Compiled javascript('.jsc' file), is it secure enough and cannot be decompiled?

kory · August 12, 2013, 7:16am

Compiled javascript(‘.jsc’ file compiled using “cocos2d-console/cocos2d.py jscompile” ), is it secure enough?
I found spidermonkey support API JS_DecompileScript( https://developer.mozilla.org/en-US/docs/SpiderMonkey/JSAPI_Reference/JS_DecompileScript ),
I want to know whether jsc file can be decompiled or not.

Thanks.

dumganhar · August 13, 2013, 9:18am

Did you try that API to decompile script object?
I will test it and give you feedback.

dumganhar · August 13, 2013, 10:57am

I have tested it, the result was that using jsc is safe for protecting your game sources.

How to Test?

By adding the following code in ScriptingCore::runScript

JSBool ScriptingCore::runScript(const char *path, JSObject* global, JSContext* cx)
{
    if (!path) {
        return false;
    }
    cocos2d::FileUtils *futil = cocos2d::FileUtils::getInstance();
    std::string fullPath = futil->fullPathForFilename(path);
    if (global == NULL) {
        global = global_;
    }
    if (cx == NULL) {
        cx = cx_;
    }
    JSScript *script = NULL;    
    js::RootedObject obj(cx, global);
    JS::CompileOptions options(cx);
    options.setUTF8(true).setFileAndLine(fullPath.c_str(), 1);

    // a) check jsc file first
    std::string byteCodePath = RemoveFileExt(std::string(path)) + BYTE_CODE_FILE_EXT;
    unsigned long length = 0;
    void *data = futil->getFileData(byteCodePath.c_str(),
                                    "rb",
                                    &length);
    if (data) {
        script = JS_DecodeScript(cx, data, length, NULL, NULL);
    }

    // b) no jsc file, check js file
// Commentting for loading js files, for testing, we only care about loading jsc files.
//     if (!script) {
//         /* Clear any pending exception from previous failed decoding.  */
//         ReportException(cx);
//         
// #if (CC_TARGET_PLATFORM == CC_PLATFORM_ANDROID)
//         String* content = String::createWithContentsOfFile(path);
//         if (content) {
//             // Not supported in SpiderMonkey 19.0
//             //JSScript* script = JS_CompileScript(cx, global, (char*)content, contentSize, path, 1);
//             const char* contentCStr = content->getCString();
//             script = JS::Compile(cx, obj, options, contentCStr, strlen(contentCStr));
//         }
// #else
//         script = JS::Compile(cx, obj, options, fullPath.c_str());
// #endif
//     }

    JSBool evaluatedOK = false;
    if (script) {
        jsval rval;
        filename_script[path] = script;
        JSAutoCompartment ac(cx, global);
        evaluatedOK = JS_ExecuteScript(cx, global, script, &rval);
        if (JS_FALSE == evaluatedOK) {
            cocos2d::log("(evaluatedOK == JS_FALSE)");
            JS_ReportPendingException(cx);
        }

// Next three lines were added for testing decompiling jsc script object.
        JSString* jsstr = JS_DecompileScript(cx, script, "ppscript", 4);
        JSStringWrapper wrapper(jsstr);
        CCLOG("%s", (char*)(wrapper));

    }
    return evaluatedOK;
}

And the output was:

OpenGL version = 2.1.0 - Build 8.15.10.2858
Ready for GLSL
Ready for OpenGL 2.0
'TestJavascript.exe' (Win32): Loaded 'C:\Windows\SysWOW64\ole32.dll'. Cannot find or open the PDB file.
'TestJavascript.exe' (Win32): Loaded 'C:\Windows\SysWOW64\SHCore.dll'. Cannot find or open the PDB file.


    cocos2d.x.version: 3.0-pre-alpha0
    cocos2d.x.compiled_with_profiler: false
    cocos2d.x.compiled_with_gl_state_cache: true
    gl.vendor: Intel
    gl.renderer: Intel(R) HD Graphics
    gl.version: 2.1.0 - Build 8.15.10.2858
    gl.max_texture_size: 8192
    gl.max_texture_units: 16
    gl.supports_ETC: false
    gl.supports_S3TC: true
    gl.supports_PVRTC: false
    gl.supports_NPOT: true
    gl.supports_BGRA8888: false
    gl.supports_discard_framebuffer: false
    gl.supports_vertex_array_object: true

[no source]
[no source]
[no source]
[no source]
[no source]
[no source]
[no source]
[no source]
[no source]

It will show sources only when using pure js files.

kory · August 19, 2013, 2:59am

That’s great! Thanks James.

piatenko · January 22, 2016, 8:18am

Actually, it’s no SO great ((
I also compiled my script, and then I examined a binary .JSC file -
what I found there are my variable names from the script.

If binary contains your local variable names, then somebody can decompile it and he will see all your business logic.

So, before compilation I have to use some “obfuscator” to strip all names, and only then compile the script.

Question: Maybe somebody have “ready to use” solution or guide for “obfuscation+encode+pack+compile” for game release?

mmmjsc · May 6, 2019, 8:27am

no secure, jsc file can be decompiled.

SuppressWarnings · October 11, 2019, 9:35am

I can decompile jsc, yes, I can and I accept requests. contact my assistant
on wechat:
lab-robot
also, I can tell you how to protect your js file by enhance it before compile.