Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Deobfuscation of minified JS with source maps [closed]

Can source maps help to deobfuscate the code that was previously minified with Closure/Uglifyjs?

Are there real obstacles in how source maps work, or is it not there just because nobody cared about it? I'm not quite sure if it may work in a similar way to debug symbols in compiled languages (which are widely used to decompile binaries).

I'm interested in the answer from the developer's perspective. It would be nice to know if unauthorized access to source maps may potentially result in unimpeded code borrowing.

like image 412
Estus Flask Avatar asked Apr 05 '15 23:04

Estus Flask


1 Answers

JavaScript source maps are very similar to debug symbols in compiled languages. In fact, two of the three stated goals of the Source Map Revision 3 Proposal are:

  • Support source level debugging allowing bidirectional mapping
  • Support server side stack trace deobfuscation

Therefore, unauthorized access to source maps can definitely result in deobfuscation.

There is a Node package called maximize which can deobfuscate minified JavaScript using a source map.

Note that the current version of maximize (0.0.1) does not work with falafel 1.0.0+. You will need to clone the maximize git repo and make the following change:

--- a/package.json
+++ b/package.json
@@ -18,7 +18,7 @@
   },
   "dependencies": {
     "argparse": "*",
-    "falafel": "*",
+    "falafel": "0.3.1",
     "js-beautify": "*",
     "seq": "*",
     "source-map": "*"

This will allow you to try out maximize on the example:
http://dev.fontdragr.com/scripts/scripts.js

See also: Can I re-construct the original JavaScript source file from a minified version and the corresponding source-map file?

like image 67
Daniel Trebbien Avatar answered Oct 15 '22 23:10

Daniel Trebbien