Deobfuscation of minified JS with source maps

Estus Flask · Apr 6, 2015 · Viewed 10.3k times

Can source maps help to deobfuscate the code that was previously minified with Closure/Uglifyjs?

Are there real obstacles in how source maps work, or is it not there just because nobody cared about it? I'm not quite sure if it may work in a similar way to debug symbols in compiled languages (which are widely used to decompile binaries).

I'm interested in the answer from the developer's perspective. It would be nice to know if unauthorized access to source maps may potentially result in unimpeded code borrowing.

Answer

Daniel Trebbien · May 28, 2015

JavaScript source maps are very similar to debug symbols in compiled languages. In fact, two of the three stated goals of the Source Map Revision 3 Proposal are:

  • Support source level debugging allowing bidirectional mapping
  • Support server side stack trace deobfuscation

Therefore, unauthorized access to source maps can definitely result in deobfuscation.

There is a Node package called maximize which can deobfuscate minified JavaScript using a source map.

Note that the current version of maximize (0.0.1) does not work with falafel 1.0.0+. You will need to clone the maximize git repo and make the following change:

--- a/package.json
+++ b/package.json
@@ -18,7 +18,7 @@
   },
   "dependencies": {
     "argparse": "*",
-    "falafel": "*",
+    "falafel": "0.3.1",
     "js-beautify": "*",
     "seq": "*",
     "source-map": "*"

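Review bot: In the `"dependencies"` block, only falafel is pinned to 0.3.1 while argparse, js-beautify, seq and source-map stay at "*", so a breaking release of any of those can reintroduce the same kind of failure this change works around. Pin each dependency to a version that has been tested together, or commit a lockfile, so the install is reproducible.
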
This will allow you to try out maximize on the example:
http://dev.fontdragr.com/scripts/scripts.js

See also: Can I re-construct the original JavaScript source file from a minified version and the corresponding source-map file?
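
To see concretely what a revision 3 map hands back, here is an added example (not part of the original answer and not code from maximize) that decodes the `mappings` field by hand and pairs each minified identifier with the original name the map records. The names `sampleMin`, `sampleMap`, `src/pricing.js` and all function names are constructed for illustration.

```javascript
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Decode one segment of base64 VLQ integers (Source Map revision 3 encoding).
function decodeVlq(segment) {
  const out = [];
  let value = 0, shift = 0;
  for (const ch of segment) {
    const digit = B64.indexOf(ch);
    if (digit < 0) throw new Error("invalid base64 VLQ character: " + ch);
    value += (digit & 31) << shift;               // low 5 bits carry data
    if (digit & 32) { shift += 5; continue; }     // 6th bit: more digits follow
    out.push(value & 1 ? -(value >>> 1) : value >>> 1); // lowest bit is the sign
    value = 0; shift = 0;
  }
  return out;
}
// Resolve every mapped generated position to its original file, line, column and name.
function recoverMappings(map) {
  if (map.version !== 3) throw new Error("only revision 3 maps are handled");
  const result = [];
  let src = 0, line = 0, col = 0, name = 0;       // these deltas carry across lines
  map.mappings.split(";").forEach((lineStr, genLine) => {
    let genCol = 0;                               // resets on each generated line
    for (const seg of lineStr.split(",")) {
      if (!seg) continue;
      const f = decodeVlq(seg);
      genCol += f[0];
      if (f.length < 4) continue;                 // segment without source info
      src += f[1]; line += f[2]; col += f[3];
      const entry = { genLine, genCol, source: map.sources[src], line, col, name: null };
      if (f.length > 4) { name += f[4]; entry.name = map.names[name]; }
      result.push(entry);
    }
  });
  return result;
}
// Pair each minified identifier with the original name the map records for it.
function recoveredNames(minified, map) {
  const lines = minified.split("\n"), names = {};
  for (const m of recoverMappings(map)) {
    const id = /^[A-Za-z_$][\w$]*/.exec((lines[m.genLine] || "").slice(m.genCol));
    if (id && m.name) names[id[0]] = m.name;
  }
  return names;
}
// Constructed sample: a minified one-liner and a hand-built map for it.
const sampleMin = "function a(b){return b*2}";
const sampleMap = { version: 3, file: "app.min.js", sources: ["src/pricing.js"],
  names: ["doublePrice", "amount"], mappings: "SAASA,EAAYC,UACZA" };
console.log(recoveredNames(sampleMin, sampleMap)); // { a: 'doublePrice', b: 'amount' }
```

Running the same functions over a map your own build emits shows which file paths and identifier names it would disclose if served alongside the bundle.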