[HN Gopher] JavaScript Obfuscation Techniques by Example
       ___________________________________________________________________
        
       JavaScript Obfuscation Techniques by Example
        
       Author : EntICOnc
       Score  : 30 points
       Date   : 2022-07-17 19:30 UTC (3 hours ago)
        
 (HTM) web link (www.trickster.dev)
 (TXT) w3m dump (www.trickster.dev)
        
       | uwuemu wrote:
       | Before someone asks why would you obfuscate, here's a common use
       | case: There's plenty of paid/proprietary Electron apps these days
       | and they're not just websites, some of them do some heavy lifting
       | under the hood and people want to protect that better than what
       | Electron offers out of the box (read: nothing).
        
       | ffhhj wrote:
       | Why obfuscate JS when there is WASM?
        
         | e9 wrote:
         | You can use a wasm disassembler (like
         | https://github.com/JoseFMP/wasm-disassembler) as a starting
         | point to understand what's happening. It would be much harder
         | if it was obfuscated on top of that.
        
         | whatshisface wrote:
         | Business people demand it to protect intellectual property
         | without realizing the ease of reversing it / wanting to say
         | they're doing something to protect IP that their own superior
         | will not realize doesn't help. It is making the best of an
         | impossible situation, the paradox of sending your code to every
         | single customer for them to run it while also wishing nobody
         | could see it.
         | 
         | The more aggressive they make patent law the less useful it
         | seems to become for protecting any actual investment, so here
         | we are, clinging to wooden totems...
        
           | iratewizard wrote:
           | With how mediocre most developers today are, obfuscation is
           | enough.
        
       | peanut_worm wrote:
       | If you obfuscate client side javascript that is being served in a
       | browser you should get banned from the internet
        
       | efortis wrote:
       | For mangling, I made a proxy that creates meaningful names in
       | dev, and sequential or pre-baked ones in production.
       | 
       | For example, FileFields.js:
       | 
       |     const FF = proxyFieldNames('FF', { foo: null, bar: null })
       |     // DEV: FF.foo - FF_foo
       |     // PROD: FF.foo - 'a'
       | 
       | https://github.com/uxtely/js-utils/tree/main/proxy-fields-ob...
       | 
       | As a bonus, it's helpful for renaming, autocompleting, and
       | finding usages.
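
A sketch of the dev/production name proxy described in the comment above, as an added example: it is not the code from the linked js-utils repository. The `production` option, the `shortName` helper and the shared counter are assumptions, and only the "sequential" production variant is shown.

```javascript
// Added illustration; NOT the code from the linked js-utils repository.
// Assumption: production names come from one counter shared by every
// proxy, so two field groups can never receive the same short name.
let nextId = 0;

// Hypothetical helper: 0 -> 'a', 25 -> 'z', 26 -> 'aa', 27 -> 'ab', ...
function shortName(n) {
  let s = '';
  for (n += 1; n > 0; n = Math.floor((n - 1) / 26)) {
    s = String.fromCharCode(97 + ((n - 1) % 26)) + s;
  }
  return s;
}

// Returns an object whose properties evaluate to the wire name of each
// declared field: readable in dev, short and sequential in production.
function proxyFieldNames(prefix, fields, { production = false } = {}) {
  const names = new Map();
  for (const key of Object.keys(fields)) {
    names.set(key, production ? shortName(nextId++) : `${prefix}_${key}`);
  }
  // The target is a plain empty object: a frozen target holding the
  // declared keys would make the get trap violate Proxy invariants.
  return new Proxy({}, {
    get(target, key) {
      if (typeof key === 'symbol') return Reflect.get(target, key);
      if (!names.has(key)) {
        // A typo fails loudly instead of silently yielding undefined.
        throw new ReferenceError(`${prefix}.${key} is not declared`);
      }
      return names.get(key);
    },
    set() {
      throw new TypeError(`${prefix} is read-only`);
    },
  });
}

// Dev-mode usage: the record keys stay greppable.
const FF = proxyFieldNames('FF', { foo: null, bar: null });
const record = { [FF.foo]: 'report.pdf', [FF.bar]: 1024 };
console.log(record); // keys are FF_foo and FF_bar
```

The mapping is a stable one-to-one rename, so a reader of the production bundle can still follow each short key through the code. It removes the meaning carried by names, not the data or the logic.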
        
       | muhehe wrote:
       | Why obfuscate, when you can just follow modern trends and use
       | webpack (or similar) which gives you completely unreadable shit.
        
         | sphynxie wrote:
         | I certainly agree with your tone/sympathize with your
         | frustration but I will say that on several occasions I have
         | followed the webpack breadcrumbs to figure out what the hell is
         | going on with a vendor's misbehaving script, knowing it's going
         | to be faster than going through support. Some of these methods
         | would make that much harder.
        
         | cabirum wrote:
         | "Modern"? Webpack/code bundlers is quite an ancient tech by
         | now.
         | 
         | Regard it as an intermediate representation (IR) of your code,
         | a stage between your readable source code and browser
         | bytecode/jit.
         | 
         | The "shit" is still readable since webpack also generates
         | source maps.
        
         | moritzwarhier wrote:
         | That's because Webpack includes a minifier (Terser) by default
         | when running in production mode (I think since version 5, which
         | went a lot in the direction of convention-over-configuration).
         | It is easy to disable if you want to.
         | 
         | Terser transforms non-global identifiers lexically and does
         | some simple substitutions.
         | 
         | Normally you want to bundle modules with their dependencies
         | anyway, maybe transpile code... Then why not minify?
         | 
         | Et voila, some completely unreadable shit.
        
       | etamponi wrote:
       | Sorry for the slightly offtopic question: this page caused Chrome
       | on my mobile phone to freeze completely. I had to reboot my
       | phone, and even after that, I had to figure out a way to close
       | the tab without opening Chrome. Did it happen to someone else?
        
         | uwuemu wrote:
         | Nope, but I can see the jsfuck example doing something like
         | that as it kinda weirdly lagged on mine (android 12, chrome
         | 103).
        
         | jeroenhd wrote:
         | Yes, actually. Works perfectly fine on Firefox but on both
         | Chrome and Bromite it causes the browser to crash. My phone
         | just let me kill the app after a few seconds but there's
         | definitely something weird going on here.
         | 
         | Interesting, I have Bromite set up to disable JIT by default,
         | so if it's because of weird JS, it's a bug in both the JIT
         | engine and in the interpreter.
        
       ___________________________________________________________________
       (page generated 2022-07-17 23:00 UTC)