This demonstration will be based on a video presenting the self defending transformation in action. This transformation can be used to avoid tampering and debugging of JavaScript code.
This is an unprotected space shooter. Note at the top of the screen there are 3 rockets. There is also a ‘Buy Rockets’ button. The goal here is to add rockets without clicking the button. In this case there is no payment when we click the button, but if there was, the game creator would be losing money with the tampering that’ll be demonstrated.
When the button is clicked, the number of rockets increases. One of the things that can be done now is inspect the button element, and access the onClick
function. Add a breakpoint to the function, and analyze the existing cr
Object for any ‘Rocket’ reference.
A script was previously developed, to analyze the cr
Object, and return any property with a ‘Rocket’ reference, so it will be placed on our browser’s console and executed.
The returned properties that reference ‘Rocket’ are presented on the bottom of the console.
The correct property had already been noted during a previous test where the script was used and each property was analyzed. This property can be used to add rockets. In this case 10 rockets will be added to the game.
Note there are now 14 rockets in of the game
Now to try the same thing on the protected game. This version is protected with anti-debugging and anti-tampering, meaning that what was just shown won’t be possible in this version.
Starting by running the protected game, it pauses as the browser’s debugger is open. Once it is closed the game will resume.
If developer tools is opened and someone tries to resume the game they become stuck on a loop. Multiple JavaScript VMs are created, and the call stack keeps increasing. Continuous attempts will lead to the browser crashing.
Another addition is that the code is harder to understand, the code suffered several transformations to make it harder to interpret and replicate.
Once again there’s an attempt to inspect the rockets button, which lead back into the VM loop.
Using the event listener for onClick
, connects to the triggered function. But adding a breakpoint isn’t possible, and resuming execution will go back to the VM loop.
A tampering attempt can be made by using the rocket element from the unprotected version, but due to Jscrambler’s polymorphic behaviour the element is different and can’t be found.
This sums up how the self defending transformation works, with anti-debugging and anti-tampering. You can also check out this example in a video format.