JS script obfuscation and encryption discussion page 1/2

Source: Internet
Author: User
Tags javascript obfuscator

It's the New Year! Let's study a special topic that many of you care about. If you are interested, please join in enthusiastically.

First of all, let me start things off myself.

"Obfuscation" and "encryption" are both intended to enhance code security, prevent arbitrary access to the code, and protect resources to a certain extent.

Please note that in the title of this topic I have combined the concepts of "obfuscation" and "encryption". The focus is on the purpose: from a practical perspective, we do not subjectively reject any means. All obfuscation techniques reduce the readability of the code. With all encryption techniques, the code is executed only after it has been restored through a decryption computation.

However, discussing "obfuscation | encryption" together does not mean that we should confuse the concepts. To keep the later discussion from drifting off topic because of unclear concepts, the scope here does not include the encode format of code (<script language="JScript.Encode">). This is neither "obfuscation" nor "encryption" but "encoding". The corresponding decoding process is well known in the industry, so it has little protective value; at most it costs one extra step. Of course, we can treat it as the last step of "obfuscation | encryption", to block people who do not know it or to make people who do know it spend one more step. Similarly, you can simply use the escape or encodeURI method for encoding. Using these encoding methods as one step is, of course, understandable.

The ideal "obfuscation | encryption" should have the following features:
1. There is no fixed pattern for cracking it;

2. It is difficult to write an automated cracking program (it can only be cracked manually);

3. The cracking process is cumbersome and time-consuming;

4. The "obfuscation | encryption" code is shorter than the original code.
It is easy to imagine that without the 4th restriction the first three are easy to achieve: just frantically add characters unrelated to the executed part of the code.

The above four are the most basic requirements. As for "confusing people subjectively", it can be regarded as one way of implementing item 3. Restoring code readability may be one of the main tasks in the cracking process.

Next, I hope everyone can summarize the existing "obfuscation | encryption" techniques to serve as a basis for further research. Any individual's knowledge is always limited. Only by brainstorming together can we truly make breakthroughs and create a classic.

I have seen "obfuscation | encryption" techniques like these:

1. Remove indentation, blank lines, line breaks, and comments

This is the most basic means of obfuscation, almost too basic. It shortens the code. Restoring line breaks at each ";" is the most common way to undo it.

2. Replace variable names

Replace all variable names in the JavaScript file with random character combinations so that they are no longer self-describing, which interferes with reading.

There are two replacement methods: "shorten" and "scramble".

For example, http://pub.idr.gov.cn/dujid/projects/jsdisturber/ is of the "scramble" kind.

There is a program called Javascript Obfuscator, which can be found on download sites large and small. You may have used it too.

Obfuscators of this type have many parameters that can be set. We don't know whether to laugh or cry.

This technique is more effective for long and complex code, because it makes already obscure code even harder to understand. For short code, however, it has no protective value. There is no fixed cracking pattern, but if you replace the "shortened" or "scrambled" variable names with regular names, the readability of the code can be restored, even though the self-describing nature of the original names cannot.

3. Reference JS keywords using custom variable names

For example, var d = document;

All occurrences of the keyword in the code that follows are then replaced by "d".

This technique can shorten the code. To restore it, replace in the opposite direction.

4. Insert large runs of blank characters so that the code is spread far apart, which interferes with reading.
The blank character added here is generally \x00 rather than an ordinary space (\x20).

The code is as follows:

<H e a d>

<M e t a h t p-e q u I v = "C on t e n t-L a n gu ag e" c o n t e n t =" z h-c n ">

<Me t a h t p-e q ui v = "C o nt e n t-Ty p e" co n t e n t = "t ex t/h t m l; c h a r s e t = g B 2 3 1 2 ">

<T I t l e> Web page Hybrid Routing </t I t l e>
<Met a n a me = "g e n e r a t o r" co nt e n t = "Mi c r o so f t Fron tP a g e 4. 0 ">

<Me t a n a m e = k e y w o r d s c on t e n t = "">

<M et a n a m e = "d e s c r I p ti o n" co n te n t = "Web page obfuscation">

<M e t a h t p-e q u I v = "r e f r e s h" c o nt e n t = "8; ur l = h t tp: // s a ge. 6 8 a B. c o m ">

<S t y l e> {

F o n t-s I Z E: 1 2 p x; C O LO R: #0 0 0 0 0 0; t ex t-d e c o r a t I ON: n o n e

}

A: h o v e r {

C o l or: # f c 0 0

}

A. B l u e {
C o l o r: d a r k B l u e

}

B o d y, p, td {

F o nt-s iz e: 1 2 p x
} </S t y l e>

</He a d>

<B o d y s t y l e = "B o r d e r-r ig h t: # c 1 px so l I d; B o r d e r-t o p: #0 0 00 0 1 p x s o l I d; m a r g I N: 0 p t; o v e r f l o w: h I dde n; B o r d e r-l e ft: # c cc c 1 p x s o l I d; bo r d e r-B O T O M: # c cc c 1 p x s o li d "B g c o l o r =" # F1 F 2 F 4 "le f t M a r g in =" 0 "t o p M ar g I n =" 1 0 ">

<D I v a l I g n = "ce n t e r">

<C e n te r>

<P> </p>

<P> </p>

<T a B l e B o r d e r = "1" ce l p a d I ng = "0" c e l s p a c I n g = "0" s t y l e = "B o r d e r-c o l a p se: c o l a p s e; B o r d e r-s t y l e: d o t e d; bo r d e r-w idth: 1 "B o r d e r c o l o r =" #0 0 0 0 0 "w I d t h =" 6 1 0 "h e I g h t = "2 8 8" I d = "A u toN u m B e r 1">

<T r>

<Td w I d t h = "6 1 0" he I g h t = "2 0" B g c o l o r = "#4 A 4 A 4">

<P a l I g n = "c en t er"> <f o n t c o l o r = "# f ff"> & n B s p; "mixed web pages 』

</F on t> </p>

</T d>

</T r>

<Tr>

<T d wid t h = "6 1 0" h ei gh t = "2 5 2" B g c o l o r = "# F1 F 2 F 4" v l I g n = "t o p"> <B r>

& N B s p; & n bs p; mixed network page (<a h r e f = "htt p: // s a g e. 6 8 a B. c o m "> h t p: // s a g e. 6 8 a B. c o m </a>) <B r>

<P> & n B s p; & nb sp; <a> </a> <I> <a h r e f = "h t p: // s a g e. 6 8 a B. c o m "> Web page Hybrid Routing <f o n t s I ze =" 2 "> <B> <f o n t c o l o r =" # F 0 0 0 0 ">! </F o n t> <f o n t c o l o r = "# F 0 0">! </F o n t> <f o n t c o l o r = "#0 0 9 a c e">! </F o n t> </B> </f o n t> </a> </I> </p>

</T d>

</T r>

<T r>

<T d w I d t h = "6 1 0" he I gh t = "1 6" B g c o lo r = "# F 1 F 2 F 4" B o r de r c o l o r = "#0 0 8 0 0 0"> <m ar q ue e o n m ou s e o v e r = "t h I s. s t o p () "on m o u s e o u t =" th is. s t a r t () "SC r o l a m o u n t =" 5 0 "s c r o l d e l a y =" 1 00 "B e h a v I o r = "s l I d e" l o p = "1">

<A h r e f = "h t p: // s a g e. 6 8 a B. c o m "> h t p: // s a g e. 6 8 AB. c o m & n B s p </a> & n B s p; & n B sp; & n B s p; & n B s p; & nb s p; & n B sp; & n B s p; & n B sp; & n B s p; & n B s p; & n bs p;

</M a r q u e> </t d>

</T r>

</T a B l e>

<P> & n B s p; </p> </ce n t e r>

</D I v>

</B o dy>

</Ht ml>

To restore it, remove the unnecessary blank characters in bulk.
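The reversals described for techniques 1, 3 and 4 (restoring line breaks at ";", substituting aliased names back, and removing \x00 padding in bulk), chained in one pass as an added example that is not part of the original post. The function names and the sample input are constructed for illustration; the line-break pass does not handle regex literals, comments or template strings.

```javascript
// Constructed input: minified, aliased (var d=document) and padded with \x00.
const SAMPLE =
  'var d=document;\x00\x00for(var i=0;i<3;i++){d.write("a;b");}\x00d.title="x";';

// Technique 4: drop the \x00 padding in bulk.
function stripNulPadding(src) {
  return src.replace(/\x00+/g, '');
}

// Technique 3: find "var <alias>=document;" (or window) and substitute the real name back.
// Regex-based, so a match inside a string literal would be rewritten as well.
function expandAliases(src) {
  const decl = /\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(document|window)\s*;/g;
  let out = src;
  for (const [, alias, target] of src.matchAll(decl)) {
    // Rewrite the alias only where it is used as an object: "d." or "d["
    const name = alias.replace(/\$/g, '\\$');
    const use = new RegExp('(?<![.\\w$])' + name + '(?=\\s*[.\\[])', 'g');
    out = out.replace(use, target);
  }
  return out;
}

// Technique 1: break after ';', '{' and '}' only outside string literals and
// outside parentheses, so "a;b" and for(;;) headers stay on one line.
function restoreLineBreaks(src) {
  let out = '', quote = null, parens = 0;
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    out += ch;
    if (quote) {
      if (ch === '\\') out += src[++i] ?? '';   // copy the escaped character verbatim
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '(') parens++;
    else if (ch === ')') parens--;
    else if (parens === 0 && (ch === ';' || ch === '{' || ch === '}')) out += '\n';
  }
  return out.trimEnd();
}

function restoreReadability(src) {
  return restoreLineBreaks(expandAliases(stripNulPadding(src)));
}

console.log(restoreReadability(SAMPLE));
```

A naive split on every ";" would break the string "a;b" and the for header, which is why the pass tracks quotes and parentheses.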

5. Smokescreen method

There are also two types:

One is to add characters irrelevant to the code function by using [\], [", '], and variable definition statements;

The other is to add operation statements irrelevant to the code function.

The following is a comprehensive example. It is from an old post in my favorites, but the code does not seem complete and cannot be run. It conveys the idea, though.

Undoubtedly, from an obfuscation perspective, this technique can effectively protect relatively short code, because it increases the length and complexity of the code. Of course, increasing the length is an unavoidable cost. If the original code is already long, the obfuscated result may become intolerable.

6. Encrypt the original code and attach the decryption code.

The code is decrypted at run time and then released for execution through document.write(), eval(), or innerHTML.

For this type, the encryption and decryption may be made complicated and obfuscated. However, all of this is just like the line sung in "Dream of Red Mansions", because the last step, which releases the code for execution, usually operates on plaintext code with no obfuscation at all. This brings to mind the well-known "barrel principle": just as the capacity of a bucket made of wooden staves depends on the shortest stave, the protection strength of code encryption depends on its weakest link.

When cracking, you only need to change the code in the last step. Who cares how sophisticated and complex the rest of the process is?

The following is an example:

Here, I randomly added a textarea named kc to the webpage and changed document.write(xxx) to kc.value = xxx. Therefore, the code is not executed when it is finally released after decryption, but is written directly into the textarea.

<meta name="Encoder" content="cirock"> <textarea name="kc" style="background: #EEEEEE; width: 800px; height: 600px; overflow: auto"> <br/> <noscript><b>Delete the rough remarks of the author on the original page</b></noscript> <p>
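The approach described above (replace the final release step so that the decrypted code is captured as text instead of executed), as an added example that is not part of the original post. The packed sample, its +3 character shift and all function names are constructed for illustration, and the loop goes one step beyond the text by peeling nested layers; `new Function` is used only to shadow `eval` and `document` and is not an isolation boundary.

```javascript
// Constructed sample builder: stores the payload with each char code shifted by +3,
// decodes it at run time and releases it through eval(), as in technique 6.
function buildPackedSample(plain) {
  const shifted = Array.from(plain, (c) => c.charCodeAt(0) + 3);
  return 'var k=[' + shifted.join(',') + '],s="";' +
    'for(var i=0;i<k.length;i++)s+=String.fromCharCode(k[i]-3);eval(s);';
}

// Run one layer with the release sinks replaced by recorders, so the decoded
// code is captured as text. The decoder itself still runs in this process.
function captureReleasedCode(packedSource) {
  const captured = [];
  const record = (sink) => (code) => { captured.push({ sink, code: String(code) }); };
  const fakeDocument = {
    write: record('document.write'),
    writeln: record('document.writeln'),
  };
  // The parameters shadow the real document and eval inside the sample.
  const run = new Function('document', 'eval', packedSource);
  run(fakeDocument, record('eval'));
  return captured;
}

// Peel nested layers: keep unpacking while the last eval() release still calls eval().
function unpackLayers(packedSource, maxLayers = 5) {
  const layers = [];
  let current = packedSource;
  for (let depth = 0; depth < maxLayers; depth++) {
    const released = captureReleasedCode(current).find((r) => r.sink === 'eval');
    if (!released) break;
    layers.push(released.code);
    if (!/\beval\s*\(/.test(released.code)) break;   // innermost layer reached
    current = released.code;
  }
  return layers;
}

// Constructed payload, packed twice.
const ORIGINAL = 'var greeting = "hello"; document.write(greeting);';
const twoLayers = buildPackedSample(buildPackedSample(ORIGINAL));
const layers = unpackLayers(twoLayers);
console.log(layers.length, layers[layers.length - 1]);
```

However elaborate the decoder is, the recorder sees the same plaintext that the real eval() would have received.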
