Saturday, August 29, 2009

Obfuscated Code

When source code in programming language is transform to human unreadable form then it is known as Obfuscated Code.  The software that performs obfuscation on code are called as obfuscators.
Obfuscation on the source code can be used for good purpose as well as for bad purpose. Programmers can obfuscate there code to conceal its purpose, to avoid theft of there code. This is also known as security through obscurity. On other hand, attackers can use obfuscator to hide malicious program. 
The code written in languages which can be obfuscated  includes but not limited to are C, C++, Perl, JavaScript, etc.
Obfuscation by code morphing  refers to obfuscating machine language code or object code rather than obfuscating the source code.

Obfuscated code makes it difficult to reverse engineer the code, but it is not impossible to reverse engineer the obfuscated code.  Obfuscated code makes it difficult to debug, because the variable names no longer make sense, and the structure of code is hard to recognize.

In this post I will mainly focus on the JavaScript Obfuscators, techniques used for JavaScript Obfuscation, and JavaScript Obfuscation used in malicious software.

Obfuscated JavaScript code is mostly used by spammers in spam messages.   The obfuscation makes it difficult for investigators to identify what exactly the JavaScript code does? or where the link goes?. Attackers used JavaScript Obfuscation to conceal an entire or some part of code that runs browser exploit. 

The good news about JavaScript source code obfuscation techniques  is, they are limited to number of techniques (de-obfuscation) supported by Web browser. However the bad news is, it is not limited to number of levels of obfuscation on source code.   


  1. Can you put some sample examples and different techniques use for Javascript Obfuscation.

  2. Yeah. That would be better