
javascript-obfuscator
The javascript-obfuscator npm package is a powerful tool for obfuscating JavaScript code, making it difficult for others to read and understand. This is useful for protecting intellectual property, preventing code tampering, and reducing the risk of reverse engineering.
Basic Obfuscation
This feature allows you to obfuscate basic JavaScript code. The example shows how to obfuscate a simple function that logs 'Hello World' to the console.
const JavaScriptObfuscator = require('javascript-obfuscator');
const obfuscatedCode = JavaScriptObfuscator.obfuscate(
`function hello() { console.log('Hello World'); }`,
{ compact: true, controlFlowFlattening: false }
).getObfuscatedCode();
console.log(obfuscatedCode);
Control Flow Flattening
Control Flow Flattening is a feature that makes the control flow of the code less recognizable. The example shows how to enable this option to further obfuscate the 'hello' function.
const JavaScriptObfuscator = require('javascript-obfuscator');
const obfuscatedCode = JavaScriptObfuscator.obfuscate(
`function hello() { console.log('Hello World'); }`,
{ controlFlowFlattening: true }
).getObfuscatedCode();
console.log(obfuscatedCode);
String Array Encoding
String Array Encoding encodes strings in the code to make them harder to read. The example shows how to encode strings using base64 encoding.
const JavaScriptObfuscator = require('javascript-obfuscator');
const obfuscatedCode = JavaScriptObfuscator.obfuscate(
`function hello() { console.log('Hello World'); }`,
{ stringArray: true, stringArrayEncoding: ['base64'] }
).getObfuscatedCode();
console.log(obfuscatedCode);
Self-Defending
The Self-Defending feature makes the obfuscated code more difficult to modify and tamper with. The example shows how to enable this option.
const JavaScriptObfuscator = require('javascript-obfuscator');
const obfuscatedCode = JavaScriptObfuscator.obfuscate(
`function hello() { console.log('Hello World'); }`,
{ selfDefending: true }
).getObfuscatedCode();
console.log(obfuscatedCode);
The obfuscator-io-metro-plugin is a Metro plugin for React Native that uses obfuscator.io to obfuscate JavaScript code. It is specifically designed for React Native projects and integrates seamlessly with the Metro bundler. Compared to javascript-obfuscator, it is more specialized for React Native environments.
UglifyJS is a JavaScript parser, minifier, compressor, and beautifier toolkit. While its primary focus is on minification and compression, it also offers some obfuscation features. Compared to javascript-obfuscator, UglifyJS is more focused on reducing file size and improving performance, with less emphasis on making the code difficult to understand.
JavaScript obfuscator for Node.js is a free alternative to js-obfuscator (which uses javascriptobfuscator.com)
Online version: javascriptobfuscator.herokuapp.com
Example of obfuscated code: gist.github.com
Install the package from NPM and add it to your devDependencies:
$ npm install --save-dev javascript-obfuscator
Here's an example of how to use it:
var JavaScriptObfuscator = require('javascript-obfuscator');
var obfuscationResult = JavaScriptObfuscator.obfuscate(
`
(function(){
var variable = 'abc';
console.log(variable);
})();
`,
{
rotateStringArray: false
}
);
console.log(obfuscationResult.getObfuscatedCode());
/*
var _0xabf1 = [
'\x61\x62\x63',
'\x6c\x6f\x67'
];
(function() {
var _0xe6fab6 = _0xabf1[0x0];
console[_0xabf1[0x1]](_0xe6fab6);
}());
*/
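The output above can be read back mechanically: the string array only stores the literals as hex escapes, so a reviewer can recover them without executing the code. The following is an added example (not from the package or its README) that decodes the array and inlines the lookups; it assumes the unrotated, unencoded form shown above (rotateStringArray: false, no stringArrayEncoding), and the function names are illustrative.

```javascript
// Constructed sample: the obfuscated output quoted in the usage example above.
const SAMPLE = String.raw`var _0xabf1 = [
    '\x61\x62\x63',
    '\x6c\x6f\x67'
];
(function() {
    var _0xe6fab6 = _0xabf1[0x0];
    console[_0xabf1[0x1]](_0xe6fab6);
}());`;

// Turn \xNN and \uNNNN escapes back into characters without evaluating any code.
function decodeEscapes(s) {
    return s.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
        (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Locate `var NAME = ['...', ...];` and return the array name plus decoded entries.
function extractStringArray(code) {
    const m = /var\s+(_0x[0-9a-f]+)\s*=\s*\[([\s\S]*?)\];/.exec(code);
    if (!m) return null;
    const strings = [];
    const lit = /'((?:[^'\\]|\\.)*)'/g;
    for (let e; (e = lit.exec(m[2])) !== null;) strings.push(decodeEscapes(e[1]));
    return { name: m[1], strings, declaration: m[0] };
}

// Replace NAME[0xN] lookups with the literal they resolve to.
function inlineStrings(code) {
    const arr = extractStringArray(code);
    if (!arr) return code;
    const ref = new RegExp(arr.name + '\\[(0x[0-9a-f]+|\\d+)\\]', 'g');
    return code.replace(arr.declaration, '').replace(ref, (whole, idx) => {
        const value = arr.strings[Number(idx)];
        return value === undefined ? whole : JSON.stringify(value);
    }).trim();
}

console.log(inlineStrings(SAMPLE));
```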
obfuscate(sourceCode, options)
Returns ObfuscationResult object which contains two public methods:
getObfuscatedCode() - returns string with obfuscated code;
getSourceMap() - if the sourceMap option is enabled - returns string with source map, or an empty string if the sourceMapMode option is set as inline.
Calling toString() for ObfuscationResult object will return string with obfuscated code.
Method takes two parameters, sourceCode and options – the source code and the options respectively:
sourceCode (string, default: null) – any valid source code, passed as a string;
options (Object, default: null) – an object with options.
For available options see options.
Usage:
javascript-obfuscator in.js [options]
javascript-obfuscator in.js --output out.js [options]
If the destination path is not specified through the --output option, the obfuscated code will be saved into the input file directory with a name like INPUT_FILE_NAME-obfuscated.js
Examples:
javascript-obfuscator samples/sample.js --compact true --selfDefending false
// creates a new file samples/sample-obfuscated.js
javascript-obfuscator samples/sample.js --output output/output.js --compact true --selfDefending false
// creates a new file output/output.js
See CLI options.
The following options are available for the JS Obfuscator:
{
compact: true,
debugProtection: false,
debugProtectionInterval: false,
disableConsoleOutput: true,
reservedNames: [],
rotateStringArray: true,
selfDefending: true,
sourceMap: false,
sourceMapBaseUrl: '',
sourceMapFileName: '',
sourceMapMode: 'separate',
stringArray: true,
stringArrayEncoding: false,
stringArrayThreshold: 0.8,
unicodeEscapeSequence: true
}
-v, --version
-h, --help
-o, --output
--compact <boolean>
--debugProtection <boolean>
--debugProtectionInterval <boolean>
--disableConsoleOutput <boolean>
--reservedNames <list> (comma separated)
--rotateStringArray <boolean>
--selfDefending <boolean>
--sourceMap <boolean>
--sourceMapBaseUrl <string>
--sourceMapFileName <string>
--sourceMapMode <string> [inline, separate]
--stringArray <boolean>
--stringArrayEncoding <boolean|string> [true, false, base64, rc4]
--stringArrayThreshold <number>
--unicodeEscapeSequence <boolean>
compact
Type: boolean
Default: true
Compact code output on one line.
debugProtection
Type: boolean
Default: false
This option makes it almost impossible to use the console tab of the Developer Tools (both on WebKit-based and Mozilla Firefox).
debugProtectionInterval
Type: boolean
Default: false
If checked, an interval is used to force the debug mode on the Console tab, making it harder to use other features of the Developer Tools. Works if debugProtection is enabled.
disableConsoleOutput
Type: boolean
Default: true
Disables the use of console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes the use of the debugger harder.
domainLock
Type: string[]
Default: []
Locks the obfuscated source code so it only runs on specific domains and/or sub-domains. This makes it really hard for someone to just copy and paste your source code and run it elsewhere.
It's possible to lock your code to more than one domain or sub-domain. For instance, to lock it so the code only runs on www.example.com add www.example.com; to make it work on any sub-domain of example.com, use .example.com.
reservedNames
Type: string[]
Default: []
Disables the obfuscation of variables names, function names and function parameters that match the Regular Expression used.
Example:
{
reservedNames: [
'^someVariable',
// backslash doubled so the pattern keeps \d inside a JavaScript string literal
'functionParameter_\\d'
]
}
rotateStringArray
Type: boolean
Default: true
stringArray must be enabled
Shifts the stringArray array by a fixed and random (generated at the code obfuscation) number of places. This makes it harder to match the order of the removed strings to their original place.
This option is recommended if your original source code isn't small, as the helper function can attract attention.
selfDefending
Type: boolean
Default: true
This option forcibly sets the compact value to true.
This option makes the output code resilient against formatting and variable renaming. If one tries to use a JavaScript beautifier on the obfuscated code, the code won't work anymore, making it harder to understand and modify it.
sourceMap
Type: boolean
Default: false
Enables source map generation for obfuscated code.
Source maps can be useful to help you debug your obfuscated JavaScript source code. If you want or need to debug in production, you can upload the separate source map file to a secret location and then point your browser there.
sourceMapBaseUrl
Type: string
Default: ``
Sets base url to the source map import url when sourceMapMode: 'separate'.
CLI example:
javascript-obfuscator input.js --output out.js --sourceMap true --sourceMapBaseUrl 'http://localhost:9000'
Result:
//# sourceMappingURL=http://localhost:9000/out.js.map
sourceMapFileName
Type: string
Default: ``
Sets file name for output source map when sourceMapMode: 'separate'.
CLI example:
javascript-obfuscator input.js --output out.js --sourceMap true --sourceMapBaseUrl 'http://localhost:9000' --sourceMapFileName example
Result:
//# sourceMappingURL=http://localhost:9000/example.js.map
sourceMapMode
Type: string
Default: separate
Specifies source map generation mode:
inline - emit a single file with source maps instead of having a separate file;
separate - generates a corresponding '.map' file with the source map. If the obfuscator is run through the CLI, it adds a link to the source map file at the end of the file with obfuscated code: //# sourceMappingURL=file.js.map
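A source map undoes the obfuscation for anyone who can read it, so it is worth checking what a shipped file actually references. The following is an added example (not from the package or its README) that classifies the sourceMappingURL comment of a build artifact and, for an inline map, reports whether a sourcesContent field exposes the original source; the sample map is constructed, and whether a given build's map carries sourcesContent has to be checked on the real output.

```javascript
// Constructed build artifacts: one with an inline map, one pointing at a separate map.
const ORIGINAL = "(function(){ var variable = 'abc'; console.log(variable); })();";
const MAP = { version: 3, sources: ['input.js'], names: [], mappings: '',
    sourcesContent: [ORIGINAL] };
const INLINE_BUILD = 'var _0xabf1=[];\n//# sourceMappingURL=data:application/json;base64,' +
    Buffer.from(JSON.stringify(MAP)).toString('base64');
const SEPARATE_BUILD = 'var _0xabf1=[];\n//# sourceMappingURL=http://localhost:9000/out.js.map';

// Classify the sourceMappingURL comment of a shipped file, if it has one.
function auditSourceMap(code) {
    const m = /\/\/[#@]\s*sourceMappingURL=(\S+)\s*$/m.exec(code);
    if (!m) return { mode: 'none', leaksSource: false, recovered: [] };
    const url = m[1];
    const inline = /^data:application\/json(?:;charset=[^;,]+)?;base64,(.*)$/i.exec(url);
    if (!inline) {
        // Separate map: exposure depends on who can fetch this URL, so report it for review.
        return { mode: 'separate', url, leaksSource: false, recovered: [] };
    }
    let map;
    try {
        map = JSON.parse(Buffer.from(inline[1], 'base64').toString('utf8'));
    } catch (err) {
        return { mode: 'inline', leaksSource: false, recovered: [], error: 'unparseable map' };
    }
    // sourcesContent, when present, holds the pre-obfuscation source verbatim.
    const recovered = (map.sourcesContent || []).filter((s) => typeof s === 'string');
    return { mode: 'inline', sources: map.sources || [],
        leaksSource: recovered.length > 0, recovered };
}

console.log(auditSourceMap(INLINE_BUILD).leaksSource, auditSourceMap(SEPARATE_BUILD).url);
```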
stringArray
Type: boolean
Default: true
Removes string literals and places them in a special array. For instance, the string "Hello World" in var m = "Hello World"; will be replaced with something like var m = _0x12c456[0x1];
stringArrayEncoding
Type: boolean|string
Default: false
stringArray option must be enabled
This option can slightly slow down your script.
Encodes all string literals of the stringArray using base64 or rc4 and inserts special code that is used to decode them back at runtime.
Available values:
true (boolean): encode stringArray values using base64
false (boolean): don't encode stringArray values
'base64' (string): encode stringArray values using base64
'rc4' (string): encode stringArray values using rc4. About 30-35% slower than base64, but harder to get initial values
stringArrayThreshold
Type: number
Default: 0.8
Min: 0
Max: 1
stringArray option must be enabled
You can use this setting to adjust the probability (from 0 to 1) that a string literal will be inserted into the stringArray.
This setting is useful with large code size because repeated calls to the stringArray array can slightly slow down your code.
stringArrayThreshold: 0 equals stringArray: false.
unicodeEscapeSequence
Type: boolean
Default: true
Enables or disables string conversion to unicode escape sequences.
Unicode escape sequences greatly increase code size. It is recommended to disable this option when using stringArrayEncoding (especially with rc4 encoding).
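The options above leave recognizable traces in the output (hex-style `_0x` names, hex-indexed lookups into the string array, strings written entirely as escape sequences), which helps when reviewing third-party or bundled code for unexpected obfuscation. The following is an added example (not from the package or its README) that flags files showing at least two of these traces; the thresholds, function names and file names are assumptions for illustration.

```javascript
// Constructed samples: output in the style of this page's example, and the plain original.
const OBFUSCATED = String.raw`var _0xabf1=['\x61\x62\x63','\x6c\x6f\x67'];` +
    `(function(){var _0xe6fab6=_0xabf1[0x0];console[_0xabf1[0x1]](_0xe6fab6);}());`;
const PLAIN = "(function(){ var variable = 'abc'; console.log(variable); })();";

// Thresholds are assumptions chosen for illustration; tune them on your own corpus.
function obfuscationSignals(code) {
    const count = (re) => (code.match(re) || []).length;
    const stringLiterals = code.match(/'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/g) || [];
    // A literal counts as escaped when every character is a \xNN or \uNNNN sequence.
    const fullyEscaped = stringLiterals.filter((s) =>
        s.length > 2 &&
        /^(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4})+$/.test(s.slice(1, -1))).length;
    const signals = [];
    if (count(/\b_0x[0-9a-f]{4,}\b/g) >= 3) signals.push('hex-style identifiers');
    if (count(/\b_0x[0-9a-f]+\[0x[0-9a-f]+\]/g) >= 1) signals.push('string array lookups');
    if (stringLiterals.length && fullyEscaped / stringLiterals.length >= 0.5) {
        signals.push('escape-sequence strings');
    }
    return signals;
}

// Report only files that show at least two independent signals.
function triage(files) {
    return Object.entries(files)
        .map(([name, code]) => ({ name, signals: obfuscationSignals(code) }))
        .filter((r) => r.signals.length >= 2);
}

console.log(triage({ 'dist/vendor.js': OBFUSCATED, 'src/app.js': PLAIN }));
```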
Copyright (C) 2016 Timofey Kachalov.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
FAQs
JavaScript obfuscator
The npm package javascript-obfuscator receives a total of 239,863 weekly downloads. As such, javascript-obfuscator popularity was classified as popular.
We found that javascript-obfuscator demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.