JavaScript is a universal language widely used in web development. However, JS code is open and can be easily copied or analyzed. To protect their intellectual property and complicate script analysis, developers employ obfuscation – the process of making code unreadable.
Code obfuscation is the transformation of readable JavaScript into an unreadable format that is difficult to understand and modify but works exactly like the original code.
A simple example of obfuscation:
// Before obfuscation
function greeting(name) {
console.log('Hello ' + name);
}
// After obfuscation
function _0x4a12(_0x5980d5){
console['log']('Hello\x20'+_0x5980d5);
}
As we can see, in the obfuscated code:
- function and variable names are replaced with meaningless character sequences
- strings are encoded in hexadecimal format
- code structure is changed and obfuscated
But the functionality remains the same. Calling _0x4a12('John') will produce the same output as greeting('John').
Why is Obfuscation Needed
Code obfuscation solves several tasks:
Hiding script logic. It helps protect confidential algorithms and key functions from being copied by competitors.
Hindering code analysis and vulnerability discovery. Obfuscated code is hard to understand and debug, making it difficult for hackers to find security flaws and inject malicious code.
Reducing script size. Obfuscators remove comments, spaces, line breaks and employ various tricks to compress the code. This speeds up page loading.
Evading malicious script detection systems. Antiviruses use signatures to detect malware. Obfuscation allows masking malicious code.
But there’s a flip side. Obfuscation slows down script execution as it requires additional computations for unpacking. Moreover, obfuscated code is difficult for developers themselves to maintain and debug. Therefore, obfuscation should be used wisely and only where really needed.
Main JavaScript Obfuscation Methods
There are several basic approaches to JS code obfuscation:
1. Identifier Renaming
Variable and function names are replaced with random meaningless character sequences:
// Before obfuscation
var number = 10;
function add(x, y) {
return x + y;
}
// After obfuscation
var _0x7daa1 = 0xa;
function _0x514a(_0x2abf1a, _0x12c6a2) {
return _0x2abf1a + _0x12c6a2;
}2. String Encoding
String literals are converted to Unicode, hexadecimal, or other representations:
console.log("Hello World");
// Hexadecimal encoding
console.log("\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64");
// Unicode
console.log("\u0048\u0065\u006C\u006C\u006F\u0020\u0057\u006F\u0072\u006C\u0064");
// Base64
console.log(atob("SGVsbG8gV29ybGQ="));3. Dead Code Injection
Meaningless operations that don’t affect the result are inserted into the code. This obfuscates the script logic:
4. Control Flow Obfuscation
Redundant conditions, loops, and transitions are added. This masks the actual function execution sequence:
function factorial(num) {
if (num < 0) return;
if (num === 0) return 1;
return num * factorial(num - 1);
}
// After obfuscation
function _0x4a2a(_0x3b9439) {
if (_0x3b9439 < 0) {
if (false) {
return;
} else {
return;
}
}
if (_0x3b9439 === 0) {
if (true) {
return 1;
}
}
return _0x3b9439 * _0x4a2a(_0x3b9439 - 1);
}5. Dynamic Code Generation
Code is assembled in pieces at runtime using eval() and Function():
var add = new Function('x', 'y', 'return x + y');
var result = add(2, 3);
console.log(result);6. Code Packing/Compression
Code is minified, encrypted, and written as a single line. It is unpacked before execution:
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('7 3(5,6){4 5+6}1 0=3(2,8);1 9=a(0);b.c(9)',14,14,'result|var|2|add|return|x|y|function|3|encoded|btoa|console|log'.split('|'),0,{}))
JavaScript Code Deobfuscation
Deobfuscation is the process of transforming obfuscated code back to a readable form. However, high-quality obfuscators use a combination of different techniques, making analysis much more difficult. In such cases, manual deobfuscation may be required. If you want to learn more about JavaScript code deobfuscation, readability restoration techniques, and tools that can help with this, read our detailed article JavaScript Deobfuscation: Unraveling Obfuscated Code Step by Step.
JavaScript Obfuscation Tools
There are many tools for automating obfuscation. Here are some of them:
JavaScript Obfuscator Tool – an online service with a wide range of settings, including variable name control, string encryption methods, and dead code.
JS Obfuscator – a Node.js library for obfuscation. Supports control flow, encryption, compression, and more. Has plugins for Webpack, Gulp, Grunt.
Closure Compiler – a utility from Google that minifies code, removes unused functions and variables while preserving readability.
Uglify-js – a popular minifier and obfuscator. Provides options for name mangling, dead code removal, side effect management.
The choice of a specific tool depends on the requirements for the level of obfuscation, code size, and compatibility with the frameworks and build system used.
Conclusion
JavaScript code obfuscation is an important tool for protecting intellectual property and hindering script analysis. It transforms code into an unreadable format by renaming identifiers, encoding strings, inserting dead code, obfuscating control flow, dynamic generation, and packing.
However, obfuscation has its downsides – it slows down execution and complicates code maintenance. Therefore, obfuscation should be applied judiciously and in a multi-level manner, combining different approaches.
By following the tips from this article, you can effectively protect your JavaScript applications from copying and hacking. Happy obfuscating!
