What a wonderful language JavaScript is. It's the only language where "(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]" is equal to just simple "." character.

Drunk programming is the best obfuscation. Tomorrow morning I'll have no idea how any of this works.

One of my favourite, encryption puzzles is this:

ITuyVT93oUZtLKWyVT5iqPO3nTS0VUEbMKxtp2IyoD==

Answer is plain text string in english. Good luck, post solution in the comments!

At least doesn't require obfuscation 😣

In all the things related to code and Art , code obfuscation is my favorite

Having to review an offshore C++ codebase made in Romania that the company I worked for they bought to control a wifi module on a complex RF mobile tech device that I can't legally give more details on.

If I could legally post this masterpiece, or should I say masterpiece-of-shit, all of you C++ dev would instantly get AIDS and all the existing types of cancer upon browsing it for 2 minutes.

It's laughably bad and unmaintainable. One of my colleague called it "the perfect example of human obfuscation" and it fits perfectly.

Think of a 100k LoC main function with nested loops and ifs with random sleep values, 1000 values of hardcoded 32 bits arrays declared globally in the first 10k lines for unknown reasons. Comments in Romanian mixed with english. Somehow, this shit works by some miracle.

The worst intern you can think of, while being piss drunk, could do better and it's no joke.

Android really gets on my goat. They are moving things so far that they are actually doing more damage than good.

Upgrade my build tools to v25? sure! Now all my BLE code is borked, thanks for nothing.

Go to the documentation? Lol, that's deprecated fool!

At least now it can all fail to function in Kotlin, a wrapper for Java 6. Instead of keeping your tools up to date you just create another layer of obfuscation. Well done, so proud.

Evil af...Yet classy... XD

One of the many problems with AWS free tier is the obfuscation of expenditure by design. This is NOT OK.

I'm currently one of two "pen testers" for the anticheat system of a game.

It all started a few days ago when the developer handed me the obfuscated package and told me to go at it. No big deal, I've bypassed it before the obfuscation, so I just changed some imports and sent in the screenshot.

Fast forward 100+ hours, it's turned into a cat-and-mouse game. He sends us (the testers) an update, we break it within hours. We show him what we exploited and he attempts to fix it. Rinse and repeat.

Finally, today he patched the one hole that I've been using all this time: a field in a predictable location that contains the object used for networking. Did that stop me? No!

After hours of searching, I found the field in an inner class of an inner class. Here we go again.

We were running an obfuscator as part of our build pipeline, but also were not. I discovered we had disabled every rule, and after asking around it turns out that the obfuscator broke the app (because of reflection and things I won't go into).

So I turned it off.

An hour later the CTO came to me and said to put it back. "We have to obfuscate, put it back."

"But... it wasn't doing anything, other than slowing the build down."

"I don't care, we HAVE to run obfuscation. It's in our contract with the client."

...

I need to encrypt some large files at rest and then decrypt them immediately prior to processing.

App and files are on a Linux system (CentOS). App is in C. Machine is controlled by a third party.

What encryption libraries would you recommend? And, is there any clever way of managing the decryption key beyond compiling it in the code and doing some basic obfuscation?

Are they fancy obfuscation libraries out there, for example?

And, the reason I'm not going to SO (well, one reason) is that I don't want to have 50 answers that tell me that's it's impossible to 100% protect data on a machine you don't control. This I understand---just looking for "best effort" solution.

Imagine implementing PHP scripts which execute shell commands defined in URL GET query params on your customer's dedicated server without any basic authentication or similar. The only security is by barely obfuscating it's URL.
I think I've seen it all now...

I need guidance about my current situation.
I am perfectionist believing in OOP, preventing memory leak in advance, following clean code, best practices, constantly learning about new libraries to reduce custom implementation & improve efficiency.
So even a single bad variable name can trigger my nerves.

I am currently working in a half billion $ IT service company on a maintenance project of 8 year old Android app of security domain product of 1 of the top enterprise company of the world, which sold it to the many leading companies in the world in Govt service, banking, insurance sectors.

It's code quality is such a bad that I get panic attacks & nightmares daily.

Issues are like
- No apk obfuscation, source's everything is openbook, anybody can just unzip apk & open it in Android Studio to see the source.
- logs everywhere about method name invoked,
- static IV & salt for encryption.
- thousands of line code in God classes.
- Irrelevant method names compared to it's functionality.
- Even single item having list takes 2-3 seconds to load
- Lag in navigation between different features' screens.
- For even single thing like different dimension values for different density whole 100+ lines separate layout files for 6 types of densities are written.
- No modularized packages, every class is in single package & there are around 100+ classes.

Owner of the code, my team lead, is too terrified to change even single thing as he don't have coding maturity & no understanding of memory leak, clean code, OOP, in short typical IT 'service' company mentality.

Client is ill-informed or cost-cutting centric so no code review done by them in 8 years.

Feeling much frustrated as I can see it's like a bomb is waiting to blast anytime when some blackhat cracker will take advantage of this.

Need suggestions about this to tackle the situation.

C# is getting so fucking obfuscated with these null check inceptions. Found the following in my company's code base. Why did it take me and 3 other devs an hour to figure out how to write this if statement into a flowchart?

if(!string.IsNullOrEmpty(a?.Id ?? b[0]?.Id))...😫😫😫

FYI: We figured it and also found some bugs with logic, but can you? I'll post our flowchart if ranters are interested.

