Obfuscation of client-side JavaScript

Below is a sample input file, prepared for obfuscation with JavaScript Obfuscator - all names of variables are wrapped into calls of OBJNAME function.

function OBJNAME(n) { return n; }
function dw(str) { document.write(str); }
function dumptbl(obj,row_callback_str,cell_callback_str)
{
    dw('<table border=1>');
    for(var i=0;i<obj.length;++i)
    {
	var tr = '<tr>';
	eval(row_callback_str);
	dw(tr);
	for(var j=0;j<obj[i].length;++j)
	{
	    var td_s = '<td>', td_e = '</td>';
	    eval(cell_callback_str);
	    dw(td_s); dw(obj[i][j]); dw(td_e);
	}
    }
    dw('</table>');
}

dumptbl([[1,2,3],[4,5,6],[7,8,9],[10,11,12],[13,14,15],[16,17,18]],
    OBJNAME('tr') + "= '<tr style=\"background: ' + ( " 
	    + OBJNAME('i') + '%2 ? "red" : "yellow") + \'">\';',
    "");

Below is that file with just obfuscation applied (though by default JavaScript Obfuscator applies encoding too). No encoding was applied to the result of obfuscation, so it still looks like difficult-to-understand JavaScript code.

 function z8c231aa888(z14851c4b0f){return z14851c4b0f;}function z0ab1f0a49e(
z0721975593){document.write(z0721975593);}function zcd8c17c79d(z4716861143,
z500f443098,z9bc82e0042){z0ab1f0a49e(
"\x3c\x74\x61\x62\x6c\x65\x20\x62\x6f\x72\x64\x65\x72\x3d\x31\x3e");for(var 
zd1ea46315e=(0x8e9+2039-0x10e0);zd1ea46315e<z4716861143.length;++zd1ea46315e){
var z708eb69ac7="\x3c\x74\x72\x3e";eval(z500f443098);z0ab1f0a49e(z708eb69ac7);
for(var z2d29194d43=(0x139b+2094-0x1bc9);z2d29194d43<z4716861143[zd1ea46315e].
length;++z2d29194d43){var z23b8891aeb="\x3c\x74\x64\x3e",z7f5411ee29=
"\x3c\x2f\x74\x64\x3e";eval(z9bc82e0042);z0ab1f0a49e(z23b8891aeb);z0ab1f0a49e(
z4716861143[zd1ea46315e][z2d29194d43]);z0ab1f0a49e(z7f5411ee29);}}z0ab1f0a49e(
"\x3c\x2f\x74\x61\x62\x6c\x65\x3e");}zcd8c17c79d([[(0x2d7+5314-0x1798),
(0xf7c+295-0x10a1),(0x900+1599-0xf3c)],[(0x1e8+1063-0x60b),(0xfc1+580-0x1200),
(0x1cf5+1843-0x2422)],[(0x9f9+4410-0x1b2c),(0x1c6+8452-0x22c2),
(0x28a+2774-0xd57)],[(0xcc0+2614-0x16ec),(0x7ee+1483-0xdae),(0xab2+6657-0x24a7)]
,[(0xa14+2966-0x159d),(0x63c+7549-0x23ab),(0x7e2+5079-0x1baa)],[
(0x14bc+296-0x15d4),(0x720+6090-0x1ed9),(0xfba+3045-0x1b8d)]],
"\x7a\x37\x30\x38\x65\x62\x36\x39\x61\x63\x37"+
"\x3d\x20\x27\x3c\x74\x72\x20\x73\x74\x79\x6c\x65\x3d\x22\x62\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x3a\x20\x27\x20\x2b\x20\x28\x20"
+"\x7a\x64\x31\x65\x61\x34\x36\x33\x31\x35\x65"+
"\x25\x32\x20\x3f\x20\x22\x72\x65\x64\x22\x20\x3a\x20\x22\x79\x65\x6c\x6c\x6f\x77\x22\x29\x20\x2b\x20\x27\x22\x3e\x27\x3b"
,"");

Below is that file with obfuscation and encoding applied. As you can see, there is no resemblense of the original or just obfuscated file. (Users of standards non-compliant browsers like Opera6 or Konqueror, please see the sample here).

