JavaScript code obfuscation Comprehensive solution

Source: Internet
Author: User
Tags class definition execution function definition functions hash net hash variables window
Javascript| to solve the confusion of Javascript code

JavaScript is a scripting language that interprets execution and is used primarily in browsers in Web-domain clients; Because JavaScript interprets the characteristics of execution, code must be downloaded to the client in clear text and easily debugged, making the protection of JavaScript code very difficult ;

Different people have different views on the protection of JavaScript code, some hard work of code, but can be easily obtained by competitors, they are very much want to have the program to protect JavaScript code, but the existing solution may not meet their requirements; many people think JavaScript language is simple, JavaScript code is not protected value, may be their code is really simple, or they do not understand Javascript language powerful features, and some people think that now open source, but also protect the code, of course, open source people are worthy of admiration, But it's not reasonable to ask for open source for someone else's code.

To improve the user experience, the advent of Web 2.0 technology, and with AJAX and rich interface technology, JavaScript in the importance of Web applications more and more high, JavaScript code complexity, functionality and technical content is increasing, the JavaScript The need for code protection is also becoming increasingly urgent.

The purpose of the JavaScript online obfuscation is to provide a new comprehensive solution for JavaScript code protection requirements, including coding rules and free online obfuscation.

The difference between obfuscation and encryption

Many people mix the two together to discuss, in fact, the purpose of the two has a certain difference, the means adopted are very different. Encryption is primarily intended to prevent unauthorized use, in this case, even if the encryption is cracked, can only be used illegally, and not necessarily get the software code logic, but for the script, to prevent access to the code is also encrypted, in this case, the encryption, the code is obtained While obfuscation is a measure of the logic of protecting the code that is not understood by others when it is not possible to prevent others from acquiring the code; for confusing code, it is difficult for others to understand and to modify and reapply;
For languages that generate machine code, such as C, you only need to consider unauthorized access, almost without the protection of the Code, because the compiled software can only be disassembled as assembly language code, and can hardly parse the logic of the code.
For the language that generates the intermediate code, for example, Java and C #, you need to consider unauthorized access, but also to consider the protection of the Code, because of the compiled software, it can be easily decompile to a higher level of the language, so as to understand the logic in the code, and easier to crack encryption. Confusing, that is, it is difficult to understand the logic of the code, it is not easy to find the encryption point.
Scripting languages, such as Javascript, can only be confusing and hard to encrypt, because scripts are plaintext and easy to debug, and it's easier to track the encryption of the above two purposes by tracking. But confusing code is difficult to understand the logic of the code.

We only involve confusing JavaScript scripts without involving encryption, and we recommend that you do not place the encryption point inside a JavaScript script, but rather in a server-side compiler, for encryption of a system that involves JavaScript. Because the encryption of the compiler can use more protection methods, encryption is more intense.

We will first analyze the JavaScript language and confusing features, and the existing confusion of products, and then put forward our solution to the JavaScript code confusion, and finally our JavaScript online obfuscation.


Javascript language and obfuscation-related features

Javascript is a scripting language that interprets execution, and a language with a compiled type has many features of its own, some of which can be difficult to confuse code.

Cannot define the name of a class's properties and methods to be confused

Javascript is a prototype based language with no strict type definitions. In a custom class, you cannot confuse properties and methods that require external access, and you need to confuse the properties and methods of internal access, but the JavaScript language itself cannot differentiate between properties and methods. We are looking for a workaround to identify whether the names of properties and methods need to be confused.

There are a large number of system-defined core and client-side methods and attributes that cannot be confused

The Javascript language itself defines a large number of core classes, methods, and properties, and a large number of client classes, methods, and properties are also defined in the browser, and these classes, methods, and properties cannot be confused, but the number of classes, methods, and properties is too large to be used to avoid confusion by enumerating To do so, we need to find a way to identify these classes, properties, and methods.

Cannot define whether global variables need to be confused

The global variable is the property of the Window object, the local variable is the property of the function object, all the local variables can and should be confused, and the global variables need to be confused, some can not be confused; but the representation of global variables and local variables is the same, it is difficult to distinguish , and the global variable itself is less able to define whether it needs to be confused. For this reason we need to find a way to distinguish between global variables that cannot be confused and global variables and local variables that need to be confused.

These characteristics of the JavaScript language, all of the confusion of the code has brought great difficulties, if not solve these problems, the confusion of JavaScript code is a lack of practical value.

Problems with existing Javascript confusing products

When we need to confuse Javascipt code, we first look at the existing products on the market, and some of the Forum on the confusion of ideas, but these products and ideas can not meet our requirements.

There is a commercialized Javascript obfuscation product, which uses a confusing method similar to a C # obfuscation tool, analyzes all identifiers in the code, does not confuse some system preset identifiers, confuses other, and provides users with the option of confusing identifiers and configuring The function of this product is very complex, but there is a big problem, is that the default identifier is limited, for the code used in a large number of system-defined properties and methods, will be confused, for this need to manually configure themselves to avoid the confusion of these properties and methods, which for large systems is almost impossible to complete the task.

Confusing ideas are also discussed in some forums, including examples that change the representation of identifiers, or replace attributes with associative arrays of coded strings, such as replacing XX.DD with xx["\x64\x64"; more complicated is the "\x64\x64" Save to an array of strings, the string array is then invoked as the subscript of the associative array; this idea avoids the above problem, but there is a bigger problem, that is, the confusion is reversible, the confused identifier is only converted into a 16 form and can be easily recovered.

