Obfuscator (6.2.4)

AppStudio 6.2.4 has a new Obfuscation feature. It’s in option in Project Properties to turn your deployed code into absolute gibberish. You won’t be able to read it - nor will almost anyone else:

It has 4 levels:

• js-obfuscator-low: Low obfuscation, High performance. Performance will slightly slower than without obfuscation
• js-obfuscator-medium: Medium obfuscation, optimal performance. Performance will 30-35% slower than without obfuscation
• js-obfuscator-high: High obfuscation, low performance. Performance will 50-100% slower than without obfuscation
• js-obfuscator-custom: Design your own settings in the obfuscatorSettings property.

Early tests show that low works for most apps, but medium and high have problems with some. Test carefully before releasing!

Use this thread to share your experiences and what you learn. It’s a fairly new library which is being enhanced quickly, so let’s report issues to the GitHub repository.

I’ll start the ball rolling. For my App the JSMin works OK, but any attempt to use any level of the Javascript versions results in the app freezing on startup and the debugger shows:

VM6593:1 Uncaught ReferenceError: W0 is not defined(…)

If I pull that line up it simply reads 1: w0 which is obviously not part of my code.

I await other users experience with interest.

I’ll admit I was very skeptical about the obfuscator, but I tried it and was really pleasantly surprised.

A few comments:

1. The first thing I noticed is that the minute I opened the Chrome Developer Tools, the program paused in Debugger and I could not restart it except by closing the Developer Tools.

Each time I tried to close the debugger (clicking on the blue ‘Run’ icon), a new instance of the debugger opened:

Trying the same procedure with non-obfuscated code worked as expected - the debugger did not trigger unless called.

2. The obfuscator does an excellent job at hiding the program flow, but does not hide variable and function names which are usually descriptive of their use. For example, a list of variables being initiated in the obfuscated code:
   

My previous method of obfuscation was to run the .nsx file through a routine that substitutes a 3 character code for every variable, object ID, and function name. Like this:

So I ran my routine and then compiled again using the new obfuscator. That list of variables became:

and a function went from
to

3. The other method I use to hide code is the substitution of an upper case 2 letter code for long statements or Ajax calls:
   

These substitutions are stored in a .js file which is included in extra headers. I was concerned that this method would be disrupted.

The .nsx code reads:

and the new obfuscated code reads:

4. Given these concerns, I was skeptical. However running the program (using js-obfuscator-high) I instantly noticed an increase in speed! And so far I have not encountered any problems with the code. So now I am using the combination of all three methods, and my conclusion is:
   I LOVE IT!

Helen.sandoz,

For your point 1, one of the options is debugProtection. "Can freeze your browser if you open the Developer Tools.

This option makes it almost impossible to use the console tab of the Developer Tools (both on WebKit-based and Mozilla Firefox).

WebKit-based: blocks the site window, but you still can navigate through Developer Tools panel.
Firefox: does not block the site window, but still won’t let you use DevTools."

If you want to turn that off, use js-obfuscator-custom.

2-3. There is also a mangle option. It enables mangling of variable names.

alan,

My hunch is that there is something in your code which messes up js-obfuscator. It would be great if you could isolate it by slicing your app to the minimum which creates the issue. We can then send it to the developer of the library to have a look at.

I’m sure you are right, but this app has been under development for years and I am first to admit I have not followed professional programming procedures. As such it is now a very complicated jigsaw and slicing it up is really a non-starter.

OK, let’s keep collecting data on this.

Another thing to try would be using js-obfuscator-custom and turning options off until it works.

Hi, i’m creator of obfuscator. For any problems please create the issue in obfuscator repository. I’ll answer on all posts here during this day

Mangle option available only in 0.10.0 version which currently under beta status.

Obfuscator will not rename any global variable or function names and any variables/functions without declaration, because they possible can be global.

Without mangle option obfuscator will generate variable names like ‘0xa4f0bac’. With mangle option this names will additionally mangled to one symbol names, like ‘a’.

About debugger - yes, debug protection enables debugger in loop if dev tools console is visible.

About domain lock option - with this option runtime error will thrown if code runs on wrong domain. It’s correct behaviour to make inspecting of the code more harder.

Hi Sanex,

Thank you for joining the discussion!

Let me know if you would like a complementary copy of AppStudio.

George Henne
NS BASIC Corporation
http://www.nsbasic.com

I find that obfuscation does absolutely nothing so I assume I am doing something wrong…
I set obfuscation to high or to low and I am wondering where I am supposed to see the effect.
The code.js file deployed to my server is plain text as always. There is not problem viewing in the Chrome inspector.
Is there another setting that I need to set in order for it to work?

Thanks
JamesF

Hi, obfuscator transforms your source code in many various ways, check examples in repository (first link in this topic).
After chain of transformations your code will be unreadable (depends on obfuscation level)

In Project Properties, there is an option to set the level of obfuscation.
Then there is a Property call obfuscatorSettings. These do not change, no matter what level of obfuscation I select. And most are set to ‘false’.
Am I supposed to set these myself or are they supposed to be ‘pre-sets’ for the level I choose? Because they are all the same even when I choose a level of "None’.
The only level that has any effect is when I set it to JSMin. Then the code.js text is simply compacted, which I assume to be correct.
Other than that, no code gets transformed.

Medium and High obfuscation presets should enable additional transformations of the code, like RC4 string encoding or Control Flow Flattening. You can see option presets here, and i thinking that AppStudio presets is matching presets under following link.

The presets are all the same.
As I said, it does not work.

Hi James,

If you check out the first posting in this thread, you see what obfuscatorSettings is for. (Hint: It’s for js-obfuscator-custom).

Can you try a sample app like HelloWorld? Let’s see if that changes the code in code.js for you.

George Henne
NS BASIC Corporation
http://www.nsbasic.com

Here is the code.js file with a setting of ‘high’:

Button1.onclick = function() {
NSB.MsgBox("Thanks for clicking!");
};

Here is JSMin:
Button1.onclick=function(){NSB.MsgBox("Thanks for clicking!");};

And here is None:
Button1.onclick = function() {
NSB.MsgBox("Thanks for clicking!");
};

Definitely not obfuscated!

Can you go to the About screen and do View Log? Let’s see if there is anything there.

What OS are you using?

George Henne
NS BASIC Corporation
http://www.nsbasic.com

Here is the log, George:
2017-04-25 08:34:16,617 - main - ERROR - * Python OpenSSL NOT LOADED!
Traceback (most recent call last):
File “”, line 165, in OnInit
File “c:\python27\Lib\site-packages\PyInstaller\loader\pyi_importers.py”, line 270, in load_module
File “C:\Files\nsbx\Setup\build\AppStudio\out00-PYZ.pyz\OpenSSL”, line 8, in
File “c:\python27\Lib\site-packages\PyInstaller\loader\pyi_importers.py”, line 270, in load_module
File “C:\Files\nsbx\Setup\build\AppStudio\out00-PYZ.pyz\OpenSSL.SSL”, line 10, in
ImportError: cannot import name int2byte

I am running this on Win7 Pro SP1 64-bit

Thanks
James

That’s a normal message, nothing to do with this issue. There is also an Open Log Folder option. Can you send me the latest file there?