JavaScript obfuscator

JavaScript Obfuscator is a powerful free obfuscator for JavaScript, containing a variety of features which provide protection for your source code.

Key features: - variables renaming - strings extraction and encryption - dead code injection - control flow flattening - various code transformations - and more...

The example of obfuscated code: github.com

Online version:

obfuscator.io

Plugins:

• Webpack plugin: webpack-obfuscator
• Webpack loader: obfuscator-loader
• Gulp: gulp-javascript-obfuscator
• Grunt: grunt-contrib-obfuscator
• Rollup: rollup-plugin-javascript-obfuscator
• Weex: weex-devtool
• Malta: malta-js-obfuscator
• Netlify plugin: netlify-plugin-js-obfuscator

You can support this project by donating:

• (OpenCollective) https://opencollective.com/javascript-obfuscator
• PayPal credit card https://www.paypal.com/donate
• PayPal https://www.paypal.me/javascriptobfuscator
• (Bitcoin) bc1q203p8nyrstwm7vwzjg3h9l9t6y9ka0umw0rx96

Huge thanks to all supporters!

NOTE! the README on the master branch might not match that of the latest stable release!

If you have a question, check this section first: FAQ

:warning: Important

Only obfuscate the code that belongs to you.

It is not recommended to obfuscate vendor scripts and polyfills, since the obfuscated code is 15-80% slower (depends on options) and the files are significantly larger.

Installation

Using Yarn or NPM

Install the package with Yarn or NPM and add it to your

dependencies

devDependencies

$ yarn add --dev javascript-obfuscator

or

sh
$ npm install --save-dev javascript-obfuscator

In a Browser

From CDN:

From

node_modules

Usage

var JavaScriptObfuscator = require('javascript-obfuscator');

var obfuscationResult = JavaScriptObfuscator.obfuscate(
            (function(){             var variable1 = '5' - 3;             var variable2 = '5' + 3;             var variable3 = '5' + - '2';             var variable4 = ['10','10','10','10','10'].map(parseInt);             var variable5 = 'foo ' + 1 + 1;             console.log(variable1);             console.log(variable2);             console.log(variable3);             console.log(variable4);             console.log(variable5);         })();    ,
    {
        compact: false,
        controlFlowFlattening: true,
        controlFlowFlatteningThreshold: 1,
        numbersToExpressions: true,
        simplify: true,
        stringArrayShuffle: true,
        splitStrings: true,
        stringArrayThreshold: 1
    }
);
console.log(obfuscationResult.getObfuscatedCode());
/*
var _0x9947 = [
    'map',
    'log',
    'foo\x20',
    'bvmqO',
    '133039ViRMWR',
    'xPfLC',
    'ytpdx',
    '1243717qSZCyh',
    '2|7|4|6|9|',
    '1ErtbCr',
    '1608314VKvthn',
    '1ZRaFKN',
    'XBoAA',
    '423266kQOYHV',
    '3|0|5|8|1',
    '235064xPNdKe',
    '13RUDZfG',
    '157gNPQGm',
    '1639212MvnHZL',
    'rDjOa',
    'iBHph',
    '9926iRHoRl',
    'split'
];
function _0x33e4(_0x1809b5, _0x37ef6e) {
    return _0x33e4 = function (_0x338a69, _0x39ad79) {
        _0x338a69 = _0x338a69 - (0x1939 + -0xf * 0x1f3 + 0x1 * 0x469);
        var _0x2b223a = _0x9947[_0x338a69];
        return _0x2b223a;
    }, _0x33e4(_0x1809b5, _0x37ef6e);
}
(function (_0x431d87, _0x156c7f) {
    var _0x10cf6e = _0x33e4;
    while (!![]) {
        try {
            var _0x330ad1 = -parseInt(_0x10cf6e(0x6c)) * -parseInt(_0x10cf6e(0x6d)) + -parseInt(_0x10cf6e(0x74)) * -parseInt(_0x10cf6e(0x78)) + parseInt(_0x10cf6e(0x6a)) + -parseInt(_0x10cf6e(0x70)) + parseInt(_0x10cf6e(0x6e)) * -parseInt(_0x10cf6e(0x75)) + parseInt(_0x10cf6e(0x72)) + -parseInt(_0x10cf6e(0x67)) * parseInt(_0x10cf6e(0x73));
            if (_0x330ad1 === _0x156c7f)
                break;
            else
                _0x431d87'push';
        } catch (_0x9f878) {
            _0x431d87'push';
        }
    }
}(_0x9947, -0xb6270 + 0x4dfd2 * 0x2 + 0x75460 * 0x2), function () {
    var _0x1f346d = _0x33e4, _0x860db8 = {
            'ytpdx': _0x1f346d(0x6b) + _0x1f346d(0x71),
            'bvmqO': function (_0x560787, _0x519b9e) {
                return _0x560787 - _0x519b9e;
            },
            'rDjOa': function (_0x4501fe, _0x2b07a3) {
                return _0x4501fe + _0x2b07a3;
            },
            'xPfLC': function (_0x5f3c9b, _0x434936) {
                return _0x5f3c9b + _0x434936;
            },
            'XBoAA': function (_0x535b8a, _0x42eef4) {
                return _0x535b8a + _0x42eef4;
            },
            'iBHph': _0x1f346d(0x65)
        }, _0x346c55 = _0x860db8[_0x1f346d(0x69)]_0x1f346d(0x79), _0x3bf817 = 0x4bb * 0x1 + 0x801 + -0xcbc;
    while (!![]) {
        switch (_0x346c55[_0x3bf817++]) {
        case '0':
            console_0x1f346d(0x7b);
            continue;
        case '1':
            console_0x1f346d(0x7b);
            continue;
        case '2':
            var _0x65977d = _0x860db8[_0x1f346d(0x66)]('5', -0x586 + -0x2195 + -0x6 * -0x685);
            continue;
        case '3':
            console_0x1f346d(0x7b);
            continue;
        case '4':
            var _0x56d39b = _0x860db8[_0x1f346d(0x76)]('5', -'2');
            continue;
        case '5':
            console_0x1f346d(0x7b);
            continue;
        case '6':
            var _0x544285 = [
                '10',
                '10',
                '10',
                '10',
                '10'
            ]_0x1f346d(0x7a);
            continue;
        case '7':
            var _0x4c96d8 = _0x860db8[_0x1f346d(0x68)]('5', 0x622 * -0x6 + 0x4a * 0x3 + 0x1 * 0x23f1);
            continue;
        case '8':
            console_0x1f346d(0x7b);
            continue;
        case '9':
            var _0x101028 = _0x860db8_0x1f346d(0x6f)], 0x6fb * 0x5 + 0x1ebf * 0x1 + -0x41a5), 0x209 * 0xa + 0x1314 + -0x276d);
            continue;
        }
        break;
    }
}());
*/

