Hide Javascript code


22

I’ve been trying for a while to find out if there is any way to hide the Javascript source code from direct access. Is there any way to do this?

  • 1

    There are several techniques, but nothing truly hides the code, because the browser needs to receive and compile it anyway. What you can do is obfuscate the code, which also does not guarantee protection, but at least will hinder copying.

  • Depending on why you want to hide it (so it is not copied, so loopholes are not exploited, etc.) you can use other types of solutions, such as putting the code on the server, obfuscating and minifying the Javascript, etc. But it all depends on the case. As for the client side, there is no 100% effective method for "hiding" Javascript from the user.

  • Dear friend try using Encrypt HTML Pro, I believe will meet your needs.

  • It is impossible to hide. You can even apply some kind of encryption, but there will always be someone able to decrypt it.

4 answers

24


Diogo, the most you can do is get in the way of anyone who wants to see the source code; you will never be able to hide it in its entirety.

You can make this code:

// Readable baseline for the comparisons that follow: one global string and
// one function that shows it in an alert dialog.
var a = "Hello World!";
// Shows `msg`, a line break, then the global `a`.
function MsgBox(msg){
    alert(msg+"\n"+a);
}
MsgBox("OK");

show up like this:

// Obfuscated form of the same script. The string literals were moved into one
// array and written as \xNN hex escapes. The JavaScript parser decodes those
// escapes on its own, so at run time _0x8e48 simply holds "Hello World!",
// "\n" and "OK" -- this is an encoding, not encryption.
var _0x8e48 = ["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21", "\x0A", "\x4F\x4B"];
var a = _0x8e48[0];

// Same function as the readable version; only the parameter name changed.
// The global names (a, MsgBox) and the alert call remain in plain sight.
function MsgBox(_0xab5dx3) {
    alert(_0xab5dx3 + _0x8e48[1] + a);
};
MsgBox(_0x8e48[2]);

or only

// Rename-only variant: MsgBox became B and msg became c. The string literals
// and the logic are untouched, so the script reads exactly as before.
var a = "Hello World!";
function B(c){
    alert(c+"\n"+a);
}
B("OK");

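But the user can always find the code and de-obfuscate it. If the browser can use it, the user can view it and try to reverse it. Anything that truly must stay secret therefore has to stay on the server rather than in the script sent to the browser.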

7

I searched several solutions on the internet in English using the term "javascript Obfuscator" and found some excellent solutions, but paid and very expensive (even more for Brazilians who pay the service in dollars).

However the company did not want to pay for the tool, and I ended up finding one on github https://github.com/javascript-obfuscator/javascript-obfuscator

You can use the online version too: https://javascriptobfuscator.herokuapp.com/ and the best: it’s free and open-source.


Edit: for example, if we take the code @Sério posted in the other answer:

    // Input given to the obfuscator: the same readable script as in the
    // other answer (one global string, one function that alerts it).
    var a = "Hello World!";
    // Shows `msg`, a line break, then the global `a`.
    function MsgBox(msg){
        alert(msg+"\n"+a);
    }
    MsgBox("OK");

If we run it through the tool above, the output is completely illegible and also protected against modification. If someone tries to format it (insert line breaks, rename variables or functions, remove code, etc.) using any javascript beautifier, it stops working.

// Obfuscator output for the five-line script above. Reading notes:
// - _0x3102 is the string table; its single entry is the hex-escaped form of
//   "Hello World!", and _0x4315 looks entries up by a hex index string.
// - The immediately-invoked function receives the table and 0xe5 and defines
//   a rotate helper (push(shift()) in a loop). The 'setCookie' / 'getCookie' /
//   'removeCookie' keys are only property names on a local object: setCookie
//   writes to a local `{}` (no fourth argument is passed), not document.cookie.
// - The "protection against modification" is a set of RegExp tests run against
//   Function toString() output. They check that small helper functions still
//   have their compact, hex-escaped source text. When a test fails, the code
//   appears to take a path that never terminates (an array that keeps growing
//   in setCookie, or mutual recursion between _0x105955 and _0x21396d selected
//   by a string containing \u0435, a Cyrillic look-alike of "e").
// - The original behaviour is the final alert(...) inside MsgBox; everything
//   else is a deterrent against reformatting, not a secrecy mechanism.
var _0x3102=['\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21'];(function(_0x4d8cba,_0x14ad3c){var _0x52efb3=function(_0x1380af){while(--_0x1380af){_0x4d8cba['\x70\x75\x73\x68'](_0x4d8cba['\x73\x68\x69\x66\x74']());}};var _0x4fa633=function(){var _0x189275={'\x64\x61\x74\x61':{'\x6b\x65\x79':'\x63\x6f\x6f\x6b\x69\x65','\x76\x61\x6c\x75\x65':'\x74\x69\x6d\x65\x6f\x75\x74'},'\x73\x65\x74\x43\x6f\x6f\x6b\x69\x65':function(_0x11387e,_0x173a51,_0x6a0123,_0xea9d6f){_0xea9d6f=_0xea9d6f||{};var _0xb46af2=_0x173a51+'\x3d'+_0x6a0123;var _0x5b1c00=0x0;for(var _0x5b1c00=0x0,_0x24424e=_0x11387e['\x6c\x65\x6e\x67\x74\x68'];_0x5b1c00<_0x24424e;_0x5b1c00++){var _0x4668d5=_0x11387e[_0x5b1c00];_0xb46af2+='\x3b\x20'+_0x4668d5;var _0x1001b3=_0x11387e[_0x4668d5];_0x11387e['\x70\x75\x73\x68'](_0x1001b3);_0x24424e=_0x11387e['\x6c\x65\x6e\x67\x74\x68'];if(_0x1001b3!==!![]){_0xb46af2+='\x3d'+_0x1001b3;}}_0xea9d6f['\x63\x6f\x6f\x6b\x69\x65']=_0xb46af2;},'\x72\x65\x6d\x6f\x76\x65\x43\x6f\x6f\x6b\x69\x65':function(){return'\x64\x65\x76';},'\x67\x65\x74\x43\x6f\x6f\x6b\x69\x65':function(_0x386eb1,_0x29953b){_0x386eb1=_0x386eb1||function(_0x57ca6e){return _0x57ca6e;};var _0x32368d=_0x386eb1(new RegExp('\x28\x3f\x3a\x5e\x7c\x3b\x20\x29'+_0x29953b['\x72\x65\x70\x6c\x61\x63\x65'](/([.$?*|{}()[]\/+^])/g,'\x24\x31')+'\x3d\x28\x5b\x5e\x3b\x5d\x2a\x29'));var _0x5c72b4=function(_0x258f31,_0x5426ba){_0x258f31(++_0x5426ba);};_0x5c72b4(_0x52efb3,_0x14ad3c);return _0x32368d?decodeURIComponent(_0x32368d[0x1]):undefined;}};var _0x3503fd=function(){var _0x2fcea3=new RegExp('\x5c\x77\x2b\x20\x2a\x5c\x28\x5c\x29\x20\x2a\x7b\x5c\x77\x2b\x20\x2a\x5b\x27\x7c\x22\x5d\x2e\x2b\x5b\x27\x7c\x22\x5d\x3b\x3f\x20\x2a\x7d');return _0x2fcea3['\x74\x65\x73\x74'](_0x189275['\x72\x65\x6d\x6f\x76\x65\x43\x6f\x6f\x6b\x69\x65']['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};_0x189275['\x75\x70\x64\x61\x74\x65\x43\x6f\x6f\x6b\x69\x65']=_0x3503fd;var _0x4b2645='';var 
_0x2e4dc3=_0x189275['\x75\x70\x64\x61\x74\x65\x43\x6f\x6f\x6b\x69\x65']();if(!_0x2e4dc3){_0x189275['\x73\x65\x74\x43\x6f\x6f\x6b\x69\x65'](['\x2a'],'\x63\x6f\x75\x6e\x74\x65\x72',0x1);}else if(_0x2e4dc3){_0x4b2645=_0x189275['\x67\x65\x74\x43\x6f\x6f\x6b\x69\x65'](null,'\x63\x6f\x75\x6e\x74\x65\x72');}else{_0x189275['\x72\x65\x6d\x6f\x76\x65\x43\x6f\x6f\x6b\x69\x65']();}};_0x4fa633();}(_0x3102,0xe5));var _0x4315=function(_0x7fe901,_0x45be0f){var _0x7fe901=parseInt(_0x7fe901,0x10);var _0xfb3ffb=_0x3102[_0x7fe901];return _0xfb3ffb;};var a=_0x4315('0x0');function MsgBox(_0x58908a){var _0x2bc273=function(){var _0x5e0360=!![];return function(_0x4f1bad,_0x575402){var _0x4fa53a=_0x5e0360?function(){if(_0x575402){var _0x205ab8=_0x575402['\x61\x70\x70\x6c\x79'](_0x4f1bad,arguments);_0x575402=null;return _0x205ab8;}}:function(){};_0x5e0360=![];return _0x4fa53a;};}();var _0x113342=_0x2bc273(this,function(){var _0x564997=function(){return'\x64\x65\x76';},_0x7cc57a=function(){return'\x77\x69\x6e\x64\x6f\x77';};var _0x4ebdda=function(){var _0x45b262=new RegExp('\x5c\x77\x2b\x20\x2a\x5c\x28\x5c\x29\x20\x2a\x7b\x5c\x77\x2b\x20\x2a\x5b\x27\x7c\x22\x5d\x2e\x2b\x5b\x27\x7c\x22\x5d\x3b\x3f\x20\x2a\x7d');return!_0x45b262['\x74\x65\x73\x74'](_0x564997['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};var _0x30b472=function(){var _0x1b46dc=new RegExp('\x28\x5c\x5c\x5b\x78\x7c\x75\x5d\x28\x5c\x77\x29\x7b\x32\x2c\x34\x7d\x29\x2b');return _0x1b46dc['\x74\x65\x73\x74'](_0x7cc57a['\x74\x6f\x53\x74\x72\x69\x6e\x67']());};var _0x105955=function(_0x486df9){var _0x4c7fc5=~-0x1>>0x1+0xff%0x0;if(_0x486df9['\x69\x6e\x64\x65\x78\x4f\x66']('\x69'===_0x4c7fc5)){_0x21396d(_0x486df9);}};var _0x21396d=function(_0x5f17fe){var 
_0x7ba70c=~-0x4>>0x1+0xff%0x0;if(_0x5f17fe['\x69\x6e\x64\x65\x78\x4f\x66']((!![]+'')[0x3])!==_0x7ba70c){_0x105955(_0x5f17fe);}};if(!_0x4ebdda()){if(!_0x30b472()){_0x105955('\x69\x6e\x64\u0435\x78\x4f\x66');}else{_0x105955('\x69\x6e\x64\x65\x78\x4f\x66');}}else{_0x105955('\x69\x6e\x64\u0435\x78\x4f\x66');}});_0x113342();alert(_0x58908a+'\x0a'+a);}MsgBox('\x4f\x4b');

Of course, since the example code that was obfuscated is very small, the obfuscated output became much bigger. On a larger code base, the obfuscated code will not be so proportionally large.

  • 2

    There’s this one that’s more aggressive, but the code gets much bigger: http://www.jsfuck.com/

  • 2

    @Victorstafusa I had tested this too, but there are sites that reverse obfuscation. The other one I mentioned in the answer I did not find how to reverse.

4

You can use this site to "compress" your Javascript code, if you want to obfuscate the code, check the option "Base62".

Keep in mind that there is no way to completely hide your Javascript; there will always be someone who knows more than a normal user and will recognise what you used to obfuscate the code.

3

Since you cannot avoid delivering valid Javascript code to the browser, you need to tackle the problem from another perspective: how to make your code as uninteresting as possible.

Many people treat "minification" as a "protection" technique, but it only aims to minimize the number of bytes exchanged between client and server and leaves the logic exposed.

The technique that best satisfies your need is really obfuscation, however, for it to be a valid resource, it needs to be refined: if you test the @gcarvalho97 solution you will see that it is possible to easily go back to your original code.

If you search Google for Javascript Obfuscator you will see several options. The second result seemed interesting because it offers protections like forcing your code to run only on certain domains.

No obfuscator can give you a 100% guarantee, but it will give you an advantage by discouraging third parties from copying your code/logic.
