Posted by Roman Ziak on 06/02/06 12:55
Jerry Stuckle wrote:
> Roman Ziak wrote:
>> Jerry Stuckle wrote:
>>
>>> universalbitmapper wrote:
>>>
>>>> I'm sorry, my message is not clear.
>>>>
>>>> Please check this link and look for Stunnix javascript + obfuscator:
>>>>
>>>> http://www.sharewareplaza.com/Java-JavaScript-category_119_12.html
>>>>
>>>> the price is 280 $
>>>>
>>>> I can't do much with php alone, obviously I need javascript, css, calls
>>>> to hhtpdrequest,
>>>> interactivity with MySQL and so on.
>>>>
>>>> From what I gathered, as the browser has to load javascript, the only
>>>> thing the obfuscator can do
>>>> is remove explicit variable names, indentation, in order to display
>>>> garbled-like source in the javascript console.
>>>> Some obfuscators cost 20$, some have a site licence of 1000$
>>>> What do you think?
>>>>
>>>
>>> It only "hides" the code from the casual observer. The browser has to be
>>> able to execute the code, so it's still there in plain sight. Just
>>> harder to understand.
>>>
>>
>>
>> Stripping comments, packing, replacing variable names - every step
>> narrows the group of people having the skills and willing to take time.
>> This group cannot be completely eliminated - even compiled programs are
>> vulnerable to a skilled hacker who will recognize algorithms from machine
>> code.
>>
>> Even if code is running in a single package CPU without the possibility to
>> read it back, with a certain level of effort the plastic package can be
>> removed and a hacker could tap directly into the internal bus.
>>
>> My point is that by taking those above-mentioned steps, the code gets
>> a practical level of protection.
>
> Javascript code is typically very short - and uncommented (look at pages
> on different sites - how many have useful comments anyway?).
>
> Any decent code tidier will unpack the file into something readable.
>
> Good variable names do make the code more readable. However, reasonable
> variable names can be easily inferred from calls to system functions and
> other actions.
>
> In short, obfuscating javascript code is going to slow down a
> programmer maybe 10 minutes. 15 minutes if it's really a big code. The
> only people who call it protection are those who sell obfuscators - or
> someone who is really clueless.

Really?

I'd absolutely love to observe you understand code of moderate size,
1000+ LOC, with autogenerated variable names in 15 minutes.

Actually, I'd love to observe you do that in 2 hours.

> And you're going really off the wall. This has nothing to do with
> compiled programs. And you don't need to tap directly into an internal
> bus.

My point of practicality was obviously misunderstood. Never mind.