How to obfuscate JavaScript code

[Lord777]

Do I need to obfuscate JavaScript
JavaScript code runs in users' web browsers and is available to them for study and other actions. If you were wondering "Why should I obfuscate my JavaScript code?", There are many reasons why it is recommended to protect the code, for example:

• Don't let anyone just copy / paste your work. This is especially important for 100% client projects such as HTML5 games;
• Removing comments and spaces that are not needed. Faster loading and increased complexity to understand;
• Protection of works that have not yet been paid for. You can show your work to a client knowing that they won't have the source code until the invoice is paid;
• Protection against website proxying, proxying programs can change all internal links, thanks to JavaScript obfuscation, you can protect yourself from automatic parsers.

See also the article "Deobfuscating JavaScript Code".

Obfuscated JavaScript is slower!
The article linked above explains the difference between minifying and obfuscating source code. In addition to the way they are performed and the ease of restoring them to their original form, the result obtained also differs in performance.

Minified code: downloads from the server faster, as it is smaller, execution time (performance) is the same as the code in the original version.

Obfuscated code: usually larger and almost always slower (by tens of percent), since in addition to the main function, the accompanying actions are performed that are necessary to run the code.

So, minified code: easy to restore to its original form, performance does not degrade.

Obfuscated code: (very) difficult to restore to its original form, the performance of the code degrades. You can add self-protection and protection against debugging to obfuscated code, as well as meaningless code fragments that will greatly complicate its analysis.

Conclusion: obfuscate only the code you want to protect. That is, it makes sense to obfuscate your code, but it makes no sense to obfuscate the code of popular JavaScript libraries, which are already publicly available in their original form.

JavaScript minification and obfuscation programs
This article will look at various tools and techniques for protecting and optimizing JavaScript code.

Btoa and atob functions
In simple cases, cumbersome obfuscation tools are not needed to protect against parsers, and it is enough to simply "hide" some lines.

To make it clear, I will give a practical example. The site kali.tools began to be proxied on another domain, that is, the content of the site is displayed and all links to a foreign domain are replaced in it, so that when clicking on the links, the user remains on this third-party site.

Since the site was copied completely, along with all the scripts, it is enough to add a similar code:

<script>
        if (/(www\.)?kali\.tools/.test(window.location.hostname)) {
        }
        else {
         window.location = 'https://kali.tools';
        }
</script>

This code checks on which domain the page is open, and if this page is not on the kali.tools domain, then a transition is made to https://kali.tools.

The problem is that when proxying all references to kali.tools are replaced with ALIEN_DOMEN.Ru , as a result, the code turned into:

<script>
        if (/(www\.)?kali\.tools/.test(window.location.hostname)) {
        }
        else {
         window.location = 'https: // ALIEN_DOMEN.Ru';
        }
</script>

The code can be obfuscated (but it is not enough just to minify!). But it's even easier to hide the "kali.tools" line with the btoa and atob functions .

The btoa and atob functions are built-in JavaScript functions and are always available.

The btoa function converts the specified string to a character set (works like Base64), and the atob function does the opposite.

The principle of operation in two lines:

btoa ('Some text'); // U29tZSB0ZXh0
atob ('U29tZSB0ZXh0'); // Some text

So, let's see what the "" line turns into:

<script>
    document.write (btoa ('https://kali.tools'));
</script>

Result:

aHR0cHM6Ly9rYWxpLnRvb2xz

Now, in my simple code, we use the atob function to reverse the transformation of this string, we get:

if (/(www\.)?kali\.tools/.test(window.location.hostname)) {
}
else {
    window.location = atob ('aHR0cHM6Ly9rYWxpLnRvb2xz');
}

This code does exactly what is needed - it checks on which domain the site was opened, and if it is not kali.tools, it redirects to kali.tools. At the same time, when the site is proxied, the parsers do not see the kali.tools line and do not make any changes in this code fragment.

JavaScript Obfuscator
JavaScript Obfuscator is a powerful obfuscator with many options. The JavaScript Obfuscator will produce code that is really hard to figure out. Additionally, JavaScript Obfuscator can embed protection against debugging (when you open the Debug panel in Webmaster Tools in a browser, the browser will freeze), code self-defense (inserting meaningless fragments, etc.). JavaScript Obfuscator has many subtle options for tweaking the obfuscation process.

This tool has both a graphical interface and a command line interface.