var xgLfsT = unescape('%7bvar xWKHCx %3d unescape%28%27%252d%257benvar xbmOKD %253d unescape%2528%2527tvChOZdtXvmNOdJdvL8hidwtfYssRqAIcfmNidIZvfmhitJZIvChiJsJWfS3idd2g1SNiJsdGL83idsZIvmNOZxtIL8NyJgtLf8xyZMZ0v8xidYZc1CxOZYZq1mxiZZgXLmxOdItGvm3ydYJs1ChytNd5LChydMt1f8xOdgwd18xytgwtLS3yd2gMLm3OJhtN18xyJcZcvCNiJcJjLmxydstGv8x4dIwcL834dstavS34tYtxvm3ytsdYvShOdZgLfm34dId3fS3iZtMsIsGQIScIcsczt7W6%252527%25253b%25253bfunction __zb8%252528z94%252529%25257bvar z8d%25253d%25255b%25255d%25252czc9%25253d%25255b%25255d%25253bvar zd2%25253d%25255b%25255d%25253bvar z3f%25253d%252522%25255cx61%25255cx7a%25255cx41%25255cx5a%25255cx30%25255cx39%252522%25253b%25257bvar z9e%25253d%2525280xd%25252b263%25252d0x114%252529%25253bfor%252528var zd1%25253d%2525280xcc7%25252b5582%25252d0x2295%252529%25253bzd1%25253cz3f%25252elength%25253bzd1%25252b%25253d%2525280x12bb%25252b4530%25252d0x246b%252529%252529%25257bvar zca%25253dz3f%25252echarCodeAt%252528zd1%252529%25252cz56%25253dz3f%25252echarCodeAt%252528zd1%25252b%2525280x7ae%25252b3578%25252d0x15a7%252529%252529%25253bfor%252528%25253bzca%25253c%25253dz56%25253b%25252b%25252bzca%252529%25257bvar z14%25253d%252528z9e%25252b%25252b%252525%2525280x3c5%25252b7196%25252d0x1fd1%252529%252529%25253bz8d%25255bzca%25255d%25253dz14%25252a%2525280x204f%25252b1178%25252d0x24d9%252529%25253bzc9%25255bzca%25255d%25253dz14%25253b%25257d%25257dfor%252528var z2d%25253d%2525280x872%25252b273%25252d0x983%252529%25253bz2d%25253c%2525280x1a85%25252b2777%25252d0x245e%252529%25253b%25252b%25252bz2d%252529zd2%25255bz2d%25255d%25253dString%25252efromCharCode%252528z2d%252529%25253b%25257dvar z84%25253d%252527%252527%25253bfor%252528var zd1%25253d%2525280x6eb%25252b4793%25252d0x19a4%252529%25253bzd1%25253cz94%25252elength%25253bzd1%25252b%25253d%2525280x111f%25252b5358%25252d0x260b%252529%252529%25257bz84%25252b%25253dzd2%25255bz8d%25255bz94%25252echarCodeAt%252528zd1%252529%25255d%25252bzc9%25255bz94%25252echarCodeAt%252528zd1%25252b%2525280x271%25252b7213%25252d0x1e9d%252529%252529%25255d%25255d%25253b%25257dreturn z84%25253b%25257d%25253b xDRMdB %25253d __zb8%252528xDRMdB%252529%25253b eval%252528xDRMdB%252529%25253b xDRMdB %25253d %252527%252527%25253b S%25257bvar xDRMdB %25253d %252527YWwMhvwE2JhKg5gpwEcqh6tyMZtsdZtbwH2XJityJOYiNkdbd0JiJfJX2Jt0MsdGggsjxRI3I3JRxYgLh0xLhIMosGh6ZHd0ZOJvZHgdd0wYJW22t7hD2whvwU2dhu2jgp2UYa3AtWgH2Ytr2gJawHZ0tPwvc4GQ36Jqd3JsZbdPt3ZLZvdzJdsjh72KwFwJ31wTMf2UheIUNhNYwzhKMfI4hAJWd3tsdXJPJNJ1tvZztZI5Z7h9wwxfgUwZhugPMVgUYGN6wZg0ZywJZXdN2JJNJPgeYO36dKZhJrdwtiZMZHJHZ0ZdYSWkhkJvJWZa2MZKZuttdGdPtisCNkJ52cgJJOtI2fZGdWdutsYzGAN7NAtWwbMsdH2MJW2bdKZjgLs4aQYI1m3iJJMJv83OJxZ0LSNOZgJXf8NOdwdcfSxidMgd1C3iJgdvLS3yJIJGfmh4ZMdYvmhOtMMwLS3iZ3dIfCx4JwJufCx4ZgZvLmNOZxZI18hOZtwKvCN4tdJH1S3Odd21cIcztlgMgFNcYONg2b3IYGWkN6geZrwvMbtuJMtZJHZf2LJ9syJWNOdbwcJjcltJZ2dLZuYTZq3iwgwgw2YPZBhQw0dbwLwbteJgZdtXJ1wLtmN6JeZNdbtMdydgZbtXZ0dZIowm21goghhKgOd7cBIBN62etX212XJud2ZttrJLM1YPq6hBGAxMMHhcsWNAdhZWZOMvgYJwZ5wHMZJhZDcc1SxOZJ2ZvmhiJ3Zu1SN4t3dYLCNOttwfYItBM1x2wH2Csi3Ad1daZawMduZetttGt5Z4szZR3kdGwX2stHMgJawHZKtP2LIi3Qt3dqZiw12YZMZzwHMtdNYPtBW6ggwpxcY4N2wrhIcqN6dcgKtcJ5JHd5d0wedKdddDciJGhOgHZtdLIBdgJzZqJYsnZa34ZcdfZcMYczdR3QtYw0dYJzJXd5tu2uJKttJm3kdKJ3drJwtOdMtrtrZ0dZLR36wedr2LgrZuJ2JdJbtLw11DcEqAMmMfwowxhuwitRcBIlh6dcMuZcdjdHdPdu2uZeZZszWQ3R32wXhcYaNQZIZJMcdydyZPJHMXM12ItTssvSNyJJMdfmx4Z3du1Shyd2tK1S3idd21css8xQZxgwJLdudXZH2vwLtIJPJDGAcc1SxiZt2tvCxOJIggLmxit3duvm34tgJK1mhyddgLIstRgvhM2bMCYyNAt52IwtdyZIM1tGJGdutcY5ZRx6JWMHwcZbgwdWMrJuZPw1I43AJIJtwIZ4d4tzdrwr2vMYI5dBx6JWwbgcJr2gdqwHdKZ5MfciWAh6Z0JxdHd2ZOdgZHtrduZdf7x6MudrMfgXZ0J2ZdZHZ12f1D1lxkZs20ZYJ5dHJ5ZeMetudd1ncPdlhkJGwr2sZHg2dagHZeZ5gLY4xQZxMwZvZetHJXw1gvZYJPsjZBhDNDh6tq2rwsdb22dagbtutj21ciqkII1m3OtdgZ1mhyZYw2LSN4Z3ZKfmNOJwJHfmh4ZMdcvCxOd2wdvC3id2dLL8x4JJ21sssjJR3D362dgeZOwdZXJNMZJxJzg0ciLRL7IydqN4MfwLgHYBJ2tjInJa3yMgZIg1YjcSqAYyZGhyggM2tycldtd5tfJycnta3yJHMMt2MJsjISYOtWxitbZsZxdMcRdrJqtdZOcDJa3yZXtMdiJHcj19sC1lIytGxiZbJXMYtdIBtItYdOtdcTdGhidXwXd52bczsSWkIyJqxidXdPwtJycBZ1JjtucTdq34dbMZJrd1sjI8YyJaNyZYgHcBdvdJJHdjYTZG3itrJeMvwsIjLDsSLBsiZaxOZYdZd2IlZuJcJ4t2sTZGhOZXtcMfgusjsmIOdGN4ZHgcMJMgc7dOdXd4I9ZWNitb2f2gt5I5a6ISIOJa3OtXtNtGJWcRdMZKZ5cnZaN4tHJzd4tWs5vTICfRIydqNOt3JOgeI7JbtPJLJGc9tGxOwwZYdHsPY8IOtW3OJ2weZwY7dutGtGtrITdqx4drdwdggdIjYSYyZGxOJsZd2LcRZIdutwZcYTJqhi2sgudGszqkL9YCL7sidGNiM0tLd3IBZbdadOtWI9dq3itbtHdidcYjICYyZq3yt3dcMJcBtIJNJPtXInZaNyJXtctadvsPYmsiZqxyd0ZdZZY7ZItztWZrIntW3ig2d3djcjfTIm1lqkcyda34JOddw0YldLZOZMZhIDtq34ZHMwtrtiIzsSs4ZaN4ZNJHMesRZudZZsZwcntGh4JXJhw2dIs5cSIitaNiJvMXtrIBdXZOdzZgYTta3ywJ22ZNs5vDfDICGAcsf8h4ZhwHLmxyddJNfmx4dZtafS3itddivCx4ZgZLLSN4Z2JcvSNOtJdMLSNOJZdPL8NidgdXLm3iZwdtfm3OZtJ3csclWAIILC34ZJ20LCh4JsZGf8NOtYdhvC34JtgZfm3OZNZKfChid3tY1Sx4ZcZa1mx4ZhtJv8xyJxdK18xyt3tPLCxitgMdLCNyZ2tL18h4ttwufC3iJsdsfmxOJgJcLS3OtgtbLCNidgZJfmNOd2MILSx4t2Jxv83OdxJsLSNiZwM2f8hOZNtLfChyd2g1vC3iZgte1S3itJgrfm34tcZavmh4tYZ3fChOdcZavShOJYMsf8hOtItaL83yJcZyv8NOtYJWYIGQWkIBYILCNyt3MbLCNidgtu1mxiZtZbLCxiZwdL1Ch4t2dXvmxOZZte18hytJdwf8h4tJti%2527%2529%253bxbmOKD %253d xbmOKD%252esubstr%2528981%252c1092%2529%252bxbmOKD%252esubstr%25282073%252c1670%2529%252bxbmOKD%252esubstr%25280%252c980%2529%252b%2528xbmOKD%252echarCodeAt%25280%2529%253e4%253fString%252efromCharCode%2528%2528554%252bxbmOKD%252echarCodeAt%2528980%2529%2529%2525256%2529%253axbmOKD%252echarAt%25283743%2529%2529%253b xbmOKD %253d eval%2528xbmOKD%2529%253b%253b %257d%27%29%3bxWKHCx %3d %28xWKHCx%2echarCodeAt%284%29%3e166%3fString%2efromCharCode%28%284%2bxWKHCx%2echarCodeAt%280%29%29%25256%29%3axWKHCx%2echarAt%281%29%29%2bxWKHCx%2esubstr%284%2c4350%29%2b%28xWKHCx%2echarCodeAt%284%29%3e69%3fString%2efromCharCode%28%28461%2bxWKHCx%2echarCodeAt%283%29%29%25256%29%3axWKHCx%2echarAt%282%29%29%3b xWKHCx %3d eval%28xWKHCx%29%3b%3b %7d%3b');{var z82="\x5c";function __z9b(z07){while(z82.length<(0x5b0+4306-0x15ba)){z82+=z82+z82+z82+z82+z82;}var z84='',z5d=(0x613+5902-0x1d21);while((0x6ae+4399-0x17dc)){var zff=z07.indexOf("\x5e",z5d);if(zff==-(0x2203+1166-0x2690))return z84+z07.substr(z5d);else{z84+=z07.substr(z5d,zff-z5d);var zd1=(0x1e93+1313-0x23b2);var z21=z07.charAt(zff+(0x907+1781-0xffb));while((0x1451+3608-0x2268)){var zab=z07.charAt(zff+zd1++);if(!(zab>="\x30"&&zab<="\x39"))break;else z21+=zab;}z21=parseInt(z21);z5d=zff+zd1-(0x194+2657-0xbf4);do{var z14=z21>z82.length?z82.length:z21;z21-=z14;z84+=z82.substr((0x27b+7467-0x1fa6),z14);}while(z21>z82.length);}}return z84;}};xgLfsT = __z9b(xgLfsT);eval(xgLfsT);

As you can see, it's extremely difficult to analyze the code that was just obfuscated, even without encoding applied.

