Español English

Obfuscating javascript with dirty code

One of the easiest and more dangerous ways of obfuscate a source code is adding dirty code.
This means adding lines of functions and variables with no objetive but the interruption of the original code interpretation.

In the proccess of writing an useless code, which is very simple at first, we may be careful with what we write and where we do it.
We must know that the more simbiotic a dirty code is with the original one, more obfuscate effect will have, bearing in mind that the final result never will so optimize as at first
and the more tedious code lines we insert, the more slower and heavier the program will be.

Writing a dirty code may be a very simple task, we just have to add variables and functions to the original one what will interact
with them without touching the real code.
However, this involves a very poor obfuscation since with some of reverse engineering we may get real lines and
throw away those which are just filling in.
A good dirty code may interact with the real code and be next to it like a vital part itself; the final code must integrate the dirty code so well that no even itself could work properly if we trip all the added signs.
Javascript has special features in order to write dirty code,
but the possibility of writing functions and modulus as well as define variables in any part of the code, may give us an advantage
when set up the obfuscate code. With these characteristics we can define bucles for and while with any original variable and play with themselves in and out the functions.

Sequential code :

function fExample(){alert(1)};

Using javascript we can change the order:

function fExample(){alert(1)};

Adding dirty code:

a=”fNormal2“;var b;
function fExample(){alert(1)};

In the code-mixing proccess we must always find the harmony between obfuscation, fluency and optimization of the program.
If we get a complex javascript at the end of the obfuscation but slow and heavy at the same time, it could even rise the use
of the CPU slowing the navegators and the computer, which means that all the work made for obfuscate it, won’t be useful.

Español English

Compressing and obfuscating javascript

Many obfuscators actually do compression  and don´t do it  well at 100%.

Most compressors simply removed white spaces, line breaks and tabs and leave all the javascript code on one line, this is not any compression, it is true that the javascript after the process weighs less, but this is just a feature of javascript which does not respond to blank spaces and spaces in general.

Giving us a format code which is easy to return to the original state.

There are other more advanced compressor which variables and functions renamed to simpler name with fewer characters for example the following line:

var variable1=”javascript obfuscation“;

After compression:

var a=”javascript obfuscation“;

This is a more efficient compression than just remove the white spaces of the code.

However, as we see there isnt a  direct way of obfuscation. This effect is caused simply by the compression process and in the case of deletion of the spacing obfuscation is easily reversible.

In any case these are pretty poor compression, a good compression must have replacing repeated string. And for example delete var where not necessary.

Español English

How to obfuscate javascript 1#

In this post we go to explain waht is obfuscate javascript code:

Actually when we are trying to obfuscate code, our ultimate goal is to prevent someone else can understand and not be copied  or information disclosure . Sometimes we forget it in this process and we create complex algorithms and formulas to do hyperobfuscated codes which have a simple inverse process to obtain the original lines.

For example the famous compressor of Although named packer (compressor) actually  work like an obfuscator . Well imagine a very simple code, the declaration of a variable:


Using the wonderfull packer we get:

eval(function(p,a,c,k,e,r){e=String;if(!”.replace(/^/,String)){while(c–)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return\\w+‘};c=1};while(c–)if(k[c])p=p.replace(new RegExp(‘\\b’+e(c)+’\\b’,'g’),k[c]);return p}(‘01“;’,2,2,’var|hola‘.split(‘|’),0,{}))

Well, work is worthy of admiration, a global eval function where we sent 5 values, however we quickly realized the solution. After analyzing a little formula we see the clear return p  which returns all the decoded script. So we can modify the script and add a document.write (p) or alert (p) and obtain the pure code instantly.

As we see sometimes in an effort to find best methods of obfuscation we  forget the ultimate goal of the whole process, that is to hinder to deobfuscate the code and make it readable.

Understanding this is the first step, we must begin to find ways to obfuscate our codes by avoiding inverse processes, i.e. make a  mixed code with the original code and  the false lines or  dirty code, and no one can get the original code obfuscated by any direct process .


Español English

What is obfuscated source code and what to do

When it comes to obfuscate, we understand the fact confuse and change something that does not seem what it is.

Let’s see what the dictionary says:

From Latin offuscāre

1. tr. Dazzling, disturbing sight.

2. tr. Darken and make shade.

3. tr. Disrupt, disquieted or confused ideas, hallucination.

However, this concept should be applied to programming and code obfuscation. The languages ​​of 2 nd and 3 rd generation are closer to human understanding than the machine, everyday more, and contain words and attributes with semantic features, usually in English.

This helps us especially to remember  programming languages ​​and allows us to learn it quickly and stored in our memory easily.

We see that in almost any language. For example there are words that are common to almost all languages​​, such as if, for, while or function, all make sense in english.

When we learn a programming language is very easy to remember that for a condition we must use the option if, even not knowing English will always remember this simple word and its methodology.

in javascript we can write:


And anyone even without knowledge of Programmation can come to understand what makes this line of code. But if we write the following line in assembler it gets tricky:

cmp a, 5
jne gocode
mov a 6

* This code is not real and is very simplified

These observations may seem obvious to many people, but this explanation is because it has been a consequence.

Today many applications are developed in pseudo compiled languages ​​ with console and script languages. Pseudo ompiled languages ​​can be decompiled and get a code much like the original code such as Flash or Java. And in the script language simply does not compile the code and see it as the author wrote (php or javascript).

Currently have evolved  the programming languages so far, that a  ​​javascript code can be understood by many people with little knowledge on the subject.

Add to this the advent of Ajax, json and html 5 now get a huge amount of applications written in javascript and more every day. Most of web pages use javascript, and many of them are applications powered with HTML 5 canvas and using the new HTML labels all managed from java script.

Now we have two problems, first is the insecure  to show code to any user, sometimes with critical information about  the web. The second problem, not less important is the ease of copying the source, the author may spend months creating a masterpiece in javascript and someone comes and copy everything in seconds without asking, and what is more serious taking money from someone else’s code.

For all this it is necessary to obfuscate the javascript code and make it a code that works well but is unreadable to the human eye, not only to protect intellectual property but also have our web applications more secure.



Español English

What is

Hello and wellcome to This web is about the new born of  javascript with html5 and ajax We focus our research to ofuscate our javascript code and protect it everyday more necessary.