Implementing Code Obfuscation

(function () {
var _0x58c743 = { ‘JVMld’: ‘Hello\x20everyone!!’ };
console[‘log’](_0x58c743[‘JVMld’]);
}());
Confused??
Don’t be, that’s a very simple function printing “Hello everyone!!”.
But what are these alien characters in between??
That’s something I call “the real power of code obfuscation!”. A simple program is converted to such a form that it becomes difficult to understand the core logic of the code written. As promised, we will unlock this power of code obfuscation together in this article.
In our previous article, we learned about code obfuscation, the need for it, and some techniques of code obfuscation along with some real world examples that led us to basic understanding of code obfuscation. Now as promised, here is part-2, in which we are going to learn how to implement code obfuscation in our code.
Disclaimer: Unlike previous article in this series, this article will target a more technical audience. Feel free to skip the technical part if you want to.
What is Code obfuscation?
Before going to the implementation part, let’s have a quick recap. Code obfuscation is the technique of making the source code of an application difficult to read and comprehend so that it’s reverse engineering by third party becomes difficult, even with the use of tools designed for that purpose.
How do we implement code obfuscation techniques?
Now here comes the most awaited part of this blog, “the implementation”. There are various code obfuscation tools available online. But one of my favourites is javascript-obfuscator, which can be obtained as an npm package and used under BSD –2 clause open source license. This module provides a huge range of obfuscation options. We can always customize the security level of obfuscated code based on our requirement.
To install javascript-obfuscator npm package, use the command:
npm install — save-dev javascript-obfuscator
Now, to obfuscate our code, we use the obfuscate() method,
obfuscate(sourceCode, options)
This method returns an object which contains two methods,
- getObfuscatedCode() — returns string with obfuscated code.
- getSourceMap() — if sourceMap option is enabled — returns string with source map or an empty string if sourceMapMode option is set as ‘inline’.
It takes two parameters, sourceCode and options:
- sourceCode (string, default: null) — any valid source code, passed as a string.
- options (Object, default: null) — an object with options.
Now, to generate the above message with those alien words, let’s write a simple code using the methods described above.
var JavaScriptObfuscator = require(‘javascript-obfuscator’);
var obfuscationResult = JavaScriptObfuscator.obfuscate(
`
(function(){
console.log(“Hello everyone!!”);
})();
`,
{
compact: false,
controlFlowFlattening: true
}
);
console.log(obfuscationResult.getObfuscatedCode());
These few lines of code have provided a further layer of security to our simple code logic. As mentioned earlier, the level of security can be customized as per our requirements.
Note that doing so depends on how much we are willing to trade-off our code’s execution efficiency.
That was the basic code obfuscation of code written in a file. We can also obfuscate an entire project at once using the CLI technique of code obfuscation.
In the next part of this article, we will look at how we can obfuscate a complete project containing various files in one go. In the upcoming parts, we will learn more about obfuscation options and how to use them to increase code security.
I hope you found this article helpful. For more information about javascript obfuscator, check out https://www.npmjs.com/package/javascript-obfuscator.
The javascript-obfuscator library is copyrighted by Timofy Kachalov. npm is a registered trademark of npm, Inc. DLT Labs is a trademark of DLT Global, Inc..
Author — Prakhar Goel, DLT Labs™
About the Author: Prakhar is a young professional, currently working as a NodeJs developer in our DL-Asset Track product team.
