Hacker News
JSNice: Statistical renaming, type inference, and deobfuscation (jsnice.org)
110 points by henridf on Nov 15, 2016 | 24 comments

I'd like to know more about how it picks variable names. Running it on non-obfuscated code is amusing. It occasionally comes up with better names for my variables than the ones I had picked.

It has read lots of code before reading yours: http://www.srl.inf.ethz.ch/jsnice.php

Arguably code with better names than the OP's code ;)

I tried to de-obfuscate some HTML5 games that I made and the result was bad, marginally better than some naive JS beautifiers.

Yes, we all know that it's pointless to obfuscate client side code, but this serves as a simple deterrent. I've had games copied/pasted on some Chinese website and this seems to avoid that.

I used this [0] to obfuscate, which is free and open-source. You can also try it online here [1] if you don't feel like installing the Node.js package just for playing with it.

Disclosure: I built the web interface [1] to the obfuscator, which is also open source.

[0]: https://github.com/javascript-obfuscator/javascript-obfuscat...
[1]: https://javascriptobfuscator.herokuapp.com/

I always see ads from JScrambler, does this really work?

I used JScrambler before and I really liked it. If you don't mind the monthly fee, I'd say go for it.

They do nice stuff, like hiding some of your strings, other literals and random predicates inside an encrypted string. This is decrypted and eval'd at runtime using the text of the decrypt function as a parameter, i.e., you can't beautify it, otherwise it stops working. The random predicates are merged within your code, for instance: it appends a `&& somePredicateThatReturnsTrue(someOtherRandomValue)` to if conditions. It makes it really hard to figure out what is happening.

Just as a general thought, not specific to this product:

> This is decrypted and eval'd at runtime

Most (all?) string-based obfuscators can be bypassed by simply replacing eval with a logging eval implementation.

  var oldEval = eval; // keep a reference to the real eval
  eval = function(str){console.log(str); return oldEval(str)}; // log, then evaluate and return the result

A similar patch to the Function constructor can bypass the other easy dynamic code generation code path.

If at some point, a string needs to be evaluated as code, then it's possible to intercept that code and output it.

That didn't work on JScrambler. The function that does the decryption checks to see if the `eval` has been tampered with. (IIRC it checks for a `prototype` property). And you can't modify the body of this function, otherwise the decryption fails.
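The logging hook from the comment above, extended to the Function constructor and paired with the kind of `prototype` check the reply recalls, as an added example that is not part of the original thread. The names `captureDynamicCode`, `looksTampered` and `obfuscatedSample` are hypothetical, and the sample input is constructed.

```javascript
// Added example (not from the thread): log strings that reach eval / Function.
// Tamper check as described in the reply: a native eval has no own `prototype`
// property, while a plain `function` wrapper does.
function looksTampered(fn) {
  return Object.prototype.hasOwnProperty.call(fn, 'prototype');
}

function captureDynamicCode(run) {
  const captured = [];
  const realEval = globalThis.eval;
  const RealFunction = globalThis.Function;

  globalThis.eval = function (src) {
    captured.push({ via: 'eval', src: String(src) });
    return realEval(src); // indirect eval: evaluates in global scope
  };
  globalThis.Function = function (...args) {
    // The last argument is the function body; earlier ones are parameter names.
    const body = args.length ? args[args.length - 1] : '';
    captured.push({ via: 'Function', src: String(body) });
    return RealFunction(...args);
  };
  globalThis.Function.prototype = RealFunction.prototype; // keep instanceof intact

  try {
    const hookDetectable = looksTampered(globalThis.eval);
    return { result: run(), captured, hookDetectable };
  } finally {
    // Always restore the real built-ins, even if the sample throws.
    globalThis.eval = realEval;
    globalThis.Function = RealFunction;
  }
}

// Constructed sample standing in for string-based obfuscator output:
// the code strings are stored reversed and decoded just before use.
const decode = (s) => s.split('').reverse().join('');
function obfuscatedSample() {
  const a = eval(decode('2 * 12'));                    // decodes to "21 * 2"
  return new Function('x', decode('1 + x nruter'))(a); // "return x + 1"
}

const report = captureDynamicCode(obfuscatedSample);
console.log(report);
```

`hookDetectable` is `true` while the wrapper is installed, which is why a check like the one described in the reply notices this kind of hook.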

So, all you need is to break a longer eval into multiple smaller ones, shuffle them and thus make it a chore to connect the evals back.

tried it, does not work I'm afraid...

Ah, but they're SaaS, right?

So no webpack plugin, I guess :)

They're SaaS and I believe they do have a webpack plugin (I used their grunt plugin). The plugin will send your code to their servers and wait for it to come back.

Not sure what exactly they're promising wrt. the quality of obfuscation, but if it actually works "well enough" you'd imagine they should be happy for you to run an obfuscated version of their code[1] rather than shipping your JS to their servers. Hmm... :)

[1] I'm assuming it's written in JS. It might not, of course.

There's also an on-premises version, if you don't want to send your code elsewhere... but I guess it might need a bit of investment...

Oh lord... thanks for the info :)

I'm a big fan of JSNice - it's easily the best JS beautifier I've used. It's twice saved my bacon, really helping to make sense of some horrible, buggy third-party code.

It would be useful to have this for other languages. I'd love to have it for some of the VB.net and C# I have seen.

It would be cool if they made an API that an editor could interact with.

I really like this. Is it using the flowtype notation?

They are probably using Closure in the background, using the new type inference with the compiler, to collect the meta information.

Yes, the paper JS Nice is based on calls out that they use the Closure Compiler as a backend: http://www.srl.inf.ethz.ch/papers/jsnice15.pdf

Doesn't seem to work with ES6 and imports? :(

It doesn't work with much of ES6 at all
