looking for good javascript unescape encoder

mistral wrote:

Neeed good javascript unescape encoder, to protect javascript code.
Some advices?

http://jibbering.com/faq/obfuscate.html

David Dorward пи�ал(а):

mistral wrote:
Neeed good javascript unescape encoder, to protect javascript code.
Some advices? http://jibbering.com/faq/obfuscate.html

-----------------------

<citation>
"The problem with all of these methods is that script is insecure. You
can't make insecure script secure by writing more script!"
</citation>

sorry, you dont understand me. I do not need security. I need obfuscate
script.

mistral wrote:

http://jibbering.com/faq/obfuscate.html

sorry, you dont understand me. I do not need security. I need obfuscate
script.

Why? To stop people from reading the source? So you want to SECURE the
source? So you need security?

David Dorward пи�ал(а):

mistral wrote:

http://jibbering.com/faq/obfuscate.html

sorry, you dont understand me. I do not need security. I need obfuscate
script.

Why? To stop people from reading the source? So you want to SECURE the
source? So you need security?

Can you answer on my_specific_question,_please???????
Do not mix the "security" and "preventing from reading source" . This
is completely different thing? No any secure in Internet. But it
possible obfuscate script a little, accurately and error-free, just
make for someone difficult to read and he will lazy spend time to
decode script.

Is there some good obfuscator script, unescape, or another? READY
script - online tool or desktop application.

mistral wrote:

Can you answer on my_specific_question,_please???????

You will not get much help here, as most knowledgable users realize that
javascript obfuscation is a complete waste of time.

--
Matt Kruse
http://www.JavascriptToolbox.com
http://www.AjaxToolbox.com

mistral wrote:

Can you answer on my_specific_question,_please???????

I did - you just didn't like the answer.

Matt Kruse пи�ал(а):

mistral wrote:

Can you answer on my_specific_question,_please???????

You will not get much help here, as most knowledgable users realize that
javascript obfuscation is a complete waste of time.

--
Matt Kruse
http://www.JavascriptToolbox.com
http://www.AjaxToolbox.com

I just amazed, its absolutely the wrong way, for me.
Well, is there a *normal* users, not highly "knowledgable users", which
capable think normally and can answer?

which from this two scripts is better, have more sense, etc:

http://dean.edwards.name/packer/
http://scriptasylum.com/tutorials/en...t_encoder.html

First script does not use ''unescape", second based on unesacpe.

mistral wrote:

Matt Kruse пи�ал(а):

mistral wrote:

Can you answer on my_specific_question,_please???????

You will not get much help here, as most knowledgable users realize that
javascript obfuscation is a complete waste of time.

--
Matt Kruse
http://www.JavascriptToolbox.com
http://www.AjaxToolbox.com

I just amazed, its absolutely the wrong way, for me.
Well, is there a *normal* users, not highly "knowledgable users", which
capable think normally and can answer?

which from this two scripts is better, have more sense, etc:

http://dean.edwards.name/packer/
http://scriptasylum.com/tutorials/en...t_encoder.html

First script does not use ''unescape", second based on unesacpe.

Dear sir,
If you wish to obfuscate some script, you will probably have to use
some kind of algorithm to encode the script. Through this algorithm,
you can then decode the obfuscated script to run it. I am not adept at
all in any creation of algorithm, but you can probably talk to your
local math major or something and ask for their advice. If you find
one, you can easily transform the written equations into JavaScript
quickly. It isn't exactly an already created script, but it is easy
enough to create.

I am sorry for the tangent, but that is what I will contribute.

I have the honor to remain your most humble and Ob't Sv't in our war
against the King.

--
Patrick Reilly
1st Coy.
Colonel Seth Warner's Regiment

"mistral" <po*******@softhome.net> writes:

Can you answer on my_specific_question,_please???????
Do not mix the "security" and "preventing from reading source" . This
is completely different thing? No any secure in Internet. But it
possible obfuscate script a little, accurately and error-free, just
make for someone difficult to read and he will lazy spend time to
decode script.

Is there some good obfuscator script, unescape, or another?

