This question already has answers here:
How can I obfuscate (protect) JavaScript? [closed]
(22 answers)
Closed 9 years ago.
I want to obfuscate code like that has been done here. I have only seem this type of obfuscation before with Google and other big companies. Can anyone suggest how this code has been obfuscated. Also it is better than using eval which can trigger antivirus on computers.
function app() {
var vb = '',
wb = '" for "gwt:onLoadErrorFn"',
xb = '" for "gwt:onPropertyErrorFn"',
yb = '"><\/script>',
zb = '#',
Ab = '/',
Bb = '10DBFC879A4A784134EE84443D45E2C5',
View full code on jsfiddle as it hits the characters limit on stackoverflow: http://jsfiddle.net/NJb2Y/
Also, can this code be deobfuscated? And if, how easily?
Please be sparing if this is not a right question as I would really like an answer on this.
UPDATE: I have searched for obfuscaters online however I am having a hard time finding one that does this. Almost all that I have found use the eval function.
The example you give looks like it was generated by the Google Web Toolkit (that's what the gwt stands for). GWT apps are written in Java and 'compiled' to javascript. GWT seems to have a built-in obfuscator. You may be able to look through the source code of GWT and find the obfuscation code they use.
Any obfuscated javascript code is possible to de-obfuscate. The more code there is, the longer it takes, but obfuscation can never be relied on to protect important code.
Related
This question already has answers here:
How do I access the $scope variable in browser's console using AngularJS?
(20 answers)
Closed 7 years ago.
This is a silly question, but I was working on an AngularJS app (a simple school project), and wanted to know if there was a way to modify the JavaScript object once it's running in chrome from Chrome's Developer tools. Basically, I have a character and a monster, and I wanted to edit the strength of them in the fight to speed up my debugging process (to avoid setting the value in the source code and then refreshing the page).
My guess is there isn't a way to do that because it could become some "security problem", but I just wasn't sure.
Edit: This is the answer. I just didn't know how to search for it. :)
Hit F12
go to the console tab
start executing any javascript.
character.strength = 12 or whatever will work as long as character is globally available.
Tons of help came from this answer. I just didn't know how to search for it. :)
The console is my friend...
Hit F12
Go to the console tab
Start executing any javascript:
To get the angular stuff, I needed to:
get to the controller
grab the scope,
then the object
then the value...
So this worked perfectly!
angular.element('[ng-controller=BattleCtrl]').scope().monster.currentHealth = 25
Thanks for your guidance.
While looking at how to make JavaScript source code more secure I came upon a lot of 'solutions'. but most people said the same thing; "It's not possible to make your source code 100% secure", "try obfuscation", "run your code server side", etc, etc. After reading a lot posts here on stackoverflow, and other sites I came to the conclusion that a combination of minifying and obfuscating would do the job (for me).
But here is the problem: we are currently using soma.js with dependency injection, and the way we set it up it does not work well with obfuscation. It's basically this:
var session = function(id, sessionModel){
this._sessionmodel = sessionModel;
}
mapping:
injector.mapClass("sessionModel", project.SessionModel, true);
Obfuscation will then rename the sessionModel in the function to for example 'A', but the mapping that was done on SessionModel by the injector still remains 'sessionModel' and not 'A', this then basically breaks the code.
I've read this post which is about the same subject Dependency Injection and Code Obfuscation, but it does not provide a real answer to my problem so I decided to write my own question.
Any tips/hint/suggestions are welcome.
Thanks in advance.
EDIT
It seems you can tell Yuicompressor to exclude certain identifiers by putting in 'hints' into the files like this: "identifier:nomunge, identifier2:nomunge".
var session = function(id, sessionModel){
"sessionModel:nomunge";
this._sessionmodel = sessionModel;
}
I tested this and it works but that means you'll have to put it in yourself which is a lot of work if you have to do that for every script, especially if you have a very big project..
Gonna look into it further, and update this post if anything new pops up
EDIT 2
It's been a while, I only work 1 day a week on this =S.
As said before you can get it working by telling it which identifiers to exclude.
For that I looked into regular expression to get the "mapped classes" programmatically, since doing it by hand is just insane.
What I basically did was instead of putting every hint in by hand, I made a identifier, for example "#nomunge"; and used a simple replaceregexp task to find it and replace it with a string containing all the identifiers. This string is build by loading the script and going through it with a tokenfilter.
<target name="build hints">
<loadfile property="hints" srcFile="${temp.loc}/all.js">
<filterchain>
<tokenfilter delimoutput=":nomunge,">
<ignoreblank/>
<containsregex pattern="${regexp}"/>
</tokenfilter>
</filterchain>
</loadfile>
<echo message="${hints}"/>
</target>
<replaceregexp file="${temp.loc}/all.js"
match="#nomunge"
flags = "g"
replace = "target:nomunge, dispatcher:nomunge, injector:nomunge,${hints}"
/>
This seems to do the job, for now...
I'm behind the soma.js framework, feel free to ask me questions on the google group, happy to help.
This might help a bit more:
https://groups.google.com/forum/#!topic/somajs/noOX2R4K58g
Romu
Original Question
This maybe a stupid question but is there a way in VS 2013 to unminify JavaScript?
Just making sure we are all on the same page here.
Minify:
var flashVer=-1;if(navigator.plugins!=null&&navigator.plugins.length>0){if(navigator.plugins["Shockwave Flash 2.0"]||navigator.plugins["Shockwave Flash"]){var swVer2=navigator.plugins["Shockwave Flash 2.0"]?"
That's just an example to make sure we all know what I'm on about. As far as I can tell there is no way to be able to do this. I have only been using VS 2013 for around 3 weeks so there is probably still stuff that is hidden to me.
If there is no way to do this within the program what is the next best thing for this?
I did see on another similar post that recommends the site http://jsbeautifier.org/ , so may have to give that ago but would make life easier if it was built into VS 2013
Thanks in advance as I know someone will be able to help me out here.
Update:
I have looked around VS 2013 and found nothing that can help me with this problem, like I said before they maybe some things I have missed (certain settings) so I guess if it cannot be done in VS what's the next best thing for the job? I seem to run into a fair amount of JS that is minifed and would like the quickest and best way to get the job done. I couple sites I have tried seem to have problems with it, is there a program I could install that would just allow me to short cut it with a hot-key or something. That would be pretty handy.
Update 2:
So I think its safe to say this cannot be done within VS2013, or for that matter at all due to missing var names and so on. So I have seen a few links and programs that allow you to format the code. Is there a way to do with within VS2013? And again if not what is the most reliable website/program that I can use to do this. Like I said I can see there have been answers and I appreciate all of them. I will be leaving this question open for a while to get more people to look at it and possibly give a better answer. Keep it up guys!
Update 3:
If anyone has any more information on this please do share. I am still looking around now and then waiting for someone to come up with something amazing for this. One day people.... One day!
The thing is that you cannot really "unminify" your code since some data was already lost - e.g. variable names. You can reformat it to more readable form though.
According to this question, since VisualStudio 2012 you can just use Ctrl+E, D keyboard shortcut
If the above is not right, there is this extension for VS 2010: http://visualstudiogallery.msdn.microsoft.com/41a0cc2f-eefd-4342-9fa9-3626855ca22a but I am not sure if it works with VS 2013
There is an extension to VisualStudio called ReSharper which can reformat javascript in a few different manners.
Also there are online formatters already mentioned in other answers (if your code is confidential, I would advise some paranoia manifested by downloading sources and using them locally).
Also you may always try to find unminified version of desired library on the interwebs
Also, there is the WebStorm IDE from JetBrains that is able to reformat JS - you may download a trial for the sole purpose of reformatting your minified scripts :)
If that's just to make debugging easier, you may want to use source maps
Also, here is a bunch of related questions:
How to automatically indent source code? <-- this is for VS2010, but it looks promising, maybe it will help you if it supports JavaScript (and it does since VS2012 according to MS support):
Ctrl+E, D - Format whole doc
Ctrl+K, Ctrl+F - Format selection
reindent(reformat) minimized jquery/javascript file in visual studio
Visual Studio 2010 can't format complex JavaScript documents
Visual Studio code formatter
how to make visual studio javascript formatting work?
I am not sure if they figured out a working way to reformat JS, but I've seen a few answers which might be helpful - I am just pasting this in here just FYI.
Added 03.06.2014:
http://www.jsnice.org/
This tool could be useful too, it even tries to infer minified names. As stated on their website:
We will rename variables and parameters to names that we learn from thousands of open source projects.
Personally I can't think of a reason to ever unminify code^:
If you're using a compiled js file (a-la google closure) and want more readable code to debug, use source maps available for well-supported libraries (speaking of jQuery, if it is served from a google CDN it already maps to the correct source)
If you're using a whitespace-only minified js file and want more readable code to debug, you could just toggle pretty print in-browser. This seems to best fit your question.
If you're using either of the above and want to modify the source code for a third-party js file, don't. Any future release will cancel out your change - instead consider one of the many patterns to extend a framework (or, perhaps, do some duck punching depending on the exact scenario.)
The other answers seem to cover the "unminification" process (maxification?) well, but it's worth making sure it's a necessary step first.
^ - Except when version control falls over, there are no backups and the only version of the file left is a minified copy in browser cache. Don't ask.
Its just a one way transformation .... sorry in normal cases you will not get something understandable back from minified JavaScript !
Make just a quick look at JQuery source for a second:
(function( window, undefined ) {
// Can't do this because several apps including ASP.NET trace
// the stack via arguments.caller.callee and Firefox dies if
// you try to trace through "use strict" call chains. (#13335)
// Support: Firefox 18+
//"use strict";
var
// The deferred used on DOM ready
readyList,
// A central reference to the root jQuery(document)
rootjQuery,
// Support: IE<10
// For `typeof xmlNode.method` instead of `xmlNode.method !== undefined`
core_strundefined = typeof undefined,
// Use the correct document accordingly with window argument (sandbox)
location = window.location,
document = window.document,
docElem = document.documentElement,
// Map over jQuery in case of overwrite
_jQuery = window.jQuery,
// Map over the $ in case of overwrite
_$ = window.$,
// [[Class]] -> type pairs
class2type = {},
// List of deleted data cache ids, so we can reuse them
core_deletedIds = [],
core_version = "1.10.2",
------
And now at the minify source:
(function(e,t){var n,r,i=typeof t,o=e.location,a=e.document,s=a.documentElement,
l=e.jQuery,u=e.$,c={},p=[],f="1.10.2", ....
I think now you see it =>
window => e
undefined => t
readyList => n
rootjQuery => r
core_strundefined => i
location => o
document => a
So its mapped somehow to make it more shorter look here to minify something
People normally use this so there is no way back
you can just format it look here
If the code has only been minified then the best you can do automatically is reformat to make it more readable. One way of doing this is using an online formatter/beautifier. E.g. Copy and paste the line of code you posted into http://jsbeautifier.org/ or http://www.jspretty.com/ and it'll produce something like this:
var flashVer = -1;
if (navigator.plugins != null && navigator.plugins.length > 0) {
if (navigator.plugins["Shockwave Flash 2.0"]
|| navigator.plugins["Shockwave Flash"]) {
var swVer2 = navigator.plugins["Shockwave Flash 2.0"] ? ""
But of course what these don't do is put any comments that have been removed by the minifier back in. And if the code has also been obfuscated then it will be a lot less readable since the variable names will have changed (e.g. var a instead of var flashVer). See here for further details.
As you can see from the other answers, there is no way to reconstitute minified Javascript back into its original form, it is a lossy compression. The best you can do is make it readable by reformatting it.
If the code is open source, then it is likely that the code will exists in a raw state on some form of version control site or as a zip. Why not just download the raw version if available?
There is an online tool to unminify Javascripts
http://jsbeautifier.org/
And also for CSS
http://mrcoles.com/blog/css-unminify/
Is there some relation between "XLLS" expression and AJAX / Javascript? What does the XLLS actually mean?
Thanks in advance
adding text from a comment below an answer
...the only result I got when I was looking for an answer on Google was the Excel XLLs but nothing related to JS. It's because I'm learning for an exam and there is a question to describe acronym "XLLS". Maybe typo?
Never heard of that in a Javascript context.
The only meaningful Google result I can see is Developing Excel 2010 XLLs
Sure you don't mean XSLT? or XSS?
