Deobfuscating self-encrypted Javascript - how to check what is being executed

Question

I'm trying to 'disassemble' javascript code that is sending spam to places. It is using eval() to run parts of the code from an obfuscated string.

My question is: what can I use to check what commands are actually running through the interpreter? Trying to undo evals "by hand" is quite tedious.

Here is the code I'm struggling with:

eval(function (p, a, c, k, e, d) {
    e = function (c) {
        return (c35 ? String.fromCharCode(c + 29) : c.toString(36));
    }
    while (c--) {
        if (k[c]) {
            p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
        }
    }
    return p;
}('//loooong encrypted part here//'.split(|)))

Answer 1

Like minitech said, console.log("There is an error here").

You can check for the message by using the Javascript console. If you are on Google Chrome, Menu -> Tools -> Javascript Console. Or Ctrl Shift J.

The old, traditional method would be to use alert("Error!"). Not recommended, but you can use it if you find delight in immediate response.

Answer 2

Replace eval with console.log. Repeat.