PHP Javascript Obfuscator

Anti-Theft Protection for JavaScript Source Code

Protection Techniques and Features

As you probably know, WiseLoop PHP Javascript Obfuscator is a JavaScript protector that allows you to obfuscate, scramble, minimize, domain lock, set an expiration date and encrypt your JavaScript source code in order to avoid theft.
This section explains the features of this software product and shows you how to achieve the maximum protection level for your JavaScript files or applications.

Note:
Please note that what can be done can also be undone.
Keep in mind that obfuscation techniques are meant to discourage the code thief; they cannot guarantee bulletproof protection against theft, because of the public and open architecture of the JavaScript and web browser combination.
If the browser can see your JavaScript code (even obfuscated), humans can see it too, so a potential attacker can try to deobfuscate it and get closer to the original source code.
By using different techniques, WiseLoop PHP Javascript Obfuscator offers a high protection level for your JavaScript work and will surely discourage deobfuscation attempts, forcing thieves to think twice before stealing your code instead of buying it.

Most of the samples below are meant to be used inside a configuration preset file. Please refer to The Configuration Preset to find out more about configuration presets.

1. Source Code Repository Based Access Type

Suppose we use the obfuscator directly on JavaScript files like this:

 <script src="jso.php?js=some/real/path/to/js/my-js-code.js" type="text/javascript"></script>

WiseLoop PHP Javascript Obfuscator will, of course, deliver the obfuscated version of "some/real/path/to/js/my-js-code.js".
But what if someone checks the page source and sees the real path where "my-js-code.js" is located? A simple browser request to "some/real/path/to/js/my-js-code.js" will reveal the JavaScript source code.
Use code repository access to hide the real path to JavaScript files and increase the protection level.
Basically, the code repository consists of a list of directories containing the JavaScript files to be protected. The directories can be located anywhere on your server and they will not be revealed when using the obfuscator. So, when using the recommended code repository access, the usage will be:

 <script src="jso.php?rjs=repository-name/my-js-code.js" type="text/javascript"></script>

The obfuscator will search through all the directory entries under "repository-name" for the "my-js-code.js" file. When the file is found, the obfuscator will obfuscate it and deliver it to the requester.
Please refer to The Code Repository section to find out how to setup a JavaScript source code repository.

2. Dynamic Bytecode Encryption

Using bytecode encryption, the code will be transformed into a byte string that will be decrypted by the JavaScript itself through a boot function that is also obfuscated.
The dynamic bytecode encryption feature will deliver different encrypted byte string content on each request, making decryption attempts very difficult.

Note:
Encryption enlarges payload size.
The higher the encryption level, the higher the protection achieved and the larger the resulting obfuscated code.
Using high levels of encryption can cancel the effect of the minify feature by enlarging the JavaScript code, which also affects script performance.


Note:
The browser needs valid JavaScript code to run, and the encrypted code is, of course, also valid JavaScript.
This is why the encryption is made using a public key and a JavaScript boot loader function: the encrypted code must be able to decrypt itself when the browser runs it.
There is no other way to make the encryption safer.
If the browser manages to decrypt the encrypted code, an ambitious thief can also try to do so, using his own intelligence or some specialized tools.
There is no obfuscator on the market that can 100% guarantee that its encryption cannot be broken. Yes, it can be broken, because the decryption algorithm is there, embedded in the JavaScript boot loader function.

You should use the recommended setting value (1) in order to achieve a decent balance of protection level and payload size.
To enable encryption, put this in your configuration preset file (a zero value means that no encryption will be performed):

 $config->ENCRYPTION_LEVEL = 1; 

or

 $config->ENCRYPTION_LEVEL = 2; 
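
The two notes above can be seen in a few lines. The following is an added illustration, not WiseLoop's code or algorithm: a toy XOR scheme in which the names `encryptForRequest` and `bootDecode`, the sample source and both keys are constructed for this example. It shows a different byte string per request, the same source recovered from what each payload carries, and the payload doubling in size.

```javascript
// Toy scheme for illustration only; NOT the algorithm WiseLoop uses.
const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g) || [], (h) => parseInt(h, 16));

// XOR every byte of data with the repeating key.
function xorBytes(data, key) {
  return data.map((b, i) => b ^ key[i % key.length]);
}

// Server side: a fresh key per request gives a different byte string each time.
// The key must travel with the payload, otherwise the browser could not run it.
function encryptForRequest(source, requestKey) {
  const plain = new TextEncoder().encode(source);
  return { key: toHex(requestKey), body: toHex(xorBytes(plain, requestKey)) };
}

// Client side: the boot loader's job, using only what the payload itself carries.
function bootDecode(payload) {
  const plain = xorBytes(fromHex(payload.body), fromHex(payload.key));
  return new TextDecoder().decode(plain);
}

// Constructed sample source and two constructed per-request keys.
const SAMPLE_SOURCE = 'function total(a, b) { return a + b; }';
const KEY_REQUEST_1 = Uint8Array.from([0x13, 0x37, 0xc0, 0xde]);
const KEY_REQUEST_2 = Uint8Array.from([0xa5, 0x5a, 0x0f, 0xf0]);

function demo() {
  const first = encryptForRequest(SAMPLE_SOURCE, KEY_REQUEST_1);
  const second = encryptForRequest(SAMPLE_SOURCE, KEY_REQUEST_2);
  return {
    bodiesDiffer: first.body !== second.body,    // dynamic: no two requests match
    firstDecoded: bootDecode(first),             // yet both decode to the same source
    secondDecoded: bootDecode(second),
    sizeRatio: first.body.length / SAMPLE_SOURCE.length, // hex encoding doubles the size
  };
}
```

Because every payload is self-contained, treat encryption as a way to raise the effort needed to read the code, and keep secrets such as API keys or licence logic on the server.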

3. Current Internet Domain Lock

A thief might say: "It is obfuscated? So what? I don't need to understand it, I just want to use it. I will get it and copy it to my web site."
To stop this kind of theft, you have to make your script work only on your domain.
The domain lock feature will limit the JavaScript code functionality to the current domain only, so the script will stop working if copied to another internet domain.
Of course, you can provide this kind of protection yourself inside the JavaScript source code; but what if you have more than one domain? You will have to maintain multiple JavaScript files with exactly the same functionality, one for each internet domain you hold, which can become very cumbersome.
Just put this in your configuration preset:

 $config->DO_LOCK_DOMAIN = true; 

4. Names Replacement and Obfuscation

But what if, after many hours of hard work, a thief somehow manages to decrypt the encrypted code and arrive at more readable JavaScript source code that might look similar to your original source code?
"Similar" is the keyword here: if you apply the names replacement obfuscation technique to your original JavaScript code, all the declared variable names will be obfuscated and replaced with generated ones consisting only of 'I', 'l' and '1', making the code very hard to understand and modify.
Just put this in your configuration preset:

 $config->DO_SCRAMBLE_VARS = true; 

5. Decoy Code Generation Upon Illegal HTTP Requests

Enabling Decoy Code Generation will test whether the request to the obfuscation engine was made from inside a page and not directly.
This will protect the resulting obfuscated JavaScript code files against direct scraping.
If direct access attempts to the obfuscated JavaScript code are detected, bogus decoy source code will be generated as a trap, so that a possible thief will work in vain if he tries to deobfuscate the code.
Just put this in your configuration preset file:

 $config->DO_DECOY = true; 
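
The page does not say which signals the product uses to tell an in-page request from a direct one. The added example below is not WiseLoop's code; it assumes a heuristic built on the standard `Referer` and `Sec-Fetch-Dest` request headers, and `chooseResponse`, `refererHost` and `SITE_HOSTS` are hypothetical names with constructed values.

```javascript
// Assumed heuristic; the product's real checks are not documented on this page.
const SITE_HOSTS = ['www.example.com']; // constructed value: hosts whose pages embed the script

// Host part of a Referer value, or null when it is missing or not a URL.
function refererHost(value) {
  try {
    return new URL(value).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// headers: an object keyed by lower-cased header names.
// Returns 'real' for a request that looks like a <script src> load from our
// own pages, and 'decoy' for anything that looks like direct access.
function chooseResponse(headers, siteHosts) {
  const dest = headers['sec-fetch-dest'];
  // Browsers that send Fetch Metadata label script-tag loads "script";
  // opening the URL in the address bar arrives as "document".
  if (dest !== undefined && dest !== 'script') return 'decoy';
  const host = headers.referer ? refererHost(headers.referer) : null;
  if (host === null || !siteHosts.includes(host)) return 'decoy';
  return 'real';
}
```

A page served with `Referrer-Policy: no-referrer` sends no `Referer`, so under this heuristic its own script tags would receive the decoy; check the site's referrer policy before enabling such a test.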

6. Expiration Date Setup

Specifying an Expiration Date will apply a time limit to the functionality of the JavaScript code.
When the given date is reached, the script will stop working.
You can use this feature to enable subscription-type licenses for your JavaScript applications.
Just put this in your configuration preset file (modify the date according to your needs):

 $config->EXPIRATION_DATE = '2090-12-12'; 
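
For comparison, here is what a hand-written version of the checks from sections 3 and 6 could look like inside your own script. This is an added example, not code generated by the obfuscator; `hostAllowed`, `isExpired`, `lockReason` and the domain list are hypothetical, and it covers several domains in one file.

```javascript
// Hand-written lock of the kind sections 3 and 6 describe; names are hypothetical.
const ALLOWED_DOMAINS = ['example.com', 'shop.example.org']; // constructed values
const EXPIRES_ON = '2090-12-12'; // same format as EXPIRATION_DATE above

// True when host equals an allowed domain or is a subdomain of one.
// Matching on a label boundary stops "notexample.com" passing as "example.com".
function hostAllowed(host, allowed) {
  const h = String(host).toLowerCase().replace(/\.$/, ''); // drop a trailing dot
  return allowed.some((d) => h === d || h.endsWith('.' + d));
}

// True once the start of the expiry day (UTC) has been reached.
function isExpired(now, expiresOn) {
  const limit = Date.parse(expiresOn + 'T00:00:00Z');
  if (Number.isNaN(limit)) return true; // fail closed on a malformed date
  return now.getTime() >= limit;
}

// Returns null when the script may run, otherwise the reason it must stop.
function lockReason(host, now) {
  if (!hostAllowed(host, ALLOWED_DOMAINS)) return 'domain';
  if (isExpired(now, EXPIRES_ON)) return 'expired';
  return null;
}

// Browser usage (not executed here):
//   if (lockReason(location.hostname, new Date()) !== null) { /* stop */ }
```

The date comes from the visitor's clock and the host name from the visitor's browser, so these checks deter casual copying; a licence that must be enforced needs a server-side check as well.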

7. Size Optimization

The size optimization feature will minify the code by removing comments, carriage returns, line feeds, tabs and white spaces from the original JavaScript source code, producing smaller downloads and also contributing to obfuscation.
Just put this in your configuration preset:

 $config->DO_MINIFY = true; 

8. The Cache

The integrated caching engine will provide fast delivery speeds by avoiding processing of already obfuscated JavaScript files and loading them directly from the cache instead.
Acceptable values:

  • 0 - (not recommended) no cache: full processing is done on each request;
    This can be painfully slow on large JavaScript files and/or slow machines.
  • 1 - (recommended) the following processing results will be cached: domain locking, minifying, variable scrambling.
    This is the most common value: because the encryption is not cached, the obfuscation will benefit from all the features, including the dynamic bytecode encryption.
    Please pay attention to large JavaScript files and/or slow machines: the encryption process can be quite slow on them.
    If the resulting speed is unsatisfactory, you may need to disable the dynamic bytecode encryption by setting CACHE_LEVEL to 2.
  • 2 - (recommended) the full processing result will be cached: domain locking, minifying, variable scrambling, encryption.
    Because the encryption result is also cached, this will disable the dynamic feature of encryption.
    This is the recommended value for large JavaScript files and/or slow machines.

To enable caching, put this in your configuration preset:

 $config->CACHE_LEVEL = 1; 

or

 $config->CACHE_LEVEL = 2; 

9. User Messages

When you set an expiration time limit and/or lock the internet domain, WiseLoop PHP Javascript Obfuscator can generate code that will alert the user when the time limit has been reached and the script has expired, or when it detects an attempt to run on another internet domain.
Although this can be fair behaviour, it is not advisable to enable this kind of message, because it gives the potential attacker a clue about what is happening and why the stolen script does not work anymore.
To enable user messages, put this in your configuration preset:

 $config->SHOW_JS_LOCK_ALERTS = true; 

To disable user messages, put this in your configuration preset:

 $config->SHOW_JS_LOCK_ALERTS = false; 

You might also want to check the MSG_LOCK_DOMAIN and MSG_EXPIRED properties of wlJSOConfig in order to modify the actual messages.
