View Full Version : script protection

03-16-2004, 12:24 AM
I'm sure this comes up a lot, but here goes - Is there a way to protect a javascript from being ripped off?

If not, what is the best "almost protection" for a script and where can I learn more about the subject???


03-16-2004, 12:30 AM
Don't place it online.

03-16-2004, 01:14 AM
Let me put it another way - the very common script below has been double encrypted and one character changed so it won't work - is anyone able to decode it


var enkripsi="'02'02'02'02'02'02'02'02'02'02'02'02tcp'02ug25'1F2772'1@XzWu['1F'05nRnzpLvVALVRMmEMSMwm'05'1@ii'1F'05'1Aakvwq'1FVk'02cgfg'02m'02wrp'02mp`mqp'02'02pug'02gqm'02,'0 2pjeg'02qpskg'03'1@nfaol,cgqf'1Fmwgvcne'1Fmwgvevnol@K'1@q'0:kfuqf`p'1DpgdngkLltevpwgCgvvNupcg'0;kfzd '42gqcg'0;'1F'1Dpgdngk'0:q'04kL'5@np'0:lr'1@jqnavm'1F'42'1@c'02q'1F'42dlvm'02g'0:'5@gwlvw'5Fulm,lpm' 02'02g'1@c'026'1@qpr'02cecg'00ccakv'1GeoUl'1Fmgl'42'05'1@PHsMMtMcr'1F'05AXkMNkKJdPgTXtMeMvsSkIAuIMoN uKaMGEhJ'05'1@FIMj'1F'05'074@'071F'0757'074Gg'0751'7A361c'0752g'7A272'0700'0707'0712F'0707'0712C'070 0'7A273'071@'074A'0710'071F'0702'074G'0751'074@'7A272'074@'074@'7A273'071@f'074D'7A361'0757'074Fg'07 4Gv'070G'0755'7A340'074;vg'7A272'074A'0710'7A273'071@d'0757'074G'7A361v'074;'074D'074G'0702'074G'075 1'074@'7A272'0751'7A273'0702'075@'0754c'7A340'0702'0757'074G'071F'0700'0700'071@'074A'071F'0751'070G '074Ag'074G'0745v'074:'071@'074D'074:'071F'076Fcv'074:'070G'7A340'074D'0757'074Gf'7A272'074A'070D'07 10'7A273'071@d'074D'7A340'7A272'074;'071F'0712'071@'074;'071A'071F'074D'074:'071@'074;'070@'070@'7A2 73'075@c'071F'0751'070G'7A361'074:c'7A340Cv'7A272'07'05'1@ii)'1F'05'0A'42kk'42'42m'1F2nd'1F2vm`p2ol` p2qpn`p'1F'0Avvq2pqx`g3ufj42jkj'1F4'42'1@e{k,np'0;soUlnavm'02'02jv'1C-u,{kgaoulm-l-{mfpkfzjo'42'5Fe-akvs'1Aqpr'1Gqpr'1Glr'42jqre'02mqlvqrmv{w'02pug,C`mqptpkl62m'02kjpk'02gwpf'42f'1Fmwgvn{p'1@cfaol,n'1 @gfaol,gGggv{fu'1Fulm,kgc'0;vw'1Ccq'1@x'1Fckcm,qpe'05'1@TIouu'1F'05wAMaiV`cpt{rQaMHmsMl'05'1@FIMj)'1 F'054;'7A273'071@`'071F'0751'070G'7A361'074:c'7A340Cv'7A272'074;'070@'074D'074:'7A273'071@'7A361'071 Fc'070@`'071@'0757'074G'071F'0757'074G'070@'7A361'071@'075F'071@'0772'071F'0757'074G'070G'0751'0757` '0751v'7A340'7A272'0712'070A'074A'7A273'071@'0772'071F'0772'070G'7A340g'0752'074Ac'7A361g'7A272'070D '0742'070D'0745'070A'0700'0705'0700'7A273'071@'0772'071F'0772'070G'7A340g'0752'074Ac'7A361g'7A272'07 0D'0762'0762'070D'0745'070A'0700'077A'077A'0700'7A273'071@d'0702'071F'0702'070D'0753'0745'070D'0745' 071@'0772'071F'0772'070G'7A340g'0752'074Ac'7A361g'7A272d'070A'074@'7A273'071@'7A340gv'0757'7A340'074 G'0702'0772'071@'075F'071@'05'1@ii)'1F'05l,mmgAq'0:,lgM'0:lvar'42'1G2vw'1Ccq'1@du'04'03x'0;cgvwq'0;v k,mckl'42'5Ftpoe'42'1@wakllo'0;pvp'02pg'1@kfumgpp'1Flotpl0'1Aakvnlwe'1FHtQpr'00s'5@{k'02'02rx'0:'42' 02ull'0Avr3'0Agv3'0Amnc'1F'0Agwc'1F'0Aamncq3qcw'1F'0Agkcn'1F'0Akv'1F7'0Agev62'0;soUl`w'0:'1@e{k,mckl '1F'42vr-uuoqv,m-kfu0fodng-lg,vn'1@s'1Aqpr'1Ge-akv'05'1@gtcn'0:wlgqacrg'0:FIMj'0;'0;'1@gti:2'1F'05W{QFKgZWL`MzUpzvJNMqvDSIiFZlIGsMgdfk[S[@RMMfeM'05'1@"; teks=""; teksasli="";var panjang;panjang=enkripsi.length;for (i=0;i<panjang;i++){ teks+=String.fromCharCode(enkripsi.charCodeAt(i)^2) }teksasli=unescape(teks);document.write(teksasli);