What properties should it have? I.e., by what measure should it
be "good"? Anything that makes Javascript not immediately readable
should suffice as I understand you. Anything above that would
be aiming for security, not obfuscation, which you don't want.

A simple obfuscator is:
----
<textarea cols="72" rows="10" id="input">input here</textarea>
<br>
<input type="button" value="obfuscate" onclick="
function lz(s,n) {
s = '000' + s; // sufficient for n<=4.
return s.substring(s.length-n);
}
var inp = document.getElementById('input').value;
var scr = document.getElementById('script').checked;
var res = [];
if (scr) { res.push('<script type=\'text/javascript\'>'); }
res.push('eval(\'');
for(var i = 0; i < inp.length; i++) {
var c = inp.charCodeAt(i);
var ch = c.toString(16);
if (c < 256) {
res.push('\\x', lz(ch,2));
} else {
res.push('\\u', lz(ch,4));
}
}
res.push('\');');
if (scr) { res.push('<\/script>'); }
var out = document.getElementById('output');
out.value = res.join('');
out.select();
">
<input type="checkbox" id="script" checked="checked"><label for="script">include &lt;script...>...&lt/script></label>
<br>
<textarea cols="72" rows="10" id="output" readonly="readonly"></textarea>

----
Is it "good"? That depends entirely on your requirements.
It obviously obfuscates.
/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

Lasse Reichstein Nielsen пи�ал(а):

"mistral" <po*******@softhome.net> writes: Can you answer on my_specific_question,_please???????
Do not mix the "security" and "preventing from reading source" . This is completely different thing? No any secure in Internet. But it
possible obfuscate script a little, accurately and error-free, just
make for someone difficult to read and he will lazy spend time to
decode script.

Is there some good obfuscator script, unescape, or another?
What properties should it have? I.e., by what measure should it
be "good"? Anything that makes Javascript not immediately readable
should suffice as I understand you. Anything above that would
be aiming for security, not obfuscation, which you don't want.

A simple obfuscator is:
----
<textarea cols="72" rows="10" id="input">input here</textarea>
<br>
<input type="button" value="obfuscate" onclick="
function lz(s,n) {
s = '000' + s; // sufficient for n<=4.
return s.substring(s.length-n);
}
var inp = document.getElementById('input').value;
var scr = document.getElementById('script').checked;
var res = [];
if (scr) { res.push('<script type=\'text/javascript\'>'); }
res.push('eval(\'');
for(var i = 0; i < inp.length; i++) {
var c = inp.charCodeAt(i);
var ch = c.toString(16);
if (c < 256) {
res.push('\\x', lz(ch,2));
} else {
res.push('\\u', lz(ch,4));
}
}
res.push('\');');
if (scr) { res.push('<\/script>'); }
var out = document.getElementById('output');
out.value = res.join('');
out.select();
">
<input type="checkbox" id="script" checked="checked"><label
for="script">include &lt;script...>...&lt/script></label>
<br>
<textarea cols="72" rows="10" id="output"
readonly="readonly"></textarea>

----
Is it "good"? That depends entirely on your requirements.
It obviously obfuscates.

==============

well, I just wanted to hear opinions those users who uses or used some
obfuscators.

What is good? good obfuscator provide code that work on most
javascript enabled browsers, that will be able to open scrambled
documents without distortion. Making them extermely difficult to study,
analyse, reuse for users, while fully retaining functionality of the
original code.
The protected form will still be the usual script, thus it will work on
all platforms the original code worked on.
Obfuscation (scrambling) of JavaScript and JScript standalone files,
flexible settings for obfuscation that allow to fine-tune level of
scrambling(include unescape); checking of missing and/or extra
semicolons in JavaScript, JScript code; generate new non-understandable
names and rename functions and variables depending on user settings;
remove comments and white spaces, reducing the file size and minimizing
the loading time; pack the code as a long line add finishing ";" when
appropriate; work with command line.

I tried script sample you show, it not work.

Mistral
--------------------------
/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

mistral wrote on 22 jun 2006 in comp.lang.javascript:

Is there some good obfuscator script, unescape, or another? READY
script - online tool or desktop application.

