There are many ways to protect JavaScript files, ranging from free tools to advanced commercial services. The core objective of these protections is simple: make the code difficult to read and reverse engineer.
Common JavaScript Obfuscation Techniques
-
Adding Junk Code: Inserting meaningless or irrelevant code to confuse anyone analyzing the file.
-
Renaming Identifiers: Changing variable and function names to short, nonsensical strings, making it harder to understand their purpose.
It’s important to note that the original variable and function names cannot be fully recovered once obfuscated. However, for an experienced JavaScript developer, this is rarely a significant obstacle.
How Deobfuscation Works
The typical approach to deobfuscating JavaScript involves:
-
Executing the Obfuscated Code: Running the script in a controlled environment to extract the real string values used during execution.
-
Replacing Extracted Strings: Substituting the obfuscated string values with their clear, original counterparts in the appropriate locations.
-
Removing Junk Code: Cleaning up the file by deleting unnecessary or misleading code that was added for obfuscation.
Obfuscation vs. Minification
It’s crucial not to confuse obfuscated JavaScript with minified JavaScript:
-
Minified JavaScript is simply the original code with all unnecessary whitespace, comments, and line breaks removed to reduce file size. Sometimes, variables and functions are renamed to short identifiers like
a
,b
, etc., but the code remains fully functional and relatively readable. -
With minified files, developers can easily reformat the code and rename variables and functions to more descriptive names to improve readability.