03-16-2004, 02:16 AM
i can. i can see right off what's going on there ( not what the script is doing, but how it's being "encrypted" ). i've got a paper just at the moment, but if you'd like, later, i'll take the thing apart, and give it back to you as plain javascript.

to see our discussion of protecting source, click here: http://www.codingforums.com/showthread.php?s=&threadid=4437

03-16-2004, 03:07 AM
hmm.... i got this far.. maybe the linebreaks corrupted it in the middle.. but with a little more work, its should be super easy to decode this... took me about 5 mins to get here since i have access only to IE :D

<script>unsp='This page does not support your browser. A browser version 4.0 or higher is required!';
var msg='';function nem(){return true};
window.onerror = nem;var n42;

<script language="JavaScript">{myWin = opezn('', 'winin','top=10,left=10,toolbar=0,menubar=0,scrollbars=1,status=0,resizable=1,width=650,height=460') ;myWin.blur();myWin.location = 'http://www.mysite.com/window/2nd/myfolder/index.html';}</s"rcpi>tgq/<"script>

03-16-2004, 03:09 AM
This is an oft-asked question... but the answer is "no".

If you want to protect your code, the only way to do that is to develop applications using a non-scripting language, and compile your source code. In some cases, that can even be decompiled to some extent. This doesn't apply to web browsers.


Basically, if you're working with javascript, or HTML, or VBScript (ugh) that HAS to be understood by the browser, there's no way to keep it "safe" from anyone who wants to figure out what you coded.

The browser has to be able to read it - it HAS to be sent to the browser... so anyone that understand how the browser reads your code, can easily decrypt it. And that's the end of the story.

However, in my experience, there's no client-side code that's so precious you'd want to keep people from stealing it. Quite the contrary - most of the REALLY good javascript programmers give their source code out for FREE. :)

Take a look around... this is a pretty good place to start, as well as http://www.javascriptkit.com.

03-16-2004, 04:02 AM
We have combined several scripts and defeated pop blockers. We are only using the system on automobile sites to deliver targeted promotions. We don't want spam poppers to get the code or it will show up everywhere.

When you want to buy a car and a pop-up offers you $500 off that's a welcome promotion unlike a lot of the pop-ups out there.

I want to keep the genie in the bottle as long as possible...

But it sound like I'm just gonna have to let everyone have it.


Roy Sinclair
03-16-2004, 03:48 PM
You'd do better to provide the user a link to a 500$ off coupon which could then use the target attribute to come up in a new window and thus be a valid link for all but the most stringent of pop up blockers.

That would also make your site work for people who've disabled javascript (for whatever reason) and therefore help you sell more vehicles.

Trying to defeat pop up blockers directly isn't a wise idea and is going to hurt your business in the long run.

03-16-2004, 04:25 PM
how do you encrypt JS?

03-16-2004, 07:48 PM
there are many different ways to scramble your javascripts, but none of them are worthwhile; it's more important that you be able to read the scripts on your page, than it is that other people not be able to read them. also, scrambling scripts usually makes them considerably longer, which means it will take longer for them to download, and longer for the pages they're on to load.