Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 1 of 2 12 LastLast
Results 1 to 15 of 20
  1. #1
    New Coder
    Join Date
    Mar 2012
    Posts
    32
    Thanks
    13
    Thanked 0 Times in 0 Posts

    Can't hide code, but how to protect as best as possible?

    I know it is impossible to protect js. Minify and obfuscation don't seem very effective.

    But I ran across code like this, which could not be unobfuscated via simple methods. It appears to have non ascii characters (which I didn't know was possible). I would like to know how to create this same effect to help improve my protection. I realize it will not be highly secure, but something should be better than nothing.

    A portion of the .js:

    `XEnE)J:2\x00dzA\

    EDIT: That doesn't work since the forum can only interpret ascii. But in the actual .js there are non ascii characters. What was done to achieve this?

  • #2
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,436
    Thanks
    75
    Thanked 4,370 Times in 4,335 Posts
    JavaScript supports unicode. Nothing special about that.

    Example:
    Code:
    <script>
    var s = "the quick brown fox";
    var r = "";
    for ( var i = 0; i < s.length; ++i )
    {
        r += String.fromCharCode(1024 + s.charCodeAt(i));
    }
    document.write(r);
    document.write("<hr/>");
    
    var s2 = "ѴѨѥРѱѵѩѣѫРѢѲѯѷѮРѦѯѸ";
    var r2 = "";
    for ( var i = 0; i < s2.length; ++i )
    {
        r2 += String.fromCharCode(s2.charCodeAt(i)-1024);
    }
    document.write(r2);
    
    </script>
    If that string of UTF8 characters doesn't show correctly in your browser, just run the code then copy/paste the result of the first document.write into the s2 quoted string and run it all again.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • Users who have thanked Old Pedant for this post:

    ronjon65 (03-29-2012)

  • #3
    Gütkodierer
    Join Date
    Apr 2009
    Posts
    2,127
    Thanks
    1
    Thanked 426 Times in 424 Posts
    Quote Originally Posted by ronjon65 View Post
    But I ran across code like this, which could not be unobfuscated via simple methods.
    Whether this obfuscation method makes any sense probably depends on which people you don't want to understand your code. Although UTF8 characters might look rather cryptic to the layman, for anyone savvy enough, this is very simple to beautify: Just step through the code with a debugger — at some point that crazy stuff has to be decoded and evaluated, and there you got the plain text.

    It's much better to use a tool that tries to actually understand your code and optimize it, like the Google closure compiler. That way, trying to beautify it will still leave you with a bunch of gibberish that's intended for machines, and not for people.

    If you're so inclined, you can of course use both methods for maximum obfuscation. If you're using any Javascript framework and you're okay with not serving it from a CDN, putting it in the same file as your actual code before obfuscation helps too.

    Also, the forum has no problems displaying UTF8 characters, so something else must have gone wrong there.
    .My new Javascript tutorial site: http://reallifejs.com/
    .Latest article: Calculators — Tiny jQuery calculator, Full-fledged OOP calculator, Big number calculator
    .Latest quick-bit: Including jQuery — Environment-aware minification and CDNs with local fallback

  • Users who have thanked venegal for this post:

    ronjon65 (03-29-2012)

  • #4
    New Coder
    Join Date
    Mar 2012
    Posts
    32
    Thanks
    13
    Thanked 0 Times in 0 Posts
    Wow, thanks. For now, that only makes me totally confused...but more importantly optimistic that I can protect my code to a greater degree than what jsbeatifier.org can easily unobfuscate.

    Is there a "step-by-step" way to take my code and improve the security. I know it won't be perfect, but better than nothing.

  • #5
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,982
    Thanks
    203
    Thanked 2,536 Times in 2,514 Posts
    Quote Originally Posted by ronjon65 View Post
    Wow, thanks. For now, that only makes me totally confused...but more importantly optimistic that I can protect my code to a greater degree than what jsbeatifier.org can easily unobfuscate.

