JavaScript obfuscation is the process of transforming more-readable code into less-readable code. For example, take this simple function:
function sumAllArrayElements(inputArray) {
  var sum = 0;
  for (var index = 0; index < inputArray.length; index++) {
    sum += inputArray[index];
  }
  return sum;
}
It's pretty clear that this code adds up the elements in an array and returns the sum. But how about if we write it like this?
function input(ret){var
square=0;for(var
product=0;product<ret.length;product++){square+=ret[product];}return
square;}
It does just the same thing, but it takes a bit longer to figure out what that is. All we've done is change variable names and remove some whitespace. However, there are a lot of other tricks one can use, such as unicode-escaping strings, writing code to generate JavaScript from a packed data format and then execute it (self-loading or self-decrypting code, in effect), and so on.
Here's another way to obfuscate the function:
// Character codes of the source text of sumAllArrayElements.
var foo = [
102,117,110,99,116,105,111,110,32,115,117,109,65,108,108,65,114,
114,97,121,69,108,101,109,101,110,116,115,40,105,110,112,117,116,
65,114,114,97,121,41,32,123,10,32,32,118,97,114,32,115,117,109,32,
61,32,48,59,10,32,32,102,111,114,32,40,118,97,114,32,105,110,100,
101,120,32,61,32,48,59,32,105,110,100,101,120,32,60,32,105,110,112,
117,116,65,114,114,97,121,46,108,101,110,103,116,104,59,32,105,110,
100,101,120,43,43,41,32,123,10,32,32,32,32,115,117,109,32,43,61,32,105,
110,112,117,116,65,114,114,97,121,91,105,110,100,101,120,93,59,10,32,32,
125,10,32,32,114,101,116,117,114,110,32,115,117,109,59,10,125];
// Collect one character per code in an array (a string has no join method).
var bar = [];
for (var i = 0; i < foo.length; i++) {
  bar[i] = String.fromCharCode(foo[i]);
}
// Emit the rebuilt source text into the page.
document.write(bar.join(""));
And of course, you can use multiple techniques on top of each other. Now imagine trying to figure out a 10000-line JavaScript application that's been thoroughly obfuscated: while it's always possible, it can be extremely tedious and time-consuming.
In this context, JavaScript "compilation" means automatically transforming handwritten code into more compact and/or higher performance code. This term can also mean just-in-time (JIT) compiling, which is something that interpreters do to make code run faster without user intervention. Or it can mean compiling JavaScript into another language, or another language into JavaScript. But that's not what we're talking about here.
For example, we can speed up the original example by using the "in" operator (generally saving both run time, by using more efficient code paths, and download time, by saving bytes from our download), by shortening all symbols down to the bare minimum, by hoisting the declaration of the index variable into the previous declaration of the sum, and by removing all nonessential whitespace:
function f(l){var i,s=0;for(i in l){s+=l[i];}return s;}
Note that in both the obfuscated and the optimized versions, we've changed the name of the function. That means that whatever code elsewhere references that function by name will also have to be aware of that change. In practice, it also means that you won't get to use single-character names for functions, because you'll run out of them too quickly, but you'll probably still shrink them substantially. It's also worth noticing that the optimized code is somewhat obfuscated, although not as much as it could be if we had prioritized obfuscation over performance.
If you want to write applications in JavaScript but don't want users to be able to read, reuse, or reverse-engineer your code, obfuscation can help. It's not a guarantee of privacy—any obfuscation can, with sufficient effort, be undone—but it can make reverse-engineering tedious enough that it's generally not worth the bother. Don't make it worth the bother by trying to hide secret keys or account passwords in the code, though!
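To make the point about secrets concrete, here is an added example (not code from the original page) that statically undoes two of the tricks named earlier, char-code arrays and unicode-escaped strings, without running the script being examined. The function names and the sample input are constructed for illustration, and the credential values are placeholders.

```javascript
// Added example: statically recover text hidden by char-code arrays and
// unicode-escaped strings. The script under analysis is only read, never run.

// Decode numeric array literals whose elements all look like character codes.
function decodeCharCodeArrays(src, minLength = 8) {
  const out = [];
  for (const m of src.matchAll(/\[\s*(\d{1,7}(?:\s*,\s*\d{1,7})*)\s*\]/g)) {
    const codes = m[1].split(',').map(Number);
    const textual = codes.every(
      c => c === 9 || c === 10 || c === 13 || (c >= 32 && c <= 0x10ffff));
    if (codes.length >= minLength && textual) {
      out.push(codes.map(c => String.fromCodePoint(c)).join(''));
    }
  }
  return out;
}

// Resolve \uXXXX and \xXX escapes inside quoted string literals.
function decodeEscapedStrings(src) {
  const out = [];
  const escape = /\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g;
  for (const m of src.matchAll(/(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g)) {
    const decoded = m[2].replace(escape,
      (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
    if (decoded !== m[2]) out.push(decoded); // keep only literals that used escapes
  }
  return out;
}

function recoverHiddenText(src) {
  return decodeCharCodeArrays(src).concat(decodeEscapedStrings(src));
}

// Flag recovered text that looks like a credential assignment.
function findSecretLike(strings) {
  const pattern = /(?:pass(?:word)?|secret|api[_-]?key|token)\s*[:=]\s*\S+/i;
  return strings.filter(s => pattern.test(s));
}

// Constructed sample: placeholder credentials hidden both ways, plus a
// short numeric array that is ordinary data and must not be decoded.
const obfuscatedSample = [
  'var a=[97,112,105,75,101,121,61,69,88,65,77,80,76,69,45,75,69,89];',
  'var b="\\u0070\\u0061\\u0073\\u0073\\u0077\\u006f\\u0072\\u0064\\u003d\\u0064\\u0065\\u006d\\u006f";',
  'var c=[1,2,3];'
].join('\n');
```

Both placeholder credentials come back in plain text from `findSecretLike(recoverHiddenText(obfuscatedSample))`, which is why anything shipped to the browser should be treated as readable by the user.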
If you want your code to download and/or run faster, compilation can help. Virtually any large-scale JavaScript project can benefit from compilation. Also, compilation will invariably obfuscate your code somewhat, so if you want both optimization and obfuscation, you may want to prioritize optimization, and find that you get sufficient obfuscation for free.
There are a number of free and commercial JavaScript obfuscators and compilers/optimizers available on the web. They vary in cost and ease of use. In choosing between them, you also need to decide what you're prioritizing (download size, speed, obfuscation). Some will be able to optimize for each of these, while some will specialize in just obfuscation or just speed. Examples of well-respected optimizers are the Dojo Toolkit's ShrinkSafe compressor and Yahoo's YUI Compressor.
Chances are the tool you used changed some symbol that it shouldn't have. For example, if it changes the name of a function when it is declared, but not all the calls to the function, that'll break your code. Also, obfuscators generally aren't smart enough to figure out when you're using symbols inside strings. For example, here's something that may confuse them:
var foo = {};
var bar = "fun";
foo.fun = function() { return 7; };
alert(foo[bar]);
If your obfuscator changes the name of the field fun, it probably won't understand that it also has to change the string held in variable bar to match. In fact, in many situations, it will be completely impossible for it to do that kind of replacement. So you'll have to help it along by telling it not to rename fun, since it's referenced in a string. Any compiler or obfuscator will have a way for you to tell it what symbols not to change (or, more conservatively, which symbols it's OK to change). It will already understand that it can't change JavaScript keywords such as function, but if you're using any libraries, you'll have to tell it about their special symbols. We supply lists of the O3D symbols that can and cannot be changed.
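One way to find such symbols before running an obfuscator, shown as an added example (not part of the original page or of any particular obfuscator): a scan that lists property names which also appear as string literals. It is a regex heuristic, not a full parser, and the function names and the extra `area` property in the sample are constructed for illustration.

```javascript
// Added example: heuristic scan for property names that also occur as string
// literals, so they can be placed on the obfuscator's do-not-rename list.

// Names defined as properties: `obj.name =` or `name:` in an object literal.
function definedProperties(src) {
  const names = new Set();
  for (const m of src.matchAll(/\.([A-Za-z_$][\w$]*)\s*=(?!=)/g)) names.add(m[1]);
  for (const m of src.matchAll(/[{,]\s*([A-Za-z_$][\w$]*)\s*:/g)) names.add(m[1]);
  return names;
}

// Contents of every single- or double-quoted string literal.
function stringLiterals(src) {
  const values = new Set();
  for (const m of src.matchAll(/(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g)) {
    values.add(m[2]);
  }
  return values;
}

// Properties that a string could be used to reach, e.g. foo[bar] with bar = "fun".
function mustNotRename(src) {
  const strings = stringLiterals(src);
  return [...definedProperties(src)].filter(name => strings.has(name)).sort();
}

// The snippet from the article, plus one constructed property ("area") that is
// only reached with dot notation and is therefore safe to rename.
const renameSample = [
  'var foo = {};',
  'var bar = "fun";',
  'foo.fun = function() { return 7; };',
  'foo.area = function(w, h) { return w * h; };',
  'alert(foo[bar]);',
  'alert(foo.area(2, 3));'
].join('\n');
```

For the sample, `mustNotRename(renameSample)` reports only `fun`. Strings assembled at run time (for example `"f" + "un"`) are invisible to a scan like this, so its output is a starting point for the exclusion list and not a guarantee.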
Another issue to be aware of is that JavaScript obfuscators do not work with shader code. Be sure to protect your shader code from the obfuscator—for example, by putting the shader code into a string literal or a separate file.