
Defeating Automatic Javascript De-Obfuscation

Discussion in 'General Scripting Chat' started by EvilByte, Jan 19, 2015.

  1. EvilByte

    EvilByte Registered Member

    Joined:
    Jan 19, 2015
    Messages:
    53
    Likes Received:
    14
    While scraping a site that was using some stupidly easy to break JavaScript obfuscation, I started to think about how to improve it. Does anyone know of a good JavaScript obfuscation technique?

    Of course it's impossible to create something that will defeat a dedicated reverse engineer, but maybe something that mutates a little each time in order to defeat scripts. Meaning a person would have to manually break the obfuscation every single time.
     
  2. mrWhite52

    mrWhite52 Newbie

    Joined:
    Jan 19, 2015
    Messages:
    3
    Likes Received:
    2
    I'd say your best bet is getting 3+ good obfuscation libraries, then randomly choosing through them and obfuscating your code a few times.

    i.e.:

    1 - Original javascript
    2 - First obfuscation library
    3 - Third obfuscation library
    4 - Second obfuscation library
    5 - Third obfuscation library
    6 - Final javascript
     
  3. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,478
    Likes Received:
    11,183
    Occupation:
    CHEAP
    Location:
    DATASETS
    You can't obfuscate JS beyond a certain point. The thing still has to make sense to users of the program, so the function names all have to remain the standard ones. Just variables and stuff get garbled up but that's as far as you can go.

    Any deobfuscator will do the job no matter what you do. Unless of course the library is not used by anyone outside it, then it can garble up all functions too and it becomes an incomprehensible mess.
     
  4. xNotch

    xNotch Registered Member

    Joined:
    Sep 16, 2014
    Messages:
    81
    Likes Received:
    19
    This might increase the time needed to make a completely automated deobfuscator, but as soon as someone fingerprints and breaks each of your libraries you're done for.

    In my experience the hardest site I ever had to scrape was hard not because of the JavaScript but because of the HTML itself. Every few days they would mix around IDs, divs, and lots of other random stuff and totally kill my bot. I'm not sure if it was done manually or through some automated process, but it definitely increased my workload.
     
  5. mrWhite52

    mrWhite52 Newbie

    Joined:
    Jan 19, 2015
    Messages:
    3
    Likes Received:
    2
    Forget obfuscation, why not implement full encryption? Then have the decrypting function phone back to the server for the decryption key. If everything is done in memory and the key is almost randomly generated with each request, it makes it a lot harder to analyse the JavaScript.
     
  6. Mercury_Hg

    Mercury_Hg Registered Member

    Joined:
    Aug 23, 2010
    Messages:
    88
    Likes Received:
    18
    This would be trivial to break and doesn't provide any actual security.

    EDIT: OP, there's nothing you can do to stop someone dedicated from getting your code. I reverse engineer programs for fun and it's only a matter of time in each case. Implementing unique obfuscation techniques can slow people down, but I can guarantee someone without a life will get it eventually.
     
    Last edited: Jan 19, 2015
  7. xNotch

    xNotch Registered Member

    Joined:
    Sep 16, 2014
    Messages:
    81
    Likes Received:
    19
    1 - Spoof request for the decryption key
    2 - Use key to decrypt
    3 - Decrypt javascript
    4 - ????
    5 - Profit!!