WangLiwen

Two top-level JavaScript obfuscation tools: JScrambler and JShaman

JavaScript obfuscation has been widely used for security purposes in JavaScript code. In this field, there are both free utilities and professional, commercial-grade products. The commercial products are generally superior to the free utilities in terms of the strength of their features, level of protection, stability, and other aspects.

This article will evaluate two professional, commercial JavaScript obfuscation tools from multiple perspectives. These tools are JScrambler from Portugal and JShaman from China, both of which are well-known industry products and considered top-tier JavaScript obfuscation tools.
Note: JShaman is available in both Chinese and English versions, but the evaluation in this article focuses on the English version.

Product Form

Both are web-based platforms that can be accessed and used directly in the browser.

Interface

Both have Web API interfaces that can be called from languages such as JavaScript, Python, Java, and C#, so they can be integrated into one's own products.

Ease of operation

JScrambler is more complex to use and requires registering for an account and logging into the backend before use. JShaman, however, is much more convenient as it requires no registration and can be used directly.

Free trial

Both products offer limited free trials. JScrambler provides obfuscated code with usage time restrictions, while JShaman has a limit on the volume of JavaScript code that can be used during the trial period.

Functional options

JScrambler and JShaman each offer more than 20 obfuscation features, such as numeric encryption, control flow flattening, JSON encryption, variable name obfuscation, regular expression encryption, and string encryption. Because the number of obfuscation options is similar, the protection strength of the two products should be similar.

In terms of explaining each feature, JShaman uses example code to demonstrate, while JScrambler provides textual descriptions. For users who are not familiar with obfuscation techniques, JShaman's example code approach is more intuitive and lets users see the protective effect each feature will have on their code once enabled. JScrambler's textual descriptions, by contrast, are more abstract.

Some options in JScrambler allow advanced configurations, such as variable name obfuscation, where specific variable name patterns can be set. However, JShaman does not provide such fine-tuned options.

Obfuscation effectiveness

As mentioned earlier, many of the feature options are similar between JScrambler and JShaman, but there are also differences. Additionally, it is likely that the respective algorithms for the same feature are different. Therefore, the obfuscation results for the same JavaScript code will naturally be different. In both cases the obfuscated code looks sufficiently complex, and it can be copied and downloaded.

Reporting

The reporting function is used to display the operations performed during obfuscation, allowing the operator to clearly understand which aspects of the code have been enhanced and protected by the obfuscation operations.

JShaman's reporting is concise and straightforward, displayed immediately after obfuscation is completed. JScrambler's reporting can be viewed from historical operation records and displays more detailed information.

Both will display the number of nodes modified during each obfuscation operation (Note: during obfuscation, JavaScript is converted to an AST [Abstract Syntax Tree], modified, and then converted back to code, so the number of modified nodes in the AST is displayed).

JScrambler displays how much the code has increased during each operation, while JShaman displays how many nodes were in the code before obfuscation and how many nodes there are after obfuscation. The methods are different, but the meaning is the same.
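
To make the node counts in these reports concrete, here is an added example (not code from JScrambler or JShaman) that runs two simplified passes over a hand-constructed ESTree-style AST and reports nodes before, nodes after, and nodes modified. The helper names, the `_0x` naming scheme and the XOR key are assumptions chosen for illustration.

```javascript
// Added illustration, not JScrambler's or JShaman's code. Constructed
// ESTree-style AST for:  var limit = 10; check(limit + 5);
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const bin = (operator, left, right) => ({ type: "BinaryExpression", operator, left, right });
const sampleAst = { type: "Program", body: [
  { type: "VariableDeclaration", kind: "var",
    declarations: [{ type: "VariableDeclarator", id: id("limit"), init: lit(10) }] },
  { type: "ExpressionStatement", expression: { type: "CallExpression",
    callee: id("check"), arguments: [bin("+", id("limit"), lit(5))] } }] };
const isNode = (v) => Boolean(v) && typeof v === "object" && typeof v.type === "string";
// Rebuild the tree bottom-up; `visit` may return a replacement for each node.
function mapAst(node, visit) {
  const walk = (v) => (isNode(v) ? mapAst(v, visit) : v);
  const copy = {};
  for (const [k, v] of Object.entries(node)) copy[k] = Array.isArray(v) ? v.map(walk) : walk(v);
  return visit(copy);
}
const countNodes = (ast) => { let t = 0; mapAst(ast, (n) => (t++, n)); return t; };
// Hypothetical passes: rename locally declared variables, and hide integer
// literals behind an XOR expression. Every replaced node counts as modified.
function obfuscate(ast, key = 0x5a) {
  const locals = new Map();
  mapAst(ast, (n) => {
    if (n.type === "VariableDeclarator") locals.set(n.id.name, "_0x" + locals.size.toString(16));
    return n;
  });
  let modified = 0;
  const out = mapAst(ast, (n) => {
    const rename = n.type === "Identifier" && locals.has(n.name);
    // Only 32-bit integers survive an XOR round trip, so leave other values alone.
    const hide = n.type === "Literal" && (n.value | 0) === n.value;
    if (rename || hide) modified += 1;
    if (rename) return id(locals.get(n.name));
    return hide ? bin("^", lit(n.value ^ key), lit(key)) : n;
  });
  return { ast: out, report: { before: countNodes(ast), after: countNodes(out), modified } };
}
// Minimal code generator covering only the node types used above.
const emit = {
  Program: (n) => n.body.map(generate).join(" "),
  VariableDeclaration: (n) => `${n.kind} ${n.declarations.map(generate).join(", ")};`,
  VariableDeclarator: (n) => `${generate(n.id)} = ${generate(n.init)}`,
  ExpressionStatement: (n) => `${generate(n.expression)};`,
  CallExpression: (n) => `${generate(n.callee)}(${n.arguments.map(generate).join(", ")})`,
  BinaryExpression: (n) => `(${generate(n.left)} ${n.operator} ${generate(n.right)})`,
  Identifier: (n) => n.name,
  Literal: (n) => JSON.stringify(n.value),
};
const generate = (n) => emit[n.type](n);
```

Calling `obfuscate(sampleAst)` and passing the returned `ast` to `generate` gives the rewritten source, while `report` holds the three counts. The global `check` is deliberately left unrenamed, because renaming a name the script does not declare would break the call.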

Conclusion

Both JScrambler and JShaman have similar functions and their obfuscation effectiveness is close, making them powerful and professional JavaScript obfuscation tools.
The intuitive differences mainly lie in three aspects: UI, operation, and reporting.
JScrambler is more delicate and complex, with a stronger commercial flavor.
JShaman has a beautiful interface, simple operation, and is easy to use.