Javascript code obfuscation solution-Javascript online obfuscators

Source: Internet
Author: User
Tags net hash uppercase character

Source: javascriptOnlineObfuscator

Objective of Javascript code obfuscation

Javascript is a script language for interpretation and execution. It is mainly used in browsers of clients in the Web field. Due to the characteristics of Javascript interpretation and execution, the Code must be downloaded to the client in plain text, debugging is easy, making it very difficult to protect Javascript code;

Different people have different opinions on the protection of Javascript code. Some people who work hard on the code can be easily obtained by competitors, and they hope to have a solution to protect Javascript code, however, the existing scheme may not meet their requirements. Many people think that the Javascript language is very simple, and Javascript code has no protection value. It may be that their code is indeed simple, or they don't know the powerful functions of the Javascript language. Some people think that they are all open-source now, and they also want to protect the code. Of course, open-source people are admirable, however, the open source requirements for others' Code are not reasonable.

To improve user experience, Web 2.0 technology has emerged. With the development of AJAX and rich interface technology, Javascript becomes increasingly important in Web applications, javascript code is becoming increasingly complex, functional, and technical, and the need for Javascript code protection is becoming increasingly urgent.

Javascript online obfuscators are designed to protect Javascript code and provide a new comprehensive solution, including encoding rules and free online obfuscators.


Difference between obfuscation and Encryption

Many people discuss the two together. In fact, there are some differences in the purpose of the two, and there are also great differences in the methods used. Encryption is mainly used to prevent unauthorized use. In this case, even if encryption is cracked, it can only be used illegally and may not necessarily obtain the code logic of the software. However, for scripts, the measure to prevent code access is also encrypted. In this case, the code is obtained after the encryption is cracked. obfuscation means that the Code cannot be obtained by others, measures taken to protect the logic of code from others' understanding; for obfuscation code, it is hard for others to understand and cannot be modified or re-applied;
For languages that generate machine code, such as the C language, you only need to consider unauthorized access and almost do not need to consider code protection. For compiled software, you can only disassemble the code into assembly language code, almost no code logic can be analyzed.
For languages that generate intermediate code, such as Java and C #, unauthorized access and code protection must be considered, it is easy to decompile into a more advanced language, so that you can understand the logic in the Code and easily crack encryption. After obfuscation, it is difficult to understand the logic of the Code and to find the encryption point.
For scripting languages, such as Javascript, it can only be obfuscated and difficult to encrypt. Because scripts exist in plain text and are easy to debug, tracing can easily crack the encryption for the above two purposes. However, the obfuscated code is difficult to understand the logic of the Code.

We only involve obfuscation of Javascript scripts, not encryption. For encryption of systems involving Javascript, we recommend that you not place encryption points in Javascript scripts, but in the compiling program on the server, because Compilation Program Encryption can adopt more protection methods, and the encryption strength is higher.

First, we need to analyze the characteristics of Javascript language and obfuscation, and the shortcomings of existing obfuscation products, and then propose our solution to obfuscation of Javascript code, the last is our Javascript online obfuscator.

Javascript and obfuscation-related features

Javascript is a script language for interpretation and execution. Compared with compiling languages, Javascript has many features, and some of these features bring great difficulties to code obfuscation.

You cannot define whether the attributes and method names of a class need to be confused.

Javascript is a prototype-based language without strict Type Definitions. In a custom class, the attributes and methods that require external access cannot be confused. For internal access attributes and methods, obfuscation is required. However, the Javascript language itself, attributes and methods cannot be distinguished in this way. For this reason, we need to find a flexible mechanism to identify whether the names of attributes and methods need to be confused.

A large number of core and client methods and attributes defined by the system cannot be confused.

The Javascript language itself defines a large number of core classes, methods, and attributes; the browser also defines a large number of client classes, methods, and attributes; these classes, methods, and attributes cannot be confused. However, these classes, methods, and attributes are too large to be confused by enumeration; therefore, we need to find a way to identify these classes, attributes, and methods.

Cannot define whether global variables need to be confused

Global variables are the properties of window objects, and local variables are the properties of function objects. All local variables can be confused with those that should be, while some global variables need to be confused and some cannot be confused; however, global variables are the same as local variables and are difficult to distinguish. Moreover, global variables cannot define whether they need to be confused. To solve this problem, we need to find a way to distinguish between global variables that cannot be confused, global variables that need to be confused, and local variables.

These features of the Javascript language bring great difficulties to code obfuscation. If these problems are not solved, obfuscation of Javascript Code lacks practical value.


Existing Javascript obfuscation product problems

When we need to confuse the Javascipt code, we first examine the existing products on the market and the obfuscation ideas in some forums, but these products and ideas cannot meet our requirements.

There is a commercialized Javascript obfuscation product that uses a obfuscation similar to a C # obfuscation tool to analyze all the identifiers in the Code and does not confuse some preset identifiers of the system, obfuscation of others and the user selection and configuration of identifiers are also provided. Many features of this product are complicated, but there is a big problem, that is, the preset identifiers are limited, many system-defined attributes and methods used in the Code are confused. Therefore, you need to manually configure these attributes and methods to avoid confusion, this is almost an impossible task for large systems.

Obfuscation ideas are also discussed in some forums, including some examples. These ideas are more about changing the expression of identifiers, and some are about replacing attributes with correlated arrays of encoded strings, for example. dd is replaced with xx ["\ x64 \ x64"]. More complicated is to save "\ x64 \ x64" to a string array, and then call the string array as the subscript of the associated array; this approach can avoid the above problems, but there is a bigger problem: obfuscation is reversible, and obfuscation identifiers are only converted into hexadecimal forms, it can be easily restored.

