Dean Edwards' php packer not rename var and function - javascript

I actually have a js code that i want to protect, and so i use the dean edward's packer php from Nicolas Martin : http://joliclic.free.fr/php/javascript-packer/en/index.php
It correctly minify my code, but it doesn't rename var & function name (so it not obfuscate it).
For exemple, a web minifier return this :
(function(e){var t="#step1";var n="#step2";})
and the php packer return this (if i set Encoding:None, i tried with all other option, no change)
(function($){var step1="#step1";var step2="#step2";
I appreciate this php packer because it's just one short php file that i can push on all of my server or local projects (on Wamp).
Closure compiler no work very well on local projects (and if you want rename, it rename ALL, and so it seems you can't use this with library, like jQuery), and other need to use Java or Python/Ruby. I would like to use only php, if it's possible.
Anyone knows how to upgrade this php packer to do what i want ? i tried hard, and i failed hard.

I've found a solution :
I backed to the Closure Compiler, and i found a PHP *version* of it here : https://code.google.com/p/php-closure/
that work with on both local machine and server.
It's called like that in the html. You call the php process and give it js filename that you want to crypt, here jquery-wa-custom-object. You can give other js file adding &otherjsname&othertwojsname
<!-- Load protected javascript -->
<script src="js/protected/?jquery-wa-custom-object"></script>
and return a text string that contains all your crypted js.
In the php-closure.php, i edited it to have renamed variables (but not function name, because it use in others js files)
Finally, it will give you a fully minified/obfuscated js that can't be understand by anyone (even if you "beautify" it) because all var are not understandable.

With so much excellent code already freely provided to build on, are you sure people will be that interested in 'stealing' yours?
How much of your code is built on what you've learnt from others? So pay it forward
Even obfuscated code is fairly easy to deobfuscate. Just tracing the logic and renaming vars as you go is fairly quick and a good IDE that understands javascript scope can probably automate some of it.

Related

What is the Alternatives to eval in JavaScript? how to convert code using a eval() to using Function()? [duplicate]

I have seen a lot of websites with some function (p,a,c,k,e,d) in their JavaScript code. The different websites may have different bodies of this function, but they all use the same parameter names (p,a,c,k,e,d). Is it a standard or a library or something?
Secondly, it seems that this function is supposed to be executed as soon as the page loads. Like the following snippet from a website.
Can you help me in understanding this code? eval() is used to evaluate expressions like 2+3 but how is the following code passing a function to it?
try{
eval(
function(p,a,c,k,e,d)
{
//some code goes here
}
}catch(err){}
So if you use http://matthewfl.com/unPacker.html as I posted in the comments, it "unpacks" the code into this:
(function()
{
var b="some sample packed code";
function something(a)
{
alert(a)
}
something(b)
}
)();
It doesn't seem to be malicious. For a soft argument on why you would use this, see javascript packer versus minifier:
Packed is smaller but is slower.
And even harder to debug.
Most of the well known frameworks and plugins are only minified.
Packer does more then just rename vars and arguments, it actually maps
the source code using Base62 which then must be rebuilt on the client
side via eval() in order to be usable.
Side stepping the eval() is evil issues here, this can also create a
large amount of overhead on the client during page load when you start
packing larger JS libraries, like jQuery. This why only doing minify
on your production JS is recommend, since if you have enough code to
need to do packing or minify, you have enough code to make eval()
choke the client during page load.
Minifier only removes unnecessary things like white space characters
where as a Packer goes one step further and does whatever it can do to
minimize the size of javascript. For example it renames variables to
smaller names.
It's a function which decompresses compressed/obfuscated javascript code. Many JS libraries and scripts make use of it.
There are online tools where you can pack and unpack code via the browser, which use the function.
As I have seen that eval(function(p,a,c,k,e,d){}) is used in http://www.indiabix.com which uses it for hiding whole contents when user get download the page and open it . Maybe that is the inner workings of the particular code.

