
If I put the JavaScript below into javascriptobfuscator.com

Before

```javascript
var a="Hello World!";

function MsgBox(msg){
   alert(msg+"\n"+a);
}

MsgBox("OK");
```

it returns the packed JavaScript below

After

```javascript
var _0xd429=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A","\x4F\x4B"];
var a=_0xd429[0];function MsgBox(_0xdb32x3){alert(_0xdb32x3+_0xd429[1]+a);};
MsgBox(_0xd429[2]);
```

How can I make the same functionality in PHP?

Vipul Vaghasiya
  • that looks like really weird obfuscation. Why would it increase the byte footprint, but then not rename the function to a short function name like `a`? What exactly do you want to do, have a JS minifier/obfuscator that can run on your server? If so, have a look at the YUI, Minify, and Uglify libraries, which all have PHP package equivalents. – Mike 'Pomax' Kamermans Nov 29 '13 at 05:47
  • I want to pack JavaScript on my server using PHP, not using any other library or crossdomain. The above packed JavaScript does not unpack easily, so I want to generate packed JavaScript dynamically using PHP. Any help appreciated. – Vipul Vaghasiya Nov 29 '13 at 06:00
  • http://stackoverflow.com/questions/9633829/looking-for-a-css-and-for-a-js-file-merger-and-minimizer http://stackoverflow.com/questions/868857/combining-and-compressing-multiple-javascript-files-in-php – Ruben Kazumov Nov 29 '13 at 06:41
  • I want to secure my JavaScript code, not to minimize it. – Vipul Vaghasiya Nov 29 '13 at 06:45
  • there is another post about this where apparently they didn't even justify it with an answer really http://stackoverflow.com/questions/18497597/how-to-obfuscate-javascript-using-php?rq=1 – jm0 Nov 29 '13 at 15:58
  • you can't "secure" javascript: you're going to give it away to people and they will be able to run any prettifier to have fully readable javascript again. And if your javascript is good, it'll be well written, so unless you purposefully write really crap JS, people will be able to read the reprettified source just fine. If you want to prevent people from seeing your JS: put that effort into making good content first. People don't care about your JS unless you go to great length to hide it from them. – Mike 'Pomax' Kamermans Nov 29 '13 at 17:22

2 Answers

Static asset minifying and file merges are accomplished automatically in many web frameworks (in Rails this concept is called the "asset pipeline"). You need to use a framework that has an asset minification/compilation scheme that suits you, otherwise either

  1. use a build tool that watches your codebase and executes automatically if you change any files
  2. write a build script and execute it yourself when creating a build

Assetic seems to be a PHP tool of choice that does all this for you.

https://github.com/kriswallsmith/assetic

Also, Asset Pipeline/Framework for PHP

jm0
  • I want to secure my JavaScript code and make it unreadable, not to minimize it. – Vipul Vaghasiya Nov 29 '13 at 06:47
  • same concept, you just have to find an obfuscator tool and put it in a build script. the harder issue is doing it automatically. A tool like Jenkins CI server could accomplish this but could be hard to learn if you're not familiar with the problem space – jm0 Nov 29 '13 at 06:56
  • I edited the answer with a tool I found that seems to be a common PHP methodology and includes uglify filters. – jm0 Nov 29 '13 at 07:35
  • Asset pipeline framework uses YUI Compressor to pack JavaScript but it has been unpacked easily! – Vipul Vaghasiya Nov 29 '13 at 09:40
  • There are many different filters available within Assetic. If the one you want is not there I recommend contacting the author about possibly including it, figuring out how Assetic works and including it (it's open source after all), finding a different but similar tool that has the functionality you want. As the other poster mentioned, this is not 100% secure so generally people don't even bother with obfuscation. If you can't find an asset pipeline tool for it and don't know how to modify an existing tool, you may be stuck executing a hand-written script with an obfuscator tool. – jm0 Nov 29 '13 at 15:44

I beg the question

  • Why do you want to secure your javascript?

Just making it unreadable to humans does not mean someone with Asperger's or with enough motivation to deobfuscate it cannot.

  • If you are protecting your script because you don't want people to recycle it, then minify (manually or automatically through frameworks and plugins).
  • If you have other security concerns then I think your time is better spent elsewhere

Sorry if this sounds harsh but I wasted a lot of time on this before realizing how futile and useless this endeavour turned out to be

hanzo2001
  • Minified script can be easily unpacked also. I have a dynamically generated script, so I can't use any third-party library every time. That's why I am finding my own solution using PHP, like http://javascriptobfuscator.com/ – Vipul Vaghasiya Nov 29 '13 at 10:48
  • **dynamically generated javascript**? I think I've been down this road before. I hope you know what you are getting into, otherwise you will reach a nightmare like no other. I'd like to help more but I would need to know **why** you need your javascript to be generated dynamically. There could be other solutions to your problem that do not involve php getting into javascript unwarrantedly – hanzo2001 Nov 29 '13 at 10:54
  • Keep in mind that as your JavaScript code will run in the client side, the user **always** will be able to see what code is being run. Security through obscurity is not security at all. – Guilherme Sehn Nov 29 '13 at 11:11
  • Let me be clear. I have one web app containing one JS file. Its configuration changes every time and I want to keep it private (not readable, packed). How can I do that using PHP? – Vipul Vaghasiya Nov 29 '13 at 11:16
  • here's the thing... javascript cannot be unreadable to the browser. You may make as many transformations to it as you want, but in the end it still has to be parseable. Therefore, whether you obfuscate, minify (which is also obfuscation), or both, done by you or 3rd parties, your code will not be safe, or secure. Javascript is not supposed to be a secure format. I'm sorry to say this but if your app depends on the fact that your javascript is unreadable to humans you are doing things the wrong way. As a side note, if there is sensible information in js, do something about it sooner than later – hanzo2001 Nov 29 '13 at 11:29
  • I know JavaScript is a client-side script but I want an answer to my simple question: "How to obfuscate JavaScript using PHP like javascriptobfuscator.com?" – Vipul Vaghasiya Nov 29 '13 at 11:44
  • oh, now I get it! you want to implement the functionality of an existing service to _"protect"_ your files. I think what you are looking for cannot be answered here, it looks more like a project of parsing javascript through php, that means you want to build your own parser, with its own lexicon, that reads through the javascript file, saving tokens to identifiers and then... you get the picture. 1st you build your parser. 2nd you create your dynamic js files as streams. 3rd you pass the streams through the parser. Last you hope the browser can still read them. Yup, this is a whole project – hanzo2001 Nov 29 '13 at 11:54
  • There is no need to question motives, this is a pretty straight 1:1 question asking for a tool. It's true that this is not the best method for securing a site but it may have use cases. Assetic for PHP gives many filter options for static assets. – jm0 Nov 29 '13 at 15:37
  • I'll just use my newly acquired rights from [stackexchange](http://blog.stackoverflow.com/2011/06/optimizing-for-pearls-not-sand/) and ignore this question. sorry, but @jm0 gives a good answer – hanzo2001 Nov 29 '13 at 15:47
  • Your input was valuable and deserves a place on the page even if it's not a direct answer ;) – jm0 Nov 29 '13 at 15:49
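
The point made in the comments, that string-array packing like the question's "After" sample is mechanically reversible, shown as an added example (not code from the thread or from javascriptobfuscator.com). It decodes the `\x` lookup table and inlines it; the function names and the `argN` placeholder names are assumptions of this example.

```javascript
// Packed sample copied verbatim from the question's "After" block.
const packed = String.raw`var _0xd429=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A","\x4F\x4B"];
var a=_0xd429[0];function MsgBox(_0xdb32x3){alert(_0xdb32x3+_0xd429[1]+a);};
MsgBox(_0xd429[2]);`;

// Decode the \xHH and \uHHHH escapes this style of packer emits.
// Other escape forms are left untouched (limitation of this sketch).
function decodeStringLiteral(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

function unpackStringArray(source) {
  // 1. Locate the lookup table: var _0xNAME=["...","..."];
  const decl = /var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:"(?:[^"\\]|\\.)*"\s*,?\s*)*)\]\s*;?/
    .exec(source);
  if (!decl) return { table: [], code: source };   // not this packing style
  const [whole, name, items] = decl;
  const table = (items.match(/"(?:[^"\\]|\\.)*"/g) || [])
    .map(s => decodeStringLiteral(s.slice(1, -1)));

  // 2. Drop the table and inline every NAME[i] as a readable literal.
  let code = source.replace(whole, "");
  code = code.replace(new RegExp(name + "\\[(\\d+)\\]", "g"),
    (m, i) => Number(i) < table.length ? JSON.stringify(table[Number(i)]) : m);

  // 3. Rename the remaining _0x... identifiers to stable placeholders.
  const seen = new Map();
  code = code.replace(/_0x[0-9a-f]+(?:x\d+)?/g, id => {
    if (!seen.has(id)) seen.set(id, "arg" + (seen.size + 1));
    return seen.get(id);
  });
  return { table, code: code.trim() };
}

const result = unpackStringArray(packed);
console.log(result.table);
console.log(result.code);
```

Everything the packer hid is recovered except the original parameter name `msg`, which carries no behaviour.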