Compiled javascript('.jsc' file), is it secure enough and cannot be decompiled?

Compiled javascript('.jsc' file), is it secure enough and cannot be decompiled?

Compiled javascript(‘.jsc’ file compiled using “cocos2d-console/ jscompile” ), is it secure enough?
I found spidermonkey support API JS_DecompileScript( ),
I want to know whether jsc file can be decompiled or not.



Did you try that API to decompile script object?
I will test it and give you feedback.


I have tested it, the result was that using jsc is safe for protecting your game sources.

How to Test?

By adding the following code in ScriptingCore::runScript

JSBool ScriptingCore::runScript(const char *path, JSObject* global, JSContext* cx)
    if (!path) {
        return false;
    cocos2d::FileUtils *futil = cocos2d::FileUtils::getInstance();
    std::string fullPath = futil->fullPathForFilename(path);
    if (global == NULL) {
        global = global_;
    if (cx == NULL) {
        cx = cx_;
    JSScript *script = NULL;    
    js::RootedObject obj(cx, global);
    JS::CompileOptions options(cx);
    options.setUTF8(true).setFileAndLine(fullPath.c_str(), 1);

    // a) check jsc file first
    std::string byteCodePath = RemoveFileExt(std::string(path)) + BYTE_CODE_FILE_EXT;
    unsigned long length = 0;
    void *data = futil->getFileData(byteCodePath.c_str(),
    if (data) {
        script = JS_DecodeScript(cx, data, length, NULL, NULL);

    // b) no jsc file, check js file
// Commentting for loading js files, for testing, we only care about loading jsc files.
//     if (!script) {
//         /* Clear any pending exception from previous failed decoding.  */
//         ReportException(cx);
//         String* content = String::createWithContentsOfFile(path);
//         if (content) {
//             // Not supported in SpiderMonkey 19.0
//             //JSScript* script = JS_CompileScript(cx, global, (char*)content, contentSize, path, 1);
//             const char* contentCStr = content->getCString();
//             script = JS::Compile(cx, obj, options, contentCStr, strlen(contentCStr));
//         }
// #else
//         script = JS::Compile(cx, obj, options, fullPath.c_str());
// #endif
//     }

    JSBool evaluatedOK = false;
    if (script) {
        jsval rval;
        filename_script[path] = script;
        JSAutoCompartment ac(cx, global);
        evaluatedOK = JS_ExecuteScript(cx, global, script, &rval);
        if (JS_FALSE == evaluatedOK) {
            cocos2d::log("(evaluatedOK == JS_FALSE)");

// Next three lines were added for testing decompiling jsc script object.
        JSString* jsstr = JS_DecompileScript(cx, script, "ppscript", 4);
        JSStringWrapper wrapper(jsstr);
        CCLOG("%s", (char*)(wrapper));

    return evaluatedOK;

And the output was:

OpenGL version = 2.1.0 - Build
Ready for GLSL
Ready for OpenGL 2.0
'TestJavascript.exe' (Win32): Loaded 'C:\Windows\SysWOW64\ole32.dll'. Cannot find or open the PDB file.
'TestJavascript.exe' (Win32): Loaded 'C:\Windows\SysWOW64\SHCore.dll'. Cannot find or open the PDB file.

    cocos2d.x.version: 3.0-pre-alpha0
    cocos2d.x.compiled_with_profiler: false
    cocos2d.x.compiled_with_gl_state_cache: true
    gl.vendor: Intel
    gl.renderer: Intel(R) HD Graphics
    gl.version: 2.1.0 - Build
    gl.max_texture_size: 8192
    gl.max_texture_units: 16
    gl.supports_ETC: false
    gl.supports_S3TC: true
    gl.supports_PVRTC: false
    gl.supports_NPOT: true
    gl.supports_BGRA8888: false
    gl.supports_discard_framebuffer: false
    gl.supports_vertex_array_object: true

[no source]
[no source]
[no source]
[no source]
[no source]
[no source]
[no source]
[no source]
[no source]

It will show sources only when using pure js files.


That’s great! Thanks James.


Actually, it’s no SO great ((
I also compiled my script, and then I examined a binary .JSC file -
what I found there are my variable names from the script.

If binary contains your local variable names, then somebody can decompile it and he will see all your business logic.

So, before compilation I have to use some “obfuscator” to strip all names, and only then compile the script.

Question: Maybe somebody have “ready to use” solution or guide for “obfuscation+encode+pack+compile” for game release?


no secure, jsc file can be decompiled.