First of all, I know that obfuscation doesn’t prevent reverse engineering; it just makes it harder and longer, which is what I am looking for.
My code uses jquery; it’s the only dependency. I’m looking at the google closure compiler and jscrambler which both seem to be well regarded. What would happen if I first passed my code through the google closure compiler and then through jscrambler?
Will the code still work in every browser/platform like it does now? Does double obfuscation add any complexity to reverse engineer the source?
Yes, the outer script would execute its inner script which again tells your browser to execute the inner script that is within the inner script. In other words, ou can put an
evalin aneval.It wouldn’t necessarily add complexity, but it does result in an extra step that needs to be taken to get towards your source. Note how the inner obfuscation that you use is itself obfuscated by the outer obfuscation, so on a single pass the reverse engineer is presented with the obfuscated code of your inner obfuscation but not your actual source code itself.
When I was reverse engineering in the past (to determine if some executable was a virus), I’ve literally came across a program in C# which in an obfuscated way first unpacks another file, that other file again unpacks yet another DLL file which then gets load and then it actually loads in code from a resource in that DLL file which is finally executed and does some nasty code to connect to some online service.
Bottom line is that this required me quite some more time to get to that obfuscated nasty code.
So yes, double obfuscation could increase the complexity and take it longer to get to your code.
But, make sure that you aren’t introducing performance or maintenance costs as a result.
And yeah, eventually everything they have obfuscated access to can be reverse engineered…