===== obfuscatorScript.html ===========

<script type='text/obfuscatorScript' id='S'>
ine g = 'boshfpngbeFpevcg guebhtu EBG13';
g = 'Guvf vf n qrzb bs ' + g;
qbphzrag.jevgr(g);
</script>
<script type='text/javascript'>
var __b__ = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
__b__ = __b__ + __b__.substr(0,13);
__b__ = __b__ + __b__.toLowerCase();
var __a__=document.getElementById('S').text;
eval(__a__.replace(/(.)/g,
function(c){
return((d=__b__.indexOf(c))<0)?
c:__b__.charAt(d+13)}))
</script>

===========================

btw: eval is evil.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

JRS: In article <Xn********************@194.109.133.242>, dated Mon, 26
Jun 2006 14:32:35 remote, seen in news:comp.lang.javascript, Evertjan.
<ex**************@interxnl.net> posted :

ine g = 'boshfpngbeFpevcg guebhtu EBG13';
g = 'Guvf vf n qrzb bs ' + g;
qbphzrag.jevgr(g);

The form at the end of <URL:http://www.merlyn.demon.co.uk/problems.htm>
will en/de-obfuscate that.

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.

Dr John Stockton wrote on 27 jun 2006 in comp.lang.javascript:

JRS: In article <Xn********************@194.109.133.242>, dated Mon, 26
Jun 2006 14:32:35 remote, seen in news:comp.lang.javascript, Evertjan.
<ex**************@interxnl.net> posted :

ine g = 'boshfpngbeFpevcg guebhtu EBG13';
g = 'Guvf vf n qrzb bs ' + g;
qbphzrag.jevgr(g);

The form at the end of <URL:http://www.merlyn.demon.co.uk/problems.htm>
will en/de-obfuscate that.

.... as the de-obfuscation of "EBG13" suggests.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Evertjan. пи�ал(а):

mistral wrote on 22 jun 2006 in comp.lang.javascript: Is there some good obfuscator script, unescape, or another? READY
script - online tool or desktop application.

----------------------------------------------------------

===== obfuscatorScript.html ===========

<script type='text/obfuscatorScript' id='S'>
ine g = 'boshfpngbeFpevcg guebhtu EBG13';
g = 'Guvf vf n qrzb bs ' + g;
qbphzrag.jevgr(g);
</script>
<script type='text/javascript'>
var __b__ = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
__b__ = __b__ + __b__.substr(0,13);
__b__ = __b__ + __b__.toLowerCase();
var __a__=document.getElementById('S').text;
eval(__a__.replace(/(.)/g,
function(c){
return((d=__b__.indexOf(c))<0)?
c:__b__.charAt(d+13)}))
</script>

===========================

btw: eval is evil.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
----------------------------------------

and how to implement the snippet into some workable application (html)?

Mistral

mistral wrote on 27 jun 2006 in comp.lang.javascript:

Evertjan. пи�ал(а):

mistral wrote on 22 jun 2006 in comp.lang.javascript:

Is there some good obfuscator script, unescape, or another? READY
script - online tool or desktop application.

----------------------------------------------------------

===== obfuscatorScript.html ==========
<script type='text/obfuscatorScript' id='S'>
ine g = 'boshfpngbeFpevcg guebhtu EBG13';
g = 'Guvf vf n qrzb bs ' + g;
qbphzrag.jevgr(g);
</script>
<script type='text/javascript'>
var __b__ = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
__b__ = __b__ + __b__.substr(0,13);
__b__ = __b__ + __b__.toLowerCase();
var __a__=document.getElementById('S').text;
eval(__a__.replace(/(.)/g,
function(c){
return((d=__b__.indexOf(c))<0)?
c:__b__.charAt(d+13)}))
</script>

==========================
btw: eval is evil.
and how to implement the snippet into some workable application (html)?

I do not intend to write all your code,
you will have to do something yourself.

