String Concealing

Potency High
Resilience Medium
Cost Medium
Tags: string, conceal, obfuscation


Consider the following variable declarations holding string literal values:

var protocol = 'http';
var domain = '';
var url = protocol + '://' + domain;

The code will look something like this after transformation:

var o = {
  f: function() { /* decoding algorithm and encoded data */ }
var protocol = o.f(13);
var domain = o.f(32);
var url = protocol + o.f(7) + domain;

Consider using Identifiers Renaming to remove the remaining information that is useful for a human to understand what the variables mean, forcing the user to debug the code in run-time.

Code Annotation Example

// @jscrambler enable stringConcealing

Option Types

Name Required Default Value Description
options No [] List of available options
freq No 1 Probability of applying the transformation when the node allows for the transformation to happen.
min No N/A Minimum number of times the transformation is applied to each JavaScript file. This number may still not be reached if there are not enough candidates to apply the transformation to.
max No -1 Maximum number of times the transformation is applied to each JavaScript file.


Name Description
deadTraps Increases the resilience against deobfuscation attempts, when combined with dead code injection transformations.

Browser Compatibility

Browser Compatible Versions Tested Versions Notes
Chrome 80+ 80+
Firefox 90+ 90+
Internet Explorer 9+ 8+
Microsoft Edge 116+ 116+
Safari 13.1+ 13.1+

API Parameters


  "keys": {
    "accessKey": "XXXXXX",
    "secretKey": "YYYYYY"
  "applicationId": "ZZZZZZ",
  "params": [
      "name": "stringConcealing",
      "options": {
        "options": []