
announcement : free : *true* javascript obfuscation code in PHP - the end of var name leakage.

Discussion in 'JavaScript' started by seductiveapps.com, May 19, 2015.

  1. #1
    skip to the very end of this post to go straight to the sourcecode. the following is the story behind it, and my reasons for releasing an upgrade of another man's work..

    seductiveapps.com is largely unusable at the moment.. it's barely able to boot up, due to changes being made.
    May 18, 22:45 : The changes were successful, but some lingering bugs remain. Bugs best solved after a night's rest.
    May 19, 05:35 : eh friend of mine needs some help, dunno how much help yet... site may be offline a little bit longer..
    May 19, 07:36 : will be till late tonight at the earliest before the server is back up..
    May 19, 23:05 : can work on the site code tomorrow morning again. So what are the changes? True obfuscation of my javascripts folks. Obfuscation means i no longer put out the scripts used on the site to make it look pretty and do cool stuff as very-readable sourcecodes. I now "minimize" them (get rid of all the indenting and output the script as a single line of about 740kb), *and* replace all the variable names with small random strings (3 characters is about 15000 combinations using only uppercase and lowercase latin alphabet). And yes, there is a fairly long "whitelist" for variable names that fall outside my own sourcecodes, everything inside HTMLelement.style for instance; or the code just won't work anymore ofcourse.
    The reason for this is simple; copyright may be free but too limited if you output your actual sourcecodes, patents for software and business-methods (which is what user-interface-designs would often fall under) you can't get in Europe and are ridiculously expensive for the rest of the world..
    I've spent about 12 years working on this software people, 3 complete rewrites at least, debugging in the days browsers just didnt have any built-in debuggers, things like that. Makes sense to protect those years of building up high levels of patience with 3 or 4 days of more hard work.
    Software is a great industry to work in if you come from modest financial means and want to make it to wealth without the aid of clients, investors, and workers, like i do.
    Web-software, with most of the code in the browser-side languages, can provide a single platform for appwriters on all internet devices with a screen. That's useful and profitable, especially starting about 2 to 4 years from now when older standards-un-compliant devices reach the end of their lifecycle. Let alone in about 5 to 10 years when "everybody everywhere" is going to have 4K-HD screens and watch youtube and netflix in 4K-HD, and will want to upload their 4K-HD homevideos to youtube for distribution via social media and email and chatting.
    But web-based software did have 1 problem until I spent time extending functionality of a PHP-based (server-language) javascript obfuscator that i found a few years ago; you end up giving away the complete sourcecodes to anyone who visits your site. Coz we all know how standard obfuscators dont work with whitelists of variable names and just hand out all your variable names to the browser.. Plug in a source-beautifier after re-directing the de-obfuscation routine and you're laughing.. Well, so shall it be no longer with my software :D And yes, my obfuscator outputs a new set of random short variable names each. and. every. time. it's. used. :D

    I'll consider just releasing the upgrade of the obfuscator (phpJSO) that i built over the weekend. I've written to the author of it, who hasnt touched it since 2006 as far as i can tell, and the guy doesnt respond to emails either, and his site while still on the net shows nothing but some ads atm.

    This upgrade will help the little guy coding in javascript and webgl (needs different whitelist tho) and canvas (same thing there). I guess you could even obfuscate html extensions like angular-js things with it. And xml. It's all about what goes in your whitelist, which is just a PHP array of variable names and some PHP comments to make clear what set of variable names belong to what larger object outside your own sourcecode.

    So.. Since I wanna help the little guys out there (it's absurdly hard to move up through the economic-class ranks), I'm hereby releasing the upgraded phpJSO sourcecode. If the original author complains, i'd like to see him host my (finalized) upgrade on his own site, but i know i'll have to take my copy offline...

    http://seductiveapps.com/downloads/phpJSO-1.0.0.php.txt
     
    Last edited: May 19, 2015
    seductiveapps.com, May 19, 2015 IP
  2. seductiveapps.com

    seductiveapps.com Active Member

    Messages:
    200
    Likes Received:
    6
    Best Answers:
    0
    Trophy Points:
    60
    #2
    execsum + download link : see http://seductiveapps.com/tools/webappObfuscator (and a link to its homepage _without_ the 10 to 15MB of pretty artwork for my site, is at http://seductiveapps.com/webappObfuscator )

    Also available at https://github.com/seductiveapps/webappObfuscator (might receive less frequent updates).


    -all times listed below here are in the CET timezone-

    2015 May 20, 22:08 :
    Ok so i'm not yet obfuscating javascripts loaded in HTML (outside [head]), nor the keys in the JSON databases loaded up.. That'll change tonight or tomorrow :) A translation table can be saved in JSON, databases and content pages can be pushed through a centralized obfuscation script and that script's output can be cached again :)

    2015 May 28, 05:00 :
    I may finally have the time soon (within the next few days) to start work on the major upgrade for phpJSO - obfuscation of all browser languages for a web software project. The reason for the delay is simple; i needed this javascript-only obfuscator phpJSO to properly work for my http://seductiveapps.com first, and that site needed some more efficiency upgrades as well. I thank the "hawks" at the digitalpoint.com tech forums for pointing out last November or something that my site was a slow mess - this motivated me to actually fix that and I do like the results. (I also took a 5 to 6 month break halfway through the fixes, that's why it took this long).
    The new component will be called webappObfuscator, it'll be a PHP class code structure that reads in most or all of its configuration via JSON files, i *might* be able to build some kinda progressbar and activity reporting for its activities ("make it pretty"), and it's likely to take up one to six months to build and test against my seductiveapps.com sources.
    The license for it will be
    "completely free to use, also for commercial applications, no warranties of any kind (as usual), and modifications and re-distributions of modifications ('forks') are allowed too - although you're encouraged to feed the fork back to me at . And this readme-for-webappObfuscator-vX.Y.Z.txt is to remain intact and distributed as a file in the root of any forks you might make"..
    I'll be especially interested in seeing sharebacks of canvas and webgl whitelist config files, which i want to include in the distribution zip. I'll handle most or all of the HTML5+, CSS2+ and Javascript whitelist configging myself, plus the javascript interface between canvas and javascript/HTML5.

    Since hosting a component like this on my own site would tie up the server CPU way too much *and* be suspicious ("is he saving the sources i feed him to obfuscate??"), there will be no online app (on my server) for this, it'll be a PHP-software-download only on my site, and a homepage for the thing at http://seductiveapps.com/tools/webappObfuscator (and a link to its homepage _without_ the 10 to 15MB of pretty artwork for my site at http://seductiveapps.com/webappObfuscator )
    It'll be easier to use than the current version (phpJSO-1.0.4), for sure. It'll include a tutorial on how to get it running, and arrange things like retaining access (via a "password" on the URL as $_GET parameters) to your full sources, and any number of sequences of alert() statements for your code so you won't have to buy tons of hardware to test your web software against the latest smartphones. Know what, i'll throw in a simple-yet-pretty javascript component that acts as a console.log() and console.trace() display - but dont expect anything as fancy as http://seductiveapps.com/tools/json (my pretty JSON viewer - i am not eager to give up the sources for that component just yet)

    Since this component will be based on phpJSO-1.04, i can and will release regular updates along the development path of webappObfuscator, the first probably within a few days or about 2 weeks from now at the latest (if i don't get any unpleasant surprises on my end)..
     
    seductiveapps.com, May 27, 2015 IP
  3. seductiveapps.com

    seductiveapps.com Active Member

    #3
    Made a preview release of the sourcecodes for webappObfuscator, see http://seductiveapps.com/webappObfuscator - it doesnt actually do any obfuscation yet for you, but the code to do obfuscation is nearly ready.. The demosite used for the obfuscation demo *is* ready, and you can use it to learn how to create a proper web-2.0 site.. I'm taking the rest of the day off.
     
    seductiveapps.com, Jun 21, 2015 IP
  4. seductiveapps.com

    seductiveapps.com Active Member

    #4
    See http://seductiveapps.com/webappObfuscator

    2015 June 21, 18:14 CET : current release : webappObfuscator-20150621_1814CET.zip.
    YET TO BE UPDATED : Also available at https://github.com/seductiveapps/webappObfuscator (might receive less frequent updates).

    2015 June 21, 18:14 :
    I decided to make the obfuscator itself run-able, as promised, but also found that I had leaked access to my own full sources for my own closed-source seductiveapps.com framework in the first release of today..
    I'd like to remind you of my very very firm copyright notice, to be found in the page sources for http://seductiveapps.com
    Please show the decency and sanity to delete any of my "seductiveapps/com_pw-ldkjf07a/*.*" files that you may have downloaded.
     
    seductiveapps.com, Jun 21, 2015 IP
  5. seductiveapps.com

    seductiveapps.com Active Member

    #5
    2015 June 29, 09:14 CET : current release : webappObfuscator-20150629_0914CET.zip.
    Status : better, but still non-functional.

    YET TO BE UPDATED : Also available at https://github.com/seductiveapps/webappObfuscator (might receive less frequent updates).

    2015 June 29, 09:14 CET :
    Making good progress, the thing is now able to parse html-within-javascript and javascript-within-html to any level deep.. Well, needs more work before that actually works, but the codestructure for it is there now.
     
    seductiveapps.com, Jun 29, 2015 IP
  6. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #6
    Some advice:

    1) It might be nice if your demo didn't require php to function since this is a scripting page. A static .html showing it working would be far more likely to have people bother testing it since not everyone is willing to set up a local server or sandbox to see it run. (and anyone with brains will run it sandboxed -- now I'm not saying don't blindly trust other people's PHP... no, that's exactly what I'm saying).

    2) I'd also suggest trimming down the demo so people can see JUST the process -- you've got it spread out over so many files and so many directories it's hard to make sense of it. A demo where you type in the unobfuscated source, hit "convert" and see the obfuscated version, AND reverses the process would really help clarify what it's doing and how.

    3) 'Tis scripting with the source, that means you could just as easily modify it to output the result anyways, defeating the point of obfuscation. I've never seen a JavaScript obfuscator that actually WORKED; it's one of the flaws with client side languages in the first place is you HAVE to send how it works to the visitor.

    4) If it runs, you can see it. Document inspectors and some developer toolbars slap aside any pretense of scripting protection your project tries to offer. (I fought this fight myself a decade ago)

    5) a massive token file and extra handshakes for multiple JSON isn't exactly an improvement -- if you could get that down to a single file it might actually prove more useful since "handshakes are the enemy".

    6) even MORE useful would be it provided code reduction instead of enlargement.

    Hmm... have you considered perhaps storing the 'obfuscated' code as raw uint8array data? It wouldn't be compatible with older browsers, but it would provide a much more efficient token system.

    I've actually been playing with making a compression scheme for transferring data via JS that uses five bit data with control codes -- kind of a pain as you have to shift-decode and put control codes on each access level. (set 0..3) and non-current set characters take multiple quibbles. (quibble is a 5 bit set, just as a heckle is a 6 bit one, and a nybble is 4 bits). It's funny though as with mostly lower-case plaintext you can actually guarantee ~30% compression BEFORE you start in on adding things like token tables or RLL encoding.

    If nothing else, figured someone should give you some feedback as it seems darned quiet in here.

    Oh, and your site's still slow and painfully inaccessible. Still way too much scripting either doing CSS' job or stuff that doesn't belong on a site in the first place. Love the massive bandwidth wasting comment too that talks about it being a phone interface, claims some "legally binding" nonsense that wouldn't hold up in courts that ruled in SCO's favor -- much less given that it has no scripting off graceful degradation and would kill any mobile device's battery in two minutes flat. Hell, it makes the fan for my i7 based laptop come on. You REALLY should go back and learn what HTML and CSS can do BEFORE throwing all this endless scripttardery at websites.

    I'd also suggest slapping the dates on your simplified page in H2 so the page is more easily keyboard and accessibility navigable, then use P around the actual paragraphs? Structure my good man, structure!
     
    deathshadow, Jun 30, 2015 IP
  7. seductiveapps.com

    seductiveapps.com Active Member

    #7
    Yo..

    * this obfuscator thing of mine will *replace* all your own javascript variable names, id=, class=, etc, with random strings. so there's actual obfuscation and protection of ur sources. Your original var names etc are *not* in the obfuscated output, but you can write out the translation table to json so u and only u can debug obfuscated code if u ever need to..

    * yea I know its deadeasy and enabled by default in at least macos safari debugger to pretty print obfuscated/minified js back to properly indented code.. Which is why I am building webappObfuscator and giving it away for free. The trick is to use a whitelist for (browsers internal) code that can't / shouldn't get obfuscated, BTW. It's work to type that whitelist in, but hardly hard work..

    * its in php coz it needs to b to work with your entire site template; js, HTML, CSS, json, etc.

    * there's not a file more than necessary, and no malware either. You get the sources so it ain't hard to verify that.

    * made my site a lot faster and more efficient than it was before we met, will never b js-disabled compatible. I'm happy with what it's like now; runs fine on my core-i3 and 1.7ghz android.

    * what's SCO? Why would my copyright notice not b upheld by a judge?
     
    Last edited: Jun 30, 2015
    seductiveapps.com, Jun 30, 2015 IP
  8. deathshadow

    deathshadow Acclaimed Member

    #8
    The SCO Group -- a descendent of the "Santa Cruz Organization" -- was the patent troll to end all patent trolls, they NEVER actually produced a real product, while claiming ownership of several IP's -- most notably a specific distribution of Unix. They went around suing anyone they could (including Linus Torvalds and IBM) through the shadiest courts in the nation in the hope of either settling out of court through intimidation, or using their basically bought judges to rubber stamp things in their favor.

    They're so pathetic that after IBM and Novell pimp slapped them in court causing investors to flee, they STILL have a lawsuit (through a bankruptcy lawyer) suing them for the loss in revenues caused by the court finding in IBM and Novell's favor... which is about as bat**** insane as a company can get.

    It's in the source comment and not visible as CDATA or presented on its own page via a clear and obvious link -- you'd get thrown out for entrapment. Same reason you can get speeding fines thrown out of court if you bring in pictures of the sign obscured behind a bush.

    Trust me I've seen it happen to a few people the past decade. You want that type of disclaimer it needs to be where everyone can see it, not just the people who hit "view source" -- even if it's off on a sub-page all by itself, it would STILL be valid for the whole site so long as you have a consistent link to it from all pages -- that's why you'll see "privacy policy" or other such links at the bottom of websites all the time.

    If nothing else it's a MASSIVE waste of bandwidth sending it with every page; but to be frank most of your pages suffer from that anyways again with all the "JS for nothing" that just makes everything impossible to use compared to a normal static website built with the PROPER layout methodologies.
     
    Last edited: Jun 30, 2015
    deathshadow, Jun 30, 2015 IP
  9. seductiveapps.com

    seductiveapps.com Active Member

    #9
    Lol.. Well I clearly ain't like SCO, and thx for the tip on how the copyright notice needs a page of its own and a link to that on every page.. That'll get done real soon then.. Even tho my front page has a notice about where the copyright notice can be found today..

    As for ur "js for nothing" pun; well, it does a lot more than nothing (we've had that discussion already), but some future apps I might make runable without that 4.7mb 250kb gzipped obfuscated js + "lotsa" PNG + jpg artwork bytes (cloud hosted these days though!) pretty framework of mine, and *maybe* I'll make them js-disabled compatible..

    And eh, the HTML for the site is 20kb gzipped dude.. Recommend u stop thinking as if this is the 14k4 era ;)
     
    seductiveapps.com, Jun 30, 2015 IP
  10. deathshadow

    deathshadow Acclaimed Member

    #10
    Oh, side note -- as an EXPERIMENT it's interesting to see so much JS used; you've got a great command of the language -- it's just you're using it for EVERYTHING, and that, well... that's where most of my objection comes from, particularly on a website.

    Probably related to my being accessibility minded and having the mantra "If you can't make the page work without javascript first, you have no business adding scripting to it" drilled into my head.

    Well, that and CSS3 can do a LOT of the things you're using scripting to do, or so close to it as to make no never-mind. The positioning animations for example would be faster and smoother if you let CSS do the heavy lifting there. Element sizing and scaling should be a function of document flow and CSS not dictated by the scripting...

    Much less that trying to scale everything to fit the screen with multiple scrollbars THAT DON'T WORK with the mouse-wheel or keyboard navigation -- those are things that are on the "don't do" accessibility lists for a reason as it's stuff that was tried and realized to be a usability disaster a decade and a half ago.

    Good scripting should enhance functionality, not supplant it... but we're obviously from two different worlds and mindsets on doing things. I start out with content or a reasonable facsimile of content and order it as if HTML didn't even exist, then I mark it up semantically (with no DIV or SPAN) as if the default appearance of HTML tags and CSS didn't even exist, then I create the screen layoutS (yes, plural) with CSS adding DIV and SPAN once I've expended the style I can apply to the existing tags -- then and only then would I further enhance it with scripting; It's called progressive enhancement and it's how one builds a page that gracefully degrades.

    You... seem to be starting with the scripting to manipulate the visual appearance, often before you're even thinking about content or the needs of the content or the visitor. VERY backwards if you care about people actually using your site. If however your purpose is to go "hey look what I can do in JavaScript" -- well, then you're spot on.

    Though you do seem to use some outdated methodologies too like using the various onevent methods in the markup, or worse href="javascript:" -- good scripting should hook the markup, not the other way around.

    ... also saw mention of throwing jQuery at it... Oh yeah, GREAT idea there... -- you already have a fat bloated pig, last thing you need is to hang a dead albatross about its neck.
     
    deathshadow, Jun 30, 2015 IP
  11. seductiveapps.com

    seductiveapps.com Active Member

    #11
    2015 June 30, 20:22 CEST : current release : webappObfuscator-20150630_2021CET.zip.
    Status : now actually produces output! :D (javascript only for now).

    ---> off to have a life for the rest of the evening.. :)
     
    seductiveapps.com, Jun 30, 2015 IP
  12. seductiveapps.com

    seductiveapps.com Active Member

    #12
    
    var dfo = { // demoForObfuscation (root javascript namespace variable name)
        apps  : { loaded : {} }   
    }; 
    
    dfo.s.c = dfo.site.code = {
        globals : { // to be treated as constants/PHP define()s
            urls : {
            // gets filled in by /public/siteLogic/get_javascripts_settings.php
                site : ''
            }
        }, 
        settings : { // allowed to change during runtime of code
        },
       
        startSiteCode : function () {
           
            History.Adapter.bind(window,'statechange', sa.s.c.stateChange); // use HTML5 History API if available:
    
           
            dfo.m.msgToEndUser ('siteCode started');
        },
       
        stateChange : function () {
            var 
            state = History.getState();
           
            dfo.s.c.urlSpecificSettings (state.url);
           
        },
       
        urlSpecificSettings : function (url) {
            // fill in, good luck..
        },
       
        loadContent : function (url) {
            var xhrCommand = {
                type : 'GET',
                url : dfo.s.c.globals.urls.site + 'public/siteLogic/get_content.php?url='+url,
                success : dfo.s.c.loadContent__loaded
            };
           
            jQuery.ajax(xhrCommand);
        },
       
        loadContent__loaded : function (data, ts, xhr) {
            jQuery('#dfo__content').fadeOut ('normal', function() {
                jQuery('#dfo__content').html(data).fadeIn('normal');
            });
        },
       
        testHTMLinsertion : function (str1, str2) {
            var html = 
                '<div id="thi_0">'
               
                // SINGLE QUOTES AT JS LEVEL, DOUBLE QUOTES FOR THE HTML = the best way to do things. You'll see the truth of that when your code's complexity increases.
                +'<p id="thi_1" class="thi_a">'+str1+'</p>' 
               
                // DOUBLE QUOTES = you still got a lot to learn, but that code-form is included here so you don't potentially have to change an entire stack of existing code to get obfuscated.
                +"<p id='thi_2' class='thi_b thi_c'>"+str2+"</p>" 
                +'</div>';
               
            jQuery('#dfo__content').append (html);
        },
       
        testRegexps : function (searchRegx, replaceRegx, haystack) {
            if (typeof searchRegx==='undefined') {
                searchRegx = new RegExp ('/H3ll0/');
            };
            if (typeof replaceRegx==="undefined") {
                replaceRegx = /Hello/;
            }
           
           
            if (typeof haystack==='string') {
                jQuery ("#dfo__content").append (haystack.replace (searchRegx, replaceRegx));
            }
        },
       
        getString : function (what) {
            switch (what) {
                case 'bla' : return 'test'; 
                case "blie" : var r = "test2"; break;
                default : 
                    var r = "test3"; 
                    break;
            };
            return r;
        }
    };
    
    
    
    dfo.m = dfo.misc = { // equivalent to a 'functions.php' - miscellaneous functions
        globals : {
            logLevel : 1000 // show all dfo.m.log() calls with a logLevel < 1000.
        },
        settings : {
        },
       
        msgToEndUser : function (msg) {
            dfo.m.log (1, msg);
            jQuery('#dfo__leftSidebar').fadeOut ('normal', function () {
                    jQuery('#dfo__leftSidebar').append('<p class="dfo__msgToEndUser">'+msg+'</p>').fadeIn('normal');
            }
        },
       
        log : function (logLevel, msg) {
            if (
                logLevel < dfo.m.globals.logLevel
                && typeof console=='object'
                && typeof console.log=='function')
            ) console.log (msg);
        }
    };
    
    becomes :
    
    var CiI={bXr:{QCm:{}}};
    CiI.s.c=CiI.ITo.slM={rDe:{KQJ:{ITo:''}},settings:{},CuN:reC(){History.Adapter.bind(window,'KLp',sa.s.c.stateChange);
    CiI.m.kje('siteCode started')},stateChange:reC(){var state=History.getState();
    CiI.s.c.SaH(state.url)},SaH:reC(url){},iZs:reC(url){var tbA={type:'cLe',url:CiI.s.c.rDe.KQJ.ITo+'dao.php?url='+url,success:CiI.s.c.VlZ};
    jQuery.ajax(tbA)},VlZ:reC(data,ts,xhr){jQuery('#aEG').fadeOut('uGv',reC(){jQuery('#aEG').html(data).fadeIn('uGv')})},jvJ:reC(ZhU,qVi){var html='<div id="OdC">'+'<p id="nWh"class="LSQ">'+ZhU+'</p>'+"<p id='ali'class='qQk WAt'>"+qVi+"</p>"+'</div>';
    jQuery('#aEG').append(html)},NWf:reC(Wbp,TgP,LjZ){if(typeof Wbp==='DJh'){Wbp=new RegExp('/H3ll0/')};
    if(typeof TgP==="DJh"){TgP=/Hello/}if(typeof LjZ==='oVs'){jQuery("#aEG").append(LjZ.replace(Wbp,TgP))}},KrJ:reC(vnK){switch(vnK){case'dZm':return'YSB';
    case"OIW":var r="gXY";
    break;
    default:var r="mob";
    break};
    return r}};
    CiI.m=CiI.RKY={rDe:{EDU:1000},settings:{},kje:reC(rKp){CiI.m.log(1,rKp);
    jQuery('#Aph').fadeOut('uGv',reC(){jQuery('#Aph').append('<p class="oQg">'+rKp+'</p>').fadeIn('uGv')}},log:reC(EDU,rKp){if(EDU<CiI.m.rDe.EDU&&typeof console=='eRo'&&typeof console.log=='reC'))console.log(rKp)}}
    
     
    seductiveapps.com, Jun 30, 2015 IP
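
The whitelist-driven renaming discussed in posts #1 and #7, as an added JavaScript example that is not code from webappObfuscator or phpJSO. It also shows the failure visible in the output of post #12, where `function` comes out as `reC`: a name missing from the whitelist gets renamed, and an audit of the translation table catches that before the output is served. All function names, the whitelist contents and the sample source are assumptions constructed for illustration; string literals are left untouched and nothing is minified.

```javascript
// Added example, not the project's code. Every name below is hypothetical.
const JS_KEYWORDS = ['var', 'let', 'const', 'function', 'return', 'if', 'else', 'typeof',
  'new', 'switch', 'case', 'break', 'default', 'for', 'while', 'do', 'try', 'catch',
  'finally', 'throw', 'this', 'null', 'true', 'false', 'in', 'of', 'delete', 'void',
  'instanceof', 'continue'];

// Token kinds, in order: '...' string, "..." string, number, identifier, any other char.
// Assumption: the input contains no comments, regex literals or template strings.
const TOKEN = /'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|\d[\w.]*|[A-Za-z_$][\w$]*|[\s\S]/g;
const IDENT = /^[A-Za-z_$][\w$]*$/;
const LETTERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Draw random 3-letter names until one is free, then reserve it.
function randomName(rng, taken) {
  for (;;) {
    let name = '';
    for (let i = 0; i < 3; i++) name += LETTERS[Math.floor(rng() * LETTERS.length)];
    if (!taken.has(name)) { taken.add(name); return name; }
  }
}

// Rename every identifier that is not on the whitelist. The whitelist is the ONLY
// protection, as in the thread: leave a keyword off it and the keyword gets renamed.
function obfuscate(source, whitelist, rng = Math.random) {
  const keep = new Set(whitelist);
  const tokens = source.match(TOKEN) || [];
  // New names must never collide with keywords, whitelisted names or existing names.
  const taken = new Set([...JS_KEYWORDS, ...keep, ...tokens.filter(t => IDENT.test(t))]);
  const table = Object.create(null);           // original name -> random name
  const code = tokens.map(tok => {
    if (!IDENT.test(tok) || keep.has(tok)) return tok;   // strings, numbers, punctuation
    if (!(tok in table)) table[tok] = randomName(rng, taken);
    return table[tok];
  }).join('');
  return { code, table };
}

// Pre-ship check: a keyword or host-defined name appearing as a key of the
// translation table means the whitelist has a hole and the output will not run.
function auditTable(table, hostNames = []) {
  const mustKeep = new Set([...JS_KEYWORDS, ...hostNames]);
  return Object.keys(table).filter(name => mustKeep.has(name)).sort();
}

// Map obfuscated code back to the original names using the saved translation table.
function restore(code, table) {
  const reverse = Object.create(null);
  for (const [orig, short] of Object.entries(table)) reverse[short] = orig;
  return (code.match(TOKEN) || [])
    .map(t => (IDENT.test(t) && t in reverse) ? reverse[t] : t)
    .join('');
}

// Constructed sample input; 'arg' is the entry-point parameter and stays readable.
const SAMPLE = [
  "var greeter = {",
  "  prefix : 'Hello, ',",
  "  makeGreeting : function (userName) {",
  "    if (typeof userName === 'undefined') { userName = 'world'; }",
  "    return greeter.prefix + userName.toUpperCase();",
  "  }",
  "};",
  "return greeter.makeGreeting(arg);"
].join('\n');

const FULL_WHITELIST = [...JS_KEYWORDS, 'toUpperCase', 'arg'];

// Stand-alone run: the keywords were forgotten, and the audit lists what was damaged.
const demo = obfuscate(SAMPLE, ['toUpperCase', 'arg']);
console.log('whitelist holes:', auditTable(demo.table));
console.log(JSON.stringify(obfuscate(SAMPLE, FULL_WHITELIST).table));
```

The translation table is the only secret in this scheme: anyone holding it can call `restore()` and get the original names back, so it belongs outside the web root.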
  13. seductiveapps.com

    seductiveapps.com Active Member

    #13
    http://seductiveapps.com/webappObfuscator

    Status : now actually produces output! :D (html + css + javascript).
    To-do : use that output in webappObfuscator__demoSite/index.php (and test... but chances are it'll work)..
    Status of author : havin a life (in the sunshine)
     
    seductiveapps.com, Jul 1, 2015 IP
  14. seductiveapps.com

    seductiveapps.com Active Member

    #14
    http://seductiveapps.com/webappObfuscator

    Status of project :
    Just about functional. Will serve obfuscated website (html, css, javascript, content), siteCode seems to work.

    TODO:
    - tokens should not be replaced inside the actual content (text encapsulated by html tags). will fix tomorrow.
    - test against my own seductiveapps.com sources.
     
    seductiveapps.com, Jul 1, 2015 IP
  15. seductiveapps.com

    seductiveapps.com Active Member

    #15
    TODO:
    - tokens should not get replaced inside the actual content (meaning : in any normal human text encapsulated by html tags). will fix tomorrow.
    - URLs should not get obfuscated..
    - test against my own seductiveapps.com sources.
    - build some kinda interface to do dynamic obfuscation (for at least html, css, javascript) - my own seductiveapps.com/tarot-reading will need this too. - no aint gonna be hard or take long.. what might take long is getting the 1.5mb of js for my seductiveapps to run properly with the new faster obfuscation routines (skipping about 130 million preg_replace() iterations atm - keeping fingers crossed..)

    ETA for delivery of what's listed above here: no more than a week i hope..

    - JSON obfuscation.... well... you're probably gonna need some kinda whitelisting functionality (not just for keys to get whitelisted (not obfuscated), but for values and even entire sub-objects).. for this reason it's last on the todo-list, but once again, my own seductiveapps.com could use json obfuscation (i do *everything* in json these days), so it'll get done ok..
    white listing method? meta-keys *inside* the JSON to-be-obfuscated of course, named like "__wo__blabla" : "some_webappObfuscator_functionalitySwitch_ID" of course..
    - SQL and XML obfuscation... argh.. ok ok, i'll do it (to keep things standard across the web-industry)..
    - for SQL i'll include adodb.sourceforge.net into the webappObfuscator__demoSite code (yes, with a SQL hello-world example that gets obfuscated)
    - for XML i'll have to re-read the specs. never liked to use XML, but it's not mind-bogglingly hard..
    - naturally, SQL obfuscated output stays in SQL (tablename + "__webappObfuscated"), and XML in XML (ehh i'll look into how to store that neatly)

    - JSON inside SQL or XML, XML inside SQL, etc, etc, etc... ehh.. when i have time folks.. i do wanna make some long-overdue money with my own seductiveapps.com as well. but if it's not too hard, i'll include "something" for it ok..
     
    Last edited: Jul 1, 2015
    seductiveapps.com, Jul 1, 2015 IP
  16. seductiveapps.com

    seductiveapps.com Active Member

    #16
    As for the license for this thing : webappObfuscator is copyrighted (c) 2015, by me Rene AJM Veerman, Amsterdam.nl, CEO + CTO of seductiveapps.com..

    webappObfuscator comes with NO WARRANTIES OF ANY KIND of course - if webappObfuscator ends up losing you money, or *any* other problem whatsoever - i can not be blamed for that, nor brought to any court for it, ok....

    Other than that : You and your company/companies/organisation(s)/government(s) may do with webappObfuscator as you please, at no cost of any kind to me at all, ever.. I don't think the Dutch government has an export-restriction for software that does what webappObfuscator does, but checking that is UP TO YOU.

    If you build any cool extensions (wait a few weeks, I suggest), I'd like a copy to include it in my distribution of webappObfuscator, but you're not obligated to pass ur improvements back to me ("forking allowed" + "porting to other server-side programming languages is allowed"). Please start the name of ur forks of this thing if distributed by you publicly, with "webappObfuscator_". You're not obligated to name ur fork that way, but it would b good for ppl searching the web for forks eh..

    Yes, you may even make your forks and ports (to other server-side programming languages) closed-source, and keep them to yourself/yourselves, and/or distribute them (as (obfuscated-)closed-source or open-source) any way you want - including selling them / renting them out.
     
    Last edited: Jul 1, 2015
    seductiveapps.com, Jul 1, 2015 IP
  17. seductiveapps.com
    #17
    @deathshadow : I'll take ur methodology for designing webapps to heart for my next app.. I'll also do us both and everyone here the favor of not going to flamewar over ur 1980s mindset when it comes to bandwidth and amounts of Javascript on a page ;) please have a good long toke of the peacepipe ;)
     
    seductiveapps.com, Jul 1, 2015 IP
  18. seductiveapps.com
    #18
    http://seductiveapps.com/webappObfuscator

    2015 July 2nd, 09:26 CEST :
    Completed these two to-do-list items:
    • tokens should not get replaced inside the actual content (meaning : in any normal human text encapsulated by html tags). will fix tomorrow.
    • URLs should not get obfuscated..
     
    seductiveapps.com, Jul 2, 2015 IP
  19. seductiveapps.com
    #19
    seductiveapps.com, Jul 2, 2015 IP
  20. deathshadow
    #20
    Welcome to one of the hardest parts about code parsing -- you may end up basically having to write your own lexical analyzer to deal with that since once you start having to filter out strings and things like URI's, you will quickly find that regex is no longer up to the task.

    ... sadly the point at which PHP becomes less than effective at doing this task.

    Decades ago I wrote a Pascal to Z80 machine language compiler that had similar issues where I ended up parsing out the strings for token replacement first. This had the advantage I could move the strings into their own storage area -- which worked out well since a compiler usually needs to do that anyways.

    Hmm. I wonder if that might HELP with the obfuscation. You could parse out the strings FIRST doing your token replacements on them, storing their values in a global array. Code would run slower, but not having the strings in the code would make the output harder to follow. You could possibly even do that with all constants, though the execution penalty might be a bit hefty.

    Really though once you get into that I'd be looking at using a compiled language instead of PHP. Might make a really good command line utility.

    Please, for the love of ghu, lose the stupid internal scrollbar and just let the page expand! Do you have ANY idea how annoying (and inaccessible) that **** is? It's one of the reasons your main site was reacted to so negatively back in that massive thread from before.

    Of course the 1990's "tables for nothing" markup isn't helping... double breaks doing a P's job, and general "semantics, what's that" coding.

    I'd probably also lose the scripttard tabs nonsense and just make it separate pages; why load crap people probably aren't even going to VIEW before they need it, break proper site navigation, and generally miss opportunities for better search optimization? Scripted tabs is just recreating the same broken nonsense

    Of course, if it were marked up properly with an accessible layout, you could also make the page responsive and actually useful to visitors, two things currently woefully lacking.

    If you don't mind, I may do a rewrite of that page just to show you what I mean. You aren't doing anything that even warrants the PRESENCE of scripting, your markup is the worst of 1990's practices, you're using a lot of images where you don't even NEED images, and to be frank seem to be intentionally trying to make that site harder to use!

    I'm going to take that to PM when complete since I don't want to keep hijacking this thread about your project.

    It's not 1980's mindset, it's forward looking with the impending bandwidth crunch, ISP's slapping bandwidth caps on connections and charging for overages, and the fact that large sections of infrastructure are DECADES away from being built since the existing copper isn't even paid for.

    Much less Google and other search engines penalizing slow loading bloated sites. Massive sites sucking down RAM that doesn't even exist on mobile, etc, etc...

    99% of the time people have more than 32k of JS (not counting social media plugins, and usually those are poorly written crap too) it's providing nothing of actual use to visitors of a website; stuff that's either CSS' job or doesn't belong on a website in the first place! Same way there's no legitimate reason for an entire website to have more than 48k of CSS or to have markup to content ratios of more than 3:1 apart from outright developer ineptitude or willfully ignoring everything we have been told for twenty-plus years of progress in usability and accessibility.

    -- edit -- oh, and you might want to fix those bizarre "media.localhost" URI's in your code.

    -- edit edit -- It's also ALWAYS invalid to use two periods. It's either one period or three. The latter is called an "ellipsis". There's even an extended character in UTF-8 for it as one character instead of three, though I prefer to just use the safe ASCII7 periods if dealing with English as the main language.
     
    Last edited: Jul 4, 2015
    deathshadow, Jul 4, 2015 IP
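
The strings-first approach described in post #20, as an added example that is not part of the thread or of webappObfuscator: a small hand-written scanner separates string literals and comments from identifiers, so renaming leaves strings and the URLs inside them alone, shown next to the regex-only version that rewrites them. `SAMPLE`, `MAP` and the function names are constructed for illustration; only names listed in `MAP` are renamed, and template literals and regex literals are not handled.

```javascript
// Constructed sample: the same word is a variable, a DOM id, part of a URL, and comment text.
const SAMPLE = [
  'var menu = document.getElementById("menu");',
  "var link = 'http://example.com/menu/item'; // menu link",
  'menu.title = "it\\"s the menu: " + link;',
].join('\n');
const MAP = new Map([['menu', 'aXq'], ['link', 'bZk']]); // hypothetical rename table

// Regex-only renaming: rewrites the word everywhere, strings and URLs included.
function renameNaive(src, map) {
  return src.replace(/[A-Za-z_$][\w$]*/g, (w) => (map.has(w) ? map.get(w) : w));
}

// Minimal scanner: classifies each run of characters before anything is replaced.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    let j = i + 1, type = 'other';
    if (c === '"' || c === "'") {
      type = 'string';
      while (j < src.length && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
      j++; // include the closing quote
    } else if (src.startsWith('//', i)) {
      type = 'comment';
      while (j < src.length && src[j] !== '\n') j++;
    } else if (src.startsWith('/*', i)) {
      type = 'comment';
      const end = src.indexOf('*/', i + 2);
      j = end < 0 ? src.length : end + 2;
    } else if (/[0-9]/.test(c)) {
      type = 'number'; // keeps the x in 0x1F from being read as a name
      while (j < src.length && /[\w.]/.test(src[j])) j++;
    } else if (/[A-Za-z_$]/.test(c)) {
      type = 'ident';
      while (j < src.length && /[\w$]/.test(src[j])) j++;
    }
    tokens.push({ type, text: src.slice(i, j) });
    i = j;
  }
  return tokens;
}

// Rename identifier tokens only; every other token is copied through unchanged.
function renameLexed(src, map) {
  return tokenize(src).map((t) =>
    (t.type === 'ident' && map.has(t.text) ? map.get(t.text) : t.text)).join('');
}
```

With the sample above, `renameNaive` turns the `getElementById("menu")` lookup and the URL path into the renamed token, while `renameLexed` changes only the two variable names.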