How to prevent JavaScript code from being stolen?

Time: 2021-11-01 16:25:34

Actually I'm developing a Chrome extension and a jQuery plugin to upload it and sell it on Codecanyon. When I "Inspect source" of the page and I click on the "Resources" tab, the javascript file looks empty. How does Codecanyon do that? I want to have file theft prevention in my own website too, but I don't know how to do it. I know php and javascript and there's no method to do it, because the browser downloads the file to execute it.

You can see the example here.

6 solutions

#1


10  

You can only try to make it less readable (through minification and obfuscation), but the code is still transferred and it can be reverse engineered.

The actual code in your example is downloaded with the jquery.js file.

#2


36  

You cannot hide it because your browser needs it to perform it. Simple as that.

You need to understand that it is a script executed on the client side. It is not compiled (meaning it's not a binary (0 and 1 machine language)). So it is freely readable.

Nevertheless, you can obfuscate it using tools like YUI Compressor.

Basically, this kind of tool removes extra spacing, tabs and line returns, and renames methods (like method "a" standing for "MyShinyMethodWhoMakesNiceStuff") and variables. That makes it very difficult to read and understand the code. Reverse engineering is thus harder to achieve.

Some use tricks like base64 or other encodings, and decode part of the code with a function, but these are only tricks and will not fool a sharp eye.

By obfuscation, you make people spend much more time analyzing your code, and stealing is thus much more complex and takes time. Let's say you made a nice JavaScript plugin that makes every white background purple (OK, not such a great example, but I used it just to have an illustrative example). Somebody might want to steal it and make it blue instead of purple. If the code is obfuscated, he might think it's easier to copy your idea and rewrite it on his own with his own code and a blue background; it will take him less time than reverse engineering and understanding yours well, and it will be easier to maintain over time too. In the end he will "only" "steal" your idea but not your code.

I think that in the end, it's just a matter of time.
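The point made in answer #2, as an added example that is not part of any answer on this page: base64 packing is fully reversible from the shipped file alone, while minification discards comments yet leaves the logic runnable. The plugin source, the function names and the `eval(atob(...))` loader shape are constructed for illustration.

```javascript
// Constructed sample plugin (an assumption for this example, not from the page).
const pluginSource = `
// Paints every white background purple.
function paintWhiteBackgrounds(elements, color) {
  let changed = 0;
  for (const el of elements) {
    if (el.background === "white") { el.background = color; changed++; }
  }
  return changed;
}
`;

// "Protection" by encoding: the shipped loader decodes and evals the source.
// The loader string is only built here, never executed.
function packBase64(source) {
  const b64 = Buffer.from(source, "utf8").toString("base64");
  return `eval(atob("${b64}"));`;
}

// Recovery needs nothing but the string literal inside the loader.
function recoverFromLoader(loader) {
  const match = /"([A-Za-z0-9+\/=]{16,})"/.exec(loader);
  return match ? Buffer.from(match[1], "base64").toString("utf8") : null;
}

// Crude minifier, enough for this sample: drop // comments, collapse whitespace.
// (A real minifier parses the code; this regex would break on "//" inside strings.)
function minify(source) {
  return source.replace(/\/\/[^\n]*/g, "").replace(/\s+/g, " ").trim();
}

// Run a source text against constructed elements and count repainted ones.
function countPainted(source) {
  const paint = new Function(source + "\nreturn paintWhiteBackgrounds;")();
  const elements = [{ background: "white" }, { background: "black" }, { background: "white" }];
  return paint(elements, "purple");
}

const loader = packBase64(pluginSource);
console.log("loader hides the name:", !loader.includes("paintWhiteBackgrounds"));
console.log("decoded is byte-identical:", recoverFromLoader(loader) === pluginSource);
console.log("minified lost the comment:", !minify(pluginSource).includes("Paints every"));
console.log("minified still works:", countPainted(minify(pluginSource)) === 2);
```

Anything that must stay secret (license checks, pricing rules, keys) belongs on the server, since every transformation shown here leaves the working logic in the client's hands.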

#3


14  

If you see it's empty, it means that it's empty. There is no way to hide your javascript code from a client that must execute the code.

#4


2  

On JavaScript "protection" - basically what everyone else said.

Explaining the example you provided:

Indeed, http://demos.pixelworkshop.fr/circular_countdown_cc/js/countdown.min.js appears to be empty; however, the actual plugin code is appended to the jquery.js file, starting at line 58:

http://demos.pixelworkshop.fr/circular_countdown_cc/js/jquery.js

#5


1  

You can use these JavaScript obfuscator tools:

http://www.javascriptobfuscator.com
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm

#6


-8  

Liblock is a small tool built by myself. It encrypts your JS-sources - it's no simple obscurity by obfuscation, but good security by encryption.

When you inspect the DOM in your client, all you'll see is: nplreq(url) for each script that you bind into HTML head.

See how it works here liblock-demo - this is a demo only for hiding the scripts in "nopro_lib" and "xscroll.js".

Encryption and decryption are totally transparent to the browser. It is tested with Firefox, Chrome, Opera, Konqueror, IE8-10 on PC, and with Dolphin and Safari on an Android tablet.

The sources are securely hidden, and only with really great effort may they be laid open again. Encryption is done with AES (Rijndael 256) using one-shot keys which are negotiated between client and (liblock-)server using Diffie-Hellman.
