Hiding javascipt functions from visiteurs

[vediam]

Hi All,

Some of web sites (like http://www.marysbridal.com/bridal/5704.htm) uses encrypted java script code to hide javascript from users.

Code:

<SCRIPT LANGUAGE="JavaScript">
<!--
document.write(unescape("%3C%53%43%52%49%50%54%20%4 .........."))
-->
</script>

How can I do this?

[Pepejeria]

That is a very lame way to hide code...

Code:

<textarea id="output"></textarea>

<script>
var code = "&#37;3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%30%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E";

document.getElementById("output").value = unescape(code);
</script>

[SimplyFu]

crunch your js, remove all white space, and obfuscate it.

[SimplyFu]

this link brings you to one obfuscator that is free out there. Hope this might help.

[vediam]

Code:

var code = "%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%30%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%73%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E";]

How did you produce this code?

I'm looking to make my javascipt code like above.

[Pepejeria]

How did you produce this code?

I'm looking to make my javascipt code like above.

And exactly what would be the point of that? Its not like you will be hiding code or something. It takes, as you saw, 0.01 seconds to see the real code.

[vediam]

I'm just seeing a code like %3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22

I want to convert my JS code like this.

[Pepejeria]

Sure, but what would be the point of having your code like that? I am curious.

[Buddy Bradley]

Presumably his code is so incredible he doesn't want anyone else to see it. Although if that were the case, you have to wonder why he needs to ask for help to accomplish this...

[mrhoo]

The kind of personal data that needs to be encripted- account numbers and addresses and so on, shouldn't ever be in a javascript source code,no matter how well you obfuscate it.

[DeNasio]

Stop discussing as to why he wants to encrypt his javascript code. If you guys can't help him or won't help him then you do not need to reply!

Jeez!

[Pepejeria]

Explaining to him and asking him what he wants to achieve with this is perfectly valid for this thread. And that is more that I can say about your comment.

[DeNasio]

Explaining to him and asking him what he wants to achieve with this is perfectly valid for this thread. And that is more that I can say about your comment.

Explaining to him and asking him is ok. But can you tell me what kind of explanation or question you are asking with your comments below?

That is a very lame way to hide code...

And exactly what would be the point of that? Its not like you will be hiding code or something. It takes, as you saw, 0.01 seconds to see the real code.

[chrisdpucci]

If you really want to hide your javascript, why not google "javascript encryption" or "javascript obsfucation" or even "protect javascript". The answers are out there and easy to find if you take the time to look.

[Pepejeria]

DeNasio. Sorry, no offense, but do you come from a family with Stasi background?

[DeNasio]

DeNasio. Sorry, no offense, but do you come from a family with Stasi background?

No, do you?

[Pepejeria]

vediam,

Code:

<xmp id="code">
<script type="text/javascript">
function greatScript() {
	alert("really");
}

greatScript();
</script>
</xmp>

<textarea id="superMegaEncryptedCode"></textarea>

<script>
var code = document.getElementById("code");
var output = document.getElementById("superMegaEncryptedCode");

output.value = escape(code.innerHTML);
</script>

grab the code in the text area and paste it in between where it says <here>

Code:

document.write(unescape(<here>));

But again, you don't gain anything from doing this

[felgall]

Since

document.write(unescape("&#37;3C%53%43%52%49%50%54%20%4 .........."))

is unescaping the content it is equivalent to

document.write("<SCRIPT ..........")

which can be easily determined simply by running the code through the unescape function.

See http://www.felgall.com/javamet6.htm where I have a form that makes it easy to do this.

[vediam]

I'm just seeing a code like %3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22

I want to convert my JS code like this.

Because, I do it sometinh special, and I don't want to somebody see this.

But as I see, escape code is not safely protect my javascript code.

[felgall]

I have a slightly more effective Javascript encryptor at http://javascript.about.com/library/blenc.htm

This one doesn't increase the size of the code as much because it just converts one character to another single character instead of to three characters so the only additional overhead is the code to convert it back. That conversion code is "escaped" to make the whole thing not so easy to read.

For someone to get your original code back from this they would first need to unescape the conversion code and then set up to run the rest of the code through that converter to recover the original code. This would result in them needing to spend a minute or two extracting the original Javascript rather than the seconds that just unescaping requires and is about as much protection as you can apply to Javascript code.

I have been unable to determine any more effective way of protecting Javascript code than that since the browser needs to be able to decode the encryption in order to run the script and the decryption code therefore must be part of the script itself.

JScript (Microsoft's version of Javascript) does have a better encryption method that can be used with it where the decryptor is built into the browser rather than needing to be supplied as part of the script but using that method limits your script to only being able to work on IE and even that only makes it slightly harder to decrypt.

[kyberfabrikken]

This would result in them needing to spend a minute or two extracting the original Javascript rather than the seconds that just unescaping requires and is about as much protection as you can apply to Javascript code.

Actually, redefining document.write does the trick.

Because, I do it sometinh special, and I don't want to somebody see this.

But as I see, escape code is not safely protect my javascript code.

What you're asking is basically impossible. Sorry, but you need to rethink your strategy.

[vediam]

What you're asking is basically impossible.

Actualy, I don't asking for impossible. I know it isn't secure to view source code. But, if It's difficult to read, difficult to solve, difficult to understant for somebody who is interested in, it will be enough for me.

[vediam]

I have been unable to determine any more effective way of protecting Javascript code than that since the browser needs to be able to decode the encryption in order to run the script and the decryption code therefore must be part of the script itself.

Thank you for your time. Your message was very valuable for me.

[felgall]

Actually, redefining document.write does the trick.

That is assuming that the code actually uses the antiquated document.write method of writing to the page from Javascript. All modern scripts would use DOM calls or innerHTML and so redefining document.write would have no effect.