So to add to the madness:
if(!string.IsNullOrEmpty(a?.Id ?? (b?.Any() ? b[0].Id : null)))...🤯🤯🤯

God damn it, if you (libGDX) have default values for public methods then make those constants public. Now I am writing wrapper and I either create my constant with same value as your private one, or do some reflection black magic which will probably break after obfuscation. *sigh* Going with my copy of the constant, not happy about that...

Would you use jsfuck for to make it a little harder on people to read the scripts?

Any idea of how to protect your nodejs source code on a client's onsite server ?

If they can SSH, they can get the entire source.

This is built into the angular framework very well but I don't know how to do this on a server.

Any neat packages for obfuscation, uglification etc ?

How do you hide your javascript file from showing for your client..aside from using obfuscation... do you know anyway to do this using npm and where you would just go

Var hide = require(‘hide something’);
hide(“public/my.js”);
hide(“public/my2.js”);
Hides it from clients and still able to access functions by these javascript files?

For F^^k sake Microsoft give us some way to protect .net code from easy reflection / decompilation ..... Obfuscation just doesn't cut it.

Gotta love JavaScript obfuscation!

((_)=>{_=["cnVjdG9y","Y29uc3Q=",(_)=>{return atob(_)},2,0,1],_=_[_[3]](_[_[5]])+_[_[3]](_[_[4]]),_=((+[])[_][_]),_("console.log('Xaotic <3')")()})([])

// We need a [code] tag guys

How do you guys prefer to hide the API keys you use in your (native) Android apps?

I'm an Android noob and the app I'm building uses some NLP services which are accessed through a key. I searched around and found a few techniques (obfuscation, serverside storage, etc.), just wanted to know what you folks recommend.

Pro tip: write ugly codes to obfuscate code

Crypto. I've seen some horrible RC4 thrown around and heard of 3DES also being used, but luckily didn't lay my eyes upon it.
Now to my current crypto adventure.
Rule no.1: Never roll your own crypto.
They said.
So let's encrypt a file for upload. OK, there doesn't seem to be a clear standard, but ya'know combine asymmetric cipher to crypt the key with a symmetric. Should be easy. Take RSA and whatnot from some libraries. But let's obfuscate it a bit so nobody can reuse it. - Until today I thought the crypto was alright, but then there was something off. On two layers there were added hashes, timestamps or length fields, which enlarges the data to encrypt. Now it doesn't add up any more: Through padding and hash verification RSA from OpenSSL throws an error, because the data is too long (about 240 bytes possible, but 264 pumped in). Probably the lib used just didn't notify, silently truncating stuff or resorting to other means. Still investigation needed. - but apart from that: why the fuck add own hash verification, with weak non-cryptographic hashes(!) if the chosen RSA variant already has that with SHA-256. Why this sick generation of key material with some md5 artistic stunts - is there no cryptographically safe random source on Windows? Why directly pump some structs (with no padding and magic numbers) into the file? Just so it's a bit more fucked up?
Thanks, that worked.

C obfuscation
This is a good use of flags

alrite devs, hardmode:
i have an obfuscation algo that cannot be defeated even by quantum computing (like infinite parralelism if i got that one right [i mean understanding what is Qcompute])

how can i take advantage of it? (get phd/big money payroll/sell it)
it could be implemented as impossible to defeat ssh for instance

So today I had to fiddle around with obfuscation software to obfuscate software we are going to release....

4 tries in and the software is still crashing with different exceptions each time....

And at the same moment this text came in to my mind:
"If software is working after obfuscation it's not obfuscated enough"

You know when I think back to the ideas I've had and the things I've worked on. I'm having difficulty, with the exception of certain far out projects that were like unattainable, in thinking of anything I've done or thought of that does not involve: data visualization, data gathering, encryption/obfuscation, inventory/storage and/or communication.

am I just unimaginative ?

I did have an idea for a code translator and how it would work and what interfaces you'd have to adopt and how you'd attack implementing things that don't translate well like c++ to js for example. or c++ to c# for that matter ! but I never got far into it. though that would have been attainable as long as you had easy ways of generating bindings.

i mean pathing and navigation were things I thought of too but... that would pretty much be implementing someone else's stuff

I FUCKING HATE TYPEDEF.
I have NEVER seen a use of typedef that wasn't UTTERLY pointless AND did absolutely nothing except add obfuscation to code.

What the fuck is the point of typedeffing a size_t to "MapIndex".. And THEN typedeffing a vector... Of vectors... Of size_t (not MapIndex!) AND THEN TYPEDEFFING A MAP OF "MapIndex" to that previously typedeffed vector of vectors....

ITS FUCKING BEYOND STUPID. I absolutely hate typedef. I have never seen a single NOT RETARDED usage of it.

Have you?

I need some clarity with the situation below.

I have my API ready.
Let's say I have a route /reset/token,
I want to be able to serve a html file with css and all that once I've processed the token internally.

I've not worked with the whole stack before so I've never really served files based on conditions i.e if the token is valid serve x else serve y.html

Also, I'm pretty sure node.js isn't the best for serving files.

So I'm taking another approach with nginx which is to implement /reset/token to serve the static file with it's coupled js file to query the API. Seems standard to me but I have this feeling that a prefilled html would be more secure than one with exposed js.

Is this the right way? Should I worry about my API calls being exposed via the js fil ? Is obfuscation the only way to handle this ? Is this the way everyone does it cause somehow I don't see the key js files in most sites. How are they hidden if so? Or are they?

I'm confused and also nginx won't let me rewrite /reset/token to something else without changing the browser url field. How do I prevent that ?