All About Obfuscation

Unfortunately, I’ve recently come across a surprising level of ignorance among a number of web developers regarding some very basic principals in cybersecurity. As such, I’ve decided to start a new series where we’ll cover obfuscation, hashing, encryptions, and some basic cryptography. I’ll present here all the relevant information for any web developer who wants to start taking security more seriously.

The code examples I’ll be presenting throughout will be in JavaScript—no surprise since it’s now become the single most popular programming language in the world. But really, even if you don’t know JavaScript in depth, you’ll still be able to understand the articles, and the information will still be relevant. The code will actually be quite easy to understand—just think of it as pseudo-code.

Now on to today’s subject. Obfuscation is a very simple technique designed to hide the source code of the program. What does this mean exactly? OK, say we’ve got our source code—some JavaScript for our example. If I want to protect my program or certain parts of it, obfuscation can definitely help me in this. Obfuscation basically takes and turns it into something unreadable. Example?

Let’s say I really busted my hump and wrote this amazing little piece of code:

function myFunction() {
 console.log('Hello world!');
}

myFunction();

What does this code do? You don’t need to be a JavaScript whizz to understand that it prints Hello world! to the console. Now, just assume that I want to use this script with a client but I don’t want anyone to be able to copy it. Or in other words, I want to blur it out. What do I have to do?

1. Take the code and turn it into a text string
2. Convert that text string into base_64
3. Put the converted text string on my site and run it with eval

So how does this all work in the end? First we need to change the code into a long text string:

const source = 'function myFunction() { console.log(\'Hello world!\');} myFunction();';

The result is a whole bunch of gibberish that looks like this:

'ZnVuY3Rpb24gbXlGdW5jdGlvbigpIHsgY29uc29sZS5sb2coJ0hlbGxvIHdvcmxkIScpO30gbXlGdW5jdGlvbigpOw=='

Then I take it and run it. How? I just put it into a decode base64 function and run eval on the whole shebang. Just like so:

const productionCode = 'ZnVuY3Rpb24gbXlGdW5jdGlvbigpIHsgY29uc29sZS5sb2coJ0hlbGxvIHdvcmxkIScpO30gbXlGdW5jdGlvbigpOw==';
eval(window.atob(productionCode));

 If you feel like messing around, you’re more than welcome to check out this codepen:

That was a classic example of obfuscation where the code that a client would see doesn’t contain any functionality. If someone looks at this code, at first they won’t understand anything. But upon second glance is another story however:

const productionCode = 'ZnVuY3Rpb24gbXlGdW5jdGlvbigpIHsgY29uc29sZS5sb2coJ0hlbGxvIHdvcmxkIScpO30gbXlGdW5jdGlvbigpOw==';
eval(window.atob(productionCode));

This is a very naive approach to obfuscation. If someone wants to crack this, they can examine the code a bit, copy the string, and run base64_decode on it. We can take this whole thing up a notch though. For instance, we can change the name of the functions to a random text string. Something along these lines:

const rsajdf = [console.log];

function jhsjkaskjas() { 
 rsajdf[0]('Hello world!');
} 
jhsjkaskjas();

And only afterward take the text string and put it into base64. This makes the code a lot less readable! There are a few other similar methods that can turn the code into something amazing. For example, check out this doozy right here:

var _0x3547 = ['\x4b\x4d\x52\x63\x57'];
(function (_0x2d8f05, _0x4b81bb) {
   var _0x4d74cb = function (_0x32719f) {
       while (--_0x32719f) {
           _0x2d8f05['push'](_0x2d8f05['shift']());
       }
   };
   _0x4d74cb(++_0x4b81bb);
}(_0x3547, 0x184));
var _0xef72 = function (_0x3c4159, _0x224e76) {
   _0x3c4159 = _0x3c4159 - 0x0;
   var _0x39e262 = _0x3547[_0x3c4159];
   return _0x39e262;
};
function myFunction() {
   var _0x2a5c66 = {};
   _0x2a5c66[_0xef72('0x0')] = '\x48\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c\x64\x21';
   console['\x6c\x6f\x67'](_0x2a5c66[_0xef72('0x0')]);
}
myFunction();

What you see there is the same Hello World code from above but run through a tool called JavaScript Obfuscator Tool. It’s a JavaScript module that runs a few different obfuscation methods. Don’t believe me? Paste it into your console and see what happens. The sharp-eyed among you can try to crack it—and you may succeed. That’s because, in the end, it’s code that runs on the client and no matter what we do, somebody can probably crack it—and there are even tools to help them.

But—and this is a big but—no one will be able to take that code and sell it somewhere, at least without a huge effort. It would be really hard to take parts of the code and distribute them elsewhere.

There are more than a few obfuscation techniques out there, some of which are pretty clever. For every language too. But we must remember that even the very best obfuscation won’t stop the most determined and malicious hacker from figuring out what’s going on in your code.

It’s also important to remember that obfuscation is different from minification and aggregation (processes know as uglifying) whose goals are to compress the code to make it more efficient. Obfuscation generally makes the code longer. So it’s actually not normally used in production. So when is it used? Pretty much when you are selling the code and worried that the buyer will copy part of the functionality and resell it.

About the author: Ran Bar-Zik is an experienced web developer whose personal blog, Internet Israel, features articles and guides on Node.js, MongoDB, Git, SASS, jQuery, HTML 5, MySQL, and more. Translation of the original article by Aaron Raizen.