Experience with Jscrambler – Part I

As mentioned in the last post we have decided to use Jscrambler to protect and optimise our JavaScript Code.
After posting it was discussed busily about this issue whether it is the “right” way to secure your property, because everything can be “deobfuscated”.
Others mentioned that this may endanger the “open internet”.

Well we have our opinion about this:
We’ve been working on our project for more than two years now. We simply do not want to see a stolen version of our game somewhere on a foreign site, this is something we’ve experienced too often in the last years.
We can not really prohibit this, but we can make it a lot harder, not more not less!

Overview of the Protection-Options in Jscrambler

In a first attempt we’ve checked the possibilities in Jscrambler, which are enormous.
For your info: we are going with the professional version, because we need Html5 compliance and also self-protecting features, to prevent
players from cheating through the debugger!

After uploading our file(s) we can choose from a lot of settings in the “Advanced Users” tab, which offers you a lot of settings:

Capture

Of course we choose HTML5 Compatibility mode first.
This means: Jscrambler protects and optimizes your HTML5 and Web Gaming applications by targeting the new HTML5 features.

Here from the Jscrambler-Blog:

How can I reach the maximum level of protection?

Our maximum level of protection is available both on our Professional and Ultimate plans. If you are doing something with HTML5, you’d be interested to know that we support protecting it, including Canvas code. These plans include also the Self-defending transformation, which is a combination of anti-tampering and anti-debugging. With the former, your code will be able to detect changes and break down intentionally, and the latter causes your code to break if debugging activities (e.g. popping up the Chrome Dev Console) are detected.

Regarding what protection to use, default templates such as “Obfuscation”, “Domain Lock” or “Self-defending” are solid, working out-of-the-box options to get your code protected. Further protecting your code works best if you have good knowledge of the original code. Are you trying to hide an algorithm? Prevent tampering? Hiding secrets? Depending on your answers, different transformations might be useful. With premium accounts you can go to the Advanced Users tab and select the transformations individually that work best for your code.

 

Most of the protection-options are self-describing, but some need more info.
I’ll show up the descriptions from Jsrambler for the most interesting protection-features:

Dot notation


Description:
Transforms dot notation into array subscript notation.

Example:

source code:
navigator.plugins.length
transformed code:
var a = navigator, b = 'plugins', c = 'length'; a[b][c];

Literal hooking


Description:
Replaces literals for a random number of ternary operators

Example:

source code:
for(i=0; i<length; i++) {
 //code
 }
transformed code:
for(i=((90.0E1,0x5A)<=(0x158,140.70E1)?(.28,3.45E2,0):(95.30E1,26.40E1)<=1.400E2?(1,this):(108.,0x227));i<length;i++) {
 //code
 }

Domain lock


Description:
Lock down a JavaScript so it only works for a list of domains you specify. Good for demos and to enforce license agreements.

Input example:

// only mywebsite.com is allowed
mywebsite.com

// only mywebsite.com and www.mywebsite.com are permitted
mywebsite.com;www.mywebsite.com;

// mywebsite.com and all its sub-domains are permitted
*.mywebsite.com

// All IP addresses on 192.168 network are permitted
192.168.*

Self-defending


Obfuscates functions and objects concealing their logic and thwarting attempts of code tampering by using anti-tampering and anti-debugging techniques.
Attempts to tamper the code will break its functionality and using JavaScript debuggers will trigger defenses to thwart analysis.

Ähhhm – this sounds interesting, but I have absolutely no idea how this could work?
Hopefully I can find out something about this, stay tuned…

 

Expiration date


Description:
Set your JavaScript to expire on a specific date. This is a good way to enforce license agreements. Can also be used to deliver demos with a time to live.

In the next post we’ll show you what had happened with our code at the first attempt, so stay tuned!

thanks Wolfgang!

Author admin
Published
Categories Allgemein
Views 1963

Comments

Leave a Reply

No Comments ;(