
JSNice: Statistical renaming, type inference, and deobfuscation - henridf
http://www.jsnice.org/
======
andybak
I'd like to know more about how it picks variable names. Running it on non-
obfuscated code is amusing. It occasionally comes up with better names for my
variables than the ones I had picked.

~~~
unhammer
It has read lots of code before reading yours:
[http://www.srl.inf.ethz.ch/jsnice.php](http://www.srl.inf.ethz.ch/jsnice.php)

~~~
wereHamster
Arguably code with better names than the OP's code ;)

------
slig
I tried to de-obfuscate some HTML5 games that I made and the result was bad,
marginally better than some naive JS beautifiers.

Yes, we all know that it's pointless to obfuscate client side code, but this
serves as a simple deterrent. I've had games copied/pasted on some Chinese
website and this seems to avoid that.

I used this [0] to obfuscate, which is free and open-source. You can also try
it online here [1] if you don't feel like installing the Node.js package just
for playing with it.

disclosure: I built the web interface [1] to the obfuscator, which is also
open source.

[0]: [https://github.com/javascript-obfuscator/javascript-obfuscator](https://github.com/javascript-obfuscator/javascript-obfuscator)
[1]: [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com/)

~~~
k__
I always see ads from JScrambler, does this really work?

~~~
slig
I used JScrambler before and I really liked it. If you don't mind the monthly
fee, I'd say go for it.

They do nice stuff, like hiding some of your strings, other literals and
random predicates inside an encrypted string. This is decrypted and eval'd at
runtime using the text of the decrypt function as a parameter, i.e., you can't
beautify it, otherwise it stops working. The random predicates are merged
within your code, for instance: it appends a
`&& somePredicateThatReturnsTrue(someOtherRandomValue)` to if conditions. It
makes it really hard to figure out what is happening.

~~~
dsp1234
Just as a general thought, not specific to this product:

 _This is decrypted and eval'd at runtime_

Most (all?) string-based obfuscators can be bypassed by simply replacing eval
with a logging eval implementation.

    // Keep the native eval, then log each string before it is evaluated.
    var oldEval = eval;
    eval = function (str) { console.log(str); return oldEval(str); };


A similar patch to the Function constructor can bypass the other easy dynamic
code generation code path.

If at some point, a string needs to be evaluated as code, then it's possible
to intercept that code and output it.
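
The hook described in the comment above, extended to the Function constructor it mentions, as an added example that is not part of the original comment or of any tool named in the thread. The names `traceDynamicCode` and `packedSample` are hypothetical, and the sample script is constructed.

```javascript
// Record every string passed to eval() or Function() while `run` executes.
function traceDynamicCode(run) {
  const captured = []; // { seq, via, source } in the order code was generated
  const nativeEval = globalThis.eval;
  const NativeFunction = globalThis.Function;
  const record = (via, source) =>
    captured.push({ seq: captured.length, via, source: String(source) });

  // A wrapped eval is an *indirect* eval: the string runs in global scope, so a
  // payload that reads the caller's local variables will not see them.
  globalThis.eval = function (src) {
    if (typeof src === "string") record("eval", src);
    return nativeEval(src); // keep the return value, callers may depend on it
  };

  // A Proxy keeps `instanceof Function` and the prototype chain intact while
  // trapping both Function("...") and new Function("..."); the body is the last arg.
  const body = (args) => (args.length ? args[args.length - 1] : "");
  const loggingFunction = new Proxy(NativeFunction, {
    apply(target, thisArg, args) {
      record("Function", body(args));
      return Reflect.apply(target, thisArg, args);
    },
    construct(target, args) {
      record("Function", body(args));
      return Reflect.construct(target, args);
    },
  });
  globalThis.Function = loggingFunction;
  // Also covers the common (function(){}).constructor("...") route.
  NativeFunction.prototype.constructor = loggingFunction;
  try {
    run();
  } finally { // always restore the originals, even if the script throws
    globalThis.eval = nativeEval;
    globalThis.Function = NativeFunction;
    NativeFunction.prototype.constructor = NativeFunction;
  }
  return captured;
}

// Constructed sample (not from the thread): rebuilds its code from char codes.
function packedSample() {
  const stage1 = [49, 43, 49].map((c) => String.fromCharCode(c)).join("");
  const two = eval(stage1); // evaluates "1+1"
  const stage2 = (function () {}).constructor("x", "return x * 21");
  return stage2(two);
}
```

The logged code still executes, so an untrusted script belongs in an isolated environment; the `seq` field preserves the order in which the pieces were generated.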

~~~
visarga
So, all you need is to break a longer eval into multiple smaller ones, shuffle
them and thus make it a chore to connect the evals back.

~~~
r0ckcg
tried it, does not work I'm afraid...

------
jwarren
I'm a big fan of JSNice - it's easily the best JS beautifier I've used. It's
twice saved my bacon, really helping to make sense of some horrible, buggy
third-party code.

------
kwhitefoot
It would be useful to have this for other languages. I'd love to have it for
some of the VB.net and C# I have seen.

------
z3t4
It would be cool if they made an API that an editor could interact with.

------
bflesch
I really like this. Is it using the flowtype notation?

~~~
phpnode
These are closure type annotations -
[https://github.com/google/closure-compiler/wiki/Annotating-JavaScript-for-the-Closure-Compiler](https://github.com/google/closure-compiler/wiki/Annotating-JavaScript-for-the-Closure-Compiler)

~~~
lennelpennel
They are probably using closure in the background, using the new type
inference with the compiler, to collect the meta information.

~~~
kevinoconnor7
Yes, the paper JS Nice is based on calls out that they use the Closure
Compiler as a backend:
[http://www.srl.inf.ethz.ch/papers/jsnice15.pdf](http://www.srl.inf.ethz.ch/papers/jsnice15.pdf)

------
sethx
Doesn't seem to work with ES6 and imports? :(

~~~
SparkyMcUnicorn
It doesn't work with much of ES6 at all

