Can source maps help to deobfuscate the code that was previously minified with Closure/Uglifyjs?
Are there real obstacles in how source maps work, or is it not there just because nobody cared about it? I'm not quite sure if it may work in a similar way to debug symbols in compiled languages (which are widely used to decompile binaries).
I'm interested in the answer from the developer's perspective. It would be nice to know if unauthorized access to source maps may potentially result in unimpeded code borrowing.
JavaScript source maps are very similar to debug symbols in compiled languages. In fact, two of the three stated goals of the Source Map Revision 3 Proposal are:
- Support source level debugging allowing bidirectional mapping
- Support server side stack trace deobfuscation
Therefore, unauthorized access to source maps can definitely result in deobfuscation.
There is a Node package called maximize which can deobfuscate minified JavaScript using a source map.
Note that the current version of maximize (0.0.1) does not work with falafel 1.0.0+. You will need to clone the maximize git repo and make the following change:
--- a/package.json +++ b/package.json @@ -18,7 +18,7 @@ }, "dependencies": { "argparse": "*", - "falafel": "*", + "falafel": "0.3.1", "js-beautify": "*", "seq": "*", "source-map": "*"
This will allow you to try out maximize on the example:
http://dev.fontdragr.com/scripts/scripts.js
See also: Can I re-construct the original JavaScript source file from a minified version and the corresponding source-map file?
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With