 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
| HomeDiscussion GroupsGeneralPHPASPPerlColdFusionFlashHTML, CSS, ScriptsBrowsers |
Webmaster Forum / HTML, CSS, Scripts / JavaScript / June 2006looking for good javascript unescape encoder
Neeed good javascript unescape encoder, to protect javascript code. Some advices? Online tool, or ready javascript only. Any opinions about the Javascript Obfuscator: http://www.javascript-source.com/ > Neeed good javascript unescape encoder, to protect javascript code. > Some advices? http://jibbering.com/faq/obfuscate.html David Dorward (): > Neeed good javascript unescape encoder, to protect javascript code. > Some advices? > http://jibbering.com/faq/obfuscate.html ----------------------- <citation> "The problem with all of these methods is that script is insecure. You can't make insecure script secure by writing more script!" </citation> sorry, you dont understand me. I do not need security. I need obfuscate script. > > http://jibbering.com/faq/obfuscate.html > sorry, you dont understand me. I do not need security. I need obfuscate > script. Why? To stop people from reading the source? So you want to SECURE the source? So you need security? David Dorward (): > > > http://jibbering.com/faq/obfuscate.html > > sorry, you dont understand me. I do not need security. I need obfuscate > > script. > Why? To stop people from reading the source? So you want to SECURE the > source? So you need security? Can you answer on my_specific_question,_please??????? Do not mix the "security" and "preventing from reading source" . This is completely different thing? No any secure in Internet. But it possible obfuscate script a little, accurately and error-free, just make for someone difficult to read and he will lazy spend time to decode script. Is there some good obfuscator script, unescape, or another? READY script - online tool or desktop application. > Can you answer on my_specific_question,_please??????? You will not get much help here, as most knowledgable users realize that javascript obfuscation is a complete waste of time.  SignatureMatt Kruse http://www.JavascriptToolbox.com http://www.AjaxToolbox.com Matt Kruse (): > > Can you answer on my_specific_question,_please??????? > [quoted text clipped - 5 lines] > http://www.JavascriptToolbox.com > http://www.AjaxToolbox.com I just amazed, its absolutely the wrong way, for me. Well, is there a *normal* users, not highly "knowledgable users", which capable think normally and can answer? which from this two scripts is better, have more sense, etc: http://dean.edwards.name/packer/ http://scriptasylum.com/tutorials/encdec/javascript_encoder.html First script does not use ''unescape", second based on unesacpe. > Matt Kruse (): > [quoted text clipped - 18 lines] > > First script does not use ''unescape", second based on unesacpe. Dear sir, If you wish to obfuscate some script, you will probably have to use some kind of algorithm to encode the script. Through this algorithm, you can then decode the obfuscated script to run it. I am not adept at all in any creation of algorithm, but you can probably talk to your local math major or something and ask for their advice. If you find one, you can easily transform the written equations into JavaScript quickly. It isn't exactly an already created script, but it is easy enough to create. I am sorry for the tangent, but that is what I will contribute. I have the honor to remain your most humble and Ob't Sv't in our war against the King. -- Patrick Reilly 1st Coy. Colonel Seth Warner's Regiment > Can you answer on my_specific_question,_please??????? I did - you just didn't like the answer. > Can you answer on my_specific_question,_please??????? > Do not mix the "security" and "preventing from reading source" . This [quoted text clipped - 4 lines] > > Is there some good obfuscator script, unescape, or another? What properties should it have? I.e., by what measure should it be "good"? Anything that makes Javascript not immediately readable should suffice as I understand you. Anything above that would be aiming for security, not obfuscation, which you don't want. A simple obfuscator is: ---- <textarea cols="72" rows="10" id="input">input here</textarea> <br> <input type="button" value="obfuscate" onclick=" function lz(s,n) { s = '000' + s; // sufficient for n<=4. return s.substring(s.length-n); } var inp = document.getElementById('input').value; var scr = document.getElementById('script').checked; var res = []; if (scr) { res.push('<script type=\'text/javascript\'>'); } res.push('eval(\''); for(var i = 0; i < inp.length; i++) { var c = inp.charCodeAt(i); var ch = c.toString(16); if (c < 256) { res.push('\\x', lz(ch,2)); } else { res.push('\\u', lz(ch,4)); } } res.push('\');'); if (scr) { res.push('<\/script>'); } var out = document.getElementById('output'); out.value = res.join(''); out.select(); "> <input type="checkbox" id="script" checked="checked"><label for="script">include <script...