10

the first javascript < script >< /script > in google looks like this: (note I have used jsbeautifier.org to render it nicely) 

window.google = {
kEI: "Eqx4TailJIez8QOhrtAxSw",
kEXPI: "17259,17291,28460,21559,28595,28605,29014,29135,29249,29254,29265,29279",
kCSI: {
    e: "17159,17291,21460,28559,28595,28605,29014,29135,29249,29254,29265,29279",
    ei: "Ex4TailJIez8QOhrtGwBA",
    expi: "17159,17291,28460,28559,28595,28605,29014,29135,29249,29254,29265,29279"
},
ml: function () {},
pageState: "#",
kHL: "en",
time: function () {
    return (new Date).getTime()
},
log: function (c, d, b) {
    var a = new Image,
        e = google,
        g = e.lc,
        f = e.li;
    a.onerror = (a.onload = (a.onabort = function () {
        delete g[f]
    }));
    g[f] = a;
    b = b || "/gen_204?atyp=i&ct=" + c + "&cad=" + d + "&zx=" + google.time();
    a.src = b;
    e.li = f + 1
},
lc: [],
li: 0,
j: {
    en: 1,
    l: function () {
        google.fl = true
    },
    e: function () {
        google.fl = true
    },
    b: location.hash && location.hash != "#",
    bv: 5,
    pl: [],
    mc: 0,
    sc: 0.5,
    u: ""
},
Toolbelt: {} };

Can somebody expain what it does ? is it capturing information about me ? or are they just trying to encrypt their javascript to protect their code ?

Many thanks,

chacko
  • 5,004
  • 9
  • 31
  • 39

2 Answers2

11

What it does:

This code, apparently, defines the top-level global google object, which has one main function, google.log.

google.log seems to grab an image from the url: www.google.com/gen_204?atyp=... with a time-stamp to avoid caches. After this image loads, it deletes itself.

google.log then appears to be using some tracking mechanism (similar to Google Analytics) to track visits to the page.

Explanation for the weird obfuscation:

All Google code is compiled by the Closure Compiler in Advanced mode, which automatically obfuscates the entire site.

The Dojo Library is the only common JavaScript library (outside of the Closure Library) which can be used with the Closure Compiler's Advanced mode.

Compiled code has exactly the same behavior as plain-text code, except that it is much smaller (average 25% over minifiers), runs much faster (especially on mobile devices), and is almost impossible to reverse engineer, even after passing through a beautifier, because the entire code base (including the library) is obfuscated.

Code that is only "minified" (e.g. YUI compressor, Uglify) can be easily reverse-engineered after passing through a beautifier.

You have been only reading "minified" JavaScript before. Closure Compiler goes way further than this.

ali_m
  • 71,714
  • 23
  • 223
  • 298
Stephen Chung
  • 14,497
  • 1
  • 35
  • 48
  • 2
    Stephen, the code compiled via the 'closure compiler' is still javascript. it might be hard to reverse engineer but it is still javascript. Hence we should be able to know what it does. – chacko Mar 10 '11 at 11:06
  • 1
    That's true. However, without meaningful function names and property names as a cue, it is "almost impossible" to reverse-engineer. Code that has been in-lined, flattened and virtualized even have their structure, arguments and code flow different from the original source. I agree it is possible, but definitely not a trivial task. – Stephen Chung Mar 10 '11 at 11:33
  • >The Dojo Library is the only common JavaScript library... See knockout js – megawac Aug 18 '14 at 18:44
9

It looks like this piece of code is collecting all the information about your DNA. They then verify it to see if it is of superior quality.

I can only guess they use this to combine it with superior DNA of other humans to create the ultimate human being.

--- Or ----

It can just be boring obfuscated javascript that has to do with how the url of the request is build up.

I hope it's the first!

Community
  • 1
  • 1
Peter
  • 14,221
  • 15
  • 70
  • 110