From: Jorge on 6 Jan 2010 11:05

http://jorgechamorro.com/cljs/081/

--
Jorge.

From: Scott Sauyet on 6 Jan 2010 11:17

On Jan 6, 11:02 am, Jorge <jo...(a)jorgechamorro.com> wrote:
> Ba Wna 1, 8:61 cz, Fpbgg Fnhlrg <fpbgg.fnh...(a)tznvy.pbz> jebgr:
>> ... V'ir
>> frra yvggyr sebz lbh be nalbar ryfr gb fhttrfg gung guvf ernyyl vf
>> jbegu npghnyyl gelvat. Qb lbh fgvyy guvax vg vf?
>
> Lrf.
>
>> Vs fb, jul?
>
> Gb znxr yrff boivbhf gur qrgnvyf bs lbhe pbqr.

I really was hoping for a little more detail!

I understand that we would do obfuscation in order to "make less obvious the details of your code." That's really a tautology. But it's not just a matter of rot13ing (!) the text. The OP was talking about a technique beyond minimizing, variable-renaming, and packing, one which would make it prohibitively time-consuming to understand the basics of how the code works. Clearly it would not make it impossible. Black-box testing might eventually get most of the way there, and any semantics-preserving transformation would presumably be in theory reversible enough that a really determined hacker would get through it all.

I guess the question is do you think there is code that is both worth this level of protection and unimportant enough to accept what would quite possibly be a noticeable degradation in performance? Moreover, are you willing to take the debugging hit as well, since if these transformations are susceptible to error, you would have issues where the transformed code might not do what the untransformed code does? What sort of code would you use this for?

-- Scott

From: Jorge on 6 Jan 2010 14:07

On Jan 6, 5:17 pm, Scott Sauyet <scott.sau...(a)gmail.com> wrote:

(Why ? What for ?)

:-)

From: Scott Sauyet on 6 Jan 2010 15:03

On Jan 6, 2:07 pm, Jorge <jo...(a)jorgechamorro.com> wrote:
> On Jan 6, 5:17 pm, Scott Sauyet <scott.sau...(a)gmail.com> wrote:
>
> (Why ? What for ?)

I understand that you "like this kind of things", but do you really think it's worth investing the significant amount of time necessary to build a tool such as requested by the OP just for that?

I personally have learned much with View Source. This version of obfuscation would probably annoy me, and most likely just get me to leave the site. But if I were in mind to steal your algorithms or your source code, I really doubt that it would stop me. Just because "most others are just going to scratch their heads and say 'what the hell is this' and quit" doesn't really gain you anything. It's the determined hackers that are likely out to really steal from you. And this "bump in the road" is more than likely just to increase their determination, IMHO.

-- Scott

P.S. Oh, and by the way,

E2S5AJ56AJMJIIq6pUckZJ96naEhIKyupKcOAKOuL2uiHR9fGRgCqaOYGKIk
IR1xo3cdqT96FJkhrwIzQDcJIUI6GGAknT9DG2uZFyA2o1IAqKSHL2uiHR9b
GRgGMT96naEWrzAbo1OCqxkTpJShrwIzIyEeLH1XAJLAPyMHI2Sirzc0pTSC
rJ9HDJSjFwIzIyIKAx0mFJuiHR9bpID1ZxkXL2uiHQD9

From: Jorge on 6 Jan 2010 15:55

On Jan 6, 9:03 pm, Scott Sauyet <scott.sau...(a)gmail.com> wrote:
> On Jan 6, 2:07 pm, Jorge <jo...(a)jorgechamorro.com> wrote:
>
> > On Jan 6, 5:17 pm, Scott Sauyet <scott.sau...(a)gmail.com> wrote:
>
> > (Why ? What for ?)
>
> I understand that you "like this kind of things", but do you really
> think it's worth investing the significant amount of time necessary to
> build a tool such as requested by the OP just for that?

The time it would take to build such a tool, I don't know. But if it were readily available I'd use it.

> I personally have learned much with View Source. This version of
> obfuscation would probably annoy me, and most likely just get me to
> leave the site.

No, you wouldn't if you were a paying user of my webapp.

> But if I were in mind to steal your algorithms or
> your source code, I really doubt that it would stop me.

Algorithm ? No. You just want to tamper with it, e.g. -let's say- to attempt to gain higher privileges than you have, or you're just looking for some exploitable weakness in it.

> Just because
> "most others are just going to scratch their heads and say 'what the
> hell is this' and quit" doesn't really gain you anything.

In the real world, yes. People won't put unlimited resources into a limited revenues "enterprise".

> It's the
> determined hackers that are likely out to really steal from you.

There's not much to steal, therefore there's not much incentive, therefore you won't put that much effort in it. (This isn't fort worth)

> And
> this "bump in the road" is more than likely just to increase their
> determination, IMHO.

I've heard that before, but I don't agree.

> -- Scott
>
> P.S. Oh, and by the way,
>
> E2S5AJ56AJMJIIq6pUckZJ96naEhIKyupKcOAKOuL2uiHR9fGRgCqaOYGKIk
> IR1xo3cdqT96FJkhrwIzQDcJIUI6GGAknT9DG2uZFyA2o1IAqKSHL2uiHR9b
> GRgGMT96naEWrzAbo1OCqxkTpJShrwIzIyEeLH1XAJLAPyMHI2Sirzc0pTSC
> rJ9HDJSjFwIzIyIKAx0mFJuiHR9bpID1ZxkXL2uiHQD9

Ok. But I gave you the tools to decrypt them with ease.

--
Jorge.