>...</script></label> <br> <textarea cols="72" rows="10" id="output" readonly="readonly"></textarea> ---- Is it "good"? That depends entirely on your requirements. It obviously obfuscates. /L SignatureLasse Reichstein Nielsen - lrn@hotpop.com DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html> 'Faith without judgement merely degrades the spirit divine.' Lasse Reichstein Nielsen (): > Can you answer on my_specific_question,_please??????? > Do not mix the "security" and "preventing from reading source" . This [quoted text clipped - 4 lines] > > Is there some good obfuscator script, unescape, or another? What properties should it have? I.e., by what measure should it be "good"? Anything that makes Javascript not immediately readable should suffice as I understand you. Anything above that would be aiming for security, not obfuscation, which you don't want. A simple obfuscator is: ---- <textarea cols="72" rows="10" id="input">input here</textarea> <br> <input type="button" value="obfuscate" onclick=" function lz(s,n) { s = '000' + s; // sufficient for n<=4. return s.substring(s.length-n); } var inp = document.getElementById('input').value; var scr = document.getElementById('script').checked; var res = []; if (scr) { res.push('<script type=\'text/javascript\'>'); } res.push('eval(\''); for(var i = 0; i < inp.length; i++) { var c = inp.charCodeAt(i); var ch = c.toString(16); if (c < 256) { res.push('\\x', lz(ch,2)); } else { res.push('\\u', lz(ch,4)); } } res.push('\');'); if (scr) { res.push('<\/script>'); } var out = document.getElementById('output'); out.value = res.join(''); out.select(); "> <input type="checkbox" id="script" checked="checked"><label for="script">include <script...>...</script></label> <br> <textarea cols="72" rows="10" id="output" readonly="readonly"></textarea> ---- Is it "good"? That depends entirely on your requirements. It obviously obfuscates. ============== well, I just wanted to hear opinions those users who uses or used some obfuscators. What is good? good obfuscator provide code that work on most javascript enabled browsers, that will be able to open scrambled documents without distortion. Making them extermely difficult to study, analyse, reuse for users, while fully retaining functionality of the original code. The protected form will still be the usual script, thus it will work on all platforms the original code worked on. Obfuscation (scrambling) of JavaScript and JScript standalone files, flexible settings for obfuscation that allow to fine-tune level of scrambling(include unescape); checking of missing and/or extra semicolons in JavaScript, JScript code; generate new non-understandable names and rename functions and variables depending on user settings; remove comments and white spaces, reducing the file size and minimizing the loading time; pack the code as a long line add finishing ";" when appropriate; work with command line. I tried script sample you show, it not work. Mistral -------------------------- > /L > -- > Lasse Reichstein Nielsen - lrn@hotpop.com > DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html> > 'Faith without judgement merely degrades the spirit divine.' mistral wrote on 22 jun 2006 in comp.lang.javascript: > Is there some good obfuscator script, unescape, or another? READY > script - online tool or desktop application. ===== obfuscatorScript.html =========== <script type='text/obfuscatorScript' id='S'> ine g = 'boshfpngbeFpevcg guebhtu EBG13'; g = 'Guvf vf n qrzb bs ' + g; qbphzrag.jevgr(g); </script> <script type='text/javascript'> var __b__ = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; __b__ = __b__ + __b__.substr(0,13); __b__ = __b__ + __b__.toLowerCase(); var __a__=document.getElementById('S').text; eval(__a__.replace(/(.)/g, function(c){ return((d=__b__.indexOf(c))<0)? c:__b__.charAt(d+13)})) </script> =========================== btw: eval is evil. SignatureEvertjan. The Netherlands. (Please change the x'es to dots in my emailaddress) JRS: In article <Xns97EEA84AA179Ceejj99@194.109.133.242>, dated Mon, 26 Jun 2006 14:32:35 remote, seen in news:comp.lang.javascript, Evertjan. <exjxw.hannivoort@interxnl.net> posted : >ine g = 'boshfpngbeFpevcg guebhtu EBG13'; >g = 'Guvf vf n qrzb bs ' + g; >qbphzrag.jevgr(g); The form at the end of <URL:http://www.merlyn.demon.co.uk/problems.htm> will en/de-obfuscate that. Signature© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 © <URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources. <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links. Dr John Stockton wrote on 27 jun 2006 in comp.lang.javascript: > JRS: In article <Xns97EEA84AA179Ceejj99@194.109.133.242>, dated Mon, 26 > Jun 2006 14:32:35 remote, seen in news:comp.lang.javascript, Evertjan. [quoted text clipped - 6 lines] > The form at the end of <URL:http://www.merlyn.demon.co.uk/problems.htm> > will en/de-obfuscate that. ... as the de-obfuscation of "EBG13" suggests. SignatureEvertjan. The Netherlands. (Please change the x'es to dots in my emailaddress) Evertjan. (): > mistral wrote on 22 jun 2006 in comp.lang.javascript: > Is there some good obfuscator script, unescape, or another? READY > script - online tool or desktop application. ---------------------------------------------------------- ===== obfuscatorScript.html =========== <script type='text/obfuscatorScript' id='S'> ine g = 'boshfpngbeFpevcg guebhtu EBG13'; g = 'Guvf vf n qrzb bs ' + g; qbphzrag.jevgr(g); </script> <script type='text/javascript'> var __b__ = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; __b__ = __b__ + __b__.substr(0,13); __b__ = __b__ + __b__.toLowerCase(); var __a__=document.getElementById('S').text; eval(__a__.replace(/(.)/g, function(c){ return((d=__b__.indexOf(c))<0)? c:__b__.charAt(d+13)})) </script> =========================== btw: eval is evil. -- Evertjan. The Netherlands. (Please change the x'es to dots in my emailaddress) ---------------------------------------- and how to implement the snippet into some workable application (html)? Mistral mistral wrote on 27 jun 2006 in comp.lang.javascript: > Evertjan. пиÑал(а): > [quoted text clipped - 26 lines] > > and how to implement the snippet into some workable application (html)? I do not intend to write all your code, you will have to do something yourself. This NG is about javascript, not html as such. SignatureEvertjan. The Netherlands. (Please change the x'es to dots in my emailaddress) Evertjan. (): > mistral wrote on 27 jun 2006 in comp.lang.javascript: > Evertjan. (): mistral wrote on 22 jun 2006 in comp.lang.javascript: Is there some good obfuscator script, unescape, or another? READY script - online tool or desktop application. ---------------------------------------------------------- ===== obfuscatorScript.html ========== <script type='text/obfuscatorScript' id='S'> ine g = 'boshfpngbeFpevcg guebhtu EBG13'; g = 'Guvf vf n qrzb bs ' + g; qbphzrag.jevgr(g); </script> <script type='text/javascript'> var __b__ = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; __b__ = __b__ + __b__.substr(0,13); __b__ = __b__ + __b__.toLowerCase(); var __a__=document.getElementById('S').text; eval(__a__.replace(/(.)/g, function(c){ return((d=__b__.indexOf(c))<0)? c:__b__.charAt(d+13)})) </script> ========================== btw: eval is evil. and how to implement the snippet into some workable application (html)? > I do not intend to write all your code, > you will have to do something yourself. > This NG is about javascript, not html as such. -- > Evertjan. > The Netherlands. > (Please change the x'es to dots in my emailaddress) ============================ Have someone advice for real good obfuscator script, not the script caricature shown? mistral wrote on 28 jun 2006 in comp.lang.javascript: > and how to implement the snippet into some workable application > (html)? [quoted text clipped - 3 lines] > >> This NG is about javascript, not html as such. > =========================== > Have someone advice for real good > obfuscator script, not the script caricature shown? The one I showed you is all there is, because, as you were told, obfuscation is easily defeated because the client has to be able to read the original. My code shows that. Be free to fill in another algorithm, ROT13 is just for demonstration. btw, did your mother not teach you to say "thank you" when you get free advice? Usenet is not a payed helpdesk. SignatureEvertjan. The Netherlands. (Please change the x'es to dots in my emailaddress) Evertjan. (): > mistral wrote on 28 jun 2006 in comp.lang.javascript: > and how to implement the snippet into some workable application > (html)? >> I do not intend to write all your code, > you will have to do something yourself. >> This NG is about javascript, not html as such. > =========================== > Have someone advice for real good > obfuscator script, not the script caricature shown? > The one I showed you is all there is, because, as you were told, >obfuscation is easily defeated because the client has to be able to read >the original. My code shows that. > Be free to fill in another algorithm, ROT13 is just for demonstration. > > btw, did your mother not teach you to say "thank you" when you get free > advice? > > Usenet