obfuscate(sourceCode, options)

Returns

ObfuscationResult

• getObfuscatedCode()

  - returns

  string

  with obfuscated code;

• getSourceMap()

  - if

  sourceMap

  option is enabled - returns

  string

  with source map or an empty string if

  sourceMapMode

  option is set as

  inline

  ;

• getIdentifierNamesCache()

  - returns object with identifier names cache if

  identifierNamesCache

  option is enabled,

  null

  overwise.

Calling

toString()

ObfuscationResult

string

Method takes two parameters,

sourceCode

options

• sourceCode

  (

  string

  , default:

  null

  ) – any valid source code, passed as a string;

• options

  (

  Object

  , default:

  null

  ) – an object with options.

For available options, see options.

obfuscateMultiple(sourceCodesObject, options)

Accepts

sourceCodesObject

{
    foo: 'var foo = 1;',
    bar: 'var bar = 2;'
}

Returns a map object which keys are identifiers of source codes and values are

ObfuscationResult

getOptionsByPreset(optionsPreset)

Returns an options object for the passed options preset name.

CLI usage

See CLI options.

Obfuscate single file

Usage:

sh
javascript-obfuscator input_file_name.js [options]
javascript-obfuscator input_file_name.js --output output_file_name.js [options]
javascript-obfuscator input_file_name.js --output output_folder_name [options]
javascript-obfuscator input_folder_name --output output_folder_name [options]

Obfuscation of single input file with

.js

If the destination path is not specified with the

--output

INPUT_FILE_NAME-obfuscated.js

Some examples: ```sh javascript-obfuscator samples/sample.js --compact true --self-defending false // creates a new file samples/sample-obfuscated.js

javascript-obfuscator samples/sample.js --output output/output.js --compact true --self-defending false // creates a new file output/output.js ```

Obfuscate directory recursively

Usage: ``

sh
javascript-obfuscator ./dist [options]
// creates a new obfuscated files under

directory near the input files with

javascript-obfuscator ./dist --output ./dist/obfuscated [options] // creates a folder structure with obfuscated files under

./dist/obfuscated

Obfuscation of all

.js

-obfuscated

Obfuscated files will saved into the input directory under

INPUT_FILE_NAME-obfuscated.js

Conditional comments

You can disable and enable obfuscation for specific parts of the code by adding following comments: * disable:

// javascript-obfuscator:disable

/* javascript-obfuscator:disable */

// javascript-obfuscator:enable

/* javascript-obfuscator:enable */

Example: ```javascript // input var foo = 1; // javascript-obfuscator:disable var bar = 2;

// output var _0xabc123 = 0x1; var bar = 2; ``` Conditional comments affect only direct transformations of AST-tree nodes. All child transformations still will be applied to the AST-tree nodes.

For example: * Obfuscation of the variable's name at its declaration is called direct transformation; * Obfuscation of the variable's name beyond its declaration is called child transformation.

Kind of variables

Kind of variables of inserted nodes will auto-detected, based on most prevailing kind of variables of source code.

Conflicts of identifier names between different files

During obfuscation of the different files, the same names can be generated for the global identifiers between these files. To prevent this set the unique prefix for all global identifiers for each obfuscated file with

identifiersPrefix

When using CLI this prefix will be added automatically.