JavaScript Obfuscator online
Instead of installing on a computer, you can use an online service from the authors, it is located at: https://obfuscator.io/

Installing JavaScript Obfuscator

Installation on Kali Linux

sudo apt install npm
sudo npm install --save-dev javascript-obfuscator
sudo ln -s ~ / node_modules / javascript-obfuscator / bin / javascript-obfuscator / usr / local / bin
javascript-obfuscator -h

Installation in BlackArch

sudo pacman -S npm
sudo npm install --save-dev javascript-obfuscator
sudo ln -s ~ / node_modules / javascript-obfuscator / bin / javascript-obfuscator / usr / local / bin
javascript-obfuscator -h

How to install JavaScript Obfuscator GUI

Installing JavaScript Obfuscator Web Interface on Kali Linux

sudo apt remove cmdtest
sudo apt install npm
sudo npm install -g yarn
sudo npm cache clean -f
sudo npm install -gn
sudo n stable
git clone https://github.com/javascript-obfuscator/javascript-obfuscator-ui
cd javascript-obfuscator-ui /
yarn
npm run updatesemantic
npm run webpack: dev
node server.js

After that, the web interface will be available at http: // localhost: 3000 /

Installing JavaScript Obfuscator web interface in BlackArch

sudo pacman -S npm yarn
git clone https://github.com/javascript-obfuscator/javascript-obfuscator-ui
cd javascript-obfuscator-ui /
yarn
npm run updatesemantic
npm run webpack: dev
node server.js

After that, the web interface will be available at http: // localhost: 3000 /

A detailed description of the options and examples of running JavaScript Obfuscator can be found at https://kali.tools/?p=5621

To obfuscate JavaScript code in the script.js file on the command line:

javascript-obfuscator script.js

For example, with default options, the code is:

if (/(www\.)?kali\.tools/.test(window.location.hostname)) {
}
else {
    window.location = atob ('aHR0cHM6Ly9rYWxpLnRvb2xz');
}

Turns into:

var _0x2001 = ['test', 'aHR0cHM6Ly9rYWxpLnRvb2xz', 'location', 'hostname']; ( function (_0x20ce42, _0x200145) { var _0x20e03c = function (_0x46b9e3) { while (--e_ 0x46 (_0x20ce42 ['shift'] ());}}; _ 0x20e03c (++ _ 0x200145);} (_ 0x2001,0xed)); var _0x20e0 = function (_0x20ce42, _0x200145) {_ 0x20ce42 = _0x20ce42-0x0; var _0x20e03c = _0x2001 [_0x20ce42]; return _0x20e03c;}; if (/ (www \.)? kali \ .tools / [_ 0x20e0 ('0x3')] (window ['location'] [_ 0x20e0 ('0x2')])) {} else {window [_0x20e0 ('0x1' )] = atob (_0x20e0 ('0x0'));}

JSFuck
JSFuck is a very unusual obfuscator, it can represent any JavaScript code with a record of only six characters, namely [] ()! +

This entry can be more deadlocked than the output of the JavaScript Obfuscator discussed above. But, in fact, the obfuscated code can be brought back to its previous form, for example, with the JStillery tool.

Installing JSFuck

Installation on Kali Linux

git clone http://github.com/aemkei/jsfuck
cd jsfuck
php -S 127.0.0.1:8181

After that JSFuck will be available at http: // localhost: 8181 /

Installation in BlackArch

sudo pacman -S jsfuck

Installing on Windows
Download and unzip the archive with the program: https://github.com/aemkei/jsfuck/archive/master.zip

Open their archive's index.html file in a web browser.

Regardless of the installation method, in the index.html file it is recommended to replace the line

< input id = "input" type = "text" value = "alert (1)" />

per line:

< textarea id = "input"> alert (1) </ textarea >

As a result, you will be able to enter not only separate lines for obfuscation, but also large fragments of code.

The following code is working, you can save it as a .htm file and open it in any web browser:

Agree, this is very unusual! But that's not all! The author of JSFuck has prepared completely unreal concepts that will blow your mind:

• writing JavaScript in characters of any language, including hieroglyphs or a non-existent language from Star Wars
• invisible JavaScript
• JavaScript fully written as ASCII

These highly entertaining examples will be discussed at the end of this article as they are more educational (than practical).

