Sunday, 25 September 2011

Javascript Obfuscation - The variables

The variables

One of the thing about variables in Javascript that is not so known is that their name can contains a very width range of character. Lets take a peak look at what the Ecmascript specification allow :

  • Your variable name can start with $, _ or a Unicode Letter (Lu, Ll, Lt, Lm, Lo, Nl).
  • For the rest of the name of the variable you can use $, _, Unicode Letter or Unicode Number (Nd).
There's ton of stuff that is considered as a valid variable name and what's really interesting for obfuscation is that there are a lot of letter that are very similar and there are also letter for which most people will only see a square when they will view the source. The only thing you need to be careful about is encoding. If you're using UTF-8 and your Javascript file is not recognize as a UTF-8 file on the client side, that will break your script. The same thing applies to all encoding of course.

If you don't feel in a comfort zone when using Unicode extensively, there are other thing you can abuse. One of the other thing you can abuse is the way some character are displayed. The best example of this is the character underscore. In most text editor, it's very hard to know how much of them there is when you place them one after the other. Are _____ and ______ the same variable name ?


External Links

1 comment: