Wednesday, September 2, 2009

JavaScript Scramblers / Obfuscators Softwares and Techniques they used

There are many JavaScript Scrambling softwares/tools available on Internet.
All of them aims to scramble the JavaScript source code to prevent the theft of JavaScript Code.
Obfuscated code is a source code that is very hard to read and understand. 
Macro preprocessors are often used to create hard to read code by masking the standard language syntax and grammar from the main code.

How to create hard to read code (Obfuscated code)?
Take a JavaScript code in .JS files or in HTML files as a input  and replace descriptive variable and function names like Customer, Salary, FirstName... with meaningless names like x0de234f, III111000, oo00ooo... 
Also removes comments and unnecessary whitespace characters (space, tab, carriage return, line feed). The functionality of the code remains the same while source code changes dramatically. This process is called obfuscation, and the tool is called obfuscator.

I tried to find and collect under one roof information about JavaScript Obfuscators.

1. Stunnix JavaScript Obfuscator
 Stunnix JavaScript Obfuscator converts scripts in input files into highly mangled and obfuscated form, while fully retaining  functionality of the original code.
 It provides different encoding techniques such as MD5 (Message Digest version 5), set of o and 0, and set of I and 1 for identifiers/variables/function names. Similarly it provides different encoding technique such as Hex escapes, List of codes for strings. It uses regular expression to replace numbers. It gives freedom to the programmer to select encoding technique of there choice to make JavaScript code difficult to study and analyze. It is also possible to encode the code using one set of encoding techniques and again encode the encoded code using different set of encoding techniques supported by the tool. For example, first encode using a set {MD5, Hex escapes, regular expression} and then encode the encoded code using same or another set of supported techniques by the tool such as {set of o and 0, List of codes, regular expressions}.   
 Examples of Encoding techniques of Stunnix tool are given below:
 Encoding for Identifiers/variables/function name:
  1. MD5: Message Digest version 5, 
   It generates hash value for identifier/variable_name or function_name and replaces the occurrence of identifier/variable with its hash value. (for example every occurrence of FACTORIAL function name in the script is replaced with it hash value Z001C775808)
  2. set of I and 1
   It generates a unique set of I's and 1's for each identifier/variable_name ( for example every occurrence of      SHOW_TOP_RECORDS function name in the script is replaced by IlIlIIIllI)
  3. set of o and 0 
   It generates a unique set of o's and 0's for each identifier/variable_name ( for example every occurrence of      SHOW_TOP_RECORDS function name in the script is replaced by o0o0ooo00o)
 Encoding for strings in the script:
  1. Hex escapes
   It uses Hex encoding for strings (for example no entries is replaced with  \x3c\x62\x3e\x6e\x6f\x20\x65\x6e\x74\x72\x69\x65\x73\x3c\x2f\x62\x3e)
  2. List of Codes
   Adds some constant prefix such as ReplacementFor_ to every occurance of string. (for example  strcomputer variable is replaced with ReplacementFor_strcomputer)
 Encoding for numbers/digits
  It uses regular expression to encode numbers in the script. (For example every occurrence of number 232 is get replaced with 0x14b6+2119-0x1c15 in the script)

2. TagsLock Pro. 
 Replaces string characters (ASCII) with hexadecimal equivalent value and each preceded by a percent symbol. (For example, space character is hexadecimal 20, so the encoded version of a space character is %20)
 It uses JavaScript inbuilt function escape() to generate encoded version of string and uses inbuilt JavaScript function unescape() to decode it.

 For example:
   Original JavaScript:
      document.write("Hello, world!");    

    Scrambled JavaScript:

          document.write(unescape('%3cs%63ript%3e%3c%21%2d-%0d%0ado%63ument.write("%48%65llo%2c %77orld%21"); %0d%0a%2f%2f %2d%2d%3e%0d%0a%3c/s%63%72i'+'pt%3e %0d%0a%0d%0a'))      


3. iWeb Tool. 
 Similar to TagsLock Pro, iWeb tool uses escape() function to convert string (ASCII) into hex encoding.  But to make it more confusing it perform encoding on hex encoded string and converts hex encoded string into unicode. 
 To decrept it uses a inbuilt JavaScript function String fromCharCode() to convert it from Unicode to hex codes and then using unescape () function converts hex codes into a string (ASCII). 
 It keeps the Javascript inbuilt function name as it is, such as document.write in original source code will as it is appear in encoded code.
 For example:
 Original Code:
   document.write("Hello") 
 
Encrypted Code:
  var enkripsi="'1Aqapkrv'1Gfmawoglv,upkvg'0:'00Jgnnm'00'0;'1A-qapkrv'1G"; teks=""; teksasli="";var    panjang;panjang=enkripsi.length;for (i=0;i2) }teksasli=unescape(teks);document.write(teksasli);


4. Javascript Obfuscator v2.53. 
 It reads files with JavaScript code and replaces each occurance of descriptive
variable and function names like CHILDNODE, FIRSTNAME, LASTNAME... with meaningless names like Ia, g, m... 
It also removes comments and unnecessary whitespace characters (such as space, tab, carriage return, line feed).

5. Ajaxian JavaScript Obfucator. 
 It is same as JavaScript Obfuscator v2.53. 
 And Like a iWeb tool, it does not replace document.write() function name, that is the rule is not to replace the function name or vaiable name if it has ".". 

6. JavaScript Scrambler v1.11. 
 It is the simplest JavaScript Obfuscator, which removes comments and unnecessary whitespace characters. It keeps the variable names and Javascript code as it is; except only changes function names in the original code. (for example,  every occurance of function name "doTICKER" is get replaced with "x0822631")


References
1. Stunnix JavaScript Obfuscator. http://www.stunnix.com/prod/jo/
2. TagsLock Pro. http://www.aerotags.com/faq/tips-js-protection.php
3. iWeb Tool. http://www.virtualpromote.com/tools/javascript-encrypt/
4. Javascript Obfuscator v2.53. http://javascript-source.com/javascript-obfuscator.html
5. Ajaxian JavaScript Obfucator. http://ajaxian.com/archives/utility-javascript-obfuscator
6. JavaScript Scrambler v1.11. http://www.quadhead.de/jss.html

2 comments:

  1. There is a new JavaScript source code obfuscation service: JScrambler

    The major features are:

    * Size code reduction transformations
    * Potent and resilient obfuscation transformations
    * Anti-debugging techniques
    * Lexical and syntactic analysis of the JavaScript source code

    Transformations and techniques (most are new among the current offer):

    * Remove code comments, white spaces and newlines
    * Replace identifiers for smaller and randomly created ones
    * Replace common DOM calls for associative array selection
    * Replace literals for a randomly number of conditional operators (?:)
    * Dead code insertion protected by hardly determinable predicates by static code analysis
    * Reorder of function definitions
    * Codify the source code and protect it from debugging
    * Checksum verifications of the source code to detect attempts of code changes

    References
    JScrambler - Protect your code. http://www.jscrambler.com
    JScrambler Features. http://www.jscrambler.com/index/features

    ReplyDelete
  2. This one is nice too:

    http://utenti.multimania.it/ascii2hex/

    ReplyDelete