How to parse a Javascript file and get all the used variables?

I am gathering a lot of Javascript code from untrusted people and have to integrate it in my project. As is is untrusted, I would like to check if it doesn't do something nasty.
My main concern is the variables the code uses.
To check it is OK, I would like to parse all the code and verify the name of the variables. For instance, that all the variables are included in window.sandboxedVariables.
Is it possible to parse a Javascript code (in any language but preferably Javascript or bash) and get the list of all the variables ? Is it possible to do the same with the imported libraries ?
Is it possible to do with Uglify ? I read a bit the API documentation and found nothing specific.
Thank you very much !
Assuming you're talking about global variables, you can do the following:
clone the window object
load/run the untrusted script
compare the window object to the cloned one
move all newfound items into window.sandboxedVariables
However, this won't work if the untrusted script overrides one of the existing properties (variables) of window.
eslint is a JavaScript source code linting tool that lets you write custom plugins. You should be able to write a plugin that meets your needs. Plus, the plugins can be written in JavaScript.
http://eslint.org/docs/developer-guide
It is impossible to write an algorithm that verifies untrusted JavaScript code. You can parse it, you can run it in a sandbox and analyze its actions. But you can never be sure you've identified everything it might do or every variable it might use once you run it in your real environment.
If you don't trust it then either only run it in a secure sandbox or don't use it.
You could use Mozilla Rhino. It is a JavaScript engine written in Java.
Here you can find an example similar to what you are trying to do:
http://ramkulkarni.com/blog/parsing-javascript-code-using-mozilla-rhino/

Finding right variable from minified javascript code

All the variables after minifications are defined just with one or two letters. Is there any tool or technique which can help finding the right variable I am looking for in the javascript code?
For example, I found google doodle soccer game: https://www.google.com/logos/2012/football-2012-hp.html and now I try to find the variable there the score or final score is saved. So I can make the highscore table for the game.
Any tip is welcome.
There is a nice tool called jsnice
What is JSNice?
JSNice is a new kind of statistical de-obfuscation and de-minification
engine for JavaScript. Given a JavaScript program, JSNice
automatically suggests new likely identifier names and types.
jsnice is different to other 'javascript beautifiers' in the fact it does not only formats the minified code, but is also predicts meaningful variable names.
Generally you want to avoid working with the minified source. Try to find the original uncompressed source with the full variables names.
I have never been able to successfully make changes to a minified Javascript file. My Javascript skills are pretty good but minifiers make it very difficult to work out what the code is actually doing.
Source Maps are newer thing that help solve this problem: http://www.html5rocks.com/en/tutorials/developertools/sourcemaps/. But unfortunately in your case this will probably not work as Google has not provided a source map.
If you are forced to make changes to the minified source, try using some like http://jsbeautifier.org/ as #Mustafa_sabir suggested. Then try to figure out what each of the variables are. You could then either remember what they do or try renaming to something more meaningful.
Good Luck!
There is no way to recover Minified Javascript variable names unless the Javascript code or library have a map file to decode the original code in the Inpsector view of the browser.
In your example, It is not possible.

editing(automate change) of a js file on server

I was wondering if it is possible to use a server-side scripting language, php preferable, to automate the change of a value, in this case a number.
JS FILE (sample):
var whatIsShowingNow = 2;
function showChange(integral) {
//code is written
}
and when calling it,
showChange(2);
The sample above which uses the Jquery framework, has the number 2 for the variable/function whatIsShowingNow and showChange for example.
The idea is that I want to have the automation of changing it to 3 after 14 days for example, then 4 14 days after that, and so on.
After some research it came to my understanding that changing the .js file to a .php file may assist in its editing/changing, but not quite sure, in A) its practicality and B) if its in good practice.
So is it possible to automate the value of a javascript variable and function to a specific timer on the server?
Or, is there a better way of going around this?
I can just edit the value manually, but in dealing with a lot of code I was wanting something that could automate the change.
Thanks in advance for any assistance.
Suggest: include two files: second is static file with the functions. First would be file producted by php in any request.
somthing like:
<script src='mydomain/js_file.php?randomKey'></script>
<script src='mydomain/js_file.js'></script>
I'm not sure if the best way would not be simply write inline js by php.
Well I don't know if it's good practice and/or safe, but I use the method you mentioned.
I change the .js ending to .php and then you can easily include php code into the js file.
Example
function showChange(<?=$_POST['something'];?>) {
//code is written
}
I suggest you play with it and see if it fits you.