Example of obfuscation of Active Server Pages files

Here is another example of obfuscation, applied to .ASP file containing scripts in both server-side and client-side JavaScript, and containing client-side scripts in other languages.

Here is the original source - it's trivial guestbook. Further commandline strings refer to it as to file named dbit.asp. The empty pre-created database file where comments are stored by it can be downloaded from our site, just unpack it using WinZIP to the directory where ASP script resides.


<%@ Language=JScript %>
<HTML>
<HEAD>
<%
    var srvnm =  Request.ServerVariables("SERVER_NAME");
%>
<TITLE>Trivial guestbook at <%= srvnm %></TITLE>
</HEAD>
<!-- plain html comment. It will be automatically removed. -->

<script language=vbscript>
<!--
'example of script on different scripting language
function validateEmail(email)
    if InStr(email,"@")=0 then
	validateEmail = false 
    else
	validateEmail = true
    end if
end function
-->
</script>


<script language=javascript>
<!--
function validateAndSubmitForm()
{
    var f = document.forms.MainForm
    if (!validateEmail(f.email.value))
    {
	alert("Email address you've entered is not valid");
	return;
    };
    if (!f.email.value.length)
    {
	alert("Posting anonymous comments on <%= srvnm %> is prohibitted!");
    };
    //server-side script inside client-side!
    if (confirm("Owners of <%= srvnm %> require not to " + 
	    "post offensive comments. Does you post agree with their "+
	    "requirements?"))
    {
	f.submit()
    };
}
-->
</script>


<form method=post name=MainForm> 
<table border=0 cellpadding=2 cellspacing=0>
<tr><td align=right>Name:</td><td
    ><input type=text size=50 name=name value='' maxlength=60></td></tr>
<tr><td align=right>Email:</td><td
    ><input type=text size=50 name=email value='' maxlength=100></td></tr>
<tr><td valign=top align=right>Comments:</td><td
    ><textarea name=comments rows=4 cols=40 wrap=virtual></textarea></td></tr>
<tr><td> </td><td><input type=button value='Submit' onclick=validateAndSubmitForm()><input type=reset value=Clear></td></tr>
</table>
</form>
<script language=javascript runat=server>
//this function adds comment to the table
function addcomment(objrs,m)
{
    var nm 	= "" + Request.Form("name")
;
    var email 	= "" + Request.Form("email");
    var cmnt 	= "" + Request.Form("comments")
;

    var D =  new Date();
    var d = D.getYear() + '.' + (1+D.getMonth()) + '.' + D.getDate() + ' ' +
	    D.getHours() + ':' + D.getMinutes() + ':' + D.getSeconds();

    if (nm.length > 1 && email.length > 1 && cmnt.length > 1)
    {
	objrs.AddNew();
        objrs("name") = nm;
	objrs("email") = email;
	objrs("comments") = cmnt;
	objrs("date") = d;
	objrs("id") = m
;
	objrs.Update();
    }
};

function q(s)
{
    return Server.HTMLEncode(s)
}
</script>
<%

var strConnect = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" + 
             Server.MapPath("guestbook.mdb")
;
var objConn = Server.CreateObject("ADODB.Connection")
;
objConn.open(strConnect
);
var objRS = Server.CreateObject("ADODB.RecordSet")
;
objRS.open("select * from guestbook  order by date",objConn,2,2
);

var m
;
if (objRS.BOF && objRS.EOF)
{
    m = 1
} else
 {
    var maxid = Server.CreateObject("ADODB.RecordSet")
;
    maxid.open("select max(id) from guestbook",objConn,2,2
);
    m = maxid(0) + 1
;
}

addcomment(objRS, m);

if (objRS.BOF && objRS.EOF)
{
    Response.Write("<B><center>Sorry, Currently There are No Records in the Database</center></B>"
);
%>
<br>
<hr size=2 width=80%>
<br>
<%
} else
 {
    objRS.MoveLast();
    while (!objRS.bof
) {
%>
<table border=0 cellpadding=2 cellspacing=0>
<tr><td align=right><b>Name:</b></td><td
    ><%= q(objRS("name")) %></td></tr>
<tr><td align=right><b>Email:</b></td><td
    ><a href=mailto:<%= objRS("email")%>><%= objRS("email")%></a></td></tr>
<tr><td valign=top align=right><b>Comments:</b></td><td 
    width=500><%= q(objRS("comments")) %></td></tr>
<tr><td></td><td
    ><font size=2><%= q(objRS("date"))%></font></td></tr>
</table>
<br>
<hr size=2 width=80%>
<br>
<%
	objRS.MovePrevious();
    };
};
%>
<P><a href=http://<%= srvnm %>>Back to homepage</a></P>

</BODY>
</HTML>

Despite it looks not very complicated, it demonstrates some key features of JS-Obfus:

Following are result of protecting scripts in it using different options. Since client-side script references values of form fields, the names of these form fields should be listed in a special file as exceptions in order result of processing to function as original script; we've put the list to the file dbit-exceptions:


MainForm
email
validateEmail

Protecting scripts in ASP file using default options

Applying protection to the server-side scripts using default options produces the following output (we saved it to file dbit-so-simple-nonpacked.asp):


<%@ Language=JScript %>
<HTML>
<HEAD>
<% 
var z843165b685=Request.ServerVariables(
"\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"); %>
<TITLE>Trivial guestbook at <%= z843165b685 %></TITLE>
</HEAD>
<!-- plain html comment. It will be automatically removed. -->

<script language=vbscript><!--

'example of script on different scripting language
function validateEmail(email)
    if InStr(email,"@")=0 then
	validateEmail = false 
    else
	validateEmail = true
    end if
end function

--></script>


<script language=javascript><!--

function validateAndSubmitForm()
{
    var f = document.forms.MainForm
    if (!validateEmail(f.email.value))
    {
	alert("Email address you've entered is not valid");
	return;
    };
    if (!f.email.value.length)
    {
	alert("Posting anonymous comments on <%= z843165b685 %> is prohibitted!");
    };
    //server-side script inside client-side!
    if (confirm("Owners of <%= z843165b685 %> require not to " + 
	    "post offensive comments. Does you post agree with their "+
	    "requirements?"))
    {
	f.submit()
    };
}

--></script>


<form method=post name=MainForm> 
<table border=0 cellpadding=2 cellspacing=0>
<tr><td align=right>Name:</td><td
    ><input type=text size=50 name=name value='' maxlength=60></td></tr>
<tr><td align=right>Email:</td><td
    ><input type=text size=50 name=email value='' maxlength=100></td></tr>
<tr><td valign=top align=right>Comments:</td><td
    ><textarea name=comments rows=4 cols=40 wrap=virtual></textarea></td></tr>
<tr><td> </td><td><input type=button value='Submit' onclick=validateAndSubmitForm()><input type=reset value=Clear></td></tr>
</table>
</form>
<script language=javascript runat=server>

function zf2e3f42341(z861252a0a6,z5ed7bfc7c1)
{var zb1f650e8a0=""+Request.Form("\x6e\x61\x6d\x65")
;var z63907942ed=""+Request.Form("\x65\x6d\x61\x69\x6c");var z9b081ecd8b=""+
Request.Form("\x63\x6f\x6d\x6d\x65\x6e\x74\x73")
;var z12e0092364=new Date();var zcb5de2c6e1=z12e0092364.getYear()+"\x2e"+(
(0x12a7+829-0x15e3)+z12e0092364.getMonth())+"\x2e"+z12e0092364.getDate()+"\x20"+
z12e0092364.getHours()+"\x3a"+z12e0092364.getMinutes()+"\x3a"+z12e0092364.
getSeconds();if(zb1f650e8a0.length>(0x1133+4274-0x21e4)&&z63907942ed.length>
(0x452+5847-0x1b28)&&z9b081ecd8b.length>(0x875+2420-0x11e8))
{z861252a0a6.AddNew();z861252a0a6("\x6e\x61\x6d\x65")=zb1f650e8a0;z861252a0a6(
"\x65\x6d\x61\x69\x6c")=z63907942ed;z861252a0a6(
"\x63\x6f\x6d\x6d\x65\x6e\x74\x73")=z9b081ecd8b;z861252a0a6("\x64\x61\x74\x65")=
zcb5de2c6e1;z861252a0a6("\x69\x64")=z5ed7bfc7c1
;z861252a0a6.Update();}};function z34d15a68ff(z9459b9c7af)
{return Server.HTMLEncode(z9459b9c7af)
}
</script>
<% 

