Something I come across from time to time is unprotected JavaScript
code. Most JavaScript is not worth stealing because it doesn't
represent a full program, but what if you have an online service that
is entirely based on JavaScript code? And if the service is a premium
service, you have to protect your code from getting into other
people's hands.
The best example of this is the SETT Decoder, which is entirely based on JavaScript:
settdeco.bhasha.lk
Because JavaScript is a client-side language, unlike PHP, which is a
server-side language, anyone can read the code. So the best way is to
obfuscate your code.
Obfuscation (or beclouding) is the hiding of intended meaning in
communication, making communication confusing, wilfully ambiguous, and
harder to interpret. - Wikipedia
There are free tools to obfuscate JavaScript code; one popular tool is
www.javascriptobfuscator.com
There are many popular obfuscating tools out there, but unfortunately
there are ways to get through this obfuscation and reveal the code.
The best de-obfuscation tool that I've come across on the Internet is
jsbeautifier.org. It can even decode obfuscation by
www.javascriptobfuscator.com.
I was writing a JavaScript program whose code I wanted to protect, and
I needed a better obfuscation method. I searched and came across this
question at StackOverflow:
http://stackoverflow.com/questions/194397/how-can-i-obfuscate-javascript
Many obfuscation tools are given in the answers to the question, but
the obfuscation by all of these tools can be de-obfuscated using
jsbeautifier.org. So how can I protect my code? There is a simple way to make de-obfuscation nearly impossible.
The trick here is to use two different obfuscation methods on the same code. Let's take this code as an example.
Original Code :
function myFunction()
{
    var x=5;
    return x;
}
Let's first obfuscate the code using www.javascriptobfuscator.com.
Obfuscated code :
var _0x7275=[];function myFunction(){var _0x49f5x2=5;return _0x49f5x2;} ;
Now let's try to de-obfuscate the code using
http://jsbeautifier.org/
I get the original code in return. The only difference is that the
variable names are hidden, but that doesn't make any difference because
we got the good part of the code.
Output de-obfuscated code :
function myFunction() {
    var _0x49f5x2 = 5;
    return _0x49f5x2;
};
Now let's obfuscate the code using
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm. I found this tool in the answer on
StackOverflow.
Obfuscated code :
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3 1(){2 0=5;4 0}',6,6,'x|myFunction|var|function|return|'.split('|'),0,{}))
This tool obfuscates the code with a different method than
www.javascriptobfuscator.com. But try to de-obfuscate the code using
http://jsbeautifier.org
Output de-obfuscated code :
function myFunction() {
    var x = 5;
    return x
}
You get the exact original code in return. So what can we do to
protect our JavaScript? Code obfuscated with other tools can be
de-obfuscated using
http://jsbeautifier.org in the same way.
What you can clearly see is that
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm and
www.javascriptobfuscator.com use two different methods to obfuscate the JavaScript.
So first obfuscate your original JavaScript using
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm.
Original Javascript :
function myFunction() {
    var x = 5;
    return x
}
Obfuscated code using
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm :
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3 1(){2 0=5;4 0}',6,6,'x|myFunction|var|function|return|'.split('|'),0,{}))
Now obfuscate the obfuscated code that you get as the output from http://www.daftlogic.com/projects-online-javascript-obfuscator.htm using
www.javascriptobfuscator.com.
www.javascriptobfuscator.com will give you output like this as the result.
Multiple obfuscated output :
var
_0x2815=["\x33\x20\x31\x28\x29\x7B\x32\x20\x30\x3D\x35\x3B\x34\x20\x30\x7D","\x7C","\x73\x70\x6C\x69\x74","\x78\x7C\x6D\x79\x46\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x76\x61\x72\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C","\x72\x65\x70\x6C\x61\x63\x65","","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function
(_0xf81fx1,_0xf81fx2,_0xf81fx3,_0xf81fx4,_0xf81fx5,_0xf81fx6){_0xf81fx5=function
(_0xf81fx3){return _0xf81fx3;}
;if(!_0x2815[5][_0x2815[4]](/^/,String)){while(_0xf81fx3--){_0xf81fx6[_0xf81fx3]=_0xf81fx4[_0xf81fx3]||_0xf81fx3;}
;_0xf81fx4=[function (_0xf81fx5){return _0xf81fx6[_0xf81fx5];}
];_0xf81fx5=function (){return _0x2815[6];} ;_0xf81fx3=1;}
;while(_0xf81fx3--){if(_0xf81fx4[_0xf81fx3]){_0xf81fx1=_0xf81fx1[_0x2815[4]](
new
RegExp(_0x2815[7]+_0xf81fx5(_0xf81fx3)+_0x2815[7],_0x2815[8]),_0xf81fx4[_0xf81fx3]);}
;} ;return _0xf81fx1;}
(_0x2815[0],6,6,_0x2815[3][_0x2815[2]](_0x2815[1]),0,{}));
You might think this code won't work because of the multiple
obfuscation, but trust me, the code still works like a charm even if
it's obfuscated multiple times.
Now try de-obfuscating this code using
http://jsbeautifier.org. The output from
http://jsbeautifier.org looks like this.
De-obfuscated output :
3 1() {
2 0 = 5;
4 0
}
Purely useless numbers and letters. So the output code from
http://jsbeautifier.org is useless and our code is protected. Now, to make sure, I'll try the code with a different de-obfuscator,
javascriptbeautifier.com, which is not as good as
jsbeautifier.org. When I try to de-obfuscate the code, this is the output I get from
javascriptbeautifier.com :
var
_0x2815 =
["\x33\x20\x31\x28\x29\x7B\x32\x20\x30\x3D\x35\x3B\x34\x20\x30\x7D",
"\x7C", "\x73\x70\x6C\x69\x74",
"\x78\x7C\x6D\x79\x46\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x76\x61\x72\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C",
"\x72\x65\x70\x6C\x61\x63\x65", "", "\x5C\x77\x2B", "\x5C\x62",
"\x67"];
eval(function(_0xf81fx1, _0xf81fx2, _0xf81fx3, _0xf81fx4, _0xf81fx5, _0xf81fx6) {
_0xf81fx5 = function(_0xf81fx3) {
return _0xf81fx3;
};
if (!_0x2815[5][_0x2815[4]](/^/, String)) {
while (_0xf81fx3--) {
_0xf81fx6[_0xf81fx3] = _0xf81fx4[_0xf81fx3] || _0xf81fx3;
};
_0xf81fx4 = [function(_0xf81fx5) {
return _0xf81fx6[_0xf81fx5];
}];
_0xf81fx5 = function() {
return _0x2815[6];
};
_0xf81fx3 = 1;
};
while (_0xf81fx3--) {
if (_0xf81fx4[_0xf81fx3]) {
_0xf81fx1 = _0xf81fx1[_0x2815[4]](new RegExp(_0x2815[7] +
_0xf81fx5(_0xf81fx3) + _0x2815[7], _0x2815[8]), _0xf81fx4[_0xf81fx3]);
};
};
return _0xf81fx1;
} (_0x2815[0], 6, 6, _0x2815[3][_0x2815[2]](_0x2815[1]), 0, {}));
This too is useless code and your code is still protected. This is a
pretty simple and good way to protect your JavaScript code. The trick
is to use two obfuscating methods, one on top of another. And the end
obfuscated code still works.
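How the two layers shown above store the code, as an added example that is not part of the original post: the outer string array holds each literal as \xNN escapes, and the inner packer payload is the source with every word replaced by its index into the '|'-separated dictionary. The function names are hypothetical, and only radices up to 36 are handled (the sample uses 6).

```javascript
// Added example, not code from the original post; function names are hypothetical.
// The two strings are copied from the _0x2815 array in the double-obfuscated
// sample on this page. String.raw keeps the \xNN escapes as literal text.
const RAW_PAYLOAD = String.raw`\x33\x20\x31\x28\x29\x7B\x32\x20\x30\x3D\x35\x3B\x34\x20\x30\x7D`;
const RAW_DICTIONARY = String.raw`\x78\x7C\x6D\x79\x46\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x76\x61\x72\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C`;

// Outer layer: every literal in the string array is written as \xNN hex escapes,
// one escape per character code.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Inner layer: the eval(function(p,a,c,k,e,d){...}) wrapper receives a payload
// in which each word is an index (written in the given radix) into the
// dictionary, and replaces the indexes with the words before eval runs.
function expandPackedPayload(payload, radix, dictionary) {
  const words = dictionary.split("|");
  return payload.replace(/\b\w+\b/g, (token) => {
    const index = parseInt(token, radix);
    // Leave tokens that are not an exact index in this radix untouched.
    if (Number.isNaN(index) || index.toString(radix) !== token) return token;
    // An empty or missing slot means the token stands for itself (the literal 5).
    return words[index] || token;
  });
}

// Applies both steps to the sample values from this page.
function recoverSample() {
  const payload = decodeHexEscapes(RAW_PAYLOAD);
  const dictionary = decodeHexEscapes(RAW_DICTIONARY);
  return { payload, dictionary, source: expandPackedPayload(payload, 6, dictionary) };
}

console.log(recoverSample().source);
```

The payload and the dictionary are both delivered to the browser together with the code that expands them, which is why the string printed by jsbeautifier.org above is the payload rather than noise.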