Introduction to Stunnix JavaScript Obfuscator
BuyNow:
Download:
Product Website:
The current trend in the application and web development industry is switching from compiled languages like C/C++ and Delphi to scripting languages like Perl, Javascript or VBScript. One of the main disadvantages of these languages for developers of commercial applications is great ease of studying, analysing and reuse of source code texts of the applications written in these programming languages by customers and competitors. For custom solutions the risk of losing control over intellectual property is even much higher since it's much more difficult to track violations of intellectual property in them due to the highly targeted or even exclusive distribution of such solutions or products - so in such cases violations of intellectual property can be in form of reuse of original source code even with arbitrary level of adaptation! Due to the ease of study and modification, it's extremely difficult to ensure licensing conditions of the code are met too - for example that the script is used only in the documents that came from the hosts it was licensed to, and only till the date it was licensed to run.
Stunnix JavaScript Obfuscator is the unique solution for this problem for code written in ECMAScript or JavaScript programming language - it's both obfuscation and encoding tool for JavaScript source code in pure .js files and in HTML, PHP, ASP and JSP pages that has advanced support for adding extremely difficult to remove automatic checks of licensing conditions. Stunnix JavaScript Obfuscator converts scripts in input files (with .js extension, or located in html, asp, php or jsp files) into highly mangled and obfuscated form, making them extermely difficult to study, analyse, reuse and re-work for competitors or customers, while fully retaining functionality of the original code. By default that highly mangled and obfuscated code is encoded afterwards to hide the structure of the script completely. Stunnix JavaScript Obfuscator is not a compiler to machine or pseudo code - the protected form will still be the usual script, thus it will work on all platforms the original code worked on. State of the art support for ensuring license conditions (expiration, several types of hostname checks, user-defined checks) is present in Stunnix JavaScript Obfuscator since version 1.3. Note, that Stunnix JavaScript Obfuscator is referred to as Stunnix JS-Obfus for brevity in some places.
The obfuscation means:
- replacing all symbol names it's possible to with the non-meaningfull ones, e.g. replacing files with zcadaa4fc81, while preserving syntaxical and semantical correctness of the source code. Of course predefined symbols like Math and symbols from the third-party libraries the JavaScript source code uses will be left the same so the obfuscated code will still work without requiring to obfuscate those third-party JavaScript libraries;
- substitution of numeric values with the arithmetic expressions using (random or constant for the same numeric value as requested by the options) decimial and hexadecimial numeric values that evaluate to the same value;
- using hexadecimial character codes for all characters in strings;
- replacing strings with interpolated variables with the concatenation of the appropriate components;
- removing extra white spaces;
- jamming as much code on each line as possible.
The encoding means hiding JavaScript code by converting it into special form that completely hides program structure and adding a special advanced decoding code, that will decode the script at runtime and execute it. Since the code to decode encoded body is automatically included into each file, no standalone decoders or interpreters are needed. By default encoding is applied to the result of obfuscation, but it's possible to apply encoding to original source to allow effortless code hiding not requiring any changes to the code to be hidden.
Even just obfuscating JavaScript without encoding it afterwards is extremely difficult to understand for a human since the name of variables and subroutines and other symbols are totally meaningless and hard to remember (e.g. files becomes zcadaa4fc81). It's possible to control all aspects of JavaScript obfuscation and encoding using commandline switches of the Stunnix JavaScript Obfuscator. An example of how cryptic typical file after obfuscation and encoding with JavaScript Obfuscator looks like is available.
The features summary of Stunnix JavaScript Obfuscator:
- Unique! New! JavaScript Obfuscator includes Project Manager - an advanced intuitive cross-platform graphical user interface for protecting projects with JavaScript of any size with mixed types of code and files.
- Unique! By default encoding is applied to the result of obfuscation by JavaScript Obfuscator.
- Unique! JavaScript Obfuscator supports all JavaScript syntax constructs, including inline regexps and statements terminated with newlines.
- Unique! JavaScript Obfuscator has support for scripts expiration, advanced server hostname checks and general checks and actions such as showing alerts, all implemented in the non-removable encoded block of code.
- Unique! JavaScript Obfuscator supports script compression mode.