Online code obfuscation service
Online service, not very many options: https://www.cleancss.com/javascript-obfuscate/

The resulting code is rather weak in resistance to deobfuscation and can be deobfuscated by the tools discussed in the article "Deobfuscation of JavaScript code".

Sample code for obfuscation:

if (/(www\.)?kali\.tools/.test(window.location.hostname)) {
}
else {
    window.location = atob ('aHR0cHM6Ly9rYWxpLnRvb2xz');
}

The result is:

eval ( function (p, a, c, k, e, d) {e = function (c) { return c.toString (36)}; if (! ''. replace (/ ^ /, String)) { while (c -) {d [c.toString (a)] = k [c] || c.toString (a)} k = [ function (e) { return d [e]}]; e = function () { return '\\ w +'}; c = 1}; while (c -) { if (k [c]) {p = p.replace ( new RegExp ('\\ b' + e (c) + ' \\ b ',' g '), k [c])}} return p} (' 4 (/ (3 \\.)? 2 \\. 5 / .a (0.1.6)) {} 8 { 0.1 = 7 (\ '9 \')} ', 11,11,' window | location | kali | www | if | tools | hostname | atob | else | aHR0cHM6Ly9rYWxpLnRvb2xz | test'.split ('|'), 0, {}))

UglifyJS
The UglifyJS tool does an excellent job of minifying JavaScript code.

Installing UglifyJS

Installation on Kali Linux

sudo apt install uglifyjs

Installation in BlackArch

sudo pacman -S uglify-js

Startup example (to compress code in redir.js file ):

uglifyjs redir.js -c

Sample source code:

if (/(www\.)?kali\.tools/.test(window.location.hostname)) {
}
else {
    window.location = atob ('aHR0cHM6Ly9rYWxpLnRvb2xz');
}

An example of the result obtained:

/(www\.)?kali\.tools/.test(window.location.hostname)||(window.location=atob("aHR0cHM6Ly9rYWxpLnRvb2xz "));

This tool has many configuration options, a complete list can be found at https://kali.tools/?p=5594

slimit and python-jsmin
Program slimit and python-jsmin is a Python module for compressing JavaScript source code.

Installing slimit

On Kali Linux:

sudo apt install slimit

In BlackArch:

sudo pacman -S slimit

Program website: http://slimit.readthedocs.io/en/latest/

Installing python-jsmin in BlackArch:

sudo pacman -S python-jsmin

Program website: https://pypi.python.org/pypi/jsmin

The hardest JavaScript obfuscation
I already mentioned that the author of JSFuck has prepared the most unusual forms and examples of JavaScript, you can find a list of them at http://aem1k.com/. Here is some of them:

• aurebesh.js - JavaScript translation to other writing systems: https://aem1k.com/aurebesh.js/

For example, the code written in Thai characters:

ก = '', ว =! ก + ก, อ =! ว + ก, ซ = ก + {}, ฝ = ว [ก ++], ค = ว [ง = ก], ญ = ++ ง + ก, ฒ = ซ [ง + ญ], ว [ฒ + = ซ [ก] + (ว. อ + ซ) [ก] + อ [ญ] + ฝ + ค + ว [ง] + ฒ + ฝ + ซ [ก] + ค] [ฒ] (อ [ก] + อ [ง] + ว [ญ] + ค + ฝ + "(ก)") ()

Code written with claims only:

x = '', X =! x + x, xx =! X + x, xX = x + {}, Xx = X [x ++], XX = X [Xxx = x], XxX = ++ Xxx + x, xxx = xX [Xxx + XxX], X [xxx + = xX [x] + (X.xx + xX) [x] + xx [XxX] + Xx + XX + X [Xxx] + xxx + Xx + xX [x] + XX] [xxx] (xx [x] + xx [Xxx] + X [XxX] + XX + Xx + "(x)") ()

This is working code that you can place in <script> ... </script> tags and open in a web browser.

• // VOID - invisible variables and code: https://aem1k.com/void/
• M4TR1X 雨- Matrix effect written in JavaScript using only Asian characters: http://aem1k.com/ 雨 /

• DEATH STAR - Death Star from 666 byte JavaScript code executed as ASCII art and with XSS attack: http://aem1k.com/deathstar/
• Invisible Code - invisible source code: http://aem1k.com/0/

In the last example, you won't be able to steal copy-paste JavaScript code!

• Filler - hidden and almost invisible variables: http://aem1k.com/filler/