is not a payed helpdesk. > Evertjan. > The Netherlands. > (Please change the x'es to dots in my emailaddress) -------------------------------------------------- Your code is absolutely useless, its caricature. Yes, its a caricature. To write a good code, a person must have at least 10-15 years of intensive coding experience. If you intended to show someone some code snippet, you must first very good understand what user asks, what user want to know, what user want to see. And, however, 10-15 years of intensive coding experience. I'm a happy to get good advices, but not code caricature mistral said the following on 6/28/2006 11:40 AM: <snip> > Your code is absolutely useless, its caricature. What is useless is your ability to determine whether code is useless or not. If you had bothered testing the code you would know that. > Yes, its a caricature. No, *you* are a caricature. > To write a good code, a person must have at least 10-15 years of > intensive coding experience. Then you will never write good code. Besides, if that is your criteria, you won't find "good code" written in Javascript. > If you intended to show someone some code snippet, you must first very > good understand what user asks, what user want to know, what user want > to see. Bovine Excrement. > And, however, 10-15 years of intensive coding experience. > I'm a happy to get good advices, but not code caricature You should take a course on Usenet and learn that this group is a discussion group. You ask a question, it gets discussed. You get an answer - great. You don't - get over it. This is NOT your help desk. SignatureRandy comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly Temporarily at: http://members.aol.com/_ht_a/hikksnotathome/cljfaq/ Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/ Randy Webb (): > mistral said the following on 6/28/2006 11:40 AM: > [quoted text clipped - 36 lines] > Temporarily at: http://members.aol.com/_ht_a/hikksnotathome/cljfaq/ > Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/ ------------------------------ Randy Webb, your comments is rude, coarse and senseless. Same as your "coding" skills, I think.. mistral said the following on 6/28/2006 12:08 PM: > Randy Webb пиÑал(а): <snip> > Randy Webb, > > your comments is rude, coarse and senseless. You forgot "blunt", "honest", and "true". Does the truth hurt? > Same as your "coding" skills, I think.. Anytime you want to prepare yourself to prove that, let me know. But from your posts in this thread, you wouldn't be in a position to judge my skills. But my bosses seem to think they are worth in excess of 6 figures - approaching 7 - (US Dollars) annually so your opinion doesn't mean much to me. SignatureRandy comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly Temporarily at: http://members.aol.com/_ht_a/hikksnotathome/cljfaq/ Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/ > To write a good code, a person must have at least 10-15 > years of intensive coding experience. 15 years of Javascript experience would be quite impressive indeed. Unheard of, in fact. > If you intended to show someone some code snippet, you must first very > good understand what user asks, what user want to know, what user want > to see. Rather, if you want a good answer you must first describe exactly what you want and what qualifies as a valid answer. Your original request was simply: > Neeed good javascript unescape encoder, to protect javascript code. You cannot protect javascript code. Therefore, your requirement is invalid. If you want good responses, ask good questions. Finally, you seem too dense to understand that you will not get good advice because everyone here realizes that obfuscation is a pointless exercise. So any "solutions" you find will be junk, from people with limited experience and knowledge, because they are at the same level that you are in thinking that obfuscation works and is necessary. If ROT13 obfuscation isn't enough for your futile requirement, then what is??? SignatureMatt Kruse http://www.JavascriptToolbox.com http://www.AjaxToolbox.com Matt Kruse (): > Your original request was simply: Neeed good javascript unescape encoder, to protect javascript code. > You cannot protect javascript code. Therefore, your requirement is invalid. > If you want good responses, ask good questions. > Finally, you seem too dense to understand that you will not get good advice > because everyone here realizes that obfuscation is a pointless exercise. So > any "solutions" you find will be junk, from people with limited experience > and knowledge, because they are at the same level that you are in thinking > that obfuscation works and is necessary. > If ROT13 obfuscation isn't enough for