JavaScript Obfuscator Options

Following options are available for the JS Obfuscator:

options:

{
    compact: true,
    controlFlowFlattening: false,
    controlFlowFlatteningThreshold: 0.75,
    deadCodeInjection: false,
    deadCodeInjectionThreshold: 0.4,
    debugProtection: false,
    debugProtectionInterval: false,
    disableConsoleOutput: false,
    domainLock: [],
    domainLockRedirectUrl: 'about:blank',
    forceTransformStrings: [],
    identifierNamesCache: null,
    identifierNamesGenerator: 'hexadecimal',
    identifiersDictionary: [],
    identifiersPrefix: '',
    ignoreRequireImports: false,
    inputFileName: '',
    log: false,
    numbersToExpressions: false,
    optionsPreset: 'default',
    renameGlobals: false,
    renameProperties: false,
    renamePropertiesMode: 'safe',
    reservedNames: [],
    reservedStrings: [],
    seed: 0,
    selfDefending: false,
    simplify: true,
    sourceMap: false,
    sourceMapBaseUrl: '',
    sourceMapFileName: '',
    sourceMapMode: 'separate',
    sourceMapSourcesMode: 'sources-content',
    splitStrings: false,
    splitStringsChunkLength: 10,
    stringArray: true,
    stringArrayIndexesType: [
        'hexadecimal-number'
    ],
    stringArrayEncoding: [],
    stringArrayIndexShift: true,
    stringArrayRotate: true,
    stringArrayShuffle: true,
    stringArrayWrappersCount: 1,
    stringArrayWrappersChainedCalls: true,
    stringArrayWrappersParametersMaxCount: 2,
    stringArrayWrappersType: 'variable',
    stringArrayThreshold: 0.75,
    target: 'browser',
    transformObjectKeys: false,
    unicodeEscapeSequence: false
}

CLI options:

    -v, --version
    -h, --help

-o, --output

--compact <boolean>
--config <string>
--control-flow-flattening <boolean>
--control-flow-flattening-threshold <number>
--dead-code-injection <boolean>
--dead-code-injection-threshold <number>
--debug-protection <boolean>
--debug-protection-interval <boolean>
--disable-console-output <boolean>
--domain-lock '<list>' (comma separated)
--domain-lock-redirect-url <string>
--exclude '<list>' (comma separated)
--force-transform-strings '<list>' (comma separated)
--identifier-names-cache-path <string>
--identifier-names-generator <string> [dictionary, hexadecimal, mangled, mangled-shuffled]
--identifiers-dictionary '<list>' (comma separated)
--identifiers-prefix <string>
--ignore-imports <boolean>
--log <boolean>
--numbers-to-expressions <boolean>
--options-preset <string> [default, low-obfuscation, medium-obfuscation, high-obfuscation]
--rename-globals <boolean>
--rename-properties <boolean>
--rename-properties-mode <string> [safe, unsafe]
--reserved-names '<list>' (comma separated)
--reserved-strings '<list>' (comma separated)
--seed <string>
--self-defending <boolean>
--simplify <boolean>
--source-map <boolean>
--source-map-base-url <string>
--source-map-file-name <string>
--source-map-mode <string> [inline, separate]
--source-map-sources-mode <string> [sources, sources-content]
--split-strings <boolean>
--split-strings-chunk-length <number>
--string-array <boolean>
--string-array-indexes-type '<list>' (comma separated) [hexadecimal-number, hexadecimal-numeric-string]
--string-array-encoding '<list>' (comma separated) [none, base64, rc4]
--string-array-index-shift <boolean>
--string-array-rotate <boolean>
--string-array-shuffle <boolean>
--string-array-wrappers-count <number>
--string-array-wrappers-chained-calls <boolean>
--string-array-wrappers-parameters-max-count <number>
--string-array-wrappers-type <string> [variable, function]
--string-array-threshold <number>
--target <string> [browser, browser-no-eval, node]
--transform-object-keys <boolean>
--unicode-escape-sequence <boolean>

compact

Type:

boolean

true

Compact code output on one line.

config

Type:

string

Name of JS/JSON config file which contains obfuscator options. These will be overridden by options passed directly to CLI

controlFlowFlattening

Type:

boolean

false

:warning: This option greatly affects the performance up to 1.5x slower runtime speed. Use

controlFlowFlatteningThreshold

to set percentage of nodes that will affected by control flow flattening.

Enables code control flow flattening. Control flow flattening is a structure transformation of the source code that hinders program comprehension.