It is the inadequacy of existing products that prompts us to study our own solutions. Our solution is also a few versions, the initial version is much more complicated, and it costs a lot of work, but the results are not ideal; several modifications have been made to find existing solutions; Although the bulk of the work started, it was almost deserted, but without the previous work, there was no subsequent results. So even though you might think our program is simple, it's just the result of our efforts, not the process, and the simple things are often effective.


Javascript Code Obfuscation Comprehensive solution

By analyzing the characteristics of the JavaScript and the related confusing products, we realize that it is not enough to work on the obfuscation, because the JavaScript language itself has great limitations on the confusing function. For this we have designed a comprehensive solution, that is, JavaScript online obfuscation rules, as long as the Javascipt code written in accordance with the rules can be confused by using JavaScript online obfuscation.

The rules of the JavaScript online obfuscation are not complex, but are capable of addressing the characteristics of the JavaScript language itself and other confusing product problems.

Rule one, all classes, variables, and functions that are constrained by Windows are not confused, and other classes, variables, and functions are confused.

The global class, variables, and functions themselves are window properties, and are logically the same with no window constraints. But we can use window constraints to distinguish between global classes, variables, and functions that need to be confused.

The constraints of Windows must be consistent, not only with the definition of classes, variables, and functions, but also with the invocation of classes, variables, and functions.

Local classes, variables, and functions are confusing because they have no window constraints.

Type Confuse Not confusing
Class definition function Class1() {...} window. Class1 = function () {...}
function definition function Method1() {...} window. Method1 = function () {...}
Variable definition var Param1 = 1; window. Param1 = 1;
To generate an instance of a class var object1 = new Class1(); var object1 = new window. Class1();
Function call Method1 (); window. Method1()
Variable reference var newparam = Param1; var newparam = window. PARAM1;

Rule two, all properties and methods that start with lowercase characters are not confused, and properties and methods that begin with other letters are confused, using the properties and methods of window constraints to apply Rule one.

There are a number of system-defined methods and properties in the JavaScript core and the client that cannot be confused, and most of these methods and properties start with lowercase letters, and this rule guarantees that the system-defined methods and properties are not confused. There are only a handful of system-defined methods and properties in the Javascript client that start with uppercase characters, in which case an associative array can be used to avoid confusion, such as object1["Method1"] () This method also applies to cases where a third party control might have methods and properties that start with uppercase characters.

This rule also allows us to identify whether methods and properties are confused in a custom class, start with lowercase letters, and use other letters for internal methods and properties for methods and properties that cannot be confused by external calls.

Type Confuse Not confusing
class method definition Class1. Method1 = function () {...} Class1. method1 = function () {...}
Class1["Method1"] = function () {...}
Object method Definition Class1.prototype. Method1 = function () {...} Class1.prototype. method1 = function () {...}
Class1.prototype["Method1"] = function () {...}
Class attribute definition Class1. Prop1 = 1; Class1. Prop1 = 1;
class1["Prop1"] = 1;
Object attribute Definition Object1. Prop1 = 1; Object1. Prop1 = 1;
object1["Prop1"] = 1;
class method call Class1. Method1 (); Class1. method1 ();
Class1["Method1"]();
Object method call Object1. Method1 (); Object1. method1 ();
Object1["Method1"]();

The core rule of Javascript online obfuscation is the above two points, as well as a few other explanations.

The confusion of identifiers is based on the Hash algorithm, irreversible

The hash algorithm is irreversible, so it is not possible to introduce the ambiguous identifier directly after the confusing identifier, but the hash algorithm relies on the implementation of the. NET system, most of the time, the. NET Hash algorithm is invariant, that is, the same identifier confusion result is the same If you can enumerate enough identifiers, you may still know the identifier before the confusion based on the same confusing result.

How to invoke a confused class, method, and property

Internal calls to confusing code can be invoked correctly as long as the same rules are used, either confused or confused.

There are two ways to make an external call to confuse code, one is not confusing, the code is not confused within the rules, the external use of understandable identifiers are not confused to call, the other is confusing, the code inside the confusion of the rules, the external also uses the ambiguous identifier call, but this way depends on. Net hash algorithm implementation, in different versions of the. Net implementation of the hash algorithm may be different, even confused identifiers inconsistent, resulting in confusion, the need to replace the original confused identifier.

Why do I have the option to "clear a space, and leave a return after a semicolon"

Javascript syntax requires that the end of a global function must have a semicolon or a carriage return, if the semicolon is omitted, and all the carriage returns are cleared, the first line is always prompted for the missing semicolon, and the error is not positioned; This option can help you find the location of the missing semicolon.

The following Javascript language's reserved words are not confused

Break, case, catch, continue, debugger, default, delete, does, else, false, finally, for, function, if, in, instanceof, new, NULL, return, switch, this, throw, true, try, typeof, Var, while, with

The obfuscation has predefined properties and methods for some windows

Javascript core classes and functions can not be confused, they are essentially window properties and methods, according to the rules should use window constraints to avoid confusion, but for Object, Array, Date, ActiveXObject and other core classes, The obfuscation has been predefined and does not need to be confused with window constraints. It is also predefined for Windows commonly used methods such as alert, and for Windows commonly used client properties such as document. Other classes and methods that need to be predefined are added incrementally; there are no predefined global classes and functions and, if not confusing, you must use window constraints.

The following global classes, variables, and methods are not confused

ActiveXObject, alert, Array, Boolean, Date, document, Math, number, Object, REGEXP, String, window



Related Article

Beyond APAC's No.1 Cloud

19.6% IaaS Market Share in Asia Pacific - Gartner IT Service report, 2018

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.