your futile requirement, then what > is??? -- > Matt Kruse > http://www.JavascriptToolbox.com > http://www.AjaxToolbox.com ------------------------------------------------- Here is misunderstanding, definitely. Ther is a many commercial solutions that do code obfuscation, however, I dont know does it has been written by people "with limited experience and knowledge" or not. The idea is not encrypt code, but obfuscate. It is very similar, but you don't need encryption/decryption. It possible use an obfuscator to change the output to something not human readable, and then a javascript changes the output back to human readable form on the browser. While this is VERY similar to encryption/decryption, it is simpler because you don't have to worry about public and private keys and the like. Mistral <snipped /> > You cannot protect javascript code. Therefore, your requirement is > invalid. If you want good responses, ask good questions. [quoted text clipped - 7 lines] > If ROT13 obfuscation isn't enough for your futile requirement, then > what is??? We all know that it is futile, but if the OP insist, why not give it to him/her? I mean... if he insist on learning the hard way, why not let him? ROT13 might not satisfy his reqs. because you can still see the tags. '<', '>' and '/' is still in clear text... Below is a Java class i wrote once to scramble xml-files. It implements a variation of ROT13, namely ROT39... He might find that of use... (It is easily portes to any language). SignatureDag. // Java code below ** * Title: 'Crypto' Utilities * Description: * Copyright: Copyright (c) 2001 * Company: Viz Consulting AS * @author Dag Sunde * @version 1.0 */ /** * Class to handle simple Scrambling * of strings... */ public class Crypto { private final static int UPPER_LIMIT = 125; private final static int LOWER_LIMIT = 48; private final static int CHARMAP = 39; public Crypto() { } /** * rot39 is a variation of the ROT13 algorithm, * that also scrambles numbers and, most important in this * case; xml-tags ("<", ">" & "/") * @param - data, String to (de)scrambled * @return - The string in "data" in (de)scrambled form. */ public String rot39(String data) { try { byte[] buffer = data.getBytes("ISO-8859-1"); for(int iData = 0; iData < buffer.length; iData++) { int iCode = buffer[iData]; if((iCode >= LOWER_LIMIT) && (iCode <= UPPER_LIMIT )) { iCode+= CHARMAP; if(iCode > UPPER_LIMIT) { iCode = iCode - UPPER_LIMIT + LOWER_LIMIT - 1; } buffer[iData] = (byte)iCode; } } return new String(buffer, "ISO-8859-1"); } catch( java.io.UnsupportedEncodingException e) { System.out.println("Unicode/ISO FuckUp!"); System.exit(-1); return ""; } } public static void main(String[] args) { Crypto myCrypto = new Crypto(); String buf = myCrypto.rot39( "abcdefghijklmnopqrstuvwxyzæøå_<>='*'" ); System.out.println(buf); System.out.println( myCrypto.rot39( buf ) ); } } JRS: In article <Xns97EEA84AA179Ceejj99@194.109.133.242>, dated Mon, 26 Jun 2006 14:32:35 remote, seen in news:comp.lang.javascript, Evertjan. <exjxw.hannivoort@interxnl.net> posted : >mistral wrote on 22 jun 2006 in comp.lang.javascript: > [quoted text clipped - 5 lines] ><script type='text/obfuscatorScript' id='S'> >ine g = 'boshfpngbeFpevcg guebhtu EBG13'; On re-reading - actually IMHO plain ROT13 is not obfuscation; rather, it is simple encryption. Obfuscated code will run, on the WWWeb, as well as the original, with the same results (so one might want to do something additional about the contents of literal strings and of comment); encrypted code must be decrypted before reading, for execution or otherwise. Obfuscation thus means altering all programmer-defined identifiers to meaningless and maybe hard to read, and maybe removing all non-essential whitespace and comment. Code can be compressed for transmission and if every browser can decompress it that's irrelevant for security. If code is worth encrypting, one can take other steps to protect it, such as not letting everyone get it in the first place. OTOH, if the page has <script>SomeString="<ROT-13 material>"</script> <script>exec(X(SomeString))</script> ISTM that one can use ROT-13 to obfuscate all letters, X being a ROT-13 function (though ROT-13 itself would be a remarkably poor choice; if the Unicode of the string is ROT-Xed for a suitable X, the character set a-z can be ROTted into Arabic). Signature© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 © <URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources. <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links. Dr John Stockton wrote on 29 jun 2006 in comp.lang.javascript: > JRS: In article <Xns97EEA84AA179Ceejj99@194.109.133.242>, dated Mon, > 26 Jun 2006 14:32:35 remote, seen in news:comp.lang.javascript, [quoted