Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Can JS_EncodeScript be used to protect the source code ?
189 views
Skip to first unread message
Ricardo Quesada
Apr 29, 2013, 3:35:38 PM4/29/13
to
Hi,
We are using JS / SpiderMonkey VM / C++ to ship games for mobile devices (ios/android).
What we want to do is to "protect" the JavaScript source code.
Currently we are using JS_EncodeScript / JS_DecodeScript to protect it. So, instead of shipping the JS files, we are shipping the "encoded scripts" instead.
The question is: is it possible to obtain the original JS file from the encoded script ?
If so, what "protection" methods do you recommend ?
Thanks,
We are using JS / SpiderMonkey VM / C++ to ship games for mobile devices (ios/android).
What we want to do is to "protect" the JavaScript source code.
Currently we are using JS_EncodeScript / JS_DecodeScript to protect it. So, instead of shipping the JS files, we are shipping the "encoded scripts" instead.
The question is: is it possible to obtain the original JS file from the encoded script ?
If so, what "protection" methods do you recommend ?
Thanks,
Jason Orendorff
Apr 29, 2013, 4:35:11 PM4/29/13
to Ricardo Quesada, dev-tech-js-en...@lists.mozilla.org
On Apr 29, 2013, at 2:35 PM, Ricardo Quesada <ricardo...@gmail.com> wrote:
> What we want to do is to "protect" the JavaScript source code.
>
> Currently we are using JS_EncodeScript / JS_DecodeScript to protect it. So, instead of shipping the JS files, we are shipping the "encoded scripts" instead.
>
> The question is: is it possible to obtain the original JS file from the encoded script ?
1. In the SpiderMonkey source code it looks like
> What we want to do is to "protect" the JavaScript source code.
>
> Currently we are using JS_EncodeScript / JS_DecodeScript to protect it. So, instead of shipping the JS files, we are shipping the "encoded scripts" instead.
>
> The question is: is it possible to obtain the original JS file from the encoded script ?
JS_EncodeScript
calls XDRState<XDR_ENCODE>::codeScript()
calls js::XDRScript<XDR_ENCODE>()
calls ScriptSource::performXDR()
which looks like it stores a compressed copy of the full source code in the encoded script.
So, yes, I think it is recoverable.
You can of course hack the copy of SpiderMonkey you use for encoding so as not to include source code. Then you would run into the second problem...
2. This is a lot like shipping JVM bytecode, which is considered easy to reverse-engineer. The main difference is that the JVM bytecode format is extremely well-known and even documented. There are even tools that decompile it. The only documentation for our bytecode is the SpiderMonkey source. A good enough engineer could decipher it, though. We once had a full decompiler built into SpiderMonkey! Parts of it remain (js::DecompileValueGenerator).
> If so, what "protection" methods do you recommend ?
http://stackoverflow.com/questions/194397/how-can-i-obfuscate-javascript
The answers there are pessimistic, which is appropriate. But if you're just trying to increase the cost of reverse-engineering your code, even for experts, by a factor of say 5 or 10, I think that's achievable.
-j
Ricardo Quesada
Apr 29, 2013, 4:56:40 PM4/29/13
to Jason Orendorff, dev-tech-js-en...@lists.mozilla.org
> There's no totally secure protection, but you're probably better off
> trying to obfuscate the source JS before compiling it.
>
Thanks! That's what we are going to do. JS Obfuscation and then encoding
> trying to obfuscate the source JS before compiling it.
>
the script.
0 new messages