JavaScript Obfuscation and De-obfuscation

Kiran Kuyate

JavaScript is a lightweight, interpreted programming language found on most dynamic websites. It's one of the most recognized languages in web development. It has a variety of use cases, ranging from animating elements to handling user input on the platform. Programs in this language are called scripts. They can be written in a web page's HTML and run automatically as it loads. Scripts are provided and executed as plain text. They don't need special preparation or compilation to run.

Obfuscation:

Obfuscation means making something difficult to understand. Programming code is often obfuscated to protect intellectual property or trade secrets and to prevent an attacker from reverse engineering proprietary software programs.

Encryption of some or all of a program's code is one obfuscation method. Other approaches include stripping out potentially revealing metadata, replacing class and variable names with meaningless labels, and adding unused or meaningless code to an application script. A tool called an obfuscator will automatically convert straightforward source code into a program that works the same way but is more difficult to read and understand. Malicious code writers also use these methods to prevent their attack mechanisms from being detected by antimalware tools. The 2020 SolarWinds attack is an example of hackers using obfuscation to evade defenses.

Deobfuscation techniques can be used to reverse engineer -- or undo -- obfuscation. These techniques include program slicing, which involves narrowing the program code to just the relevant statements at a particular point in the program. Compiler optimization and program synthesis are two other deobfuscation techniques. Obfuscation aims to make reverse engineering difficult and not worth the trouble.

How does obfuscation work?

Obfuscation in computer code uses complex roundabout phrases and redundant logic to make the code difficult for the reader to understand. The goal is to distract the reader with the complicated syntax of what they are reading and make it difficult for them to determine the true content of the message.

Code obfuscation is not about changing the content of a program's original code, but rather about making the delivery method and presentation of that code more confusing. Obfuscation does not alter how the program works or its end output.

Example snippet of normal JavaScript code:

var greeting = 'Hello Kiran';

greeting = 10;

var product = greeting * greeting;

That same snippet in obfuscated form:

var _0x154f=['98303fgKsLC','9koptJz','1LFqeWV','13XCjYtB','6990QlzuJn','87260lXoUxl','2HvrLBZ','15619aDPIAh','1kfyliT','80232AOCrXj','2jZAgwY','182593oBiMFy','1lNvUId','131791JfrpUY'];var _0x52df=function(_0x159d61,_0x12b953){_0x159d61=_0x159d61-0x122;var _0x154f4b=_0x154f[_0x159d61];return _0x154f4b;};(function(_0x19e682,_0x2b7215){var _0x5e377c=_0x52df;while(!![]){try{var _0x2d3a87=-parseInt(_0x5e377c(0x129))*parseInt(_0x5e377c(0x123))+-parseInt(_0x5e377c(0x125))*parseInt(_0x5e377c(0x12e))+parseInt(_0x5e377c(0x127))*-parseInt(_0x5e377c(0x126))+-parseInt(_0x5e377c(0x124))*-parseInt(_0x5e377c(0x12f))+-parseInt(_0x5e377c(0x128))*-parseInt(_0x5e377c(0x12b))+parseInt(_0x5e377c(0x12a))*parseInt(_0x5e377c(0x12d))+parseInt(_0x5e377c(0x12c))*parseInt(_0x5e377c(0x122));if(_0x2d3a87===_0x2b7215)break;else _0x19e682['push'](_0x19e682['shift']());}catch(_0x22c179){_0x19e682['push'](_0x19e682['shift']());}}}(_0x154f,0x1918c));var greeting='Hello\x20World';greeting=0xa;var product=greeting*greeting;

The obfuscated version is nearly impossible to follow by eye.

Obfuscation techniques:

Obfuscation involves several different methods. Often, multiple techniques are used to create a layered effect. Some standard obfuscation techniques include the following :

  • Renaming. The obfuscator alters the names of methods and variables. The new names may include unprintable or invisible characters.

  • Packing. This compresses the entire program to make the code unreadable.

  • Control flow. The decompiled code is made to look like spaghetti logic, which is unstructured and hard-to-maintain code where the line of thought is obscured. The results from this code are unclear, and it's hard to tell what the point of the code is by looking at it.

  • Instruction pattern transformation (mapping). This approach takes common instructions created by the compiler and swaps them for more complex, less common instructions that effectively do the same thing.

  • Dummy code insertion. Dummy code can be added to a program to make it harder to read and reverse engineer, but it does not affect the program's logic or outcome.

  • Metadata or unused code removal. Unused code and metadata give the reader extra information about the program, much like annotations on a Word document, that can help them read and debug it. Removing metadata and unused code leaves the reader with less information about the program and its code.

  • Opaque predicate insertion. A predicate in code is a logical expression that is either true or false. Opaque predicates are conditional branches -- or if-then statements -- where the results cannot easily be determined with statistical analysis. Inserting an opaque predicate introduces unnecessary code that is never executed but is puzzling to the reader trying to understand the decompiled output.

  • Anti-debug. Legitimate software engineers and hackers use debug tools to examine code line by line. With these tools, software engineers can spot problems with the code, and hackers can use them to reverse engineer the code. IT security pros can use anti-debug tools to identify when a hacker is running a debug program as part of an attack. Hackers can run anti-debug tools to identify when a debug tool is being used to identify the changes they are making to the code.

  • Anti-tamper. These tools detect code that has been tampered with, and if it has been modified, it stops the program.

  • String encryption. This method uses encryption to hide the strings in the executable and only restores the values when they are needed to run the program. This makes it difficult to go through a program and search for particular strings.

  • Code transposition. This is the reordering of routines and branches in the code without having a visible effect on its behavior.

How to measure obfuscation success:

JavaScript obfuscation continues to be a favored method among cyberattackers for sneaking past defenses to deliver a broad range of payloads. However, even a good method for flagging the presence of JavaScript packer obfuscation is not a foolproof method of detection because a small number of websites use obfuscation for legitimate purposes, too, research shows.
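One way to flag the fingerprints such tools leave in a script, as an added example that is not part of the original article. The feature weights and the threshold of 3 are assumptions chosen for illustration, and all three samples are constructed.

```javascript
// Added example: score a script for fingerprints typical of
// javascript-obfuscator-style output. Weights and thresholds are
// illustrative assumptions, not tuned values.
function obfuscationIndicators(src) {
  const idents = src.match(/\b[A-Za-z_][\w$]*/g) || [];
  const hexIdents = idents.filter((id) => /^_0x[0-9a-f]+$/i.test(id));
  return {
    // share of identifiers named like _0x154f
    hexIdentRatio: idents.length ? hexIdents.length / idents.length : 0,
    // string bytes written as \xNN, e.g. 'Hello\x20World'
    hexEscapes: (src.match(/\\x[0-9a-f]{2}/gi) || []).length,
    // booleans spelled !![] or ![]
    boolIdioms: (src.match(/!!?\[\]/g) || []).length,
    // method calls through string keys, e.g. arr['push'](...)
    bracketCalls: (src.match(/\[(['"])\w+\1\]\(/g) || []).length,
    maxLineLength: src.split('\n').reduce((m, l) => Math.max(m, l.length), 0),
  };
}

function looksObfuscated(src) {
  const f = obfuscationIndicators(src);
  let score = 0;
  if (f.hexIdentRatio > 0.3) score += 2;
  if (f.hexEscapes > 0) score += 1;
  if (f.boolIdioms > 0) score += 1;
  if (f.bracketCalls > 0) score += 1;
  if (f.maxLineLength > 500) score += 1; // also true of plain minified code
  return { score, flagged: score >= 3, features: f };
}

// Constructed samples: the article's plain snippet, a shortened fragment in
// the style of its obfuscated snippet, and a long but readable minified line.
const PLAIN = "var greeting = 'Hello Kiran';\ngreeting = 10;\nvar product = greeting * greeting;";
const OBFUSCATED = String.raw`var _0x52df=function(_0x159d61,_0x12b953){_0x159d61=_0x159d61-0x122;var _0x154f4b=_0x154f[_0x159d61];return _0x154f4b;};while(!![]){_0x154f['push'](_0x154f['shift']());break;}var greeting='Hello\x20World';`;
const MINIFIED = 'function add(a,b){return a+b}'.repeat(30);

for (const [name, src] of [['plain', PLAIN], ['obfuscated', OBFUSCATED], ['minified', MINIFIED]]) {
  const r = looksObfuscated(src);
  console.log(name, 'score=' + r.score, 'flagged=' + r.flagged);
}
```

A flag here only says the script was machine-transformed; it does not by itself separate malicious obfuscation from the legitimate uses the paragraph above mentions.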

The success of obfuscation methods can be measured using the following criteria:

  • Strength. The extent to which transformed code resists automated deobfuscation attempts determines strength. The more effort, time, and resources it takes, the stronger the code is.

  • Differentiation. The degree to which transformed code differs from the original is another measure of how effective it is. Some of the ways used to judge differentiation include:

    • The number of predicates the new code contains.

    • The depth of the inheritance tree (DIT) -- a metric used to indicate the complexity of code. A higher DIT means a more complex program.

  • Expense. A cost-efficient obfuscation method will be more useful than an expensive one, particularly when it comes to how well it scales for larger applications.

  • Complexity. The more layers the obfuscator adds, the more complex the program will be, making the obfuscation more successful.

Benefits of JavaScript obfuscation:

  • Secrecy. Obfuscation hides the valuable information contained in the code. This is an advantage for legitimate organizations looking to protect code from competitors and attackers. Conversely, bad actors capitalize on the secrecy of obfuscation to hide their malicious code.

  • Efficiency. Some obfuscation techniques, like unused code removal, have the effect of shrinking the program and making it less resource intensive to run.

  • Security. Obfuscation is a built-in security method, sometimes referred to as application self-protection. Instead of using an external security method, it works within what's being protected. It is well-suited for protecting applications that run in an untrusted environment and that contain sensitive information.

    Using obfuscation, we can make our JavaScript code difficult for other people to understand and add a layer of security to the application.

[Figure: Obfuscation code]

You can also use the widely used JavaScript obfuscation library javascript-obfuscator. It is open source; refer to https://github.com/javascript-obfuscator for more details.

So far we have seen how obfuscation makes code difficult to read. But how can we get back to the original code from the obfuscated version? This is where reverse engineering comes in.

JavaScript De-obfuscation:

Web developers and programmers often obfuscate code for two reasons – one, the code becomes smaller thus reducing the overall time it takes to download a web page. Second, obfuscated code is difficult to understand and thus the programming logic is hidden, well sort of, from prying eyes.

It is however extremely easy to de-obfuscate, or you can also say reverse-engineer, any piece of obfuscated code and make it more human-readable. Here’s how:

If you have Google Chrome, open the web page that has the JavaScript you are trying to decrypt. Press F12 to open Developer Tools inside Chrome. Now switch to the Scripts tab, right-click and choose De-obfuscate source. 🤓 That’s it!

Alternatively, go to jsbeautifier.org and copy-paste the cryptic JavaScript/HTML code that you are trying to understand. Hit the Beautify button and voila! Mystery solved 😃.
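Beautifying restores layout but leaves the string-table lookups unresolved. The added example below (not part of the original article) resolves the rotated table of the obfuscated snippet shown earlier without executing that snippet; it assumes each checksum term is the product of two parseInt lookups, and the names TABLE, TERMS, checksum and resolveRotation are introduced here for illustration.

```javascript
// Added example: statically undo the string-table rotation used by the
// obfuscated snippet earlier in the article, without eval() or running it.
const TABLE = ['98303fgKsLC', '9koptJz', '1LFqeWV', '13XCjYtB', '6990QlzuJn',
  '87260lXoUxl', '2HvrLBZ', '15619aDPIAh', '1kfyliT', '80232AOCrXj',
  '2jZAgwY', '182593oBiMFy', '1lNvUId', '131791JfrpUY'];
const BASE = 0x122;      // offset the lookup function _0x52df subtracts
const TARGET = 0x1918c;  // value the rotation loop compares its checksum to

// Checksum terms transcribed from the snippet as [sign, indexA, indexB],
// meaning sign * parseInt(lookup(indexA)) * parseInt(lookup(indexB)).
// Unary minus signs inside a term are folded into the sign.
const TERMS = [
  [-1, 0x129, 0x123], [-1, 0x125, 0x12e], [-1, 0x127, 0x126],
  [+1, 0x124, 0x12f], [+1, 0x128, 0x12b], [+1, 0x12a, 0x12d],
  [+1, 0x12c, 0x122],
];

function checksum(arr) {
  // parseInt keeps the leading digits: '98303fgKsLC' -> 98303
  const at = (i) => parseInt(arr[i - BASE], 10);
  return TERMS.reduce((sum, [sign, a, b]) => sum + sign * at(a) * at(b), 0);
}

// Rotate a copy one slot at a time, as arr.push(arr.shift()) does, until the
// checksum matches. The loop is bounded by the table length, so a wrong
// transcription returns null instead of spinning forever.
function resolveRotation(arr, target) {
  const work = arr.slice();
  for (let k = 0; k < work.length; k++) {
    if (checksum(work) === target) return { rotations: k, table: work };
    work.push(work.shift());
  }
  return null;
}

const resolved = resolveRotation(TABLE, TARGET);
console.log(resolved ? `matched after ${resolved.rotations} rotations` : 'no match');
```

For this sample the checksum matches after 7 rotations, and the table turns out to hold only the checksum operands: the program's one real string sits inline as 'Hello\x20World'.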

However, some obfuscation methods are complicated enough that no one except the owner can understand or reverse them; such custom algorithms work well and provide more security to the application.
