Analyzing and Removing Dead Code and Flower‑Instruction Obfuscation from JavaScript

Many developers encounter large blocks of obfuscated JavaScript that contain useless code, making reverse engineering difficult. This article guides you through understanding two common obfuscation methods—dead code and flower instructions—and shows how to systematically remove them.

Fundamentals

Dead code originally refers to code that is never executed and is removed by compilers to reduce size. Security researchers have repurposed dead code as an obfuscation technique that inflates the code size without affecting program logic, making it easy to distinguish because it never interacts with the rest of the code.

Flower instructions are a legacy anti‑disassembly technique used in malware. They insert jump or call instructions such as jmp and call into the normal execution flow, confusing static analysis tools. Unlike dead code, flower instructions are executed but do not change the program’s intended behavior, though they incur a performance penalty.

Summary

Both techniques rely on inserting large amounts of meaningless statements. By carefully observing the code structure and identifying statements that never affect global variables or program state, you can strip them away and recover the original logic.

Practical Walkthrough

We use the online tool Obfuscator.io to generate heavily obfuscated JavaScript. The configuration enables three options:

Compact code – removes line breaks, producing a dense, unreadable script.

Self Defending – inserts self‑check code that breaks the script if it is reformatted.

Dead Code Injection – adds the dead‑code we aim to eliminate.

Below is the original sample code that we feed into the tool:

// Paste your JavaScript code here
function hi() {
    console.log("Hello World!");
}
hi();

After obfuscation the output becomes a massive, compressed script that still runs correctly. The first step is to run it with Node.js to confirm it works, then attempt to format it, which typically breaks execution because the inserted dead code interferes with normal parsing.

Static analysis reveals several patterns. For example, a self‑executing function receives an array (named _0x2831 ) and a numeric seed. Inside, a helper function repeatedly shifts and pushes array elements, but this loop never influences the program’s output.

var _0x1b0e99 = function(_0x5beb46) {
    while (--_0x5beb46) {
        _0x528cba['push'](_0x528cba['shift']());
    }
};

The real logic is hidden in a single call that increments the seed and passes it to the helper:

_0x1b0e99(++_0x283138);

All other statements in the surrounding function are junk and can be removed. After pruning, the self‑executing wrapper collapses to:

(function(_0x528cba, _0x283138) {
    var _0x1b0e99 = function(_0x5beb46) {
        while (--_0x5beb46) {
            _0x528cba['push'](_0x528cba['shift']());
        }
    };
    _0x1b0e99(++_0x283138);
}(_0x2831, 0x1bf));

Further analysis of conditional branches shows that the only meaningful assignment occurs when a certain object property is undefined, leading to the final effective statement:

_0x1b0e99 = _0x1b0e['SmClCt'](_0x1b0e99, _0x283138);

Finally, the original hi function is reduced to three lines after all dead code is stripped:

function hi() {
    console[_0x1b0e('0xc', '^G6o')](_0x1b0e('0xd', 'Bi36'));
}

Running this cleaned‑up version confirms that the script executes without errors.

Conclusion

When faced with large, obfuscated code, start by identifying and removing dead code and flower instructions. The remaining logic is often only a few lines. More complex obfuscation may require automated tools and abstract syntax‑tree (AST) manipulation, so learning AST techniques is highly recommended.