javascript-obfuscator

What is javascript-obfuscator?

The javascript-obfuscator npm package is a powerful tool for obfuscating JavaScript code, making it difficult for others to read and understand. This is useful for protecting intellectual property, preventing code tampering, and reducing the risk of reverse engineering.

What are javascript-obfuscator's main functionalities?

Basic Obfuscation

This feature allows you to obfuscate basic JavaScript code. The example shows how to obfuscate a simple function that logs 'Hello World' to the console.

const JavaScriptObfuscator = require('javascript-obfuscator');

const obfuscatedCode = JavaScriptObfuscator.obfuscate(
  `function hello() { console.log('Hello World'); }`,
  { compact: true, controlFlowFlattening: false }
).getObfuscatedCode();

console.log(obfuscatedCode);

Control Flow Flattening

Control Flow Flattening is a feature that makes the control flow of the code less recognizable. The example shows how to enable this option to further obfuscate the 'hello' function.

const JavaScriptObfuscator = require('javascript-obfuscator');

const obfuscatedCode = JavaScriptObfuscator.obfuscate(
  `function hello() { console.log('Hello World'); }`,
  { controlFlowFlattening: true }
).getObfuscatedCode();

console.log(obfuscatedCode);

String Array Encoding

String Array Encoding encodes strings in the code to make them harder to read. The example shows how to encode strings using base64 encoding.

const JavaScriptObfuscator = require('javascript-obfuscator');

const obfuscatedCode = JavaScriptObfuscator.obfuscate(
  `function hello() { console.log('Hello World'); }`,
  { stringArray: true, stringArrayEncoding: ['base64'] }
).getObfuscatedCode();

console.log(obfuscatedCode);

Self-Defending

The Self-Defending feature makes the obfuscated code more difficult to modify and tamper with. The example shows how to enable this option.

const JavaScriptObfuscator = require('javascript-obfuscator');

const obfuscatedCode = JavaScriptObfuscator.obfuscate(
  `function hello() { console.log('Hello World'); }`,
  { selfDefending: true }
).getObfuscatedCode();

console.log(obfuscatedCode);

Other packages similar to javascript-obfuscator

obfuscator-io-metro-plugin

The obfuscator-io-metro-plugin is a Metro plugin for React Native that uses obfuscator.io to obfuscate JavaScript code. It is specifically designed for React Native projects and integrates seamlessly with the Metro bundler. Compared to javascript-obfuscator, it is more specialized for React Native environments.

uglify-js

UglifyJS is a JavaScript parser, minifier, compressor, and beautifier toolkit. While its primary focus is on minification and compression, it also offers some obfuscation features. Compared to javascript-obfuscator, UglifyJS is more focused on reducing file size and improving performance, with less emphasis on making the code difficult to understand.

README

JavaScript obfuscator for Node.js

JavaScript obfuscator for Node.js is a free alternative to js-obfuscator (which uses javascriptobfuscator.com)

• without any limits and sending data to a server;
• compatible with ES6;
• tested on Angular2 bundle.

https://gist.github.com/sanex3339/ffc2876123b52e6d11ce45369fd53acf

Installation

Install the package from NPM and add it to your devDependencies:

$ npm install --save-dev javascript-obfuscator

Node.js usage

Here's an example of how to use it:

var JavaScriptObfuscator = require('javascript-obfuscator');

var obfuscationResult = JavaScriptObfuscator.obfuscate(
    `
    (function(){
        var variable = 'abc';
        console.log(variable);
    })();
    `,
    {
        rotateUnicodeArray: false
    }
);

console.log(obfuscationResult.getObfuscatedCode());
/*
var _0xabf1 = [
    '\x61\x62\x63',
    '\x6c\x6f\x67'
];
(function() {
    var _0xe6fab6 = _0xabf1[0x0];
    console[_0xabf1[0x1]](_0xe6fab6);
}());
*/

obfuscate(sourceCode, options)

Returns ObfuscationResult object which contains two public methods:

• getObfuscatedCode() - returns string with obfuscated code;
• getSourceMap() - if sourceMap options is enable - returns string with source map or an empty string if sourceMapMode option is set as inline.

Calling toString() for ObfuscationResult object will return string with obfuscated code.

Method takes two parameters, sourceCode and options – the source code and the opitons respectively:

• sourceCode (string, default: null) – any valid source code, passed as a string;
• options (Object, default: null) – an object with options.

For available options see options.