text clipped - 8 lines] >><script type='text/obfuscatorScript' id='S'> >>ine g = 'boshfpngbeFpevcg guebhtu EBG13'; [skip] > ISTM that one can use ROT-13 to obfuscate all letters, X being a > ROT-13 function (though ROT-13 itself would be a remarkably poor > choice; if the Unicode of the string is ROT-Xed for a suitable X, the > character set a-z can be ROTted into Arabic). My example was not about ROT13, but was using ROT13 to show as an example how to use an, any, algorithm. I think publicizing a useful algoritm is not in the interest of the OP. I could imagine combining ROT13 with +13-1, +13-2, +13-3, +13-1, ... depending on it's place in the string. This would end the ROT13 algorithm's nice reversability. Or perhaps also encript the non- alfanumerics? I would have given the illusion that obfuscation was more usefull than it's temporary "anti emailadress harvester's effect", perhaps not to the OP, but to [future?] newbies. I think we, again and again, have to warn that obfuscation is not useful to protect one's code, nor to keep paswords and other secrets. ========== btw, John, what do you think of using such fancy <script type='text/myText' id='S'> My 'Text' <is> "here" </script> ... var t = document.getElementById('S').text; to get a long string into a javascript litteral without having to bother about escaping quotes and returns? Would it stand serious cross-brower scrutiny? SignatureEvertjan. The Netherlands. (Please change the x'es to dots in my emailaddress) JRS: In article <Xns97F26309C7299eejj99@194.109.133.242>, dated Fri, 30 Jun 2006 07:44:02 remote, seen in news:comp.lang.javascript, Evertjan. <exjxw.hannivoort@interxnl.net> posted : >Dr John Stockton wrote on 29 jun 2006 in comp.lang.javascript: >I think publicizing a useful algoritm is not in the interest of the OP. Since the OP ignores accepted Usenet and newsgroup convention, I don't really care about his interest. >I could imagine combining ROT13 with +13-1, +13-2, +13-3, +13-1, ... >depending on it's place in the string. This would end the ROT13 >algorithm's nice reversability. Or perhaps also encript the non- >alfanumerics? There are other self-reversing algorithms. Javascript as transmitted needs only characters 32-126, call that 127, so 96 characters; ROT-48 of the lot, leaving control characters unchanged, produces something that looks fearsome, but reversal should be easy. >btw, John, what do you think of using such fancy > [quoted text clipped - 10 lines] > >Would it stand serious cross-brower scrutiny? You should not be asking me; it does not work as is in my IE4. But it works if getElementById is implemented with document.all. Signature© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 © <URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources. <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links. Dr John Stockton (): > Is there some good obfuscator script, unescape, or another? READY > script - online tool or desktop application. >===== obfuscatorScript.html =========== <script type='text/obfuscatorScript' id='S'> ine g = 'boshfpngbeFpevcg guebhtu EBG13'; > On re-reading - actually IMHO plain ROT13 is not obfuscation; rather, it > is simple encryption. > Obfuscated code will run, on the WWWeb, as well as the original, with > the same results (so one might want to do something additional about the > contents of literal strings and of comment); encrypted code must be > decrypted before reading, for execution or otherwise. > Obfuscation thus means altering all programmer-defined identifiers to > meaningless and maybe hard to read, and maybe removing all non-essential > whitespace and comment. > Code can be compressed for transmission and if every browser can > decompress it that's irrelevant for security. > If code is worth encrypting, one can take other steps to protect it, > such as not letting everyone get it in the first place. > OTOH, if the page has > <script>SomeString="<ROT-13 material>"</script> > <script>exec(X(SomeString))</script> > ISTM that one can use ROT-13 to obfuscate all letters, X being a ROT-13 > function (though ROT-13 itself would be a remarkably poor choice; if the > Unicode of the string is ROT-Xed for a suitable X, the character set a-z > can be ROTted into Arabic). -- > John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 > <URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript > <URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources. > <URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links. ----------------------------------------- yes, obfuscation and compressing of code is just we need. If we talk about encryption, it is also very necessary thing, but it must a) does not affect on code