Skip to main content

Introduction to bet365-re-js

What is bet365-re-js?

bet365-re-js is a reverse engineering project that deobfuscates the heavily obfuscated JavaScript code used by bet365.com. The project intercepts network traffic using mitmproxy and applies a series of AST (Abstract Syntax Tree) transformations to convert obfuscated code into readable, understandable JavaScript.

Why Does This Project Exist?

bet365.com employs sophisticated JavaScript obfuscation techniques to protect their client-side code. This project aims to:
  • Understand obfuscation patterns: Study real-world JavaScript obfuscation techniques used by major online platforms
  • Enable code analysis: Make it possible to analyze and understand the behavior of obfuscated code
  • Educational purposes: Demonstrate reverse engineering techniques and AST manipulation using tools like jscodeshift
  • Handle code rotation: bet365 frequently updates their obfuscated code, sometimes based on location, time, or other factors. This project maintains a CI/CD pipeline to track when changes occur
Educational Purposes OnlyThis repository is strictly for educational purposes. It is distributed as-is with no warranty expressed or implied, and no guarantee for accuracy or applicability to any purpose.

Key Features

Automated Interception

Uses mitmproxy to intercept and modify JavaScript payloads in real-time as they’re served from bet365.com

AST Transformations

Applies multiple jscodeshift transformations to deobfuscate code by manipulating the Abstract Syntax Tree

Code Rotation Handling

Tracks and handles frequent obfuscated code updates with a maintained repository of obfuscated versions

Real-time Replacement

Replaces obfuscated code with deobfuscated versions on-the-fly during browser requests

How It Works

The deobfuscation process follows these steps:
1

Intercept Network Traffic

mitmproxy intercepts HTTPS requests to bet365.com’s /Api/1/Blob endpoint where obfuscated JavaScript is served
2

Detect Obfuscated Code

The Python addon identifies obfuscated JavaScript by detecting the characteristic starting pattern: (function(){ var _0x123a=
3

Apply Transformations

Node.js executes a series of jscodeshift transformations (numbered 0-10) to deobfuscate the code, including:
  • Simplifying comma operators
  • Resolving array destructuring
  • Inlining variables
  • Removing dead code
4

Inject Deobfuscated Code

The deobfuscated code is wrapped with pre-transform and post-transform code, then sent back to the browser

Technology Stack

The project uses a hybrid Python and Node.js approach: Python Components:
  • mitmproxy: For intercepting and modifying HTTPS traffic
  • jsbeautifier: For formatting JavaScript output
  • rjsmin: For minifying JavaScript
  • playwright/pytest: For automated testing
Node.js Components:
  • jscodeshift: AST transformation framework
  • recast: JavaScript parser and code generator
  • escodegen: ECMAScript code generator
  • jest: Testing framework

Privacy & Anonymity

The owner(s) of this repository wish to remain anonymous at this stage. Support for this project is provided on a best-efforts basis.

Future Work

The project aims to expand beyond JavaScript deobfuscation:
  • Reverse engineer the “tape” data structure that controls JavaScript execution flow
  • Detect how bet365 identifies when DevTools is open
  • Detect how bet365 identifies webdriver/Playwright automation
  • Reverse engineer WebSocket protocols for more efficient data access
Even if detection methods are discovered, web scraping via WebSocket is recommended over browser automation for efficiency.

No Warranty or License

There is no license at this point, although applying GPL or MIT license in the future might be a possibility. This software is provided as-is with no warranty of any kind.

Build docs developers (and LLMs) love

Get started for freeTalk to us