On Apr 29, 2013, at 2:35 PM, Ricardo Quesada <[email protected]> wrote:
> What we want to do is to "protect" the JavaScript source code.
>
> Currently we are using JS_EncodeScript / JS_DecodeScript to protect it. So,
> instead of shipping the JS files, we are shipping the "encoded scripts"
> instead.
>
> The question is: is it possible to obtain the original JS file from the
> encoded script ?
1. In the SpiderMonkey source code it looks like
JS_EncodeScript
calls XDRState<XDR_ENCODE>::codeScript()
calls js::XDRScript<XDR_ENCODE>()
calls ScriptSource::performXDR()
which looks like it stores a compressed copy of the full source code in the
encoded script.
So, yes, I think it is recoverable.
You can of course hack the copy of SpiderMonkey you use for encoding so as not
to include source code. Then you would run into the second problem...
2. This is a lot like shipping JVM bytecode, which is considered easy to
reverse-engineer. The main difference is that the JVM bytecode format is
extremely well-known and even documented. There are even tools that decompile
it. The only documentation for our bytecode is the SpiderMonkey source. A good
enough engineer could decipher it, though. We once had a full decompiler built
into SpiderMonkey! Parts of it remain (js::DecompileValueGenerator).
> If so, what "protection" methods do you recommend ?
There's no totally secure protection, but you're probably better off trying to
obfuscate the source JS before compiling it.
http://stackoverflow.com/questions/194397/how-can-i-obfuscate-javascript
The answers there are pessimistic, which is appropriate. But if you're just
trying to increase the cost of reverse-engineering your code, even for experts,
by a factor of say 5 or 10, I think that's achievable.
-j
_______________________________________________
dev-tech-js-engine-internals mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
