2. Outline
Why Code Obfuscation
Features of a code obfuscator
Potency
Resilience
Cost
Classification of Obfuscating Transformations
3. Why use Code Obfuscation Techniques
Mainly to defend against Software Reverse Engineering
We can only make it more difficult for reverse engineers
Available obfuscating tools work in the same way as compiler optimizers
Reduce required space and time for compilation
4. The level of security that an Obfuscator adds depends on:
The transformations used
The power of available deobfuscators
The amount of resources available to deobfuscators
5. Main features of a Code Obfuscator
Potency: the degree to which a human reader would be confused by the new code
Resilience: how well the obfuscated code resists attacks by deobfuscation tools
Cost: how much load is added to the application
11. Available JavaScript Obfuscators
Most available commercial JavaScript obfuscators work by applying Lexical transformations
Some obfuscators that were considered are:
Stunnix JavaScript Obfuscator
Shane Ng's GPL-licensed obfuscator
Free JavaScript Obfuscator
12. Example: From Stunnix
Actual code:
function foo( arg1)
{
    var myVar1 = "some string"; //first comment
    var intVar = 24 * 3600; //second comment
    /* here is
    a long
    multi-line comment blah */
    document.write( "vars are:" + myVar1 + " " + intVar + " " + arg1) ;
};
Obfuscated code:
function z001c775808(z3833986e2c) { var z0d8bd8ba25= "\x73\x6f\x6d\x65\x20\x73\x74\x72\x69\x6e\x67"; var z0ed9bcbcc2= (0x90b+785-0xc04)* (0x1136+6437-0x1c4b); document.write( "\x76\x61\x72\x73\x20\x61\x72\x65\x3a"+ z0d8bd8ba25+ "\x20"+ z0ed9bcbcc2+ "\x20"+ z3833986e2c);};
13. Step by step examination
The Stunnix obfuscator targets only the layout of the JavaScript code
As the obfuscator parses the code, it removes spaces, comments and line feeds
While doing so, as it encounters user-defined names, it replaces them with random strings
It replaces print strings with their hexadecimal values
It replaces integer values with complex equations
14. In the sample code that was obfuscated, the following can be observed
User-defined names:
foo replaced with z001c775808
arg1 replaced with z3833986e2c
myVar1 replaced with z0d8bd8ba25
intVar replaced with z0ed9bcbcc2
Integers:
20 replaced with (0x90b+785-0xc04)
3600 replaced with (0x1136+6437-0x1c4b)
Print strings:
“vars are” replaced with \x76\x61\x72\x73\x20\x61\x72\x65\x3a
Space replaced with \x20
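Added example (not part of the original slides, and not Stunnix's code): a small JavaScript normalizer that reverses the string and integer transformations listed above on the slide 12 sample. It shows how little resilience these two lexical transformations have against an automated tool; only the identifier renaming is one-way. The function names are hypothetical, and the regex-based approach assumes the simple literal forms seen in the sample rather than arbitrary JavaScript.

```javascript
// Added example: reverse two lexical transformations on the slide 12 sample.
// OBFUSCATED is that sample, kept as a raw string so the backslashes survive.
const OBFUSCATED = String.raw`function z001c775808(z3833986e2c) { var z0d8bd8ba25= "\x73\x6f\x6d\x65\x20\x73\x74\x72\x69\x6e\x67"; var z0ed9bcbcc2= (0x90b+785-0xc04)* (0x1136+6437-0x1c4b); document.write( "\x76\x61\x72\x73\x20\x61\x72\x65\x3a"+ z0d8bd8ba25+ "\x20"+ z0ed9bcbcc2+ "\x20"+ z3833986e2c);};`;

// Decode string literals that consist entirely of \xNN escapes.
function decodeHexStrings(src) {
  return src.replace(/"((?:\\x[0-9a-fA-F]{2})+)"/g, (_, body) => {
    const text = body.replace(/\\x([0-9a-fA-F]{2})/g,
      (_m, hex) => String.fromCharCode(parseInt(hex, 16)));
    return JSON.stringify(text); // re-quote and escape anything unsafe
  });
}

// Fold parenthesised sums/differences of integer literals, e.g. (0x90b+785-0xc04).
// The lookbehind skips call or index syntax such as f(3), which is not a constant.
function foldIntegerExprs(src) {
  const lit = "(?:0x[0-9a-fA-F]+|\\d+)";
  const re = new RegExp(
    `(?<![\\w$)\\]]\\s*)\\(\\s*(${lit}(?:\\s*[+-]\\s*${lit})*)\\s*\\)`, "g");
  return src.replace(re, (_, expr) => {
    const tokens = expr.match(/[+-]|0x[0-9a-fA-F]+|\d+/g);
    let total = Number(tokens[0]); // Number() parses both hex and decimal
    for (let i = 1; i < tokens.length; i += 2) {
      const value = Number(tokens[i + 1]);
      total += tokens[i] === "+" ? value : -value;
    }
    // Keep parentheses around negatives so "a-(1-3)" does not become "a--2".
    return total < 0 ? `(${total})` : String(total);
  });
}

// Identifier renaming is not reversed: the original names are not in the output.
function normalize(src) {
  return foldIntegerExprs(decodeHexStrings(src));
}

console.log(normalize(OBFUSCATED));
```

On the sample, the first integer expression folds to 24, the value in the original `24 * 3600`.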