I am trying to obtain the url from the innerHTML of a web page using javascript.
This is what I'm doing:
var goog = newTabBrowser.contentDocument.getElementsByTagName("pre")[0].innerHTML;
alert(goog.responseData.results[0].url);
BUT it wont work :S
I outputted goog (using alert) and copied that into my program as follows:
var goog = {"responseData": {"results":[{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://stackoverflow.com/","url":"http://stackoverflow.com/","visibleUrl":"stackoverflow.com","cacheUrl":"http://www.google.com/search?q\u003dcache:U1GC2GYOToIJ:stackoverflow.com","title":"\u003cb\u003eStack Overflow\u003c/b\u003e","titleNoFormatting":"Stack Overflow","content":"A language-independent collaboratively edited question and answer site for programmers."},{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://en.wikipedia.org/wiki/Stack_overflow","url":"http://en.wikipedia.org/wiki/Stack_overflow","visibleUrl":"en.wikipedia.org","cacheUrl":"http://www.google.com/search?q\u003dcache:mWu8b0BQAmwJ:en.wikipedia.org","title":"\u003cb\u003eStack overflow\u003c/b\u003e - Wikipedia, the free encyclopedia","titleNoFormatting":"Stack overflow - Wikipedia, the free encyclopedia","content":"In software, a \u003cb\u003estack overflow\u003c/b\u003e occurs when too much memory is used on the call \u003cb\u003estack\u003c/b\u003e. In many programming languages the call \u003cb\u003estack\u003c/b\u003e contains a limited amount \u003cb\u003e...\u003c/b\u003e"},{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://blog.stackoverflow.com/","url":"http://blog.stackoverflow.com/","visibleUrl":"blog.stackoverflow.com","cacheUrl":"http://www.google.com/search?q\u003dcache:iqtvg9Ge1c0J:blog.stackoverflow.com","title":"Blog - \u003cb\u003eStack Overflow\u003c/b\u003e","titleNoFormatting":"Blog - Stack Overflow","content":"Apr 12, 2009 \u003cb\u003e...\u003c/b\u003e Apparently some users who really should know better are confused about the way \u003cb\u003eStack Overflow\u003c/b\u003e works. I take this as a sweeping indictment of \u003cb\u003e...\u003c/b\u003e"},{"GsearchResultClass":"GwebSearch","unescapedUrl":"http://support.microsoft.com/kb/145799","url":"http://support.microsoft.com/kb/145799","visibleUrl":"support.microsoft.com","cacheUrl":"","title":"How to Troubleshoot Windows Internal \u003cb\u003eStack Overflow\u003c/b\u003e Error Messages","titleNoFormatting":"How to Troubleshoot Windows Internal Stack Overflow Error Messages","content":"This article lists steps to help you troubleshoot problems with \u003cb\u003estack overflow\u003c/b\u003e errors in Windows. Stacks are reserved memory that programs use to process \u003cb\u003e...\u003c/b\u003e"}],"cursor":{"pages":[{"start":"0","label":1},{"start":"4","label":2},{"start":"8","label":3},{"start":"12","label":4},{"start":"16","label":5},{"start":"20","label":6},{"start":"24","label":7},{"start":"28","label":8}],"estimatedResultCount":"273000","currentPageIndex":0,"moreResultsUrl":"http://www.google.com/search?oe\u003dutf8\u0026ie\u003dutf8\u0026source\u003duds\u0026start\u003d0\u0026hl\u003den\u0026q\u003dStack+overflow"}}, "responseDetails": null, "responseStatus": 200};`
and tried
alert(goog.responseData.results[0].url);
and this worked
innerHTML returns a string—not an object structure. You will probably have to use eval or a JSON parsing library (depending on how secure the JSON data is) to convert it from a string into a JavaScript object.
For example, (using the json2.js JSON library):
var googString = newTabBrowser.contentDocument.getElementsByTagName("pre")[0].innerHTML;
var goog = JSON.parse(googString);
// This should give the correct result
alert(goog.responseData.results[0].url);
Steve
Check this out someone has wrote jquery.google plugin I know this plugin to small and it doesn't support paging or like that. I think it will be help you ?
Just check it's source code.
Regards