Example: ```ts // input (function(){ function foo () { return function () { var sum = 1 + 2; console.log(1); console.log(2); console.log(3); console.log(4); console.log(5); console.log(6); } }

foo()();

})();

// output (function () { function 0x3bfc5c() { return function () { var _0x3260a5 = { 'WtABe': '4|0|6|5|3|2|1', 'GokKo': function _0xf87260(0x427a8e, 0x43354c) { return _0x427a8e + _0x43354c; } }; var _0x1ad4d6 = _0x3260a5['WtABe']'split', _0x1a7b12 = 0x0; while (!![]) { switch (0x1ad4d6[_0x1a7b12++]) { case '0': console'log'; continue; case '1': console'log'; continue; case '2': console'log'; continue; case '3': console'log'; continue; case '4': var _0x1f2f2f = _0x3260a5'GokKo'; continue; case '5': console'log'; continue; case '6': console'log'; continue; } break; } }; }

_0x3bfc5c()();

}()); ```

controlFlowFlatteningThreshold

Type:

number

0.75

0

1

The probability that the

controlFlowFlattening

This setting is especially useful for large code size because large amounts of control flow transformations can slow down your code and increase code size.

controlFlowFlatteningThreshold: 0

controlFlowFlattening: false

deadCodeInjection

Type:

boolean

false

:warning: Dramatically increases size of obfuscated code (up to 200%), use only if size of obfuscated code doesn't matter. Use

deadCodeInjectionThreshold

to set percentage of nodes that will affected by dead code injection.

:warning: This option forcibly enables

stringArray

option.

With this option, random blocks of dead code will be added to the obfuscated code.

Example: ```ts // input (function(){ if (true) { var foo = function () { console.log('abc'); }; var bar = function () { console.log('def'); }; var baz = function () { console.log('ghi'); }; var bark = function () { console.log('jkl'); }; var hawk = function () { console.log('mno'); };

    foo();
    bar();
    baz();
    bark();
    hawk();
}

})();

// output var 0x37b8 = [ 'YBCtz', 'GlrkA', 'urPbb', 'abc', 'NMIhC', 'yZgAj', 'zrAId', 'EtyJA', 'log', 'mno', 'jkl', 'def', 'Quzya', 'IWbBa', 'ghi' ]; function _0x43a7(0x12cf56, 0x587376) { _0x43a7 = function (0x2f87a8, 0x47eac2) { _0x2f87a8 = _0x2f87a8 - (0x16a7 * 0x1 + 0x5 * 0x151 + -0x1c92); var _0x341e03 = _0x37b8[0x2f87a8]; return 0x341e03; }; return _0x43a7(0x12cf56, 0x587376); } (function () { if (!![]) { var _0xbbe28f = function () { var _0x2fc85f = _0x43a7; if (0x2fc85f(0xaf) === 0x2fc85f(0xae)) { _0x1dd94f_0x2fc85f(0xb2); } else { console_0x2fc85f(0xb2); } }; var _0x5e46bc = function () { var _0x15b472 = _0x43a7; if (0x15b472(0xb6) !== 0x15b472(0xaa)) { console_0x15b472(0xb2); } else { _0x47eac2_0x15b472(0xb2); } }; var _0x3669e8 = function () { var _0x47a442 = _0x43a7; if (0x47a442(0xb7) !== 0x47a442(0xb0)) { console_0x47a442(0xb2); } else { _0x24e0bf_0x47a442(0xb2); } }; var _0x28b05a = function () { var _0x497902 = _0x43a7; if (0x497902(0xb1) === 0x497902(0xb1)) { console_0x497902(0xb2); } else { _0x59c9c6_0x497902(0xb2); } }; var _0x402a54 = function () { var _0x1906b7 = _0x43a7; if (0x1906b7(0xab) === _0x1906b7(0xac)) { _0xb89cd0_0x1906b7(0xb2); } else { console_0x1906b7(0xb2); } }; _0xbbe28f(); _0x5e46bc(); _0x3669e8(); _0x28b05a(); _0x402a54(); } }()); ```

deadCodeInjectionThreshold

Type:

number

0.4

0

1

Allows to set percentage of nodes that will affected by

deadCodeInjection

debugProtection

Type:

boolean

false

:warning: Can freeze your browser if you open the Developer Tools.

This option makes it almost impossible to use the

debugger

debugProtectionInterval

Type:

boolean

false

:warning: Can freeze your browser! Use at own risk.

If checked, an interval is used to force the debug mode on the Console tab, making it harder to use other features of the Developer Tools. Works if

debugProtection

disableConsoleOutput

Type:

boolean

false

:warning: This option disables

console

calls globally for all scripts

Disables the use of

console.log

console.info

console.error

console.warn

console.debug

console.exception

console.trace

domainLock

Type:

string[]

[]

:warning: This option does not work with

target: 'node'

Allows to run the obfuscated source code only on specific domains and/or sub-domains. This makes really hard for someone to just copy and paste your source code and run it elsewhere.

If the source code isn't run on the domains specified by this option, the browser will be redirected to a passed to the

domainLockRedirectUrl

Multiple domains and sub-domains

It's possible to lock your code to more than one domain or sub-domain. For instance, to lock it so the code only runs on www.example.com add

www.example.com

example.com

sub.example.com

.example.com

domainLockRedirectUrl

Type:

string

about:blank

:warning: This option does not work with

target: 'node'

Allows the browser to be redirected to a passed URL if the source code isn't run on the domains specified by

domainLock

exclude

Type:

string[]

[]

A file names or globs which indicates files to exclude from obfuscation.

forceTransformStrings

Type:

string[]

[]

Enables force transformation of string literals, which being matched by passed RegExp patterns.

