Home >Web Front-end >JS Tutorial >Comprehensive solution to Javascript code obfuscation

Comprehensive solution to Javascript code obfuscation

PHPz
PHPzOriginal
2016-05-16 19:23:121519browse

Javascript is a scripting language that is interpreted and executed. It is mainly used in client browsers in the Web field. Due to the characteristics of Javascript's interpreted execution, the code must be downloaded to the client in plain text and can be easily debugged. , making the protection of Javascript code very difficult;

Different people have different views on the protection of Javascript code; the code that some people work hard for can be easily obtained by competitors, and they very much hope to have it. There are solutions to protect Javascript code, but the existing solutions may not meet their requirements; many people think that the Javascript language is very simple and the Javascript code has no protection value. It may be that their code is really simple, or they do not understand the power of the Javascript language. Function; some people think that now that it is open source, why should we protect the code? Of course, open source people are worthy of admiration, but the open source requirement for other people's code is not reasonable.

In order to improve user experience, Web 2.0 technology emerged. With the development of AJAX and rich interface technology, Javascript is becoming more and more important in Web applications. The complexity, functionality and The technical content is getting higher and higher, and the need for Javascript code protection is becoming more and more urgent.

The purpose of Javascript Online Obfuscator is to provide a new comprehensive solution for Javascript code protection needs, including coding rules and a free online obfuscator.

The difference between obfuscation and encryption

Many people discuss the two together. In fact, there are certain differences in their purposes and the means they adopt. different. Encryption is mainly to prevent unauthorized use. In this case, even if the encryption is cracked, it can only be used illegally, and the code logic of the software may not be obtained; but for scripts, measures to prevent access to the code are It also belongs to encryption. In this case, if the encryption is cracked, the code is obtained; obfuscation is a measure taken to protect the logic of the code from being understood by others when it is impossible to prevent others from obtaining the code; for obfuscated code, others It is difficult to understand and cannot be modified and re-applied;
For languages ​​that generate machine code, such as C language, only unauthorized access needs to be considered, and there is almost no need to consider code protection; because for compiled software, only It can be disassembled into assembly language code, making it almost impossible to analyze the logic of the code.
For languages ​​that generate intermediate code, such as Java and C#, both unauthorized access and code protection need to be considered; because compiled software can be easily decompiled into a higher-level language , thereby understanding the logic in the code and easily cracking the encryption. After obfuscation, it is difficult to understand the logic of the code and find the encryption point.
For scripting languages, such as Javascript, they can only be confused and difficult to encrypt; because scripts exist in plain text, they are easy to debug, and the encryption for the above two purposes can be easily cracked through tracking. But obfuscated code makes it difficult to understand the logic of the code.

We only involve obfuscation of Javascript scripts, not encryption; for the encryption of systems involving Javascript, we recommend not to place the encryption point in the Javascript script, but in the server-side compiler Because the encryption of the compiler can use more protection methods, the encryption strength is also higher.

We will first analyze the characteristics of the Javascript language and obfuscation, and the shortcomings of existing obfuscation products, and then propose our solution to Javascript code obfuscation, and finally our Javascript online obfuscator.

Characteristics related to Javascript language and obfuscation

Javascript is a scripting language that is interpreted and executed. Compared with compiled languages, it has many own features, some of which It will bring great difficulties to code obfuscation.

It is impossible to define whether the names of properties and methods of a class need to be obfuscated

Javascript is a prototype-based language without strict type definitions. In a custom class, properties and methods that require external access cannot be confused; properties and methods that require internal access need to be confused; but the Javascript language itself cannot make such a distinction between properties and methods. For this reason, we need to find a flexible mechanism to identify whether the names of properties and methods need to be confused.

There are a large number of system-defined core and client-side methods and properties that cannot be confused

The Javascript language itself defines a large number of core classes, methods and properties; the browser also defines A large number of client classes, methods and properties; none of these classes, methods and properties can be confused. However, the number of these classes, methods and properties is too large to avoid confusion through enumeration; for this we need to find a way to identify these classes, properties, and methods.

Unable to define whether global variables need to be obfuscated

Global variables are attributes of the window object, and local variables are attributes of the function object; all local variables can and should be confused, and some global variables need to be confused, and some cannot be confused; but global variables and local variables The expression forms of variables are the same and difficult to distinguish; and the global variables themselves cannot be defined whether they need to be confused. For this reason, we need to find a way to distinguish global variables that cannot be confused, and global variables and local variables that need to be confused.

These characteristics of the Javascript language bring great difficulties to code obfuscation. If these problems are not solved, Javascript code obfuscation will lack practical value.

Problems with existing Javascript obfuscation products

When we need to obfuscate Javascript code, we first inspected the existing products on the market and discussed obfuscation in some forums ideas, but these products and ideas cannot meet our requirements.