var ze21f4c397b=
"\x50\x72\x6f\x76\x69\x64\x65\x72\x3d\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x4a\x65\x74\x2e\x4f\x4c\x45\x44\x42\x2e\x34\x2e\x30\x3b\x20\x44\x61\x74\x61\x20\x53\x6f\x75\x72\x63\x65\x3d"
+Server.MapPath("\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b\x2e\x6d\x64\x62")
;var zffc88513a7=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e")
;zffc88513a7.open(ze21f4c397b
);var z867294fea2=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x52\x65\x63\x6f\x72\x64\x53\x65\x74")
;z867294fea2.open(
"\x73\x65\x6c\x65\x63\x74\x20\x2a\x20\x66\x72\x6f\x6d\x20\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b\x20\x20\x6f\x72\x64\x65\x72\x20\x62\x79\x20\x64\x61\x74\x65"
,zffc88513a7,(0xa98+625-0xd07),(0x1cf8+672-0x1f96)
);var z5ed7bfc7c1
;if(z867294fea2.BOF&&z867294fea2.EOF)
{z5ed7bfc7c1=(0x1afd+2461-0x2499)
}else
{var z2951a043e3=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x52\x65\x63\x6f\x72\x64\x53\x65\x74")
;z2951a043e3.open(
"\x73\x65\x6c\x65\x63\x74\x20\x6d\x61\x78\x28\x69\x64\x29\x20\x66\x72\x6f\x6d\x20\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b"
,zffc88513a7,(0x1cda+1020-0x20d4),(0x69+1996-0x833)
);z5ed7bfc7c1=z2951a043e3((0x5a1+7358-0x225f))+(0xdb5+3845-0x1cb9)
;}zf2e3f42341(z867294fea2,z5ed7bfc7c1);if(z867294fea2.BOF&&z867294fea2.EOF)
{Response.Write(
"\x3c\x42\x3e\x3c\x63\x65\x6e\x74\x65\x72\x3e\x53\x6f\x72\x72\x79\x2c\x20\x43\x75\x72\x72\x65\x6e\x74\x6c\x79\x20\x54\x68\x65\x72\x65\x20\x61\x72\x65\x20\x4e\x6f\x20\x52\x65\x63\x6f\x72\x64\x73\x20\x69\x6e\x20\x74\x68\x65\x20\x44\x61\x74\x61\x62\x61\x73\x65\x3c\x2f\x63\x65\x6e\x74\x65\x72\x3e\x3c\x2f\x42\x3e"
); %>
<br>
<hr size=2 width=80%>
<br>
<% }else
{z867294fea2.MoveLast();while(!z867294fea2.bof
){ %>
<table border=0 cellpadding=2 cellspacing=0>
<tr><td align=right><b>Name:</b></td><td
    ><%= z34d15a68ff(z867294fea2("\x6e\x61\x6d\x65")) %></td></tr>
<tr><td align=right><b>Email:</b></td><td
    ><a href=mailto:<%= z867294fea2("\x65\x6d\x61\x69\x6c") %>><%= z867294fea2("\x65\x6d\x61\x69\x6c") %></a></td></tr>
<tr><td valign=top align=right><b>Comments:</b></td><td 
    width=500><%= z34d15a68ff(z867294fea2("\x63\x6f\x6d\x6d\x65\x6e\x74\x73")) %></td></tr>
<tr><td></td><td
    ><font size=2><%= z34d15a68ff(z867294fea2("\x64\x61\x74\x65")) %></font></td></tr>
</table>
<br>
<hr size=2 width=80%>
<br>
<% 
z867294fea2.MovePrevious();};}; %>
<P><a href=http://<%= z843165b685 %>>Back to homepage</a></P>

</BODY>
</HTML>


Commandline used was:
js-obfus -E asp dbit.asp -o dbit-so-simple-nonpacked.asp
As you can see, client-side scripts were not protected at all - that's because js-obfus can protect either server-side or client-side scripts when invoked. But it's possible to protect both server-side or client-side scripts by just protecting server-side scripts, and then calling js-obfus on the result to protect client-side scripts.

Here is a result of such two-stage protection:


<%@ Language=JScript %>
<HTML>
<HEAD>
<% 
var z843165b685=Request.ServerVariables(
"\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"); %>
<TITLE>Trivial guestbook at <%= z843165b685 %></TITLE>
</HEAD>
<!-- plain html comment. It will be automatically removed. -->

<script language=vbscript><!--

'example of script on different scripting language
function validateEmail(email)
    if InStr(email,"@")=0 then
	validateEmail = false 
    else
	validateEmail = true
    end if
end function

--></script>


<script language=javascript><!--
function z7acc451790()
{var z320685341b=document.forms.MainForm
if(!validateEmail(z320685341b.email.value))
{alert(
"\x45\x6d\x61\x69\x6c\x20\x61\x64\x64\x72\x65\x73\x73\x20\x79\x6f\x75\x27\x76\x65\x20\x65\x6e\x74\x65\x72\x65\x64\x20\x69\x73\x20\x6e\x6f\x74\x20\x76\x61\x6c\x69\x64"
);return;};if(!z320685341b.email.value.length)
{alert("Posting anonymous comments on <%= z843165b685 %> is prohibitted!");};
if(confirm("Owners of <%= z843165b685 %> require not to "+
"\x70\x6f\x73\x74\x20\x6f\x66\x66\x65\x6e\x73\x69\x76\x65\x20\x63\x6f\x6d\x6d\x65\x6e\x74\x73\x2e\x20\x44\x6f\x65\x73\x20\x79\x6f\x75\x20\x70\x6f\x73\x74\x20\x61\x67\x72\x65\x65\x20\x77\x69\x74\x68\x20\x74\x68\x65\x69\x72\x20"
+"\x72\x65\x71\x75\x69\x72\x65\x6d\x65\x6e\x74\x73\x3f"))
{z320685341b.submit()
};}
--></script>


<form method=post name=MainForm> 
<table border=0 cellpadding=2 cellspacing=0>
<tr><td align=right>Name:</td><td
    ><input type=text size=50 name=name value='' maxlength=60></td></tr>
<tr><td align=right>Email:</td><td
    ><input type=text size=50 name=email value='' maxlength=100></td></tr>
<tr><td valign=top align=right>Comments:</td><td
    ><textarea name=comments rows=4 cols=40 wrap=virtual></textarea></td></tr>
<tr><td> </td><td><input  type="button" value="Submit" onclick="z7acc451790()
"><input type=reset value=Clear></td></tr>
</table>
</form>
<script language=javascript runat=server>

function zf2e3f42341(z861252a0a6,z5ed7bfc7c1)
{var zb1f650e8a0=""+Request.Form("\x6e\x61\x6d\x65")
;var z63907942ed=""+Request.Form("\x65\x6d\x61\x69\x6c");var z9b081ecd8b=""+
Request.Form("\x63\x6f\x6d\x6d\x65\x6e\x74\x73")
;var z12e0092364=new Date();var zcb5de2c6e1=z12e0092364.getYear()+"\x2e"+(
(0x12a7+829-0x15e3)+z12e0092364.getMonth())+"\x2e"+z12e0092364.getDate()+"\x20"+
z12e0092364.getHours()+"\x3a"+z12e0092364.getMinutes()+"\x3a"+z12e0092364.
getSeconds();if(zb1f650e8a0.length>(0x1133+4274-0x21e4)&&z63907942ed.length>
(0x452+5847-0x1b28)&&z9b081ecd8b.length>(0x875+2420-0x11e8))
{z861252a0a6.AddNew();z861252a0a6("\x6e\x61\x6d\x65")=zb1f650e8a0;z861252a0a6(
"\x65\x6d\x61\x69\x6c")=z63907942ed;z861252a0a6(
"\x63\x6f\x6d\x6d\x65\x6e\x74\x73")=z9b081ecd8b;z861252a0a6("\x64\x61\x74\x65")=
zcb5de2c6e1;z861252a0a6("\x69\x64")=z5ed7bfc7c1
;z861252a0a6.Update();}};function z34d15a68ff(z9459b9c7af)
{return Server.HTMLEncode(z9459b9c7af)
}
</script>
<% 

