Variable Masking

Potency Medium
Resilience High
Cost Medium
Tags: obfuscation, variables, parameters, arguments

Description

Variable Masking hides local variables and function parameters from the source code, replacing them with array subscripts which are harder to read.

Consider the following code snippet holding local variables and function parameters:

function getUrl(protocol, domain) {
  if(!protocol || !domain) throw new Error("Invalid Arguments");
  var url = protocol + '://' + domain;
  var endpoint = '/app';
  return url + endpoint;
}

Here is an example of what the code would look like after transformed:

function getUrl(q,m) {
  var a=[arguments];
  if(!a[0][0] || !a[0][1])
    throw new Error("Invalid Arguments");
  a[5] = a[0][0] + '://' + a[0][1];
  a[7] = '/app';
  return a[5] + a[7];
}

Optionally, you can target global variables too. Please be advised that global variables shared between HTML/JavaScript files won't work with this transformation.

The following code snippet holds both local and global variables, and also function parameters:

// ...
var globalDomain = "jscrambler.com";
// ...
function getUrl(protocol) {
  if(!protocol) throw new Error("Invalid Arguments");
  var url = protocol + '://' + globalDomain;
  var endpoint = '/app';
  return url + endpoint;
}

Here is an example of what the code would look like after transformed:

var a = [];
// ...
a[9] = "jscrambler.com";
// ...
function getUrl(q) {
  var b=[arguments];
  if(!b[0][0])
    throw new Error("Invalid Arguments");
  b[5] = b[0][0] + '://' + a[9];
  b[7] = '/app';
  return b[5] + b[7];
}

Code Annotation Example

// @jscrambler define variableMasking {options: [targetGlobalVars]} as varmask
// @jscrambler enable varmask

Note: Variable masking annotations should only be placed before function expressions or function declarations.

Compatibility with AngularJS

Variable Masking may cause AngularJS applications to break. This happens when using the names of function parameters to identify dependencies to be injected, specifically the ones started by "$". Variable Masking will rename those parameters and cause the injection to fail, in which case the transformation should be disabled.

Option Types

Name Required Default Value Description
options No [] List of available options

Options

Name Description
targetGlobalVars Target global variables
subscriptOutlining Array subscripts generated by this transformation will have their own declarations, therefore becoming more friendly for control flow obfuscation

Browser Compatibility

Browser Compatible Versions Tested Versions Notes
Chrome 80+ 80+
Firefox 90+ 90+
Internet Explorer 8+ 8+
Microsoft Edge 116+ 116+
Safari 13.1+ 13.1+

API Parameters

Example:

{
  "keys": {
    "accessKey": "XXXXXX",
    "secretKey": "YYYYYY"
  },
  "applicationId": "ZZZZZZ",
  "params": [
    {
      "name": "variableMasking",
      "options": {
        "options": []
      }
    }
  ]
}