- Unique! JavaScript Obfuscator has state of the art support for obfuscating and encoding of scripts in JavaScript embedded into HTML, PHP, ASP and ASP.NET, WSH/WSC files.
- Unique! JavaScript Obfuscator has support for obfuscating of dynamic JavaScript code inside string arguments of "print"-like calls of client-side code or inside almost any server-side language like ASP, JSP, PHP, C or Perl.
- Unique! JavaScript Obfuscator has special mode for as quick preparing of project for obfuscation as possible, saving a lot of time.
- Unique! JavaScript Obfuscator comes with exception tables for Javascript core functions, W3C html model, non-standard Mozilla and MSIE html models, DOM, DOM Events, CSS model, SVG, XPATH and even XUL; also exceptions for ASP, ADO, WSH and WSC frameworks are included.
- Unique! JavaScript Obfuscator includes unique utilities to gather project-specific exceptions: utility to gather html form fields' names and IDs of html elements, and utility to extract all symbols from ActiveX or OLE components;
- Obfuscated and/or encoded code runs on any compliant interpreter.
- JScript-specific conditional compilation is supported.
- Unique! JavaScript Obfuscator has full support for projects consisting of several JavaScript files and use of eval.
- Unique! Full support for keeping library files application uses in non-obfuscated (original) form.
- Unique! JavaScript Obfuscator has full support for JavaScript.NET and ECMAScript
- Unique! JavaScript Obfuscator has a lot of options to tightly control code hiding.
- Unique! JavaScript Obfuscator has means to make analysis of changes between different releases of the obfuscated product more difficult.
- JavaScript Obfuscator is easy to install on any Unix/Linux or Windows workstation.
- Unique! Web-based commandline builder is available.
Stunnix JavaScript Obfuscator features in detail
Project Manager - an advanced user interface for projects of any complexity
Power and flexibility of Stunnix Obfuscators are now available via graphical user interface, eliminating the need to even read descriptions of commandline options supported! Stunnix JavaScript Obfuscator Project Manager - an advanced intuitive cross-platform browser-based graphical user interface is included. It allows to protect JavaScript in projects of any complexity, consisting of files of any type, and possibly including code of any type (client-side, server-side, asp pages with both server side and client-side code, html files with client-side code), even allowing code in some files to be protected with different sets of options or even not protected at all. Project Manager for Stunnix JavaScript Obfuscator has 'build project' functionality available in most popular IDEs that will result in processing only files which are more fresh than their protected version; files free from code (like images or .css files) will simply be copied to the directory with protected version of the project, allowing to use Project Manager as a generic replacement for 'Make'-like utility. Project Manager for Stunnix JavaScript Obfuscator completely eliminates the need to compose and invoke commandlines manually, all operations can be performed using mouse.
Users who prefer to use command line interface will be able to compose build script (a special project-specific perl program that effectively is a smart stand-alone replacement for project-specific Makefile that already includes functionality of the Make utility) for a project using Project Manager for Stunnix JavaScript Obfuscator and just invoke that build script to perform desired operation like cleaning all output files, reprotecting only changed files or reprotecting all files (with ability to specify only a subset of files to be subject of an operation).
You can see Stunnix JavaScript Obfuscator Project Manager running on our site in demo mode (destructive and editing operations are disabled in it).
By default encoding is performed on the result of obfuscation of JavaScript
Stunnix JavaScript Obfuscator by default encodes the result of obfuscation, thus making much harder to study even the structure of the code. It's even possible to encode only selected parts of the source code by activating special mode of Stunnix JavaScript Obfuscator.
Supports all JavaScript syntax constructs, including inline regexps and statements terminated with newlines
Stunnix JavaScript Obfuscator supports scripts with statements terminated with newlines (i.e. not with semicolons) - even when such file is obfuscated with whitespace and newlines jamming, newlines will preserved in a places where statements are probably terminated (there is a commandline switch to turn this behaviour off of course). Stunnix JavaScript Obfuscator also supports literal text format or the RegExp constructor function too (i.e. code like this: var rx = /\d+\s+\w+/i; will be correctly handled), and there are switches to precisely control handling of such fragments.