:warning: This option affects only strings that shouldn't be transformed by

stringArrayThreshold

(or possible other thresholds in the future)

The option has a priority over

reservedStrings

conditional comments

Example:

ts
    {
        forceTransformStrings: [
            'some-important-value',
            'some-string_\d'
        ]
    }

identifierNamesCache

Type:

Object | null

null

The main goal for this option is the ability to use the same identifier names during obfuscation of multiple sources/files.

Currently the two types of the identifiers are supported: - Global identifiers: * All global identifiers will be written to the cache; * All matched undeclared global identifiers will be replaced by the values from the cache. - Property identifiers, only when

renameProperties

Node.js API

If a

null

If an empty object (

{}

TIdentifierNamesCache

getIdentifierNamesCache

ObfuscationResult

The resulting cache-object can be next used as

identifierNamesGenerator

Example: ``

ts
const source1ObfuscationResult = JavaScriptObfuscator.obfuscate(

    function bar() {
        var bark = 2;
    }
`,
{
    compact: false,
    identifierNamesCache: {},
    renameGlobals: true
}

)

console.log(source1ObfuscationResult.getIdentifierNamesCache()); /* { globalIdentifiers: { foo: '0x5de86d', bar: '0x2a943b' } } */

const source2ObfuscationResult = JavaScriptObfuscator.obfuscate( ` // Expecting that these global functions are defined in another obfuscated file foo(1); bar();

    // Expecting that this global function is defined in third-party package
    baz();
`,
{
    compact: false,
    identifierNamesCache: source1ObfuscationResult.getIdentifierNamesCache(),
    renameGlobals: true
}

)

console.log(source2ObfuscationResult.getObfuscatedCode()); /* _0x5de86d(0x1); _0x2a943b(); baz(); */ ```

CLI

CLI has a different option

--identifier-names-cache-path

.json

If a path to the empty file will be passed - identifier names cache will be written to that file.

This file with existing cache can be used again as

--identifier-names-cache-path

identifierNamesGenerator

Type:

string

hexadecimal

Sets identifier names generator.

Available values: *

dictionary

identifiersDictionary

hexadecimal

_0xabc123

mangled

a

b

c

mangled-shuffled

mangled

identifiersDictionary

Type:

string[]

[]

Sets identifiers dictionary for

identifierNamesGenerator

dictionary

identifiersPrefix

Type:

string

''

Sets prefix for all global identifiers.

Use this option when you want to obfuscate multiple files. This option helps to avoid conflicts between global identifiers of these files. Prefix should be different for every file.

ignoreRequireImports

Type:

boolean

false

Prevents obfuscation of

require

inputFileName

Type:

string

''

Allows to set name of the input file with source code. This name will be used internally for source map generation. Required when using NodeJS API and

sourceMapSourcesMode

sources

log

Type:

boolean

false

Enables logging of the information to the console.

numbersToExpressions

Type:

boolean

false

Enables numbers conversion to expressions

Example: ```ts // input const foo = 1234;

// output const foo=-0xd93+-0x10b4+0x410x67+0x84e0x3+-0xff8; ```

optionsPreset

Type:

string

default

Allows to set options preset.

Available values: *

default

low-obfuscation

medium-obfuscation

high-obfuscation

All addition options will be merged with selected options preset.

renameGlobals

Type:

boolean

false

:warning: this option can break your code. Enable it only if you know what it does!

Enables obfuscation of global variable and function names with declaration.

renameProperties

Type:

boolean

false

:warning: this option MAY break your code. Enable it only if you know what it does!

Enables renaming of property names. All built-in DOM properties and properties in core JavaScript classes will be ignored.

To switch between

safe

unsafe

renamePropertiesMode

To set format of renamed property names use

identifierNamesGenerator

To control which properties will be renamed use

reservedNames

Example: ```ts // input (function () { const foo = { prop1: 1, prop2: 2, calc: function () { return this.prop1 + this.prop2; } };

console.log(foo.calc());

})();

// output (function () { const 0x46529b = { '0x10cec7': 0x1, '0xc1c0ca': 0x2, '0x4b961d': function () { return this['0x10cec7'] + this['0xc1c0ca']; } }; console'log'; }()); ```

renamePropertiesMode

Type:

string

safe

:warning: Even in

safe

mode,

renameProperties

option MAY break your code.

Specifies

renameProperties

safe

2.11.0

unsafe

2.11.0

If one file is using properties from other file, use

identifierNamesCache

reservedNames

Type:

string[]

[]

Disables obfuscation and generation of identifiers, which being matched by passed RegExp patterns.

Example:

ts
    {
        reservedNames: [
            '^someVariable',
            'functionParameter_\d'
        ]
    }

reservedStrings

Type:

string[]

[]

Disables transformation of string literals, which being matched by passed RegExp patterns.