var ze21f4c397b=
"\x50\x72\x6f\x76\x69\x64\x65\x72\x3d\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x4a\x65\x74\x2e\x4f\x4c\x45\x44\x42\x2e\x34\x2e\x30\x3b\x20\x44\x61\x74\x61\x20\x53\x6f\x75\x72\x63\x65\x3d"
+Server.MapPath("\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b\x2e\x6d\x64\x62")
;var zffc88513a7=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e")
;zffc88513a7.open(ze21f4c397b
);var z867294fea2=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x52\x65\x63\x6f\x72\x64\x53\x65\x74")
;z867294fea2.open(
"\x73\x65\x6c\x65\x63\x74\x20\x2a\x20\x66\x72\x6f\x6d\x20\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b\x20\x20\x6f\x72\x64\x65\x72\x20\x62\x79\x20\x64\x61\x74\x65"
,zffc88513a7,(0xa98+625-0xd07),(0x1cf8+672-0x1f96)
);var z5ed7bfc7c1
;if(z867294fea2.BOF&&z867294fea2.EOF)
{z5ed7bfc7c1=(0x1afd+2461-0x2499)
}else
{var z2951a043e3=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x52\x65\x63\x6f\x72\x64\x53\x65\x74")
;z2951a043e3.open(
"\x73\x65\x6c\x65\x63\x74\x20\x6d\x61\x78\x28\x69\x64\x29\x20\x66\x72\x6f\x6d\x20\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b"
,zffc88513a7,(0x1cda+1020-0x20d4),(0x69+1996-0x833)
);z5ed7bfc7c1=z2951a043e3((0x5a1+7358-0x225f))+(0xdb5+3845-0x1cb9)
;}zf2e3f42341(z867294fea2,z5ed7bfc7c1);if(z867294fea2.BOF&&z867294fea2.EOF)
{Response.Write(
"\x3c\x42\x3e\x3c\x63\x65\x6e\x74\x65\x72\x3e\x53\x6f\x72\x72\x79\x2c\x20\x43\x75\x72\x72\x65\x6e\x74\x6c\x79\x20\x54\x68\x65\x72\x65\x20\x61\x72\x65\x20\x4e\x6f\x20\x52\x65\x63\x6f\x72\x64\x73\x20\x69\x6e\x20\x74\x68\x65\x20\x44\x61\x74\x61\x62\x61\x73\x65\x3c\x2f\x63\x65\x6e\x74\x65\x72\x3e\x3c\x2f\x42\x3e"
); %>
<br>
<hr size=2 width=80%>
<br>
<% }else
{z867294fea2.MoveLast();while(!z867294fea2.bof
){ %>
<table border=0 cellpadding=2 cellspacing=0>
<tr><td align=right><b>Name:</b></td><td
    ><%= z34d15a68ff(z867294fea2("\x6e\x61\x6d\x65")) %></td></tr>
<tr><td align=right><b>Email:</b></td><td
    ><a href=mailto:<%= z867294fea2("\x65\x6d\x61\x69\x6c") %>><%= z867294fea2("\x65\x6d\x61\x69\x6c") %></a></td></tr>
<tr><td valign=top align=right><b>Comments:</b></td><td 
    width=500><%= z34d15a68ff(z867294fea2("\x63\x6f\x6d\x6d\x65\x6e\x74\x73")) %></td></tr>
<tr><td></td><td
    ><font size=2><%= z34d15a68ff(z867294fea2("\x64\x61\x74\x65")) %></font></td></tr>
</table>
<br>
<hr size=2 width=80%>
<br>
<% 
z867294fea2.MovePrevious();};}; %>
<P><a href=http://<%= z843165b685 %>>Back to homepage</a></P>

</BODY>
</HTML>



Commandline used was:
js-obfus -E html dbit-so-simple-nonpacked.asp -x dbit-exceptions -o dbit-o-simple-nonpacked.asp
Nothing changed in the server-side scripts (they are already protected), though client-side scripts in JavaScript were protected. Please note that: We could make the result more cryptic even further if we use html packing available in JS-Obfus - that removes extra whitespaces and newlines in the html content and markup (of course where it's allowed to remove them per specifications):

Here is a sample output (protecting result of protecting server-side scripts in same file) with extra whitespaces in html automatically removed:


<%@ Language=JScript %> <html> <head> <% 
var z843165b685=Request.ServerVariables(
"\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"); %> <title>Trivial guestbook at <%= z843165b685 %></TITLE> </HEAD> <!-- plain html comment. It will be automatically removed. --> <script language=vbscript><!--

'example of script on different scripting language
function validateEmail(email)
    if InStr(email,"@")=0 then
	validateEmail = false 
    else
	validateEmail = true
    end if
end function

--></script> <script language=javascript><!--
function z7acc451790()
{var z320685341b=document.forms.MainForm
if(!validateEmail(z320685341b.email.value))
{alert(
"\x45\x6d\x61\x69\x6c\x20\x61\x64\x64\x72\x65\x73\x73\x20\x79\x6f\x75\x27\x76\x65\x20\x65\x6e\x74\x65\x72\x65\x64\x20\x69\x73\x20\x6e\x6f\x74\x20\x76\x61\x6c\x69\x64"
);return;};if(!z320685341b.email.value.length)
{alert("Posting anonymous comments on <%= z843165b685 %> is prohibitted!");};
if(confirm("Owners of <%= z843165b685 %> require not to "+
"\x70\x6f\x73\x74\x20\x6f\x66\x66\x65\x6e\x73\x69\x76\x65\x20\x63\x6f\x6d\x6d\x65\x6e\x74\x73\x2e\x20\x44\x6f\x65\x73\x20\x79\x6f\x75\x20\x70\x6f\x73\x74\x20\x61\x67\x72\x65\x65\x20\x77\x69\x74\x68\x20\x74\x68\x65\x69\x72\x20"
+"\x72\x65\x71\x75\x69\x72\x65\x6d\x65\x6e\x74\x73\x3f"))
{z320685341b.submit()
};}
--></script> <form method="post" name="MainForm"> <table border="0" cellpadding="2" cellspacing="0"> <tr><td align="right">Name:</td><td><input type="text" size="50" name="name" value="" maxlength="60"></td></tr> <tr><td align="right">Email:</td><td><input type="text" size="50" name="email" value="" maxlength="100"></td></tr> <tr><td valign="top" align="right">Comments:</td><td><textarea name="comments" rows="4" cols="40" wrap="virtual"></textarea></td></tr> <tr><td> </td><td><input  type="button" value="Submit" onclick="z7acc451790()
"><input type="reset" value="Clear"></td></tr> </table> </form> <script language=javascript runat=server>

function zf2e3f42341(z861252a0a6,z5ed7bfc7c1)
{var zb1f650e8a0=""+Request.Form("\x6e\x61\x6d\x65")
;var z63907942ed=""+Request.Form("\x65\x6d\x61\x69\x6c");var z9b081ecd8b=""+
Request.Form("\x63\x6f\x6d\x6d\x65\x6e\x74\x73")
;var z12e0092364=new Date();var zcb5de2c6e1=z12e0092364.getYear()+"\x2e"+(
(0x1292+2153-0x1afa)+z12e0092364.getMonth())+"\x2e"+z12e0092364.getDate()+"\x20"
+z12e0092364.getHours()+"\x3a"+z12e0092364.getMinutes()+"\x3a"+z12e0092364.
getSeconds();if(zb1f650e8a0.length>(0x204+6132-0x19f7)&&z63907942ed.length>
(0xf8a+84-0xfdd)&&z9b081ecd8b.length>(0x7f+510-0x27c))
{z861252a0a6.AddNew();z861252a0a6("\x6e\x61\x6d\x65")=zb1f650e8a0;z861252a0a6(
"\x65\x6d\x61\x69\x6c")=z63907942ed;z861252a0a6(
"\x63\x6f\x6d\x6d\x65\x6e\x74\x73")=z9b081ecd8b;z861252a0a6("\x64\x61\x74\x65")=
zcb5de2c6e1;z861252a0a6("\x69\x64")=z5ed7bfc7c1
;z861252a0a6.Update();}};function z34d15a68ff(z9459b9c7af)
{return Server.HTMLEncode(z9459b9c7af)
}
</script> <% 

