Posted by Jerry Stuckle on 06/02/06 12:32
Roman Ziak wrote:
> Jerry Stuckle wrote:
>
>>universalbitmapper wrote:
>>
>>>I'm sorry, my message is not clear.
>>>
>>>Please check this link and look for Stunnix javascript + obfuscator:
>>>
>>>http://www.sharewareplaza.com/Java-JavaScript-category_119_12.html
>>>
>>>the price is $280
>>>
>>>I can't do much with php alone, obviously I need javascript, css, calls
>>>to httprequest,
>>>interactivity with MySQL and so on.
>>>
>>>From what I gathered, as the browser has to load javascript, the only
>>>thing the obfuscator can do
>>>is remove explicit variable names, indentation, in order to display
>>>garbled-like source in the javascript console.
>>>Some obfuscators cost $20, some have a site licence of $1000.
>>>What do you think?
>>>
>>
>>It only "hides" the code from the casual observer. The browser has to be
>>able to execute the code, so it's still there in plain sight. Just
>>harder to understand.
>>
>
>
> Stripping comments, packing, replacing variable names - every step
> narrows the group of people having the skills and willing to take the time.
> This group cannot be completely eliminated - even compiled programs are
> vulnerable to a skilled hacker who will recognize algorithms from machine
> code.
>
> Even if code is running in a single-package CPU without the possibility to
> read it back, with a certain level of effort the plastic package can be
> removed and a hacker could tap directly into the internal bus.
>
> My point is that by taking those above-mentioned steps, the code gets a
> practical level of protection.
Javascript code is typically very short - and uncommented (look at pages on
different sites - how many have useful comments anyway?).
Any decent code tidier will unpack the file into something readable.
Good variable names do make the code more readable. However, reasonable
variable names can be easily inferred from calls to system functions and other
actions.
In short, obfuscating javascript code is going to slow down a programmer maybe
10 minutes. 15 minutes if it's really big code. The only people who call it
protection are those who sell obfuscators - or someone who is really clueless.
And you're going really off the wall. This has nothing to do with compiled
programs. And you don't need to tap directly into an internal bus.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
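To make the point of the thread concrete, here is an added example (not code from the original posters or from any obfuscator product) of a toy obfuscator that does the three things discussed above: strips comments, renames identifiers and packs whitespace. It then shows what survives untouched in the result: every string literal, every call to a built-in such as `indexOf`, and the full behaviour of the function, which a reader can recover by re-indenting the packed text. The sample snippet, the identifier list and the licence-key values are all constructed for this demonstration.

```javascript
// Added example, not from the original thread. All names and the sample
// snippet below are constructed for illustration.

// A small client-side check of the kind a site owner might hope to "protect".
const original = `
// Validate a licence key before unlocking the premium feature
function validateLicence(licenceKey) {
  var expectedPrefix = "PRO-2006";
  return licenceKey.indexOf(expectedPrefix) === 0;
}
`;

// Step 1 ("stripping comments"): remove // comments.
function stripComments(src) {
  return src.replace(/\/\/[^\n]*/g, "");
}

// Step 2 ("replacing variable names"): rename the snippet's own identifiers
// to _0, _1, ... Built-in names (indexOf) are not ours to rename, so they stay.
function renameIdentifiers(src, names) {
  let out = src;
  names.forEach((name, i) => {
    out = out.replace(new RegExp("\\b" + name + "\\b", "g"), "_" + i);
  });
  return out;
}

// Step 3 ("packing"): collapse all whitespace runs to one space.
// (Toy: this also collapses whitespace inside string literals.)
function pack(src) {
  return src.replace(/\s+/g, " ").trim();
}

function obfuscate(src, names) {
  return pack(renameIdentifiers(stripComments(src), names));
}

// What a reader still sees in the obfuscated text: the string literals ...
function extractStringLiterals(src) {
  return (src.match(/"[^"]*"/g) || []).map(s => s.slice(1, -1));
}

// ... and the calls to browser/language built-ins, which cannot be renamed.
function extractBuiltinCalls(src) {
  return (src.match(/\.\w+\(/g) || []).map(s => s.slice(1, -1));
}

// The "code tidier" from the reply: re-indent packed code on { ; } boundaries.
function tidy(packed) {
  let depth = 0;
  let out = "";
  for (const ch of packed) {
    if (ch === " " && /\s$/.test(out)) continue; // drop doubled whitespace
    if (ch === "}") {
      depth -= 1;
      out = out.trimEnd() + "\n" + "  ".repeat(depth);
    }
    out += ch;
    if (ch === "{") {
      depth += 1;
      out += "\n" + "  ".repeat(depth);
    } else if (ch === ";") {
      out += "\n" + "  ".repeat(depth);
    }
  }
  return out.replace(/[ \t]+\n/g, "\n").trim();
}

const obfuscated = obfuscate(original, [
  "validateLicence",
  "licenceKey",
  "expectedPrefix",
]);

// The browser must still be able to run it: load the obfuscated text and
// return the (renamed) function so its behaviour can be checked directly.
function loadObfuscated() {
  return new Function(obfuscated + " return _0;")();
}

console.log("packed:   ", obfuscated);
console.log("tidied:\n" + tidy(obfuscated));
console.log("literals: ", extractStringLiterals(obfuscated));
console.log("builtins: ", extractBuiltinCalls(obfuscated));
```

Running it prints the packed one-liner, the re-indented version, and the literal `PRO-2006` and call `indexOf` that neither renaming nor packing could remove; the loaded function accepts and rejects exactly the same keys as the original.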