    Is there a "step-by-step" way to take my code and improve the security. I know it won't be perfect, but better than nothing.
    Do you have a particular reason for believing that your code is so remarkable and unusual that anyone would be interested in stealing it?

    All the code given in this post has been tested and is intended to address the question asked.
    Unless stated otherwise it is not just a demonstration.

  • #6
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,639
    Thanks
    0
    Thanked 649 Times in 639 Posts
    The simplest way to reduce the chances of your code getting stolen is to not obfuscate it at all. There is a whole group of thieves who steal obfuscated code just to prove to one another how clever they are to be able to unobfuscate it.

    The next thing to do is to place a copyright notice at the top of the code that identifies how to contact you. That way most people will actually contact you for permission if your code actually is that good that other people want to copy it rather than using the code the experts give away.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #7
    Senior Coder rnd me's Avatar
    Join Date
    Jun 2007
    Location
    Urbana
    Posts
    4,332
    Thanks
    11
    Thanked 587 Times in 568 Posts
    the best deterrent is simply writing code that nobody wants to steal. It's like keeping a cheap bike to ride and lock up on campus whilst you have a nice one in the garage at home: reduce exposure, reduce desire, and nobody will likely bother.

    making good use of ternary and default operators, single-letter private vars, and so on will turn folks away. take this thread for example: i posted a function that does more, but someone would rather have the "more readable" version that does less. While that was just trying to be fewer bytes, I've found it's pretty easy to scare people away from code if you try.
    my site (updated 13/9/26)
    BROWSER STATS [% share] (2014/5/28) IE7:0.1, IE8:5.3, IE11:8.4, IE9:3.2, IE10:3.2, FF:18.2, CH:46, SF:7.9, NON-MOUSE:32%

  • Users who have thanked rnd me for this post:

    ronjon65 (03-30-2012)

  • #8
    Banned
    Join Date
    Mar 2012
    Posts
    306
    Thanks
    1
    Thanked 28 Times in 28 Posts
    Quote Originally Posted by Philip M View Post
    Do you have a particular reason for believing that your code is so remarkable and unusual that anyone would be interested in stealing it?
    A lot of newbies and even not so newbies take both remarkable and not remarkable code when it's what they are after because either don't know how to write it themselves or can't be bothered writing it for some reason. I've taken a lot on unremarkable code from the interweb, none of your though .

    So if you want to deter people from taking your code it's a good idea to at least make it difficult for the newbies.
    Last edited by Mishu; 03-29-2012 at 10:59 PM.

  • #9
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,639
    Thanks
    0
    Thanked 649 Times in 639 Posts
    Quote Originally Posted by Mishu View Post
    So if you want to deter people from taking your code it's a good idea to at least make it difficult for the newbies.
    Adding a copyright notice is as difficult as you can make it - there's nothing you can do to prevent them from taking it, all you can do is encourage them to ask first.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • Users who have thanked felgall for this post:

    ronjon65 (03-30-2012)

  • #10
    Banned
    Join Date
    Mar 2012
    Posts
    306
    Thanks
    1
    Thanked 28 Times in 28 Posts
    Quote Originally Posted by felgall View Post
    there's nothing you can do to prevent them from taking it
    Read my last post. I never said you can prevent them from taking it. All you can do is make them jump through at least a few hoops to get your code which might stop non tech savvy people. If someone knows what they are doing then of course you can't stop them from taking it. Even I have copied code from other websites regardless of what hurdles are put up infront of me.

  • #11
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,982
    Thanks
    203
    Thanked 2,536 Times in 2,514 Posts
    People who take steps or employ devices which are intended to make it hard for others to copy their code are sending a clear message that they do not wish that to happen, at least without their permission. Obviously that will do nothing to deter the likes of Mishu (and his several pseudonyms), but those who have a moral compass and value their integrity will respect the spirit as well as the letter of the request.

    Dishonest behaviour remains just that, even though there is no practical way of preventing it or applying any sanction. People who disregard honesty boxes are cheats. People who take the contents of honesty boxes are thieves.