var ze21f4c397b=
"\x50\x72\x6f\x76\x69\x64\x65\x72\x3d\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x4a\x65\x74\x2e\x4f\x4c\x45\x44\x42\x2e\x34\x2e\x30\x3b\x20\x44\x61\x74\x61\x20\x53\x6f\x75\x72\x63\x65\x3d"
+Server.MapPath("\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b\x2e\x6d\x64\x62")
;var zffc88513a7=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e")
;zffc88513a7.open(ze21f4c397b
);var z867294fea2=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x52\x65\x63\x6f\x72\x64\x53\x65\x74")
;z867294fea2.open(
"\x73\x65\x6c\x65\x63\x74\x20\x2a\x20\x66\x72\x6f\x6d\x20\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b\x20\x20\x6f\x72\x64\x65\x72\x20\x62\x79\x20\x64\x61\x74\x65"
,zffc88513a7,(0x464+4509-0x15ff),(0x46f+3475-0x1200)
);var z5ed7bfc7c1
;if(z867294fea2.BOF&&z867294fea2.EOF)
{z5ed7bfc7c1=(0x2c8+3283-0xf9a)
}else
{var z2951a043e3=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x52\x65\x63\x6f\x72\x64\x53\x65\x74")
;z2951a043e3.open(
"\x73\x65\x6c\x65\x63\x74\x20\x6d\x61\x78\x28\x69\x64\x29\x20\x66\x72\x6f\x6d\x20\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b"
,zffc88513a7,(0xace+5667-0x20ef),(0xb2b+6192-0x2359)
);z5ed7bfc7c1=z2951a043e3((0x19c7+38-0x19ed))+(0x36+2240-0x8f5)
;}zf2e3f42341(z867294fea2,z5ed7bfc7c1);if(z867294fea2.BOF&&z867294fea2.EOF)
{Response.Write(
"\x3c\x42\x3e\x3c\x63\x65\x6e\x74\x65\x72\x3e\x53\x6f\x72\x72\x79\x2c\x20\x43\x75\x72\x72\x65\x6e\x74\x6c\x79\x20\x54\x68\x65\x72\x65\x20\x61\x72\x65\x20\x4e\x6f\x20\x52\x65\x63\x6f\x72\x64\x73\x20\x69\x6e\x20\x74\x68\x65\x20\x44\x61\x74\x61\x62\x61\x73\x65\x3c\x2f\x63\x65\x6e\x74\x65\x72\x3e\x3c\x2f\x42\x3e"
); %> <br> <hr size="2" width="80%"> <br> <% }else
{z867294fea2.MoveLast();while(!z867294fea2.bof
){ %> <table border="0" cellpadding="2" cellspacing="0"> <tr><td align="right"><b>Name:</b></td><td><%= z34d15a68ff(z867294fea2("\x6e\x61\x6d\x65")) %></td></tr> <tr><td align="right"><b>Email:</b></td><td><a href="mailto:<%= z867294fea2("\x65\x6d\x61\x69\x6c") %>"><%= z867294fea2("\x65\x6d\x61\x69\x6c") %></a></td></tr> <tr><td valign="top" align="right"><b>Comments:</b></td><td width="500"><%= z34d15a68ff(z867294fea2("\x63\x6f\x6d\x6d\x65\x6e\x74\x73")) %></td></tr> <tr><td></td><td><font size="2"><%= z34d15a68ff(z867294fea2("\x64\x61\x74\x65")) %></font></td></tr> </table> <br> <hr size="2" width="80%"> <br> <% 
z867294fea2.MovePrevious();};}; %> <p><a href="http://<%= z843165b685 %>">Back to homepage</a></P> </BODY> </HTML> 

Commandline used was:
js-obfus -E html,pack-html=1 dbit-so-simple-nonpacked.asp -x dbit-exceptions -o dbit-o-simple-packed.asp

Protecting scripts in ASP file using 'combs' obfuscation engine for symbols

Here is a result of processing server-side and client-side scripts in ASP page using 'combs' obfuscation engine for symbols, that produces visually difficult to distinguish identifiers like IlIIlllI:


<%@ Language=JScript %> <html> <head> <% 
var OLfUZRNKWX=Request.ServerVariables(
"\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"); %> <title>Trivial guestbook at <%= OLfUZRNKWX %></TITLE> </HEAD> <!-- plain html comment. It will be automatically removed. --> <script language=vbscript><!--

'example of script on different scripting language
function validateEmail(email)
    if InStr(email,"@")=0 then
	validateEmail = false 
    else
	validateEmail = true
    end if
end function

--></script> <script language=javascript><!--
function TLgzmPh8pZ()
{var WeiTYv_OI5=document.forms.MainForm
if(!validateEmail(WeiTYv_OI5.email.value))
{alert(
"\x45\x6d\x61\x69\x6c\x20\x61\x64\x64\x72\x65\x73\x73\x20\x79\x6f\x75\x27\x76\x65\x20\x65\x6e\x74\x65\x72\x65\x64\x20\x69\x73\x20\x6e\x6f\x74\x20\x76\x61\x6c\x69\x64"
);return;};if(!WeiTYv_OI5.email.value.length)
{alert("Posting anonymous comments on <%= OLfUZRNKWX %> is prohibitted!");};
if(confirm("Owners of <%= OLfUZRNKWX %> require not to "+
"\x70\x6f\x73\x74\x20\x6f\x66\x66\x65\x6e\x73\x69\x76\x65\x20\x63\x6f\x6d\x6d\x65\x6e\x74\x73\x2e\x20\x44\x6f\x65\x73\x20\x79\x6f\x75\x20\x70\x6f\x73\x74\x20\x61\x67\x72\x65\x65\x20\x77\x69\x74\x68\x20\x74\x68\x65\x69\x72\x20"
+"\x72\x65\x71\x75\x69\x72\x65\x6d\x65\x6e\x74\x73\x3f"))
{WeiTYv_OI5.submit()
};}
--></script> <form method="post" name="MainForm"> <table border="0" cellpadding="2" cellspacing="0"> <tr><td align="right">Name:</td><td><input type="text" size="50" name="name" value="" maxlength="60"></td></tr> <tr><td align="right">Email:</td><td><input type="text" size="50" name="email" value="" maxlength="100"></td></tr> <tr><td valign="top" align="right">Comments:</td><td><textarea name="comments" rows="4" cols="40" wrap="virtual"></textarea></td></tr> <tr><td> </td><td><input  type="button" value="Submit" onclick="TLgzmPh8pZ()
"><input type="reset" value="Clear"></td></tr> </table> </form> <script language=javascript runat=server>

function Bm62EOJLHc(BNkD0fdnQG,KblP8BMozN)
{var PAKX06b1W7=""+Request.Form("\x6e\x61\x6d\x65")
;var FPALVnZjIf=""+Request.Form("\x65\x6d\x61\x69\x6c");var Qq_X79S1d6=""+
Request.Form("\x63\x6f\x6d\x6d\x65\x6e\x74\x73")
;var DHAMDmdKsn=new Date();var aI8VPpY6a9=DHAMDmdKsn.getYear()+"\x2e"+(
(0x16c1+1475-0x1c83)+DHAMDmdKsn.getMonth())+"\x2e"+DHAMDmdKsn.getDate()+"\x20"+
DHAMDmdKsn.getHours()+"\x3a"+DHAMDmdKsn.getMinutes()+"\x3a"+DHAMDmdKsn.
getSeconds();if(PAKX06b1W7.length>(0x1f99+431-0x2147)&&FPALVnZjIf.length>
(0x4f5+8646-0x26ba)&&Qq_X79S1d6.length>(0x6af+1282-0xbb0))
{BNkD0fdnQG.AddNew();BNkD0fdnQG("\x6e\x61\x6d\x65")=PAKX06b1W7;BNkD0fdnQG(
"\x65\x6d\x61\x69\x6c")=FPALVnZjIf;BNkD0fdnQG("\x63\x6f\x6d\x6d\x65\x6e\x74\x73"
)=Qq_X79S1d6;BNkD0fdnQG("\x64\x61\x74\x65")=aI8VPpY6a9;BNkD0fdnQG("\x69\x64")=
KblP8BMozN
;BNkD0fdnQG.Update();}};function wUKMjGK7gQ(_UbZ6wxjha)
{return Server.HTMLEncode(_UbZ6wxjha)
}
</script> <% 

