Introduction:
Front-end code is exposed directly in the browser. Many web attacks start by debugging the business logic to find vulnerabilities, and there are also "something for nothing" types who crudely steal other people's pages and make simple modifications for profit. The overall problem is that front-end logic is too easy to read. This article uses JavaScript Obfuscator to introduce the basic ideas of front-end obfuscation.
First, introduction to JavaScript Obfuscator:
JavaScript Obfuscator is a JS obfuscation tool developed by Timofey Kachalov. Traditional tools such as UglifyJS are mainly used to compress code and reduce resource load time, whereas the main purpose of JavaScript Obfuscator is to protect front-end code for security purposes.
Second, JavaScript Obfuscator features:
I will not go into the principle of obfuscation in detail: the tool parses the JS into an AST (abstract syntax tree), modifies it, and then regenerates JS from the AST. UglifyJS can do this as well. I recommend Esprima (http://esprima.org/); there are also a number of tools on GitHub that are useful for obfuscation and deobfuscation.
Here I only cover the features of JavaScript Obfuscator, which include the following:
- Keyword extraction to increase reading difficulty:
JavaScript Obfuscator extracts the keywords in the JS, such as string constants, into an array, and each use becomes a lookup by array index. Reading the code directly becomes basically impossible; the reader has to either reverse the transformation at the AST level or debug step by step, and the workload increases greatly.
var test = "Hello";

// after processing
var _0x7deb = ['Hello'];
(function (_0xdf8359, _0x2abb06) {
    var _0x4b8e4a = function (_0x3c281c) {
        while (--_0x3c281c) {
            _0xdf8359['push'](_0xdf8359['shift']());
        }
    };
    _0x4b8e4a(++_0x2abb06);
}(_0x7deb, 0x94));
var _0xb7de = function (_0x4c7513, _0x1cb87c) {
    _0x4c7513 = _0x4c7513 - 0x0;
    var _0x96ade5 = _0x7deb[_0x4c7513];
    return _0x96ade5;
};
var test = _0xb7de('0x0');
PS: JavaScript Obfuscator does not actually go far enough here and could be optimized further; that is business-specific, so I will not discuss it here.
- Keyword encoding, to further increase reading difficulty:
As the obfuscated output above shows, although the keyword has been extracted, the "Hello" in the array is still clearly visible. To make the code harder to read, JavaScript Obfuscator relies on the fact that JS decodes hexadecimal escapes directly, and writes the keywords as hexadecimal escape sequences.
var test = "Hello";

// after processing
var _0x5f41 = ['\x68\x65\x6c\x6c\x6f'];
(function (_0x265fed, _0x59b917) {
    var _0x468703 = function (_0x2e4674) {
        while (--_0x2e4674) {
            _0x265fed['push'](_0x265fed['shift']());
        }
    };
    _0x468703(++_0x59b917);
}(_0x5f41, 0xdd));
var _0x15f4 = function (_0x551d6e, _0x2697e4) {
    _0x551d6e = _0x551d6e - 0x0;
    var _0x40c0ad = _0x5f41[_0x551d6e];
    return _0x40c0ad;
};
var test = _0x15f4('0x0');
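A toy version of the extraction, rotation and hex-escape steps described above, as an added example (not JavaScript Obfuscator's own code, and not from the original article). The names `hexEscape`, `rotateLeft`, `buildStringArrayLoader` and `resolveAll` are made up for illustration; the emitted loader has the same shape as the samples, and running it shows the strings come back unchanged.

```javascript
// Added illustration; not code from JavaScript Obfuscator.
// Encode every character as a \xNN escape (assumes code points <= 0xff).
function hexEscape(str) {
  return Array.from(str, function (ch) {
    return '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  }).join('');
}

// Rotate left by n: the same push(shift()) loop the emitted loader runs.
function rotateLeft(arr, n) {
  var out = arr.slice();
  for (var i = 0; i < n; i++) out.push(out.shift());
  return out;
}

// Emit source for: string array, rotation IIFE, index accessor.
// The stored array is pre-rotated so that the runtime rotation restores it.
function buildStringArrayLoader(strings, rotation) {
  var len = strings.length;
  var r = rotation % len;
  // Runtime rotates left by `rotation`; store the array rotated right by r.
  var stored = rotateLeft(strings, (len - r) % len);
  var literals = stored.map(function (s) { return "'" + hexEscape(s) + "'"; });
  return [
    'var _arr=[' + literals.join(',') + '];',
    '(function(a,n){while(--n){a.push(a.shift());}}(_arr,' + (rotation + 1) + '));',
    'var _get=function(i){return _arr[i-0x0];};'
  ].join('\n');
}

// Constructed sample input.
var SAMPLE_STRINGS = ['Hello', 'log', 'Hello Devinn'];
var loaderSource = buildStringArrayLoader(SAMPLE_STRINGS, 0x94);

// Run the emitted loader and read every string back through the accessor.
function resolveAll(source, count) {
  var body = source + '\nvar out=[];for(var i=0;i<' + count +
    ';i++){out.push(_get("0x"+i.toString(16)));}return out;';
  return new Function(body)();
}
```

The emitted text no longer contains the plaintext strings, yet the JS parser restores them without any key, which is why hex escapes only slow down a human reader.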
- Keyword encryption, to increase the difficulty of manual debugging:
After keyword extraction, anyone who wants to crack the code has to single-step through it (ignoring AST-level reversal). To counter single-stepping, JavaScript Obfuscator provides two kinds of keyword encryption, Base64 and RC4, which raise the cost of single-step debugging after processing.
var test = "Hello";

// keyword RC4 encryption
var _0x13b4 = ['\x77\x70\x4d\x72\x77\x36\x6a\x44\x67\x54\x4d\x3d'];
(function (_0x5f376f, _0x4ee5e1) {
    var _0x45c6a7 = function (_0x40c574) {
        while (--_0x40c574) {
            _0x5f376f['push'](_0x5f376f['shift']());
        }
    };
    _0x45c6a7(++_0x4ee5e1);
}(_0x13b4, 0x174));
var _0x413b = function (_0x3d9922, _0x37e804) {
    _0x3d9922 = _0x3d9922 - 0x0;
    var _0xbfa147 = _0x13b4[_0x3d9922];
    if (_0x413b['initialized'] === undefined) {
        // locate the global object and polyfill atob if it is missing
        (function () {
            var _0x3e4f10 = function () {
                var _0x1699ce;
                try {
                    _0x1699ce = Function('return\x20(function()\x20' + '{}.constructor(\x22return\x20this\x22)(\x20)' + ');')();
                } catch (_0x2d7a15) {
                    _0x1699ce = window;
                }
                return _0x1699ce;
            };
            var _0x3e7b6b = _0x3e4f10();
            var _0x2e450c = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
            _0x3e7b6b['atob'] || (_0x3e7b6b['atob'] = function (_0x4fedce) {
                var _0x185f31 = String(_0x4fedce)['replace'](/=+$/, '');
                for (var _0x3c6eda = 0x0, _0x48064a, _0x5a5e47, _0x1c810e = 0x0, _0x3443c2 = ''; _0x5a5e47 = _0x185f31['charAt'](_0x1c810e++); ~_0x5a5e47 && (_0x48064a = _0x3c6eda % 0x4 ? _0x48064a * 0x40 + _0x5a5e47 : _0x5a5e47, _0x3c6eda++ % 0x4) ? _0x3443c2 += String['fromCharCode'](0xff & _0x48064a >> (-0x2 * _0x3c6eda & 0x6)) : 0x0) {
                    _0x5a5e47 = _0x2e450c['indexOf'](_0x5a5e47);
                }
                return _0x3443c2;
            });
        }());
        // RC4: Base64-decode the entry, then decrypt it with the key passed at the call site
        var _0x834c2 = function (_0x56e849, _0x2be38f) {
            var _0x3aca38 = [], _0x1c774d = 0x0, _0x49ad4c, _0x595dd4 = '', _0x5e8aba = '';
            _0x56e849 = atob(_0x56e849);
            for (var _0x295cae = 0x0, _0xfbcfa1 = _0x56e849['length']; _0x295cae < _0xfbcfa1; _0x295cae++) {
                _0x5e8aba += '%' + ('00' + _0x56e849['charCodeAt'](_0x295cae)['toString'](0x10))['slice'](-0x2);
            }
            _0x56e849 = decodeURIComponent(_0x5e8aba);
            for (var _0x51a9e3 = 0x0; _0x51a9e3 < 0x100; _0x51a9e3++) {
                _0x3aca38[_0x51a9e3] = _0x51a9e3;
            }
            for (_0x51a9e3 = 0x0; _0x51a9e3 < 0x100; _0x51a9e3++) {
                _0x1c774d = (_0x1c774d + _0x3aca38[_0x51a9e3] + _0x2be38f['charCodeAt'](_0x51a9e3 % _0x2be38f['length'])) % 0x100;
                _0x49ad4c = _0x3aca38[_0x51a9e3];
                _0x3aca38[_0x51a9e3] = _0x3aca38[_0x1c774d];
                _0x3aca38[_0x1c774d] = _0x49ad4c;
            }
            _0x51a9e3 = 0x0;
            _0x1c774d = 0x0;
            for (var _0x4b8de1 = 0x0; _0x4b8de1 < _0x56e849['length']; _0x4b8de1++) {
                _0x51a9e3 = (_0x51a9e3 + 0x1) % 0x100;
                _0x1c774d = (_0x1c774d + _0x3aca38[_0x51a9e3]) % 0x100;
                _0x49ad4c = _0x3aca38[_0x51a9e3];
                _0x3aca38[_0x51a9e3] = _0x3aca38[_0x1c774d];
                _0x3aca38[_0x1c774d] = _0x49ad4c;
                _0x595dd4 += String['fromCharCode'](_0x56e849['charCodeAt'](_0x4b8de1) ^ _0x3aca38[(_0x3aca38[_0x51a9e3] + _0x3aca38[_0x1c774d]) % 0x100]);
            }
            return _0x595dd4;
        };
        _0x413b['rc4'] = _0x834c2;
        _0x413b['data'] = {};
        _0x413b['initialized'] = !![];
    }
    // decrypted entries are cached by index
    var _0x1cc8d3 = _0x413b['data'][_0x3d9922];
    if (_0x1cc8d3 === undefined) {
        if (_0x413b['once'] === undefined) {
            _0x413b['once'] = !![];
        }
        _0xbfa147 = _0x413b['rc4'](_0xbfa147, _0x37e804);
        _0x413b['data'][_0x3d9922] = _0xbfa147;
    } else {
        _0xbfa147 = _0x1cc8d3;
    }
    return _0xbfa147;
};
var test = _0x413b('0x0', '\x29\x38\x24\x34');
- Control flow transformation, to increase the difficulty of manual debugging:
Judging from the JS above, manual debugging is still not hard enough. JavaScript Obfuscator provides control flow flattening, which uses control-flow structures to drive the logic and makes debugging more complex. After this processing, manual debugging becomes very difficult when the amount of code is large.
function testFn() {
    var test = "Hello";
    if (test) {
        test = "Hello Devinn";
    }
    return test;
}

// after processing; to keep it readable, the methods above are turned off,
// only the control flow is processed, and the output is formatted
function testFn() {
    var _0x25ac20 = {
        'ROSCJ': 'Hello',
        'BJRCW': 'Hello\x20Devinn'
    };
    var _0x52a030 = _0x25ac20['ROSCJ'];
    if (_0x52a030) {
        _0x52a030 = _0x25ac20['BJRCW'];
    }
    return _0x52a030;
}
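What flattening does to statement order, as an added example written by hand (not tool output and not code from the original article). It shows the general state-machine form of the technique rather than the tool's exact output; the function names and the checksum logic are made up for illustration.

```javascript
// Added illustration, written by hand; not output of JavaScript Obfuscator.
// Original: statements in reading order.
function checksumOriginal(text) {
  var sum = 7;
  for (var i = 0; i < text.length; i++) {
    sum = (sum * 31 + text.charCodeAt(i)) % 65521;
  }
  if (sum % 2 === 0) {
    sum += 1;
  }
  return sum;
}

// Flattened: each basic block becomes a case; `state` picks the next one.
// Case labels are shuffled so source order no longer matches run order.
function checksumFlattened(text) {
  var sum, i, state = 3;
  while (true) {
    switch (state) {
      case 0: // loop body
        sum = (sum * 31 + text.charCodeAt(i)) % 65521;
        i++;
        state = 4;
        break;
      case 1: // exit
        return sum;
      case 2: // make the result odd
        sum += 1;
        state = 1;
        break;
      case 3: // entry
        sum = 7;
        i = 0;
        state = 4;
        break;
      case 4: // loop condition
        state = i < text.length ? 0 : 5;
        break;
      case 5: // parity test
        state = sum % 2 === 0 ? 2 : 1;
        break;
    }
  }
}
```

A reader stepping through the flattened version has to track `state` across every iteration of the dispatcher to recover the loop and the branch that are obvious in the original.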
- Dead code injection, to increase the difficulty of manual debugging:
If the transformations and control flow above are still not difficult enough, JavaScript Obfuscator also provides dead code injection, which randomly injects dead code to increase the difficulty of manual debugging.
- Debug protection, preventing manual debugging:
The ideas above all increase the difficulty of manual debugging. Debug protection goes further: once the user opens the console, execution stays stuck in the debugger. The implementation is brute force, calling debugger over and over; in practice some timing could be added to the control logic, and you are free to elaborate on it.
var test = "Hello";

// formatted after processing
(function () {
    var _0x4ca286 = new RegExp('function\x20*\x5c(\x20*\x5c)');
    var _0x4c73ba = new RegExp('\x5c+\x5c+\x20*_0x([a-f0-9]){4,6}');
    var _0x215cc4 = _0x203654('init');
    if (!_0x4ca286['test'](_0x215cc4 + 'chain') || !_0x4c73ba['test'](_0x215cc4 + 'input')) {
        _0x215cc4('0');
    } else {
        _0x203654();
    }
}());
var test = 'Hello';
function _0x203654(_0x53ac71) {
    function _0x13f874(_0x10526b) {
        if (typeof _0x10526b === 'string') {
            return function (_0x1146de) {}['constructor']('while\x20(true)\x20{}')['apply']('counter');
        } else {
            if (('' + _0x10526b / _0x10526b)['length'] !== 0x1 || _0x10526b % 0x14 === 0x0) {
                (function () {
                    return !![];
                }['constructor']('debu' + 'gger')['call']('action'));
            } else {
                (function () {
                    return ![];
                }['constructor']('debu' + 'gger')['apply']('stateObject'));
            }
        }
        _0x13f874(++_0x10526b);
    }
    try {
        if (_0x53ac71) {
            return _0x13f874;
        } else {
            _0x13f874(0x0);
        }
    } catch (_0x2c3b47) {}
}
- Self-defending, preventing code beautification:
People debugging the code with malicious intent will use the DevTools beautify feature and debug the beautified code. For this case JavaScript Obfuscator provides a selfDefending feature: if the code is beautified, the whole JS throws errors and cannot be executed. The principle is a CRC check, which I will not describe in detail.
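The checksum idea mentioned above, as an added sketch (not JavaScript Obfuscator's implementation and not code from the original article; `crc32`, `guard`, `load`, `runs` and the sample sources are made up). `Function.prototype.toString()` returns the function's source text, so reformatting the file changes the checksum and the guarded function refuses to run.

```javascript
// Added illustration; not code from JavaScript Obfuscator.
// Bitwise CRC-32 (polynomial 0xEDB88320) over the string's char codes.
function crc32(text) {
  var crc = 0xffffffff;
  for (var i = 0; i < text.length; i++) {
    crc ^= text.charCodeAt(i) & 0xff;
    for (var bit = 0; bit < 8; bit++) {
      crc = (crc >>> 1) ^ (0xedb88320 & -(crc & 1));
    }
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// Wrap `fn` so it only runs while its source text still matches `expected`.
function guard(fn, expected) {
  return function () {
    if (crc32(fn.toString()) !== expected) {
      throw new Error('source was modified');
    }
    return fn.apply(this, arguments);
  };
}

// Constructed sample: the same function, shipped compact and then beautified.
var COMPACT = 'function f(a,b){return a+b;}';
var BEAUTIFIED = 'function f(a, b) {\n    return a + b;\n}';
var EXPECTED = crc32(COMPACT); // computed at build time

// Evaluate the source text and return the guarded function.
function load(source) {
  var fn = new Function('return (' + source + ');')();
  return guard(fn, EXPECTED);
}

// True only if the loaded function runs and returns the right answer.
function runs(source) {
  try {
    return load(source)(2, 3) === 5;
  } catch (e) {
    return false;
  }
}
```

The check lives in the same file it protects, so it raises the cost of casual beautify-and-debug but does not stop someone who removes the guard.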
- Domain lock, preventing the JS from being modified and debugged locally:
Debug protection and the beautification defence above are both implemented by adding control code inside the JS. If the JS is dragged to a local machine and that code is removed, cracking can continue. JavaScript Obfuscator therefore also provides a domain lock: it checks whether the current domain is the configured domain, and if it is not, the code does not execute.
Those are the key features of JavaScript Obfuscator. Even with all of this processing, a single static JS file can still be cracked. Take the domain lock that prevents the JS from being dragged to a local machine for modification and debugging: once the relevant code is removed, the file can again be modified and debugged locally, and a more advanced attacker can crack it by reversing the transformations at the AST level. Personally, I think the problem should be looked at as a whole: taken together, these measures make the cost of debugging very high. In addition, to counter AST-level reversal, the JS can be made dynamic: the most secure encryption uses a different secret each time, and the JS can be made to do the same.
Third, development recommendations:
Whatever obfuscation is used, global variables and variables referenced by global variables are not obfuscated, and neither are things like object properties (these can be handled, but it is error-prone). Writing key code in a functional programming style during development allows it to be obfuscated more thoroughly. In addition, if compatibility allows, you can try asm.js, which is another approach.
Fourth, summary:
This article mainly introduces the key features of JavaScript Obfuscator. The real aim is to use the tool as an example for discussing some ideas on front-end code protection, and the thinking is not limited to JS. There are also other tools, such as JSFuck, whose approaches are worth borrowing from. Feel free to experiment, and if you have ideas, you are welcome to get in touch.
Front-end obfuscation: JavaScript Obfuscator