There is a commercial Javascript obfuscation product that uses an obfuscation method similar to a C# obfuscation tool. It analyzes all identifiers in the code and does not obfuscate some system-preset identifiers, but does not obfuscate others. obfuscation, and at the same time provide users with the choice and configuration of identifier obfuscation; this product has many complex functions, but there is a big problem, that is, the preset identifiers are limited, and for a large number of systems used in the code The defined properties and methods will be confused, so you need to configure them manually to avoid confusion about these properties and methods. This is almost an impossible task for large systems.

Some forums have also discussed obfuscation ideas, including some examples. These ideas are more about changing the representation of identifiers, and some are replacing attributes with associative arrays of encoded strings, such as replacing xx.dd Replace with xx["x64x64"]; more complicated is to save "x64x64" and the like to a string array, and then call the string array as the subscript of the associative array; this idea can avoid the above problem, but there is a more The big problem is that obfuscation is reversible. The obfuscated identifier is only converted into hexadecimal form and can be easily restored.

It is the shortcomings of existing products that force us to research our own solutions. Our solution also went through several versions. The initial version was much more complicated and took a lot of work, but the results were not ideal. It took several revisions to find the existing solution. Although a lot of work was done at the beginning, In the end, almost all of them were abandoned, but without the previous work, there would be no subsequent results; so even if you may think that our solution is simple, it is only the result of our efforts, not the process; and simple things are often effective of.

Comprehensive solution for Javascript code obfuscation

Through the previous analysis of the characteristics of Javascript and related obfuscation products, we realized that if we only work on the obfuscator is not enough; because the Javascript language itself has great limitations on the obfuscation function, it cannot be solved. To this end, we have designed a comprehensive solution, which is the Javascript online obfuscator rule. As long as the Javascript code is written according to the rules, it can be obfuscated using the Javascript online obfuscator.

The rules of Javascript online obfuscator are not complicated, but they can solve the characteristics of Javascript language itself and the problems encountered by other obfuscation products.

Rule 1: All classes, variables and functions constrained by window are not confused, and other classes, variables and functions are confused.

Global classes, variables and functions themselves are properties of window. Whether or not window constraints are used is the same from a logical perspective. But we can borrow the constraints of window to distinguish whether global classes, variables and functions need to be confused.

Constraints using window must be consistent, including not only the definition of classes, variables and functions, but also the calls of classes, variables and functions.

Local classes, variables and functions are confused because they have no window constraints.

类型 混淆 不混淆
类定义 function Class1(){...} window.Class1 = function(){...}
函数定义 function Method1(){...} window.Method1 = function(){...}
变量定义 var Param1 = 1; window.Param1 = 1;
生成类的实例 var object1 = new Class1(); var object1 = new window.Class1();
函数调用 Method1(); window.Method1()
变量引用 var newParam = Param1; var newParam = window.Param1;

Rule 2. All properties and methods starting with lowercase characters are not confused. Properties and methods starting with other letters are confused. Use window-constrained properties and methods to apply. Rule one.

There are a large number of system-defined methods and properties in JavaScript core and client that cannot be confused, and most of these methods and properties start with lowercase letters. This rule ensures that system-defined methods and properties Properties are not obfuscated. In the Javascript client, there are only a very few system-defined methods and properties starting with uppercase characters. In this case, you can use an associative array to avoid confusion, such as object1["Method1"](); this method It also applies to methods and properties that may start with uppercase characters in third-party controls.

This rule also allows us to identify whether methods and properties are obfuscated in custom classes. For methods and properties that need to be called externally and cannot be obfuscated, start with a lowercase letter. For internal methods and properties, Start with another letter.

Type Confused Not confused
Class method definition Class1.Method1 = function(){...} Class1.method1 = function(){...}
类型 混淆 不混淆
类方法定义 Class1.Method1 = function(){...} Class1.method1 = function(){...}
Class1["Method1"] = function(){...}
对象方法定义 Class1.prototype.Method1 = function(){...} Class1.prototype.method1 = function(){...}
Class1.prototype["Method1"] = function(){...}
类属性定义 Class1.Prop1 = 1; Class1.prop1 = 1;
Class1["Prop1"] = 1;
对象属性定义 object1.Prop1 = 1; object1.prop1 = 1;
object1["Prop1"] = 1;
类方法调用 Class1.Method1(); Class1.method1 ();
Class1["Method1"]();
对象方法调用 object1.Method1(); object1.method1 ();
object1["Method1"]();
Class1["Method1"] = function(){...}
Object method definition Class1.prototype.Method1 = function(){...} Class1.prototype.method1 = function(){...}

Class1.prototype["Method1"] = function(){...}

Class attribute definition Class1.Prop1 = 1; Class1.prop1 = 1;Class1["Prop1 "] = 1;
Object attribute definition object1. Prop1 = 1; object1.prop1 = 1;

object1["Prop1"] = 1;

Class method call Class1.Method1(); Class1.method1 ();Class1["Method1"]();
Object method call object1.Method1(); object1 .method1 ();object1["Method1"]();

For more related tutorials, please visit

JavaScript Video Tutorial
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn