JavaScript is a popular and powerful programming language that is supported by most modern web browsers. It’s used for a variety of tasks from authenticating users to monetizing websites. It’s not just a pretty wrapper around HTML and CSS, it’s essential for modern web programming.
What is De-Obfuscation?
De-obfuscation is the process of removing or removing the obfuscation features from a program. Oftentimes, this is done to audit a code base to make sure it’s properly licensed and in compliance with best-practices. But it can also be done to analyze a code base to identify duplicate code and encourage future improvements.
Typically, the goal of de-obfuscation is to remove all the extra information that may have been added by the original author without their knowledge.
The Importance of De-Obfuscation
When a developer writes code, they usually don’t know where it’ll be used. For example, a checkout flow in a web application may use a lot of variable names and expressions that are unique to that application. But the author might not know that the checkout algorithm will lead to different results on different websites.
/ Example obfuscated code
const _0x38a2db = ['\x54\x6f\x74a\x6c', '\x6c\x6f\x67', '\x3a\x20'];
const _0x9b58d9 = function(_0x39ddb7) {
return _0x38a2db[_0x39ddb7 + (-0x6d5 + 0x58 + 0x11 * 0x62)];
}, _0x498b9b = function(_0x48d808, _0x14da1e) {
return _0x9b58d9(_0x48d808);
}, _0x34c7bc = function(_0x16af1d, _0x27a29e) {
return _0x498b9b(_0x16af1d);
}, _0x23a1 = _0x34c7bc;
let total = 0x2 * 0x109e + -0xc * -0x16a + -0x3234;
for (let i = 0x1196 + 0x97b * 0x3 + -0x2e07; i < -0x95 * -0x38 + -0x1a75 + -0x619; i++) {
total += i;
}
console[_0x34c7bc(-(0x1e7c + -0x1 * -0x1367 + 0x2ef * -0x11))](_0x498b9b(-(0x1020 + 0x253 + 0x7 * -0x2a2)) + _0x23a1(-(0x12c5 + -0x1887 + -0x1 * -0x5c5)) + total);
That’s where de-obfuscation comes into play. By removing the variable names and expressions from the source code, the developer prevents others from accidentally introducing those variables into their code.
deobfuscated javascript code
let total = 0;
for (let i = 0; i < 10; i++) {
total += i;
}
console.log("Total: " + total);
Why De-Obfuscation is Important
When you spend time in a codebase, you’re using that code as your guide. It might be a novel idea in one organization, but in another, it might be considered old hat. In either case, the code should be treated as if it were written by someone else. After all, it is!
When you work in a team, it’s essential to write clean code. If someone else has to mess with your code, you want that person to be as gentle with it as possible. That way, you can continue to make improvements and new features without having to reverse engineer the entire server!
When you don’t know where your code will be used, it’s much easier to make changes that follow best-practices and local precedent. When you know where your code will be used, you can more easily aim for maintainership and avoid common pitfalls such as naming conflicts, typos, and inconsistencies.
Defeating De-Obfuscation
You may have success in removing the obfuscation features from your code base, but what happens if someone else wants to read it and understand it better? Let’s say you submit your code to a code review service. The code is marked as stable and ready for review. But then you realize that a colleague has a different idea of what your code should look like. What should you do?
You might want to reverse-engineer your code to find the parts of it that your colleague removed. But that’s a huge mistake! You should definitely not reveal your code’s internal structure in order to keep your colleague from accidentally revealing information you didn’t want them to see.
Instead, you should simply contact the colleague and let them know what was removed and why. This simple action can go a long way in re-obfuscating your code. And it can also prevent future misunderstandings.
Top comments (0)