This NG is about javascript, not html as such.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Evertjan. пи�ал(а):

mistral wrote on 27 jun 2006 in comp.lang.javascript: Evertjan. пи�ал(а):
mistral wrote on 22 jun 2006 in comp.lang.javascript:

Is there some good obfuscator script, unescape, or another? READY
script - online tool or desktop application.
----------------------------------------------------------

===== obfuscatorScript.html ==========
<script type='text/obfuscatorScript' id='S'>
ine g = 'boshfpngbeFpevcg guebhtu EBG13';
g = 'Guvf vf n qrzb bs ' + g;
qbphzrag.jevgr(g);
</script>
<script type='text/javascript'>
var __b__ = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
__b__ = __b__ + __b__.substr(0,13);
__b__ = __b__ + __b__.toLowerCase();
var __a__=document.getElementById('S').text;
eval(__a__.replace(/(.)/g,
function(c){
return((d=__b__.indexOf(c))<0)?
c:__b__.charAt(d+13)}))
</script>

==========================
btw: eval is evil.
and how to implement the snippet into some workable application
(html)?
I do not intend to write all your code,
you will have to do something yourself. This NG is about javascript, not html as such.

-- Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

============================
Have someone advice for real good obfuscator script, not the script
caricature shown?

mistral wrote on 28 jun 2006 in comp.lang.javascript:

and how to implement the snippet into some workable application
(html)?

I do not intend to write all your code,
you will have to do something yourself.

This NG is about javascript, not html as such.

=========================== Have someone advice for real good
obfuscator script, not the script caricature shown?

The one I showed you is all there is, because, as you were told,
obfuscation is easily defeated because the client has to be able to read
the original. My code shows that.

Be free to fill in another algorithm, ROT13 is just for demonstration.

btw, did your mother not teach you to say "thank you" when you get free
advice?

Usenet is not a payed helpdesk.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Evertjan. пи�ал(а):

mistral wrote on 28 jun 2006 in comp.lang.javascript: and how to implement the snippet into some workable application
(html)?

I do not intend to write all your code,

you will have to do something yourself.

This NG is about javascript, not html as such.

=========================== Have someone advice for real good
obfuscator script, not the script caricature shown? The one I showed you is all there is, because, as you were told,
obfuscation is easily defeated because the client has to be able to readthe original. My code shows that. Be free to fill in another algorithm, ROT13 is just for demonstration.

btw, did your mother not teach you to say "thank you" when you get free
advice?

Usenet is not a payed helpdesk.
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

--------------------------------------------------
Your code is absolutely useless, its caricature. Yes, its a caricature.
To write a good code, a person must have at least 10-15 years of
intensive coding experience.

If you intended to show someone some code snippet, you must first very
good understand what user asks, what user want to know, what user want
to see. And, however, 10-15 years of intensive coding experience.
I'm a happy to get good advices, but not code caricature

mistral said the following on 6/28/2006 11:40 AM:

<snip>

Your code is absolutely useless, its caricature.
What is useless is your ability to determine whether code is useless or not.

If you had bothered testing the code you would know that.
Yes, its a caricature.
No, *you* are a caricature.
To write a good code, a person must have at least 10-15 years of
intensive coding experience.
Then you will never write good code. Besides, if that is your criteria,
you won't find "good code" written in Javascript.
If you intended to show someone some code snippet, you must first very
good understand what user asks, what user want to know, what user want
to see.
Bovine Excrement.
And, however, 10-15 years of intensive coding experience.
I'm a happy to get good advices, but not code caricature

You should take a course on Usenet and learn that this group is a
discussion group. You ask a question, it gets discussed. You get an
answer - great. You don't - get over it.

This is NOT your help desk.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Temporarily at: http://members.aol.com/_ht_a/hikksnotathome/cljfaq/
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

Randy Webb пи�ал(а):

mistral said the following on 6/28/2006 11:40 AM:

<snip>

Your code is absolutely useless, its caricature.

What is useless is your ability to determine whether code is useless or not.

If you had bothered testing the code you would know that.

Yes, its a caricature.

No, *you* are a caricature.

To write a good code, a person must have at least 10-15 years of
intensive coding experience.

Then you will never write good code. Besides, if that is your criteria,
you won't find "good code" written in Javascript.

If you intended to show someone some code snippet, you must first very
good understand what user asks, what user want to know, what user want
to see.

Bovine Excrement.

And, however, 10-15 years of intensive coding experience.
I'm a happy to get good advices, but not code caricature

You should take a course on Usenet and learn that this group is a
discussion group. You ask a question, it gets discussed. You get an
answer - great. You don't - get over it.

This is NOT your help desk.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Temporarily at: http://members.aol.com/_ht_a/hikksnotathome/cljfaq/
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

------------------------------

Randy Webb,

your comments is rude, coarse and senseless. Same as your "coding"
skills, I think..

mistral wrote:

To write a good code, a person must have at least 10-15
years of intensive coding experience.
15 years of Javascript experience would be quite impressive indeed. Unheard
of, in fact.
If you intended to show someone some code snippet, you must first very
good understand what user asks, what user want to know, what user want
to see.
Rather, if you want a good answer you must first describe exactly what you
want and what qualifies as a valid answer.

Your original request was simply: Neeed good javascript unescape encoder, to protect javascript code.

You cannot protect javascript code. Therefore, your requirement is invalid.
If you want good responses, ask good questions.

Finally, you seem too dense to understand that you will not get good advice
because everyone here realizes that obfuscation is a pointless exercise. So
any "solutions" you find will be junk, from people with limited experience
and knowledge, because they are at the same level that you are in thinking
that obfuscation works and is necessary.

If ROT13 obfuscation isn't enough for your futile requirement, then what
is???

--
Matt Kruse
http://www.JavascriptToolbox.com
http://www.AjaxToolbox.com

mistral said the following on 6/28/2006 12:08 PM:

Randy Webb пи�ал(а):

<snip>
Randy Webb,

your comments is rude, coarse and senseless.
You forgot "blunt", "honest", and "true". Does the truth hurt?

Same as your "coding" skills, I think..

Anytime you want to prepare yourself to prove that, let me know. But
from your posts in this thread, you wouldn't be in a position to judge
my skills. But my bosses seem to think they are worth in excess of 6
figures - approaching 7 - (US Dollars) annually so your opinion doesn't
mean much to me.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Temporarily at: http://members.aol.com/_ht_a/hikksnotathome/cljfaq/
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

Matt Kruse пи�ал(а):

Your original request was simply: Neeed good javascript unescape encoder, to protect javascript code.
You cannot protect javascript code. Therefore, your requirement is invalid.
If you want good responses, ask good questions. Finally, you seem too dense to understand that you will not get good advice
because everyone here realizes that obfuscation is a pointless exercise. So
any "solutions" you find will be junk, from people with limited experience
and knowledge, because they are at the same level that you are in thinking
that obfuscation works and is necessary. If ROT13 obfuscation isn't enough for your futile requirement, then what
is???
-- Matt Kruse
http://www.JavascriptToolbox.com
http://www.AjaxToolbox.com

-------------------------------------------------

Here is misunderstanding, definitely.
Ther is a many commercial solutions that do code obfuscation, however,
I dont know does it has been written by people "with limited experience
and knowledge" or not. The idea is not encrypt code, but obfuscate.
It is very similar, but you don't need encryption/decryption. It
possible use an obfuscator to change the output to something not human
readable, and then a javascript changes the output back to human
readable form on the browser. While this is VERY similar to
encryption/decryption, it is simpler because you don't have to worry
about public and private keys and the like.

Mistral

Matt Kruse wrote:
<snipped />

You cannot protect javascript code. Therefore, your requirement is
invalid. If you want good responses, ask good questions.

Finally, you seem too dense to understand that you will not get good
advice because everyone here realizes that obfuscation is a pointless
exercise. So any "solutions" you find will be junk, from people with
limited experience and knowledge, because they are at the same level
that you are in thinking that obfuscation works and is necessary.

If ROT13 obfuscation isn't enough for your futile requirement, then
what is???

We all know that it is futile, but if the OP insist, why not give
it to him/her? I mean... if he insist on learning the hard way, why
not let him?

ROT13 might not satisfy his reqs. because you can still see the tags.
'<', '>' and '/' is still in clear text...

Below is a Java class i wrote once to scramble xml-files. It implements
a variation of ROT13, namely ROT39...

He might find that of use... (It is easily portes to any language).

--
Dag.