execution speed, and b) encryption symbols used must be fully recognizable by web browsers. I heard there is the good encryption program, which excels windows script encoder, encrypt html code and javascripts -HTML Guardian http://www.protware.com http://www.protware.com/dl/HTMLGuardian.exe and whats about Javascript Obfuscator V.2.22 ? http://www.javascript-source.com/jsosetup.exe Mistral [snip] > yes, obfuscation and compressing of code is just we need. > If we talk about encryption, it is also very necessary thing, but it [quoted text clipped - 10 lines] > > Mistral You will probably find that the majority of people visiting this newsgroup do not use obfuscators and disapprove of their use, so you may not find anyone who has any experience of the programs you refer to in a live commercial environment. If you search this newsgroup you will find a large number of posts on this issue. I agree with this view. Nevertheless, in my experience (having once dabbled on the dark side) most obfuscators offer line and comment removal, and a degree of variable name replacement, which is your basic requirement, and I would imagine there is little difference between the products on the market in this respect. More advance features, capable of dealing with Object Oriented JavaScript programming and property names, will be harder to come by. Ultimately Google throws up many different obfuscators, free or priced. If it is that important to your business, then you should perhaps consider spending some time and money trialling each of these products, and reaching your own conclusions. If your code is special enough to be worth protecting, then you must be a skilled programmer and have some financial backing, and so be capable of affording these products and evaluating the results. As others have noted, and you no doubt appreciate, obfuscators offer protection (if any) only against the casual inexperienced programmer. Anyone who was genuinely interested in discovering your code would also have the skills to be able to see through the obfuscation relatively easily. Encryption it would appear is IMHO not possible at all, as the browser needs some way to decrypt the code, which must be supplied along with the page itself, thereby defeating the object. Other efforts at code hiding I have encountered, included - a series of nested "escapes". Again, a few minutes was all that was needed to get round this - a series of separate programmatic script downloads (using document.write, or document.createElement("script")) from the server. The HTTPRequest object soon beat those. Whatever protection you choose, a user visiting a page with obfuscated or encrypted code may of course be inclined to distrust the site. The alternative is to keep any important processing confined to the server. Julian Turner > As others have noted, and you no doubt appreciate, obfuscators offer > protection (if any) only against the casual inexperienced programmer. > Anyone who was genuinely interested in discovering your code would also > have the skills to be able to see through the obfuscation relatively > easily. That is the truth. Protecting HTML is meaningless when a bookmarklet like the following will show you the source as the browser sees it: javascript:(function(i){return ("<code><ol><li>"+(document.compatMode=="CSS1Compat"?document.documentElement:document.body).outerHTML.replace(/(<script.*?>).*?(<\/script>)/ig,function(m,b,a){return b+document.scripts[i++].text+a;}).replace(/&/g,"&").replace(/</g,"<").replace(/\n/g,"</li><li>").replace(/ /g," ")+"</ol></code>");})(0) (made for myself for Opera, probably works in other browsers too). Protecting scripts might fare better, since there isn't necessarily any way to reach the runtime code of a script. You'll have to be an accomplished Javascript programmer to foil obscuring like that from protware.com. But if you are, it collapses easily, using only simple available tools. One has to consider what the threat is that is being protected against, and anyone not capable of defeating a simple obscurement won't know what to do with the result anyway. > Whatever protection you choose, a user visiting a page with obfuscated > or encrypted code may of course be inclined to distrust the site. A serious problem is that a protected page requires Javascript to work at all. There is no gracefull degradation possible for non-JS-enabled users. Remember, web pages in raw HTML starts at 100% accessiblity. All you can do is subtract from that. /L SignatureLasse Reichstein Nielsen - lrn@hotpop.com DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html> 'Faith without judgement merely degrades the spirit divine.' |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.