[HN Gopher] JavaScript Obfuscation Techniques by Example
___________________________________________________________________

JavaScript Obfuscation Techniques by Example

Author : EntICOnc
Score  : 30 points
Date   : 2022-07-17 19:30 UTC (3 hours ago)

(HTM) web link (www.trickster.dev)
(TXT) w3m dump (www.trickster.dev)

| uwuemu wrote:
| Before someone asks why would you obfuscate, here's common use
| case: There's plenty of paid/proprietary Electron apps these days
| and they're not just websites, some of them do some heavy lifting
| under the hood and people want to protect that better than what
| Electron offers out of the box (read: nothing).
| ffhhj wrote:
| Why obfuscating JS when there is WASM?
| e9 wrote:
| You can use wasm disassembler (like
| https://github.com/JoseFMP/wasm-disassembler) as a starting
| point to understand what's happening. It would be much harder
| if it was obfuscated on top of that.
| whatshisface wrote:
| Business people demand it to protect intellectual property
| without realizing the ease of reversing it / wanting to say
| they're doing something to protect IP that their own superior
| will not realize doesn't help. It is making the best of an
| impossible situation, the paradox of sending your code to every
| single customer for them to run it while also wishing nobody
| could see it.
|
| The more aggressive they make patent law the less useful it
| seems to become for protecting any actual investment, so here
| we are, clinging to wooden totems...
| iratewizard wrote:
| With how mediocre most developers today are, obfuscation is
| enough.
| peanut_worm wrote:
| If you obfuscate client side javascript that is being served in a
| browser you should get banned from the internet
| [deleted]
| efortis wrote:
| For mangling, I made a proxy that creates meaningful names in
| dev, and sequential or pre-baked ones in production.
|
| For example, FileFields.js:
|
|     const FF = proxyFieldNames('FF', { foo: null, bar: null })
|     // DEV: FF.foo - FF_foo
|     // PROD: FF.foo - 'a'
|
| https://github.com/uxtely/js-utils/tree/main/proxy-fields-ob...
|
| As a bonus, it's helpful for renaming, autocompleting, and
| finding usages.
| muhehe wrote:
| Why obfuscate, when you can just follow modern trends and use
| webpack (or similar) which gives you completely unreadable shit.
| sphynxie wrote:
| I certainly agree with your tone/sympathize with your
| frustration but I will say that on several occasions I have
| followed the webpack breadcrumbs to figure out what the hell is
| going on with a vendor's misbehaving script, knowing it's going
| to be faster than going through support. Some of these methods
| would make that much harder.
| cabirum wrote:
| "Modern"? Webpack/code bundlers is quite an ancient tech by
| now.
|
| Regard it as an intermediate representation (IR) of your code,
| a stage between your readable source code and browser
| bytecode/jit.
|
| The "shit" is still readable since webpack also generates
| source maps.
| moritzwarhier wrote:
| That's because Webpack includes a minifier (Terser) by default
| when running in production mode (I think since version 5, which
| went a lot in the direction of convention-over-configuration).
| It is easy to disable if you want to.
|
| Terser transforms non-global identifiers lexically and does
| some simple substitutions.
|
| Normally you want to bundle modules with their dependencies
| anyway, maybe transpile code... Then why not minify?
|
| Et voila, some completely unreadable shit.
| [deleted]
| etamponi wrote:
| Sorry for the slightly offtopic question: this page caused Chrome
| on my mobile phone to freeze completely. I had to reboot my
| phone, and even after that, I had to figure out a way to close
| the tab without opening Chrome. Did it happen to someone else?
| uwuemu wrote:
| Nope, but I can see the jsfuck example doing something like
| that as it kinda weirdly lagged on mine (android 12, chrome
| 103).
| [deleted]
| jeroenhd wrote:
| Yes, actually. Works perfectly fine on Firefox but on both
| Chrome and Bromite it causes the browser to crash. My phone
| just let me kill the app after a few seconds but there's
| definitely something weird going on here.
|
| Interesting, I have Bromite set up to disable JIT by default,
| so if it's because it weird JS, it's a bug in both the JIT
| engine and in the interpreter.
| [deleted]
___________________________________________________________________
(page generated 2022-07-17 23:00 UTC)