Because of the shortcomings of existing products, we had to study our own solutions. Our solution has also gone through several versions. The first version was much more complicated and took a lot of work, but the results were not satisfactory. The existing solution was found only after several modifications; although a lot of work has been done at the end, there will be no subsequent results without the previous work. Even if you may think that our solution is simple, it is only the result of our efforts, not the process. Simple things are often effective.

Javascript code obfuscation Solution

Through the analysis of Javascript features and related obfuscation products, we realized that it is not enough to work on obfuscators; because the Javascript language itself imposes great restrictions on obfuscation functions, it cannot be solved. For this reason, we have designed a comprehensive solution, that is, Javascript online obfuscators rules. Javascript online obfuscators can be used for obfuscation as long as they are written in accordance with the Rules.

The rules of the Javascript online obfuscators are not complex, but they can solve the problems encountered by the features of the Javascript language and other obfuscators.

Rule 1: all classes, variables, and functions restricted by windows are not obfuscated. Other classes, variables, and functions are obfuscated.

Global classes, variables, and functions are the properties of windows. They are logically the same from the perspective of window. However, we can use the window constraints to distinguish whether global classes, variables, and functions need to be confused.

The constraints on window must be consistent, including not only the definitions of classes, variables and functions, but also the calls of classes, variables and functions.

Local classes, variables, and functions are obfuscated because there is no window constraint.

Type Obfuscation Not obfuscated
Class Definition FunctionClass1(){...} Window. Class1= Function (){...}
Function Definition Function MEthod1(){...} Window. Method1= Function (){...}
Variable definition VarParam1= 1; Window. Param1= 1;
Generate a class instance Var object1 = newClass1(); Var object1 = newWindow.Class1();
Function call Method1(); Window. Method1()
Variable reference Var newParam =Param1; Var newParam =Window. Param1;

Rule 2: All attributes and Methods Starting with lowercase characters are not obfuscated. All attributes and Methods Starting with other letters are obfuscated. Rule 1 is applied using the properties and Methods restricted by window.

Many system-defined methods and attributes in the JavaScript core and client cannot be confused. Most of these methods and attributes begin with lowercase letters, this rule ensures that the methods and attributes defined by the system are not confused. In the Javascript client, there are only a few methods and attributes defined by the system to start with an uppercase/lowercase character. In this case, you can use an array to avoid confusion, for example, object1 ["Method1"] (); this method is also applicable to methods and attributes that may start with an uppercase character in a third-party control.

This rule also allows us to identify whether methods and attributes are obfuscated in custom classes. For methods and attributes that require external calls that cannot be obfuscated, Use lowercase letters to start, for internal methods and attributes, start with another letter.

Type Obfuscation Not obfuscated
Class method definition Class1.Method1= Function (){...} Class1.Method1= Function (){...}
Class1["Method1"]= Function (){...}
Object method definition Class1.prototype.Method1= Function (){...} Class1.prototype.Method1= Function (){...}
Class1.prototype["Method1"]= Function (){...}
Class Attribute Definition Class1.Prop1= 1; Class1.Prop1= 1;
Class1 ["Prop1"] = 1;
Object Property Definition Object1.Prop1= 1; Object1.Prop1= 1;
Object1 ["Prop1"] = 1;
Class method call Class1.Method1(); Class1.Method1();
Object method call Object1.Method1(); Object1.Method1();

The core rule of Javascript online obfuscators is the preceding two points.

Obfuscation of identifiers adopts the Hash algorithm, which is irreversible.

The Hash algorithm is irreversible, so the pre-obfuscation identifier cannot be directly introduced based on the obfuscation identifier. However, the Hash algorithm depends on. net system, most of the time ,. the Hash algorithm of. Net is unchanged, that is, the obfuscation results of the same identifier are the same. If there are enough identifiers that can be enumerated, the same obfuscation result may still be used, the identifier before the obfuscation.

How to call obfuscated classes, methods, and attributes

For internal calls to obfuscation code, you only need to use the same rules, both of them are obfuscated, or both are not obfuscated, and the call can be correct.

There are two methods for external calls to obfuscation code. One is not obfuscation, the Code adopts non-obfuscation rules internally, and the outside uses non-obfuscation and understandable identifiers for calls; the other is obfuscation. The Code uses obfuscation rules internally, and the external uses obfuscation-incomprehensible identifiers for calling. However, this method depends on. net Hash algorithm implementation in different versions. the Hash algorithms in the Net implementation may be different, and even the obfuscated identifiers may be inconsistent. As a result, after re-obfuscation, you must replace the original obfuscated identifiers.

Why does the option "clear spaces and retain the carriage return after the Semicolon" exist?

The Javascript syntax requires that the global function must end with a semicolon or carriage return. If a semicolon is omitted and all carriage return is cleared, the system always prompts that the first line lacks a semicolon and the error cannot be located; using this option can help you find the missing semicolon location.

Reserved Words in the following Javascript languages are not obfuscated

Break, case, catch, continue, debugger, default, delete, do, else, false, finally, for, function, if, in, instanceof, new, null, return, switch, this, throw, true, try, typeof, var, while,

Obfuscators predefine the properties and methods of some windows

Javascript core classes and functions cannot be confused. They are essentially the properties and methods of windows. According to the rules, window constraints should be used to avoid confusion; however, for core classes such as Object, Array, Date, and ActiveXObject, obfuscators are pre-defined and do not need to use window constraints. Common Methods of windows such as alert and client properties of windows such as document are also predefined. For other classes and methods that need to be predefined, we will gradually add them. If there are no predefined global classes and functions, if they cannot be confused, we must use window constraints.

The following global classes, variables, and methods are not obfuscated:

ActiveXObject, alert, Array, Boolean, Date, document, Math, Number, Object, RegExp, String, window


Javascript online obfuscators


Visit the

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.