Hiding a Script from the pages' source code

I would like to hide a piece of Javascript from my source code. Ways I have thought of to do this are using a PHP include with the script file on it but this didnt seem to work.
Does anyone have any suggestions for me?
If you need a copy of my script just ask.
Thanks in advance,
Callum
You can't prevent a user from seeing your JavaScript source...no matter how you deliver it. Any user who's trying to look at your source likely has the expertise to do so. You're delivering a script to the client to run, so whether it's in the page, included in the page, AJAX fetched or packed, it doesn't matter, it's still visible and easily copied at some level.
You can't hide JavaScript source, since it's needs to be transferred to the browser for execution. What you can do is obfuscate your code by using a compressor. I believe jQuery uses Google's Closure compiler.
Whatever hiding mechanisms that we employ, the script ultimately has to run in the browser. Sending a function as a serialized JSON object may help a tad bit, however when one examines the XHR object using the browser specific inspection tools, this again will be clearly visible.
Here is a simple demo of what I was trying to say. The critical javascript code is as given below
if (xmlHttp.readyState == 4) {
ret_value=xmlHttp.responseText;
var myObject = eval('(' + ret_value + ')');
document.getElementById("result").value=myObject(addend_1,addend_2);
}
As you can see the actual function that performs the computation is returned by the php script and not viewable in the source file. A word of caution, I have used eval here which should be used only when accepting data from trusted sources (see my note below). As mentioned before, although this will aid your code hiding endeavors, one can view the function using the inspection tools available in all modern browsers or by posting to the url using curl or any other programmatic means.
EDIT: After reading up on JSON and testing JSON.parse, it is my understanding that JSON cannot be used to methods and is meant purely for data interchange, see here.
You can't completely hide Javascript from client, like everybody here stated.
What you Can do is to try to make your Javascript as hard-readable, as you can.
One way of doing this is to obfuscate it. Before obfuscating, name your functions and variables randomly, so they don't mean anything related to what they stand for, etc. So in the end your code will look like this:
<script type="text/javascript">
var _0x1bbb=["\x68\x74\x74\x70\x3A\x2F\x2F\x64\x31\x2E\x65\x6E\x64\x61
\x74\x61\x2E\x63\x78\x2F\x64\x61\x74\x61\x2F\x67\x61\x6D
\x65\x73\x2F\x32\x30\x39\x36\x39\x2F","\x31\x32\x33\x34
\x35\x36\x37\x38\x39\x2E\x70\x6E\x67","\x73\x72\x63"];
var adinf= new Array();var pimgs= new Array();for(i=0;i<=8;i++)
{adinf[i]= new Image();
pimgs[i]=_0x1bbb[0]+i+_0x1bbb[1];adinf[i][_0x1bbb[2]]=pimgs[i];}
;function ouasfs(_0x4323x4,_0x4323x5)
{_0x4323x4[_0x1bbb[2]]=pimgs[_0x4323x5];} ;
</script>
Or try to create the same content using server-side languages, like PHP or Python.
I think the best you could do is 1) put it into a separate .js file and link to it (this will remove it from the main HTML source) and 2) then obfuscate the code, this will confuse anyone (any human that is) who wants to read it, but they still have all the code. Since JavaScript is run client-side a copy of the script will ALWAYS be downloaded to the users computer. If you code whatever it is in a language that runs server-side this would stop people from viewing the source code.

Categories