// Java code below
**
* Title: 'Crypto' Utilities
* Description:
* Copyright: Copyright (c) 2001
* Company: Viz Consulting AS
* @author Dag Sunde
* @version 1.0
*/

/**
* Class to handle simple Scrambling
* of strings...
*/

public class Crypto
{
private final static int UPPER_LIMIT = 125;
private final static int LOWER_LIMIT = 48;
private final static int CHARMAP = 39;

public Crypto()
{
}

/**
* rot39 is a variation of the ROT13 algorithm,
* that also scrambles numbers and, most important in this
* case; xml-tags ("<", ">" & "/")
* @param - data, String to (de)scrambled
* @return - The string in "data" in (de)scrambled form.
*/
public String rot39(String data)
{
try
{
byte[] buffer = data.getBytes("ISO-8859-1");

for(int iData = 0; iData < buffer.length; iData++)
{
int iCode = buffer[iData];
if((iCode >= LOWER_LIMIT) && (iCode <= UPPER_LIMIT ))
{
iCode+= CHARMAP;
if(iCode > UPPER_LIMIT)
{
iCode = iCode - UPPER_LIMIT + LOWER_LIMIT - 1;
}
buffer[iData] = (byte)iCode;
}
}
return new String(buffer, "ISO-8859-1");

}
catch( java.io.UnsupportedEncodingException e)
{
System.out.println("Unicode/ISO FuckUp!");
System.exit(-1);
return "";
}
}
public static void main(String[] args)
{
Crypto myCrypto = new Crypto();

String buf = myCrypto.rot39( "abcdefghijklmnopqrstuvwxyzæøå_<>='*'" );
System.out.println(buf);

System.out.println( myCrypto.rot39( buf ) );
}

}

JRS: In article <Xn********************@194.109.133.242>, dated Mon, 26
Jun 2006 14:32:35 remote, seen in news:comp.lang.javascript, Evertjan.
<ex**************@interxnl.net> posted :

mistral wrote on 22 jun 2006 in comp.lang.javascript:

Is there some good obfuscator script, unescape, or another? READY
script - online tool or desktop application.

===== obfuscatorScript.html ===========

<script type='text/obfuscatorScript' id='S'>
ine g = 'boshfpngbeFpevcg guebhtu EBG13';

On re-reading - actually IMHO plain ROT13 is not obfuscation; rather, it
is simple encryption.

Obfuscated code will run, on the WWWeb, as well as the original, with
the same results (so one might want to do something additional about the
contents of literal strings and of comment); encrypted code must be
decrypted before reading, for execution or otherwise.

Obfuscation thus means altering all programmer-defined identifiers to
meaningless and maybe hard to read, and maybe removing all non-essential
whitespace and comment.

Code can be compressed for transmission and if every browser can
decompress it that's irrelevant for security.

If code is worth encrypting, one can take other steps to protect it,
such as not letting everyone get it in the first place.

OTOH, if the page has
<script>SomeString="<ROT-13 material>"</script>
<script>exec(X(SomeString))</script>

ISTM that one can use ROT-13 to obfuscate all letters, X being a ROT-13
function (though ROT-13 itself would be a remarkably poor choice; if the
Unicode of the string is ROT-Xed for a suitable X, the character set a-z
can be ROTted into Arabic).

--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.

Dr John Stockton wrote on 29 jun 2006 in comp.lang.javascript:

JRS: In article <Xn********************@194.109.133.242>, dated Mon,
26 Jun 2006 14:32:35 remote, seen in news:comp.lang.javascript,
Evertjan. <ex**************@interxnl.net> posted :

mistral wrote on 22 jun 2006 in comp.lang.javascript:

Is there some good obfuscator script, unescape, or another? READY
script - online tool or desktop application.

===== obfuscatorScript.html ===========

<script type='text/obfuscatorScript' id='S'>
ine g = 'boshfpngbeFpevcg guebhtu EBG13';

[skip]
ISTM that one can use ROT-13 to obfuscate all letters, X being a
ROT-13 function (though ROT-13 itself would be a remarkably poor
choice; if the Unicode of the string is ROT-Xed for a suitable X, the
character set a-z can be ROTted into Arabic).

My example was not about ROT13, but was using ROT13 to show as an example
how to use an, any, algorithm.

I think publicizing a useful algoritm is not in the interest of the OP.

I could imagine combining ROT13 with +13-1, +13-2, +13-3, +13-1, ...
depending on it's place in the string. This would end the ROT13
algorithm's nice reversability. Or perhaps also encript the non-
alfanumerics?

I would have given the illusion that obfuscation was more usefull than
it's temporary "anti emailadress harvester's effect", perhaps not to the
OP, but to [future?] newbies.

I think we, again and again, have to warn that obfuscation is not useful
to protect one's code, nor to keep paswords and other secrets.

==========

btw, John, what do you think of using such fancy

<script type='text/myText' id='S'>
My 'Text'
<is> "here"
</script>

....
var t = document.getElementById('S').text;
to get a long string into a javascript litteral without having to bother
about escaping quotes and returns?

Would it stand serious cross-brower scrutiny?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Dr John Stockton пи�ал(а):

Is there some good obfuscator script, unescape, or another? READY
script - online tool or desktop application.
===== obfuscatorScript.html ===========
<script type='text/obfuscatorScript' id='S'>
ine g = 'boshfpngbeFpevcg guebhtu EBG13';

On re-reading - actually IMHO plain ROT13 is not obfuscation; rather, it
is simple encryption. Obfuscated code will run, on the WWWeb, as well as the original, with
the same results (so one might want to do something additional about the
contents of literal strings and of comment); encrypted code must be
decrypted before reading, for execution or otherwise. Obfuscation thus means altering all programmer-defined identifiers to
meaningless and maybe hard to read, and maybe removing all non-essential
whitespace and comment. Code can be compressed for transmission and if every browser can
decompress it that's irrelevant for security. If code is worth encrypting, one can take other steps to protect it,
such as not letting everyone get it in the first place. OTOH, if the page has
<script>SomeString="<ROT-13 material>"</script>
<script>exec(X(SomeString))</script> ISTM that one can use ROT-13 to obfuscate all letters, X being a ROT-13
function (though ROT-13 itself would be a remarkably poor choice; if the
Unicode of the string is ROT-Xed for a suitable X, the character set a-z
can be ROTted into Arabic).
-- © John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00IE 4 ©
<URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.

-----------------------------------------

yes, obfuscation and compressing of code is just we need.
If we talk about encryption, it is also very necessary thing, but it
must a) does not affect on code execution speed, and b) encryption
symbols used must be fully recognizable by web browsers.
I heard there is the good encryption program, which excels windows
script encoder, encrypt html code and javascripts -HTML Guardian
http://www.protware.com
http://www.protware.com/dl/HTMLGuardian.exe

and whats about Javascript Obfuscator V.2.22 ?

http://www.javascript-source.com/jsosetup.exe

Mistral

mistral wrote:

[snip]

yes, obfuscation and compressing of code is just we need.
If we talk about encryption, it is also very necessary thing, but it
must a) does not affect on code execution speed, and b) encryption
symbols used must be fully recognizable by web browsers.
I heard there is the good encryption program, which excels windows
script encoder, encrypt html code and javascripts -HTML Guardian
http://www.protware.com
http://www.protware.com/dl/HTMLGuardian.exe

and whats about Javascript Obfuscator V.2.22 ?

http://www.javascript-source.com/jsosetup.exe

Mistral

You will probably find that the majority of people visiting this
newsgroup do not use obfuscators and disapprove of their use, so you
may not find anyone who has any experience of the programs you refer to
in a live commercial environment. If you search this newsgroup you
will find a large number of posts on this issue.

I agree with this view.

Nevertheless, in my experience (having once dabbled on the dark side)
most obfuscators offer line and comment removal, and a degree of
variable name replacement, which is your basic requirement, and I would
imagine there is little difference between the products on the market
in this respect. More advance features, capable of dealing with Object
Oriented JavaScript programming and property names, will be harder to
come by.

Ultimately Google throws up many different obfuscators, free or priced.
If it is that important to your business, then you should perhaps
consider spending some time and money trialling each of these products,
and reaching your own conclusions. If your code is special enough to be
worth protecting, then you must be a skilled programmer and have some
financial backing, and so be capable of affording these products and
evaluating the results.

As others have noted, and you no doubt appreciate, obfuscators offer
protection (if any) only against the casual inexperienced programmer.
Anyone who was genuinely interested in discovering your code would also
have the skills to be able to see through the obfuscation relatively
easily.

Encryption it would appear is IMHO not possible at all, as the browser
needs some way to decrypt the code, which must be supplied along with
the page itself, thereby defeating the object.

Other efforts at code hiding I have encountered, included
- a series of nested "escapes". Again, a few minutes was all that was
needed to get round this
- a series of separate programmatic script downloads (using
document.write, or document.createElement("script")) from the server.
The HTTPRequest object soon beat those.

Whatever protection you choose, a user visiting a page with obfuscated
or encrypted code may of course be inclined to distrust the site.

The alternative is to keep any important processing confined to the
server.

Julian Turner

"Julian Turner" <ju*******@googlemail.com> writes:

As others have noted, and you no doubt appreciate, obfuscators offer
protection (if any) only against the casual inexperienced programmer.
Anyone who was genuinely interested in discovering your code would also
have the skills to be able to see through the obfuscation relatively
easily.
That is the truth. Protecting HTML is meaningless when a bookmarklet
like the following will show you the source as the browser sees it:

javascript:(function(i){return ("<code><ol><li>"+(document.compatMode=="CSS1Compa t"?document.documentElement:document.body).outerHT ML.replace(/(<script.*?>).*?(<\/script>)/ig,function(m,b,a){return b+document.scripts[i++].text+a;}).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/\n/g,"</li><li>").replace(/ /g,"&nbsp;")+"</ol></code>");})(0)

(made for myself for Opera, probably works in other browsers too).

Protecting scripts might fare better, since there isn't necessarily
any way to reach the runtime code of a script. You'll have to be
an accomplished Javascript programmer to foil obscuring like
that from protware.com. But if you are, it collapses easily, using
only simple available tools. One has to consider what the threat
is that is being protected against, and anyone not capable of
defeating a simple obscurement won't know what to do with the
result anyway.
Whatever protection you choose, a user visiting a page with obfuscated
or encrypted code may of course be inclined to distrust the site.

A serious problem is that a protected page requires Javascript to work
at all. There is no gracefull degradation possible for non-JS-enabled
users.

Remember, web pages in raw HTML starts at 100% accessiblity. All you
can do is subtract from that.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

JRS: In article <Xn********************@194.109.133.242>, dated Fri, 30
Jun 2006 07:44:02 remote, seen in news:comp.lang.javascript, Evertjan.
<ex**************@interxnl.net> posted :

Dr John Stockton wrote on 29 jun 2006 in comp.lang.javascript: I think publicizing a useful algoritm is not in the interest of the OP.
Since the OP ignores accepted Usenet and newsgroup convention, I don't
really care about his interest.
I could imagine combining ROT13 with +13-1, +13-2, +13-3, +13-1, ...
depending on it's place in the string. This would end the ROT13
algorithm's nice reversability. Or perhaps also encript the non-
alfanumerics?
There are other self-reversing algorithms. Javascript as transmitted
needs only characters 32-126, call that 127, so 96 characters; ROT-48 of
the lot, leaving control characters unchanged, produces something that
looks fearsome, but reversal should be easy.

btw, John, what do you think of using such fancy

<script type='text/myText' id='S'>
My 'Text'
<is> "here"
</script>

...
var t = document.getElementById('S').text;
to get a long string into a javascript litteral without having to bother
about escaping quotes and returns?

Would it stand serious cross-brower scrutiny?

You should not be asking me; it does not work as is in my IE4. But it
works if getElementById is implemented with document.all.
--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk Turnpike v4.00 IE 4 ©
<URL:http://www.jibbering.com/faq/>? JL/RC: FAQ of news:comp.lang.javascript
<URL:http://www.merlyn.demon.co.uk/js-index.htm> jscr maths, dates, sources.
<URL:http://www.merlyn.demon.co.uk/> TP/BP/Delphi/jscr/&c, FAQ items, links.