Support for ensuring license conditions for JavaScript code
Stunnix JavaScript Obfuscator has a state of the art support for making obfuscated and encoded scripts expirate; several variants of server hostname checking (single allowed host name, list of hostname tails, regular expression hostname should match) are also supported. There is an option to show custom notification message; the execution of the JavaScript code is terminated afterwards in any case. User-defined checks with actions are also supported at the same time too. All licensing checks are grouped in the block of code, to which the special initialization code is added without which the JavaScript code won't work correctly, and the whole resultant block of JavaScript code is encoded to protect it from analysis and modification. This block of code can't be removed from the script body without making it malfunctioning. Several sources of information about current time and server host name are suported. See more details here.
Supports JavaScript compression mode
Stunnix JavaScript Obfuscator supports source code compression mode via the use of special aid included- in this mode symbols are renamed to the shortest random allowed symbol name possible in order to minimize resultant size of output (the more used symbols are renamed to the shorter symbols). This turns Stunnix JavaScript Obfuscator into so-called "source code compressor" tool. This module works perfectly for multimodule JavaScript projects too.
State of the art support for obfuscation and encoding of JavaScript embedded into HTML, PHP, ASP and ASP.NET and WSC/WSH files
Stunnix JavaScript Obfuscator obfuscates and encodes JavaScript both client-side or server-side, emebedded into HTML, ASP and ASP.NET files, and also Windows Scripting Host and Windows Scripting Component files - by the use of special extractor and merger engines for HTML, for WSC, for WSH, for ASP and ASP.NET files, and client-side JavaScript in PHP files.
Files with HTML markup in which JavaScript scripts are to be obfuscated can contain SSI, ASP, ASP.NET and PHP fragments in them at any location - inside scripts (even inside string constants of the script!), inside event handlers and inside html markup (i.e. between < and >) - the feature available only in Stunnix JavaScript Obfuscator. JavaScript Obfuscator also can minimize size of html in HTML, ASP and PHP files by removing extra spaces and newlines in the html text itself.
Values of internalName attributes inside WSC files are obfuscated automatically.
A special utility to extract names and ids of form fields and other elements is also included with Stunnix JavaScript Obfuscator. It's even possible to protect both server-side and client-side JavaScript code at the same time in the same file (though it will require 2 invokations of the JavaScript Obfuscator).
Support for obfuscating dynamic JavaScript code inside "print"-like calls of client-side code or inside almost any server-side language like ASP, JSP, PHP, C and Perl
Stunnix JavaScript Obfuscator supports obfuscation and encoding of dynamic JavaScript - e.g. if pieces of JavaScript code computed from various variables are output to the client using document.write() by the client-side JavaScript code, the content of these pieces (e.g. names of variables in them) can be obfuscated.
Also if client-side JavaScript code is output by any server-side language (e.g. ASP, ASP.NET, JSP, PHP, C/C++ or Perl), then the pieces of JavaScript code can be obfuscated inside the strings that are arguments of the desired method calls of the server-side language.
The arguments of those methods can include expressions that compute pieces of JavaScript code using any operators and calls of other functions and methods; but only strings will be treated as JavaScript code and their content will be obfuscated.
More information and samples are available in the manual.
Special mode for as quick preparing of project for obfuscation as possible
A special obfuscation modes are present in Stunnix JavaScript Obfuscator that let project to be adapted for obfuscation very quickly. There is no need to spend valuable time while performing trial-and-error process of preparation for obfuscating. Due to availability of unique utilities for symbol extraction not available with any other products, the preparation process is short as theoretically possible.
Comes with rich set of exception tables
A very rich set of exception tables is included with Stunnix JavaScript Obfuscator for JavaScript core functions, ECMAScript core functions, W3C html model, non-standard Mozilla and MSIE html models, DOM, DOM Events, CSS model, SVG, XPATH and even XUL. Also exceptions for ASP, ADO, WSH and WSC frameworks are included. Each table is stored in a separate file, it's easy to select what set of tables to load on a given invokation or all invokations of Stunnix JavaScript Obfuscator due to a rich set of commandline options and configuration file.
