0

If I obfuscate javascript code how does the browser process/understand it?

Second if I want to obfuscate a short script in an HTML what are the steps I need to take to do that as I've never doen this before? Do I paste javascript into some sort of tool and which 'scrambles' it and then I paste the results back into my html page?

Thanks

user2976086
  • 53
  • 7
  • http://stackoverflow.com/questions/194397/how-can-i-obfuscateprotect-javascript?rq=1 – sbeliv01 Jun 13 '14 at 13:44
  • 2
    Obfuscating javascript still outputs javascript. – Patrick Hofman Jun 13 '14 at 13:45
  • Obfuscation renames most or all variable names, property names, function names etc. into something more difficult for a human to understand. You can use [jsobfuscator](http://www.jsobfuscate.com/) to do this. – thykka Jun 13 '14 at 13:46
  • 1
    @Patrick - But it doesn't look look javascript it looks like random letters, numbers and symbols - how can the browser 'understand' it? – user2976086 Jun 13 '14 at 13:47
  • That you can't read it is it's entire purpose, but it is still javascript and thus a browser can read it. – Patrick Hofman Jun 13 '14 at 13:48
  • Closer: OP didn't ask for a tool. He asked for an explanation of how obfuscation works. Sheesh. – Ira Baxter Jun 13 '14 at 13:55
  • @IraBaxter: I do understand why one would close. The first part of the question is quite broad, the second part says: "what are the steps I need to take to do that". The link provided by sbeliv01 explains that. – Patrick Hofman Jun 13 '14 at 13:57
  • 1
    @PatrickHofman: "quite broad?" He asked why an obuscator should work; that's a pretty narrow question. "What are the steps...?" Almost every SO question ultimately turns into that. I don't see a decent close reason. – Ira Baxter Jun 13 '14 at 13:59

1 Answers1

6

The secret to obfuscation is the browser never "understood" the original pretty program in the first place, and in fact does not need to understand it. All it does is execute the individual bits of the program in the order the program says. This is the point of Turing machines; mere local symbol manipulation is enough to do any computation.

So, your pretty program is executed as little bits, each of which does something specific; e.g. 

   x = y + z;  // sum the elements
   if (p)  q = 1; // handle special condition
   print(x+q);  // produce the answer

An obfuscator tool scrambles the names used by the bits in consistent way, and may shuffle the bits of computation about in a way that don't affect the result, e.g.,

   if (r7)  p52= 1; // handle special condition
   c17 = n9 + b12; // sum the elements
   print(p52+c17); // produce the answer

Often comments and whitespace that are key help to readability are removed:

   if(r7)p52=1;c17=n9+b12;print(p52+c17);

So when the obfuscated program is run, it computes the same results, and puts them in equivalent places.

Net result: the obfuscated program does the same thing as the original.

Yes, you need a tool to do this; you can't do this by hand to any program of any real size reliably. Good obfuscators will obfuscate javascript embedded in HTML pages directly; you don't need to do any hand cutting and pasting. They are easy find with Google; you can also find a variety of them via my bio.

Ira Baxter
  • 93,541
  • 22
  • 172
  • 341