Example:

ts
    {
        reservedStrings: [
            'react-native',
            '\.\/src\/test',
            'some-string_\d'
        ]
    }

seed

Type:

string|number

0

This option sets seed for random generator. This is useful for creating repeatable results.

If seed is

0

selfDefending

Type:

boolean

false

:warning: Don't change obfuscated code in any way after obfuscation with this option, because any change like uglifying of code can trigger self defending and code wont work anymore!

:warning: This option forcibly sets

compact

value to

true

This option makes the output code resilient against formatting and variable renaming. If one tries to use a JavaScript beautifier on the obfuscated code, the code won't work anymore, making it harder to understand and modify it.

simplify

Type:

boolean

true

Enables additional code obfuscation through simplification.

:warning: in future releases obfuscation of

boolean

literals (

true

=>

!![]

) will be moved under this option.

Example: ```ts // input if (condition1) { const foo = 1; const bar = 2;

console.log(foo);

return bar;

} else if (condition2) { console.log(1); console.log(2); console.log(3);

return 4;

} else { return 5; }

// output if (condition1) { const foo = 0x1, bar = 0x2; return console'log', bar; } else return condition2 ? (console'log', console'log', console'log', 0x4) : 0x5; ```

sourceMap

Type:

boolean

false

Enables source map generation for obfuscated code.

Source maps can be useful to help you debug your obfuscated JavaScript source code. If you want or need to debug in production, you can upload the separate source map file to a secret location and then point your browser there.

sourceMapBaseUrl

Type:

string

Sets base url to the source map import url when

sourceMapMode: 'separate'

CLI example:

javascript-obfuscator input.js --output out.js --source-map true --source-map-base-url 'http://localhost:9000'

Result:

//# sourceMappingURL=http://localhost:9000/out.js.map

sourceMapFileName

Type:

string

Sets file name for output source map when

sourceMapMode: 'separate'

CLI example:

javascript-obfuscator input.js --output out.js --source-map true --source-map-base-url 'http://localhost:9000' --source-map-file-name example

Result:

//# sourceMappingURL=http://localhost:9000/example.js.map

sourceMapMode

Type:

string

separate

Specifies source map generation mode: *

inline

separate

//# sourceMappingUrl=file.js.map

sourceMapSourcesMode

Type:

string

sources-content

Allows to control

sources

sourcesContent

sources-content

sources

sourcesContent

sources

sources

sourcesContent

inputFileName

sources

splitStrings

Type:

boolean

false

Splits literal strings into chunks with length of

splitStringsChunkLength

Example: ```ts // input (function(){ var test = 'abcdefg'; })();

// output (function(){ var _0x5a21 = 'ab' + 'cd' + 'ef' + 'g'; })(); ```

splitStringsChunkLength

Type:

number

10

Sets chunk length of

splitStrings

stringArray

Type:

boolean

true

Removes string literals and place them in a special array. For instance, the string

"Hello World"

var m = "Hello World";

var m = _0x12c456[0x1];

stringArrayEncoding

Type:

string[]

[]

:warning:

stringArray

option must be enabled

This option can slow down your script.

Encode all string literals of the

stringArray

base64

rc4

Each

stringArray

Available values: *

'none'

boolean

stringArray

'base64'

string

stringArray

base64

'rc4'

string

stringArray

rc4

base64

unicodeEscapeSequence

rc4

For example with the following option values some

stringArray

base64

rc4

stringArrayEncoding: [
    'none',
    'base64',
    'rc4'
]

stringArrayIndexesType

Type:

string[]

['hexadecimal-number']

:warning:

stringArray

option must be enabled

Allows to control the type of string array call indexes.

Each

stringArray

Available values: *

'hexadecimal-number'

default

'hexadecimal-numeric-string'

Before

2.9.0

javascript-obfuscator

hexadecimal-numeric-string

The new

hexadecimal-number

More types will be added in the future.

stringArrayIndexShift

Type:

boolean

true

:warning:

stringArray

option must be enabled

Enables additional index shift for all string array calls

stringArrayRotate

Type:

boolean

true

:warning:

stringArray

must be enabled

Shift the

stringArray

stringArrayShuffle

Type:

boolean

true

:warning:

stringArray

must be enabled

Randomly shuffles the

stringArray

stringArrayWrappersCount

Type:

number

1

:warning:

stringArray

option must be enabled

Sets the count of wrappers for the

string array

literal

Example: ```ts // Input const foo = 'foo'; const bar = 'bar';

function test () { const baz = 'baz'; const bark = 'bark'; const hawk = 'hawk'; }

const eagle = 'eagle';