Included are utilities to gather project-specific exceptions
These utilities are a must have ones for any professional Obfuscator; without them composing lists of exceptions for a project of even medium size is very time-consuming, dull and error-prone process, most typically accomplished by using trial-and-error technique.
The functionality of both utilities is fully integrated into Project Manager user interface and thus can be carried on by using mouse only.
Obfuscated and/or encoded code runs on any JavaScript interpreter
Unlike output of some JavaScript encoders, the code obfuscated and/or encoded with Stunnix JavaScript Obfuscator runs on any fully-compliant JavaScript interpreter, including ones that are included with most popular browsers.
Full support for projects consisting of several JavaScript files and use of eval
Stunnix JavaScript Obfuscator, unlike other obfuscators or encoders, was designed with multi-file complex projects in mind. It means that with same set of obfuscation parameters given symbol name will be obfuscated to the same name independant of its position and file it's located in. Stunnix JavaScript Obfuscator also has support for code that uses eval() with argument that is string containing names of variables and functions - once properly marked up, the names of variables and functions in the string will be obfuscated properly too, thus allowing the obfuscated JavaScript code to work as original.
Full support for keeping library files application uses in nonobfuscated (original) form
Some JavaScript applications use third-party libraries or even COM/CORBA objects. In case of third-party COM/CORBA objects, there is no way to make their method and property names to become obfuscated, and in case of third-party libraries licensing conditions most often disallow modification of those modules, thus there are no options except shipping them in original, non-obfuscated form. Stunnix JavaScript Obfuscator perfectly allows such cases with the concept of the exception lists - a lists of names that shouldn't be obfuscated; some means to generate such exception lists from the source to be obfuscated are also present in Stunnix JavaScript Obfuscator.
Full support for JavaScript.NET and ECMAScript
Stunnix JavaScript Obfuscator fully supports JavaScript.NET and ECMAScript - including encoding and support for ensuring licensing conditions. Also JavaScript.NET for scripting applications is supported too.
A lot of options to tightly control the obfuscation
As all Stunnix products, programs of a Stunnix JavaScript Obfuscator suite have a lot of commandline options to tightly control each aspect of their operation. All options have intuitive names, and there is extensive documentation on each option available. Default options for main part of the Stunnix JavaScript Obfuscator suite can be stored in a globally-visible file in order to make use of it more convenient.
There are free very useful web-based commandline builders for JavaScript Obfuscator too; they are very useful for getting impressions of what abilities JavaScript Obfuscator provides.
Means to make analysis of changes between different releases of the obfuscated product more difficult
Among a variety of options that control each aspect of JavaScript obfuscation and encoding, there are ones that make only obfuscated versions of the same source code to be different from each other. This can be used to make analysis of changes between different versions of the software much more difficult. Another use is distributing unique versions of the obfuscated code to each customer - this way developer can track which customer violated license conditions that resulted in distribution of the product to somebody else.
Key internal parameters of encoding already depend on random values, so the encoded version of the same file will be different on each run.
Easy to install on any Unix/Linux or Windows workstation or server
Stunnix JavaScript Obfuscator is a suite of Perl applications. It requires a Perl interpreter to run, if you don't have one, you can install the one supplied by your OS vendor or download it for free from ActiveState. No additional non-standard Perl modules are required for Stunnix JavaScript Obfuscator to run.
It's used just fine on Linux, Windows XP and Windows 98.
Stunnix JavaScript Obfuscator comes as an archive file. It needs to be extracted to any directory you like. Optionally one can set default values for the site-specific options in the configuration file, however most people won't need to change defaults.
Web-based commandline builder is available
One can get an impression on what options Stunnix JavaScript Obfuscator has by visiting online commandline builder; there is a link to the documentation near each form field, that fully explains the purpose and semantics of corresponding option. . The availability of Project Manager makes that online commandline builder less important though, since the same functionality is included with Stunnix JavaScript Obfuscator itself.
Related links
Full documentation for Stunnix JavaScript Obfuscator is available online.
Interactive web-based commandline builder is available on our site. It's very useful for getting impression of what abilities Stunnix JavaScript Obfuscator provides for obfuscation of the project.
An example of how cryptic typical file after obfuscation with Stunnix JavaScript Obfuscator looks like is available.
|
