed on to eval, so 1 plus 2. So this is something I use to debug and analyze obfuscated JavaScript that often uses eval, but also document.write and also window navigate. So those three functions I've implemented. And when you call those functions, the arguments are written to file.log. Now the new thing that I did here is that you can choose where the output goes. So it no long has to go to a log file. You can also decide to dump it as ASCII or HEX or its raw values. So let's see how this works. I start js.exe and then I select my output. And this is something I added to the document object. So it's the output property of the document object. And here we are going to say lowercase a and that means that we want an ASCII dump. So now if I do an eval, for example 1 plus, well let's do 1 plus 3 this time. The output is not written to disk, but this output here to the screen. So first of all you have the size of the string and then you have a HEX dump and an ASCII dump of the string that was passed as an argument to eval. So you have HEX dump like this with an X. Then you just get an HEX dump, an ASCII dump. And you can also select just to dump the raw output. And then you get the output here 1 plus 3. All the letters here are lowercase. You can also use uppercase letter and that has a different meaning. With uppercase letters there is no metadata like the eval size that is removed. So you just get the pure dump like this and just get the ASCII dump here. And of course if you want to have it back to file you can do this here with output F to send it back to the file like this. Now I use this to analyze obfuscated javascript like this javascript here. This sample. You can see this is a concatenation of strings and those are produced from converting a number to a character code. And in the end the string is evaluated. So we can run, well first let's delete the files here, the log files like this. So we can run javascript on this sample. We get an error and we have eval file. You see here it's up alert, hello from PDFJavascript. So that is why we got an error here. Up is not defined because the object up is not defined in this spider monkey. So this is again something we had already. Output to files. And now let's do a dump here. So I'm going to run javascript. And I'm going to pass it in a statement, document.output for an ASCII dump. And then you can pass it the sample like this. And then you see that you get the ASCII hex dump of the execution of sample.js. Of course here you can select all the output types. And the last thing that you can do, say that sample.js is inside a password protected zip file. Like this one here, sample.js.zip. Then you can use my zipdump utility to extract it and then pipe it into JS. So let's run zipdump on the sample zip. We want to dump the content of the zip file here to standard out like this. And then we pipe this into spider monkey. The spider monkey with a statement, document.output to ASCII like this. And then here just a dash to indicate that we want to parse the input from standard in. Like this here. And this way here you have analyzed obfuscated javascript script. And without that script being stored literally on disk because it is saved in a password protected zip file. And also the output is not written to disk. It is here dumped to the screen. So by doing this you can analyze obfuscated javascript scripts without having to store them on disk.