CLI usage

Usage:

javascript-obfuscator in.js [options]
javascript-obfuscator in.js -output out.js [options]

If the destination path is not specified through --output option, obfuscated code will saved into input file directory with name like INPUT_FILE_NAME-obfuscated.js

Examples:

javascript-obfuscator samples/sample.js --compact true --selfDefending false
// creates a new file samples/sample-obfuscated.js

javascript-obfuscator samples/sample.js --output output/output.js --compact true --selfDefending false
// creates a new file output/output.js

See CLI options.

JavaScript Obfuscator Options

Following options available for the JS Obfuscator:

options:

{
    compact: true,
    debugProtection: false,
    debugProtectionInterval: false,
    disableConsoleOutput: true,
    encodeUnicodeLiterals: false,
    reservedNames: [],
    rotateUnicodeArray: true,
    selfDefending: true,
    sourceMap: false,
    sourceMapMode: 'separate',
    unicodeArray: true,
    unicodeArrayThreshold: 0.8,
    wrapUnicodeArrayCalls: true
}

CLI options:

    -v, --version
    -h, --help

    -o, --output

    --compact <boolean>
    --debugProtection <boolean>
    --debugProtectionInterval <boolean>
    --disableConsoleOutput <boolean>
    --encodeUnicodeLiterals <boolean>
    --reservedNames <list> (comma separated)
    --rotateUnicodeArray <boolean>
    --selfDefending <boolean>
    --sourceMap <boolean>
    --sourceMapMode <string> [inline, separate]
    --unicodeArray <boolean>
    --unicodeArrayThreshold <number>
    --wrapUnicodeArrayCalls <boolean>

compact

Type: boolean Default: true

Compact code output on one line.

debugProtection

Type: boolean Default: false

:warning: Can freeze browser while Developer Tools are enabled! Use at own risk.

Force enable debug mode on page load if Developer Tools panel is enabled (in some, mainly WebKit-based, browsers). This makes it almost impossible to use the Console (the debug panel).

• WebKit-based: blocks the site window, but you still can navigate through Developer Tools panel.
• Firefox: does not block the site window, but still won't let you use DevTools.

debugProtectionInterval

Type: boolean Default: false

:warning: Can freeze browser even while Developer Tools are disabled! Use at own risk.

Works if debugProtection is enabled.

Force enable debug mode in some browsers (mainly WebKit-based) when Developer Tools panel is enabled, even after page is loaded.

disableConsoleOutput

Type: boolean Default: true

Disable console.log, console.info, console.error and console.warn messages output into the browser console.

encodeUnicodeLiterals

Type: boolean Default: false

:warning: unicodeArray option must be enabled

This option can slightly slow down your code speed.

All literals in Unicode array become encoded in Base64. To decode strings, a special function will be inserted on the page under unicodeArray node.

reservedNames

Type: string[] Default: []

Disable obfuscation of variable names, function names and names of function parameters that match the passed RegExp pattern.

Example:

	{
		reservedNames: [
			'^someVariable',
			'functionParameter_\d'
		]
	}

rotateUnicodeArray

Type: boolean Default: true

:warning: unicodeArray must be enabled

Shift the unicodeArray values by a random number of places during the code obfuscation and insert a helper function for shifting the array back into the source code. (It works just like the Caesar cypher.)

Keep in mind that this option affects only how the code is visually organised, since the original arrays can be easily accessed during the debug process.

It is also not recommended to enable rotateUnicodeArray for small source code because a helper function might attract attention.

selfDefending

Type: boolean Default: true

:warning: this option forcibly set compact value to true

Enables self-defending for obfuscated code. If obfuscated compact code is formatted, it will not work any more.

sourceMap

Type: boolean Default: false

Enables source map generation for obfuscated code.

sourceMapMode

Type: string Default: separate

Specifies source map generation mode:

• inline - emit a single file with source maps instead of having a separate file;
• separate - generates corresponding '.map' file with source map. If obfuscator run through CLI - adds link to source map file to the end of file with obfuscated code //# sourceMappingUrl=file.js.map.

unicodeArray

Type: boolean Default: true

Put all literal strings into an array and replace every literal string by an array call.

unicodeArrayThreshold

Type: number Default: 0.8 Min: 0 Max: 1

:warning: unicodeArray option must be enabled

The probability that the literal string will be inserted into unicodeArray. Use this option for huge source code size, because many calls to unicodeArray will slow down code performance.

unicodeArrayThreshold: 0 equals to unicodeArray: false.

wrapUnicodeArrayCalls

Type: boolean Default: true

:warning: unicodeArray option must be enabled

Instead of using direct calls to unicodeArray items var t = _0x43a123[0x0], when index 0x0 can be easily reverted to 0 with few js beautifiers, this option will wrap all calls to special function instead.

var t = _0x12a634('0x0')

License

Copyright (C) 2016 Timofey Kachalov.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.