// Output, stringArrayWrappersCount: 5 const 0x3f6c = [ 'bark', 'bar', 'foo', 'eagle', 'hawk', 'baz' ]; const _0x48f96e = _0x2e13; const _0x4dfed8 = _0x2e13; const _0x55e970 = _0x2e13; function _0x2e13(0x33c4f5, 0x3f6c62) { _0x2e13 = function (0x2e1388, 0x60b1e) { _0x2e1388 = _0x2e1388 - 0xe2; let _0x53d475 = _0x3f6c[0x2e1388]; return 0x53d475; }; return _0x2e13(0x33c4f5, _0x3f6c62); } const foo = _0x48f96e(0xe4); const bar = _0x4dfed8(0xe3); function test() { const _0x1c262f = _0x2e13; const _0x54d7a4 = _0x2e13; const _0x5142fe = _0x2e13; const _0x1392b0 = _0x1c262f(0xe7); const _0x201a58 = _0x1c262f(0xe2); const _0xd3a7fb = _0x1c262f(0xe6); } const eagle = _0x48f96e(0xe5); ```

stringArrayWrappersChainedCalls

Type:

boolean

true

:warning:

stringArray

and

stringArrayWrappersCount

options must be enabled

Enables the chained calls between

string array

Example: ```ts // Input const foo = 'foo'; const bar = 'bar';

function test () { const baz = 'baz'; const bark = 'bark';

function test1() {
    const hawk = 'hawk';
    const eagle = 'eagle';
} 

}

// Output, stringArrayWrappersCount: 5, stringArrayWrappersChainedCalls: true const 0x40c2 = [ 'bar', 'bark', 'hawk', 'eagle', 'foo', 'baz' ]; const _0x31c087 = _0x3280; const _0x31759a = _0x3280; function _0x3280(0x1f52ee, 0x40c2a2) { _0x3280 = function (0x3280a4, 0xf07b02) { _0x3280a4 = _0x3280a4 - 0x1c4; let _0x57a182 = _0x40c2[0x3280a4]; return 0x57a182; }; return _0x3280(0x1f52ee, _0x40c2a2); } const foo = _0x31c087(0x1c8); const bar = _0x31c087(0x1c4); function test() { const _0x848719 = _0x31759a; const _0x2693bf = _0x31c087; const _0x2c08e8 = _0x848719(0x1c9); const _0x359365 = _0x2693bf(0x1c5); function _0x175e90() { const _0x310023 = _0x848719; const _0x2302ef = _0x2693bf; const _0x237437 = _0x310023(0x1c6); const _0x56145c = _0x310023(0x1c7); } } ```

stringArrayWrappersParametersMaxCount

Type:

number

2

:warning:

stringArray

option must be enabled

:warning: Currently this option affects only wrappers added by

stringArrayWrappersType

function

option value

Allows to control the maximum number of string array wrappers parameters. Default and minimum value is

2

2

5

stringArrayWrappersType

Type:

string

variable

:warning:

stringArray

and

stringArrayWrappersCount

options must be enabled

Allows to select a type of the wrappers that are appending by the

stringArrayWrappersCount

Available values: *

'variable'

'function'

variable

Highly recommended to use

function

Example of the

'function'

function test () { const bar = 'bar'; console.log(foo, bar); }

test();

// output const a = [ 'log', 'bar', 'foo' ]; const foo = d(0x567, 0x568); function b(c, d) { b = function (e, f) { e = e - 0x185; let g = a[e]; return g; }; return b(c, d); } function test() { const c = e(0x51c, 0x51b); function e (c, g) { return b(c - 0x396, g); } consolef(0x51b, 0x51d); function f (c, g) { return b(c - 0x396, g); } } function d (c, g) { return b(g - 0x3e1, c); } test(); ```

stringArrayThreshold

Type:

number

0.8

0

1

:warning:

stringArray

option must be enabled

You can use this setting to adjust the probability (from 0 to 1) that a string literal will be inserted into the

stringArray

This setting is especially useful for large code size because it repeatedly calls to the

string array

stringArrayThreshold: 0

stringArray: false

target

Type:

string

browser

Allows to set target environment for obfuscated code.

Available values: *

browser

browser-no-eval

node

Currently output code for

browser

node

node

browser-no-eval

eval

transformObjectKeys

Type:

boolean

false

Enables transformation of object keys.

Example: ```ts // input (function(){ var object = { foo: 'test1', bar: { baz: 'test2' } }; })();

// output var 0x4735 = [ 'foo', 'baz', 'bar', 'test1', 'test2' ]; function _0x390c(0x33d6b6, 0x4735f4) { _0x390c = function (0x390c37, 0x1eed85) { _0x390c37 = _0x390c37 - 0x198; var _0x2275f8 = _0x4735[0x390c37]; return 0x2275f8; }; return _0x390c(0x33d6b6, 0x4735f4); } (function () { var _0x17d1b7 = _0x390c; var _0xc9b6bb = {}; _0xc9b6bb[0x17d1b7(0x199)] = 0x17d1b7(0x19c); var _0x3d959a = {}; _0x3d959a[0x17d1b7(0x198)] = 0x17d1b7(0x19b); _0x3d959a[0x17d1b7(0x19a)] = _0xc9b6bb; var _0x41fd86 = _0x3d959a; }()); ```

unicodeEscapeSequence

Type:

boolean

false

Allows to enable/disable string conversion to unicode escape sequence.

Unicode escape sequence increases code size greatly and strings easily can be reverted to their original view. Recommended to enable this option only for small source code.

Preset Options

High obfuscation, low performance

Performance will 50-100% slower than without obfuscation

{
    compact: true,
    controlFlowFlattening: true,
    controlFlowFlatteningThreshold: 1,
    deadCodeInjection: true,
    deadCodeInjectionThreshold: 1,
    debugProtection: true,
    debugProtectionInterval: true,
    disableConsoleOutput: true,
    identifierNamesGenerator: 'hexadecimal',
    log: false,
    numbersToExpressions: true,
    renameGlobals: false,
    selfDefending: true,
    simplify: true,
    splitStrings: true,
    splitStringsChunkLength: 5,
    stringArray: true,
    stringArrayEncoding: ['rc4'],
    stringArrayIndexShift: true,
    stringArrayRotate: true,
    stringArrayShuffle: true,
    stringArrayWrappersCount: 5,
    stringArrayWrappersChainedCalls: true,    
    stringArrayWrappersParametersMaxCount: 5,
    stringArrayWrappersType: 'function',
    stringArrayThreshold: 1,
    transformObjectKeys: true,
    unicodeEscapeSequence: false
}

Medium obfuscation, optimal performance

Performance will 30-35% slower than without obfuscation

{
    compact: true,
    controlFlowFlattening: true,
    controlFlowFlatteningThreshold: 0.75,
    deadCodeInjection: true,
    deadCodeInjectionThreshold: 0.4,
    debugProtection: false,
    debugProtectionInterval: false,
    disableConsoleOutput: true,
    identifierNamesGenerator: 'hexadecimal',
    log: false,
    numbersToExpressions: true,
    renameGlobals: false,
    selfDefending: true,
    simplify: true,
    splitStrings: true,
    splitStringsChunkLength: 10,
    stringArray: true,
    stringArrayEncoding: ['base64'],
    stringArrayIndexShift: true,
    stringArrayRotate: true,
    stringArrayShuffle: true,
    stringArrayWrappersCount: 2,
    stringArrayWrappersChainedCalls: true,
    stringArrayWrappersParametersMaxCount: 4,
    stringArrayWrappersType: 'function',
    stringArrayThreshold: 0.75,
    transformObjectKeys: true,
    unicodeEscapeSequence: false
}

Low obfuscation, High performance

Performance will slightly slower than without obfuscation

{
    compact: true,
    controlFlowFlattening: false,
    deadCodeInjection: false,
    debugProtection: false,
    debugProtectionInterval: false,
    disableConsoleOutput: true,
    identifierNamesGenerator: 'hexadecimal',
    log: false,
    numbersToExpressions: false,
    renameGlobals: false,
    selfDefending: true,
    simplify: true,
    splitStrings: false,
    stringArray: true,
    stringArrayEncoding: [],
    stringArrayIndexShift: true,
    stringArrayRotate: true,
    stringArrayShuffle: true,
    stringArrayWrappersCount: 1,
    stringArrayWrappersChainedCalls: true,
    stringArrayWrappersParametersMaxCount: 2,
    stringArrayWrappersType: 'variable',
    stringArrayThreshold: 0.75,
    unicodeEscapeSequence: false
}

Default preset, High performance

{
    compact: true,
    controlFlowFlattening: false,
    deadCodeInjection: false,
    debugProtection: false,
    debugProtectionInterval: false,
    disableConsoleOutput: false,
    identifierNamesGenerator: 'hexadecimal',
    log: false,
    numbersToExpressions: false,
    renameGlobals: false,
    selfDefending: false,
    simplify: true,
    splitStrings: false,
    stringArray: true,
    stringArrayEncoding: [],
    stringArrayIndexShift: true,
    stringArrayRotate: true,
    stringArrayShuffle: true,
    stringArrayWrappersCount: 1,
    stringArrayWrappersChainedCalls: true,
    stringArrayWrappersParametersMaxCount: 2,
    stringArrayWrappersType: 'variable',
    stringArrayThreshold: 0.75,
    unicodeEscapeSequence: false
}

Frequently Asked Questions

What javascript versions are supported?

es3

es5

es2015

es2016

es2017

es2018

es2019

es2020

I want to use feature that described in

README.md

but it's not working!

The README on the master branch might not match that of the latest stable release.

Why CLI command not working?

Try to run

npm link javascript-obfuscator

npm i -g javascript-obfuscator

Online version?

obfuscator.io

JSX support?

No. JSX support isn't planned.

How to change kind of variables of inserted nodes (

var

,

let

or

const

)?

See:

Kind of variables

Why I got

null

value instead of

BigInt

number?

BigInt

BigInt

I enabled

renameProperties

option, and my code broke! What to do?

Try

renamePropertiesMode: 'safe'

Backers

Support us with a monthly donation and help us continue our activities. [Become a backer]

Sponsors

Become a sponsor and get your logo on our README on Github with a link to your site. [Become a sponsor]

License

Copyright (C) 2016-2021 Timofey Kachalov.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.