    I do realise that since the spread of the internet many people who are not career criminals are perfectly comfortable with lying, cheating and stealing, the only issue being can you get away with it. It could also be said that the Government often sets a poor example.

    All the code given in this post has been tested and is intended to address the question asked.
    Unless stated otherwise it is not just a demonstration.

  • #12
    New Coder
    Join Date
    Mar 2012
    Posts
    32
    Thanks
    13
    Thanked 0 Times in 0 Posts
    Great comments everyone. Here is my strategy and a few answers:

    - My code is not impressive at all (in fact, the code is unimpressive). However, it does contain a database of values that took many hours to develop. Essentially there is a script that creates the .js. The end result is what I would like to protect.

    - That said, a really great comment was to change the variable names. I can easily make them meaningless variables since the script does not care. This would take a lot more time to interpret and partially deter some.

    - I will add the copyright notice. Does anyone have good examples of such a notice?

    - I may or may not obfuscate the code. At this point, it probably does not matter and I won't waste energy on it. I think spending the energy on making a better product is probably a better way to improve your overall competitiveness.

    - At least I asked the experts and will have peace of mind that I did what I could. The worst is to not even try and find out later that you could have done a better job.

    Thanks

  • #13
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,639
    Thanks
    0
    Thanked 649 Times in 639 Posts
    Quote Originally Posted by Mishu View Post
    Read my last post. I never said you can prevent them from taking it. All you can do is make them jump through at least a few hoops to get your code which might stop non tech savvy people.
    All the thieves are tech savvy people. The non-tech savvy people don't know what JavaScript is.

    A copyright notice is at least as effective at preventing script theft as anything else you can do.

    The number of pages with obfuscated HTML that are stolen is far higher than that of HTML pages that are not obfuscated just because the thieves think they are somehow clever in being able to undo the obfuscation. Because undoing obfuscation of JavaScript involves three or four mouse clicks instead of the one that removing obfuscation from HTML requires they think it is even more clever to be able to steal those scripts.

    Take a look at all the really major sites on the web and see how many of them apply any obfuscation whatsoever to their source. If you find on such site in the top thousand I'd be surprised because they know that a simple copyright notice is far more effective at preventing their page content and scripts from being stolen the alternatives.

    Also ANY obfuscation is near certain to have your page not work properly for more visitors than without the obfuscation.

    The honest people will not steal your content regardless.
    The not quite so honest people might steal content without a copyright notice and if caught would claim they thought it was in the public domain.
    Those who have searched a long time for a script that does what yours does will contact you to ask permission to use it if there is a copyright notice - they may not know who to ask and might just take it even if it is obfuscated without the notice.
    Tech savvy but generally stupid people will deliberately steal obfuscated content just because they think it is clever.
    Those who deliberately set out to steal your content will do so regardless of the measures you apply. The copyright notice will make things easier when you take them to court. The non-tech savvy judge may not realise that the obfuscation is even there or that you mistakenly thought that it would discourage theft.
    Last edited by felgall; 03-30-2012 at 10:01 PM.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #14
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,436
    Thanks
    75
    Thanked 4,370 Times in 4,335 Posts
    RonJon: You know if it is the data you are sensitive about, the the best answer is simple: Don't put the data ANYWHERE in the HTML page. Leave it on the server. Use AJAX to retrieve only the values needed at any given time.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #15
    Banned
    Join Date
    Mar 2012
    Posts
    306
    Thanks
    1
    Thanked 28 Times in 28 Posts
    Quote Originally Posted by felgall View Post
    All the thieves are tech savvy people.
    No they are not. I've shown non tech savvy people how to get around some basic, effectively useless, barriers.

    An "unwritten rule of thumb" I have seen said in many forums is that if you don't want someone to see it or take it, then don't publish it on the interweb.
    Last edited by Mishu; 03-31-2012 at 03:05 AM.


  •  
    Page 1 of 2 12 LastLast

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •