Magic Decoder
Paste any encoded string and this tool auto-detects the encoding and peels it layer by layer — Base64, Base64URL, URL/percent-encoding, hex, and gzip/zlib — until it reaches readable text. Useful for CTFs, malware analysis, and "what is this string I found". Runs locally; nothing is uploaded.
How the magic decoder works
The decoder runs a small loop. On each pass it looks at the current string and tries, in order: URL / percent-decoding (if it sees %XX escapes), then hex (if the string is all hex digits and even-length), then Base64 / Base64URL — and if the Base64 decodes to bytes that start with a gzip or zlib magic number, it gunzips them too. It applies the first transform that produces valid, mostly-printable text, feeds that result back into the loop, and repeats until nothing else decodes. Paste your string above and read the final text in the output, with every layer listed under Steps.
What encodings does it detect?
The magic decoder recognises and unwraps:
- Base64 and Base64URL — standard (
+/) and URL-safe (-_) alphabets, with or without padding. - URL / percent-encoding —
%20,%3D, and other percent escapes, including double-encoded ones. - Hex — even-length strings of hex digits, decoded to their underlying bytes.
- gzip / zlib / deflate — compressed payloads hidden inside Base64, decompressed with the browser's native
DecompressionStream.
Each layer it removes is shown in the Steps list, so you can see exactly how the original string was constructed.
Decoding nested / multi-layer strings
Encoded strings are often wrapped more than once — that's the whole point of the recursion. In CTF challenges you'll routinely hit Base64 of Base64, or hex of a URL-encoded blob; obfuscated malware and phishing payloads love to stack Base64 → gzip → Base64 to slip past filters. Because the decoder feeds each result back into itself, it peels those layers automatically and stops when it reaches stable, readable text (or after a safety cap of 12 passes, with a loop guard so it never spins forever). The Steps list is effectively a decoded recipe of how the string was built.
Is this private?
Yes. Every step — detection, Base64/hex/URL decoding, and gzip decompression via the native DecompressionStream API — runs fully in your browser. Your string is processed locally and nothing is uploaded to any server. You can confirm in DevTools → Network: decoding fires no request. That matters for CTF flags, malware samples, and anything else you'd rather not paste into a remote service.
Frequently asked questions
How do I decode a string when I don't know the encoding?
Paste it into the tool above. It auto-detects by trying URL/percent-decoding, hex, and Base64 (including gzip or zlib inside), applies whichever fits, then repeats on the result. The Steps list shows which transforms were applied, so you can see how the string was built.
Can it decode multiple layers?
Yes. It runs recursively — after each successful decode it feeds the result back in and tries again, peeling nested layers like Base64 of Base64 or URL-encoded Base64 of gzip. It stops when nothing else decodes or after a safety cap, and lists every layer it removed.
What if it can't decode my string?
If no known encoding is detected it leaves the input unchanged and says so. The string may already be plaintext, or use a scheme this tool doesn't cover — a custom cipher, ROT13, or a non-standard alphabet. Reach for a dedicated tool for that specific format.
Is my data uploaded?
No. All detection and decoding, including gzip decompression, runs locally in your browser. Nothing is sent to any server, which you can verify in DevTools.
Need plain Base64 encode/decode?
The main base64.dev tool handles text, files, and URL-safe mode with auto-detect.
Open base64.dev →