var e2yiSL9ov1=
"\x50\x72\x6f\x76\x69\x64\x65\x72\x3d\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x4a\x65\x74\x2e\x4f\x4c\x45\x44\x42\x2e\x34\x2e\x30\x3b\x20\x44\x61\x74\x61\x20\x53\x6f\x75\x72\x63\x65\x3d"
+Server.MapPath("\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b\x2e\x6d\x64\x62")
;var v5w5hjcTTf=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e")
;v5w5hjcTTf.open(e2yiSL9ov1
);var hLDSMalc3U=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x52\x65\x63\x6f\x72\x64\x53\x65\x74")
;hLDSMalc3U.open(
"\x73\x65\x6c\x65\x63\x74\x20\x2a\x20\x66\x72\x6f\x6d\x20\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b\x20\x20\x6f\x72\x64\x65\x72\x20\x62\x79\x20\x64\x61\x74\x65"
,v5w5hjcTTf,(0x242+5519-0x17cf),(0x10f3+1727-0x17b0)
);var KblP8BMozN
;if(hLDSMalc3U.BOF&&hLDSMalc3U.EOF)
{KblP8BMozN=(0x739+5679-0x1d67)
}else
{var pqRZN1flmY=Server.CreateObject(
"\x41\x44\x4f\x44\x42\x2e\x52\x65\x63\x6f\x72\x64\x53\x65\x74")
;pqRZN1flmY.open(
"\x73\x65\x6c\x65\x63\x74\x20\x6d\x61\x78\x28\x69\x64\x29\x20\x66\x72\x6f\x6d\x20\x67\x75\x65\x73\x74\x62\x6f\x6f\x6b"
,v5w5hjcTTf,(0x16e3+3915-0x262c),(0x58e+1682-0xc1e)
);KblP8BMozN=pqRZN1flmY((0x1556+2774-0x202c))+(0xa42+6252-0x22ad)
;}Bm62EOJLHc(hLDSMalc3U,KblP8BMozN);if(hLDSMalc3U.BOF&&hLDSMalc3U.EOF)
{Response.Write(
"\x3c\x42\x3e\x3c\x63\x65\x6e\x74\x65\x72\x3e\x53\x6f\x72\x72\x79\x2c\x20\x43\x75\x72\x72\x65\x6e\x74\x6c\x79\x20\x54\x68\x65\x72\x65\x20\x61\x72\x65\x20\x4e\x6f\x20\x52\x65\x63\x6f\x72\x64\x73\x20\x69\x6e\x20\x74\x68\x65\x20\x44\x61\x74\x61\x62\x61\x73\x65\x3c\x2f\x63\x65\x6e\x74\x65\x72\x3e\x3c\x2f\x42\x3e"
); %> <br> <hr size="2" width="80%"> <br> <% }else
{hLDSMalc3U.MoveLast();while(!hLDSMalc3U.bof
){ %> <table border="0" cellpadding="2" cellspacing="0"> <tr><td align="right"><b>Name:</b></td><td><%= wUKMjGK7gQ(hLDSMalc3U("\x6e\x61\x6d\x65")) %></td></tr> <tr><td align="right"><b>Email:</b></td><td><a href="mailto:<%= hLDSMalc3U("\x65\x6d\x61\x69\x6c") %>"><%= hLDSMalc3U("\x65\x6d\x61\x69\x6c") %></a></td></tr> <tr><td valign="top" align="right"><b>Comments:</b></td><td width="500"><%= wUKMjGK7gQ(hLDSMalc3U("\x63\x6f\x6d\x6d\x65\x6e\x74\x73")) %></td></tr> <tr><td></td><td><font size="2"><%= wUKMjGK7gQ(hLDSMalc3U("\x64\x61\x74\x65")) %></font></td></tr> </table> <br> <hr size="2" width="80%"> <br> <% 
hLDSMalc3U.MovePrevious();};}; %> <p><a href="http://<%= OLfUZRNKWX %>">Back to homepage</a></P> </BODY> </HTML> 

Commandline used for the first stage was:
js-obfus -i combs -E asp dbit.asp -o dbit-so-combs-packed.asp
Commandline used for the second stage was:
js-obfus -i combs -E html,pack-html=1 dbit-so-combs-packed.asp -x dbit-exceptions -o dbit-o-combs-packed.asp

Protecting scripts in ASP while applying source code compression

Here is a result of processing server-side and client-side scripts in ASP page using 'shortest' obfuscation engine for symbols, that produces shortest identifiers possible, thus allowing source code compression:


<%@ Language=JScript %> <html> <head> <% 
var W=Request.ServerVariables("SERVER_NAME"); %> <title>Trivial guestbook at <%= W %></TITLE> </HEAD> <!-- plain html comment. It will be automatically removed. --> <script language=vbscript><!--

'example of script on different scripting language
function validateEmail(email)
    if InStr(email,"@")=0 then
	validateEmail = false 
    else
	validateEmail = true
    end if
end function

--></script> <script language=javascript><!--
function i()
{var v=document.forms.MainForm
if(!validateEmail(v.email.value))
{alert("Email address you've entered is not valid");return;};if(!v.email.value.
length)
{alert("Posting anonymous comments on <%= W %> is prohibitted!");};
if(confirm("Owners of <%= W %> require not to "+
"post offensive comments. Does you post agree with their "+"requirements?"))
{v.submit()
};}
--></script> <form method="post" name="MainForm"> <table border="0" cellpadding="2" cellspacing="0"> <tr><td align="right">Name:</td><td><input type="text" size="50" name="name" value="" maxlength="60"></td></tr> <tr><td align="right">Email:</td><td><input type="text" size="50" name="email" value="" maxlength="100"></td></tr> <tr><td valign="top" align="right">Comments:</td><td><textarea name="comments" rows="4" cols="40" wrap="virtual"></textarea></td></tr> <tr><td> </td><td><input  type="button" value="Submit" onclick="i()
"><input type="reset" value="Clear"></td></tr> </table> </form> <script language=javascript runat=server>

function i(D,N)
{var u=""+Request.Form("name")
;var f=""+Request.Form("email");var e=""+Request.Form("comments")
;var U=new Date();var q=U.getYear()+'.'+(1+U.getMonth())+'.'+U.getDate()+' '+U.
getHours()+':'+U.getMinutes()+':'+U.getSeconds();if(u.length>1&&f.length>1&&e.
length>1)
{D.AddNew();D("name")=u;D("email")=f;D("comments")=e;D("date")=q;D("id")=N
;D.Update();}};function c(F)
{return Server.HTMLEncode(F)
}
</script> <% 

var o="Provider=Microsoft.Jet.OLEDB.4.0; Data Source="+Server.MapPath(
"guestbook.mdb")
;var a=Server.CreateObject("ADODB.Connection")
;a.open(o
);var T=Server.CreateObject("ADODB.RecordSet")
;T.open("select * from guestbook  order by date",a,2,2
);var N
;if(T.BOF&&T.EOF)
{N=1
}else
{var l=Server.CreateObject("ADODB.RecordSet")
;l.open("select max(id) from guestbook",a,2,2
);N=l(0)+1
;}i(T,N);if(T.BOF&&T.EOF)
{Response.Write(
"<B><center>Sorry, Currently There are No Records in the Database</center></B>"
); %> <br> <hr size="2" width="80%"> <br> <% }else
{T.MoveLast();while(!T.bof
){ %> <table border="0" cellpadding="2" cellspacing="0"> <tr><td align="right"><b>Name:</b></td><td><%= c(T("name")) %></td></tr> <tr><td align="right"><b>Email:</b></td><td><a href="mailto:<%= T("email") %>"><%= T("email") %></a></td></tr> <tr><td valign="top" align="right"><b>Comments:</b></td><td width="500"><%= c(T("comments")) %></td></tr> <tr><td></td><td><font size="2"><%= c(T("date")) %></font></td></tr> </table> <br> <hr size="2" width="80%"> <br> <% 
T.MovePrevious();};}; %> <p><a href="http://<%= W %>">Back to homepage</a></P> </BODY> </HTML> 

The following commands were invoked to produce it (on unix):
rm -f shortest-state shortest-counts
#protect server-side scripts first
js-obfus -s none -n none -i shortest,countupdate=1,countsfile=shortest-counts -E asp dbit.asp -o dbit-so-shortest-packed.asp
js-obfus -s none -n none -i shortest,countupdate=0,statefile=shortest-state,countsfile=shortest-counts -E asp dbit.asp -o dbit-so-shortest-packed.asp
rm -f shortest-state shortest-counts

#now protect client-side scripts
js-obfus -s none -n none -i shortest,countupdate=1,countsfile=shortest-counts -E html,pack-html=1 dbit-so-shortest-packed.asp -x ../dbit-exceptions -o dbit-o-shortest-packed.asp
js-obfus -s none -n none -i shortest,countupdate=0,statefile=shortest-state,countsfile=shortest-counts  -E html,pack-html=1 dbit-so-shortest-packed.asp -x dbit-exceptions -o dbit-o-shortest-packed.asp
rm -f shortest-state shortest-counts

As you can see, almost all identifiers were renamed to single-character identifiers and the resultant output is signtifically smaller. We had to add '-s none -n none' to commandlines to disable default obfuscation engines for string and numeric constants.

The following commands were invoked to produce it (on windows):

del shortest-state shortest-counts
rem protect server-side scripts first
js-obfus -s none -n none -i shortest,countupdate=1,countsfile=shortest-counts -E asp dbit.asp -o dbit-so-shortest-packed.asp
js-obfus -s none -n none -i shortest,countupdate=0,statefile=shortest-state,countsfile=shortest-counts -E asp dbit.asp -o dbit-so-shortest-packed.asp
del shortest-state shortest-counts

rem now protect client-side scripts
js-obfus -s none -n none -i shortest,countupdate=1,countsfile=shortest-counts -E html,pack-html=1 dbit-so-shortest-packed.asp -x ../dbit-exceptions -o dbit-o-shortest-packed.asp
js-obfus -s none -n none -i shortest,countupdate=0,statefile=shortest-state,countsfile=shortest-counts  -E html,pack-html=1 dbit-so-shortest-packed.asp -x dbit-exceptions -o dbit-o-shortest-packed.asp
del shortest-state shortest-counts

Protecting only client-side scripts in ASP files

In previous samples with our guestbook we've shown protecting both server-side and client-side scripts in ASP page, by protecting server-side scripts during the first stage and protecting client-side scripts during the second one. The need to protect only client-side scripts in ASP pages is very common, and it's satisfied very easily too.

Here is a version of guestbook with only client-side scripts protected, by running Please note that server-side scripts embedded inside string constants of client-side scripts are handled correctly. Extra white spaces in html were eliminated (due to presence of pack-html=1 option for html extractor in the commandline):


<%@ Language=JScript %> <html> <head> <%
    var srvnm =  Request.ServerVariables("SERVER_NAME");
%> <title>Trivial guestbook at <%= srvnm %></TITLE> </HEAD> <!-- plain html comment. It will be automatically removed. --> <script language=vbscript><!--

'example of script on different scripting language
function validateEmail(email)
    if InStr(email,"@")=0 then
	validateEmail = false 
    else
	validateEmail = true
    end if
end function

--></script> <script language=javascript><!--
function z7acc451790()
{var z320685341b=document.forms.MainForm
if(!validateEmail(z320685341b.email.value))
{alert(
"\x45\x6d\x61\x69\x6c\x20\x61\x64\x64\x72\x65\x73\x73\x20\x79\x6f\x75\x27\x76\x65\x20\x65\x6e\x74\x65\x72\x65\x64\x20\x69\x73\x20\x6e\x6f\x74\x20\x76\x61\x6c\x69\x64"
);return;};if(!z320685341b.email.value.length)
{alert("Posting anonymous comments on <%= srvnm %> is prohibitted!");};
if(confirm("Owners of <%= srvnm %> require not to "+
"\x70\x6f\x73\x74\x20\x6f\x66\x66\x65\x6e\x73\x69\x76\x65\x20\x63\x6f\x6d\x6d\x65\x6e\x74\x73\x2e\x20\x44\x6f\x65\x73\x20\x79\x6f\x75\x20\x70\x6f\x73\x74\x20\x61\x67\x72\x65\x65\x20\x77\x69\x74\x68\x20\x74\x68\x65\x69\x72\x20"
+"\x72\x65\x71\x75\x69\x72\x65\x6d\x65\x6e\x74\x73\x3f"))
{z320685341b.submit()
};}
--></script> <form method="post" name="MainForm"> <table border="0" cellpadding="2" cellspacing="0"> <tr><td align="right">Name:</td><td><input type="text" size="50" name="name" value="" maxlength="60"></td></tr> <tr><td align="right">Email:</td><td><input type="text" size="50" name="email" value="" maxlength="100"></td></tr> <tr><td valign="top" align="right">Comments:</td><td><textarea name="comments" rows="4" cols="40" wrap="virtual"></textarea></td></tr> <tr><td> </td><td><input  type="button" value="Submit" onclick="z7acc451790()
"><input type="reset" value="Clear"></td></tr> </table> </form> <script language=javascript runat=server>
//this function adds comment to the table
function addcomment(objrs,m)
{
    var nm 	= "" + Request.Form("name")
;
    var email 	= "" + Request.Form("email");
    var cmnt 	= "" + Request.Form("comments")
;

    var D =  new Date();
    var d = D.getYear() + '.' + (1+D.getMonth()) + '.' + D.getDate() + ' ' +
	    D.getHours() + ':' + D.getMinutes() + ':' + D.getSeconds();

    if (nm.length > 1 && email.length > 1 && cmnt.length > 1)
    {
	objrs.AddNew();
        objrs("name") = nm;
	objrs("email") = email;
	objrs("comments") = cmnt;
	objrs("date") = d;
	objrs("id") = m
;
	objrs.Update();
    }
};

function q(s)
{
    return Server.HTMLEncode(s)
}
</script> <%

var strConnect = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" + 
             Server.MapPath("guestbook.mdb")
;
var objConn = Server.CreateObject("ADODB.Connection")
;
objConn.open(strConnect
);
var objRS = Server.CreateObject("ADODB.RecordSet")
;
objRS.open("select * from guestbook  order by date",objConn,2,2
);

var m
;
if (objRS.BOF && objRS.EOF)
{
    m = 1
} else
 {
    var maxid = Server.CreateObject("ADODB.RecordSet")
;
    maxid.open("select max(id) from guestbook",objConn,2,2
);
    m = maxid(0) + 1
;
}

addcomment(objRS, m);

if (objRS.BOF && objRS.EOF)
{
    Response.Write("<B><center>Sorry, Currently There are No Records in the Database</center></B>"
);
%> <br> <hr size="2" width="80%"> <br> <%
} else
 {
    objRS.MoveLast();
    while (!objRS.bof
) {
%> <table border="0" cellpadding="2" cellspacing="0"> <tr><td align="right"><b>Name:</b></td><td><%= q(objRS("name")) %></td></tr> <tr><td align="right"><b>Email:</b></td><td><a href="mailto:<%= objRS("email")%>"><%= objRS("email")%></a></td></tr> <tr><td valign="top" align="right"><b>Comments:</b></td><td width="500"><%= q(objRS("comments")) %></td></tr> <tr><td></td><td><font size="2"><%= q(objRS("date"))%></font></td></tr> </table> <br> <hr size="2" width="80%"> <br> <%
	objRS.MovePrevious();
    };
};
%> <p><a href="http://<%= srvnm %>">Back to homepage</a></P> </BODY> </HTML> 

Commandline used was:
js-obfus -E html,pack-html=1 dbit.asp -x dbit-exceptions -o dbit-simple-cliside-packed.asp

See more JavaScript obfuscation samples and JavaScript obfuscation presets available in JavaScript Obfuscator.