
obfuscation - How to defeat deobfuscation of obfuscated javascript code? - Stack Overflow


This is a generic question

I've seen javascript on some websites which is obfuscated

When you try to deobfuscate the code using standard deobfuscators (deobfuscatejavascript, jsnice and jsbeautifier), the code is not easily deobfuscated

I know it's practically impossible to avoid deobfuscation. I want to make it really tough for an attacker to deobfuscate it

Please suggest some ways I can achieve this

Should I write my own obfuscator, then obfuscate the output with another online obfuscator. Will this beat it?

Thanks in advance

P.S: I tried google closure compiler, uglifyjs, js-obfuscator and a bunch of other tools. None of them (used individually or in combination) are able to beat the deobfuscators

asked May 13, 2016 at 18:18 by Sai Reddy
  • 1 What do you mean by attacker? Because if your code is open to attack (are you storing passwords client-side, for example) then obfuscating the JS is not going to help. – Andy Commented May 13, 2016 at 18:23
  • 2 What are you trying to defend against? Obfuscators are only good for preventing code stealing... – Eugene Sh. Commented May 13, 2016 at 18:25
  • 1 Is this really necessary? IMO minifying is the only valid use for obfuscating JS code. As you said yourself, you can't avoid deobfuscation. If you're trying to prevent people from "stealing" your source code, then stop developing for the web or make your client site static with all the important logic on the server. Lastly, as web developers or, really, as programmers in general, we have to realize that none of us are special snowflakes. Many programmers and companies (including Microsoft now!), which are far more successful than we will ever be, intentionally publish even their compiled code. – Michael L. Commented May 13, 2016 at 18:29
  • 3 Want to hide code? Keep it server-side. – Paul S. Commented May 13, 2016 at 18:36
  • 1 You may find The case for code obfuscation? over at Programmers SE interesting. The answers there pretty much say the same thing as folks here: You can slow down folks trying to read your JavaScript, but you can't make it impossible. – BSMP Commented May 13, 2016 at 18:37

4 Answers

Obfuscation can be accomplished at several levels of sophistication.

Most available obfuscators scramble (shrink?) identifiers and remove whitespace. Prettyprinting the code can restore nice indentation; sweat and lots of guesses can restore sensible identifier names with enough effort. So people say this is weak obfuscation. They're right; sometimes it is enough. [Encryption is not obfuscation; it is trivially reversed].

But one can obfuscate code in more complex ways. In particular, one can take advantage of the Turing Tarpit and the fact that reasoning about the obfuscated program can be hard/impossible in practice. One can do this by scrambling the control flow and injecting opaque control-flow control predicates that are Turing-hard to reason about; you can construct such predicates in a variety of ways. For example, including tests based on constructing artificial pointer-aliasing (or array subscripting, which is equivalent) problems of the form of "*p==*q" for p and q being pointers computed from messy complicated graph data structures.

Such obfuscated programs are much harder to reverse engineer because they build on problems that are Turing hard to solve.

Here's an example paper that talks about scrambling control flow. Here's a survey on control flow scrambling, including opaque predicates.

What OP wants is an obfuscator that operates at this more complex level. These are available for Java and C#, I believe, because building program analyzers to determine (and harness) control flow is relatively easy once you have a byte code representation of the program rather than just its text. They are not so available for other languages. Probably just a matter of time.

(Full disclosure: my company builds the simpler kind of obfuscators. We think about the fancier ones occasionally but get distracted by shiny objects a lot).

The public de-obfuscators listed by you use not much more than a simple eval() followed by a beautifier to de-obfuscate the code. This might need several runs. It works because the majority of obfuscators do their thing and add a function at the end to de-obfuscate it enough to allow the engine to run it. It is a simple character replacement (a kind of a Caesar cipher) in most cases and an eval() is enough to get some code, made more or less readable by a beautifier after that.

To answer your question: you can make it tougher ("tougher" in the sense that just c&p'ing it into a de-obfuscator doesn't work anymore) by using some kind of "encryption" that uses a password the code gets from the server after the first round of de-obfuscation and uses a relative path that the browser completes instead of a full path. That would need manual intervention. Build that path in a complicated and non-obvious way and you have a deterrent for the average script-kiddie.

In general: you need something to de-obfuscate the script that is not in the script itself.

But beware: it does only answer your question, that is, it makes it impossible to de-obfuscate by simple c&p into one of those public de-obfuscators and not more. See Ira's answer for the more complex stuff.

Please be aware of the reasons to obfuscate code:

  • hide malicious intent/content
  • hide stolen code
  • hide bad code
  • a pointy haired boss/investor
  • other (I know what that is, but I am too polite to say)

Now, what do the people think, if they see your obfuscated code? That your investor insisted on it to give you money to write that little browser game everyone loves so much?
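Added example, not part of the answers on this page: a sketch of the eval()-capture step the answer above attributes to public de-obfuscators, run over a constructed sample. The `pack` helper, the sample payload and the `serverKey` name are assumptions made for the illustration; the second call shows where automated unpacking stops when the decoding value is not in the script.

```javascript
// Constructed sample packer: shifts every character by `shift` and emits a
// stub that undoes the shift and passes the result to eval(). `shiftExpr`
// is the expression the stub uses for the shift (default: the literal).
function pack(source, shift, shiftExpr = String(shift)) {
  const shifted = source.split('').map((c) =>
    String.fromCharCode(c.charCodeAt(0) + shift)).join('');
  return 'eval(' + JSON.stringify(shifted) +
    '.replace(/[\\s\\S]/g,function(c){return String.fromCharCode(' +
    'c.charCodeAt(0)-(' + shiftExpr + '))}))';
}

// Peel eval() layers without executing the payload. A Function parameter
// named `eval` shadows the real eval inside the stub, so the decoded text
// is captured instead of run. The stub itself still executes in-process:
// analyse untrusted samples only inside an isolated environment.
function unpack(packed, maxLayers = 10) {
  let code = packed, layers = 0, stalled = null;
  while (layers < maxLayers && /\beval\s*\(/.test(code)) {
    let captured = null;
    try {
      new Function('eval', code)((text) => { captured = String(text); });
    } catch (err) {
      stalled = err.message; // the stub needs a value that is not in the script
      break;
    }
    if (captured === null) break; // eval is mentioned but was never called
    code = captured;
    layers++;
  }
  return { code, layers, stalled };
}

// Constructed inputs for the demonstration.
const original = 'var answer = 6 * 7;';
const twoLayers = pack(pack(original, 3), 5);
const needsKey = pack(original, 3, 'serverKey'); // hypothetical external value

console.log(unpack(twoLayers)); // both layers peeled, original text recovered
console.log(unpack(needsKey));  // stalls: the shift is not in the script
```

The recovered text would then go through a beautifier; the `stalled` message tells an analyst which external value has to be obtained by hand before unpacking can continue.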

JavaScript is interpreted from clear text by your browser. If a browser can do it, so can you. It's the nature of the beast. There are plenty of other programming languages out there that allow you to compile/black box before distribution. If you are hell-bent on protecting your intellectual property, compile the server side data providers that your JavaScript uses.

No JavaScript obfuscation or protection can say it makes it impossible to reverse a piece of code. That being said there are tools that offer a very simple obfuscation that is easy to reverse and others that actually turn your JavaScript into something that is extremely hard and unfeasible to reverse. The most advanced product I know that actually protects your code is Jscrambler. They have the strongest obfuscation techniques and they add code locks and anti-debugging features that turn the process of retrieving your code into complete hell. I've used it to protect my apps and it works, it's worth checking out IMO
