Hiding code

@firebomb___Nov 15.2003

ok i need a java code that hides all my code on my page for security reasons, can anyone help me?

to post a comment

124 Comments(s) _↴

@Jeff_MottNov 15.2003 — #Nope. No way to do that. There are many types of tricks that may delay a user by a few seconds. Though these tricks create accessibility problems and are incredibly annoying to all your legitimate users.

@xdigitalxrainxNov 15.2003 — #Hey firebomb....you told me you knew how to do that already...and you said you had the code to do it...hmm

@firebomb___authorNov 15.2003 — #the code turned out to be whack so it didn't work i reied it on my site but no dice?

@Code_OneNov 15.2003 — #is impossible....muhahahah, not really i know some tricks to keep average users off your code, but hackers, hmmm, now thats another topic. co

@Jeff_MottNov 15.2003 — #is impossible...not really[/quote]Yes, really.i know some tricks to keep average users off your code[/quote]The average user doesn't even care to see your code. They're just there to browse the Web. But, when they find all their browser features disabled, you can bet they won't be browsing back to your site ever again.

@pyroNov 15.2003 — #...and those who might care to see you code are going to know how to get it.

@Code_OneNov 15.2003 — #

The average user doesn't even care to see your code. They're just there to browse the Web. But, when they find all their browser features disabled, you can bet they won't be browsing back to your site ever again.
---------------------------------------------------------------------

Not true, I never disable right click on main pages, only on apps, because I dont have to disable the right click on the main page, due to the fact that I add right click menus, takes care of that. Plus I never take away the users location, tool, andnavigation bars, only on Apps. So that way the user still has complete control over the site, plus a few editions, but can not see my source. Though like pyro stated, if someone was determined enough, to see it, then we all know how he can. But there are methods of hiding jscript, which is helpful, but not hacker proof, of course. But as far as html is concerned at this point in time, NO, you can't truly hide it.

are you happy now...lol

Code One

@Jeff_MottNov 15.2003 — #You missed the point. Whether it is on your main pages or on your apps (whatever it is you mean by that), the [i]only[/i] people you will be able to keep out are the ones not trying to get in. It is a complete waste of time.

@firebomb___authorNov 16.2003 — #so basically i can't do crap right? is there something? what if i put it in a like a crazy font and encrypted it would the code still work?

ps whats the code to take away the right mouse click? listen fellas i'm not sayin i want it FULLY hacker proof just good enough that to where every joe can still my stuff, ya know?

@-kde-Nov 16.2003 — #You can block user's right click by means of corresponding java event to prohibit "view source" or simply fill the beginning of your HTML-document with empty lines to confuse hacker ?

@-kde-Nov 16.2003 — #As for the code blocking right mouse click, here it is:

[code=php]
 <script> 
 function menu(){
 if(event.button==2 || event.button==3){
 alert('Not permitted!');
 } return true;
 }
 window.document.onmousedown=menu;
 window.document.onmouseup=menu;
 </script>
 [/code]

@Paul_JrNov 16.2003 — #[i]Originally posted by firebomb™ [/i]

[B]so basically i can't do crap right? is there something? what if i put it in a like a crazy font and encrypted it would the code still work?

ps whats the code to take away the right mouse click? listen fellas i'm not sayin i want it FULLY hacker proof just good enough that to where every joe can still my stuff, ya know? [/B][/QUOTE]

As stated before, the Every Joe does not want to see your code. Anyone who wants to look at your code, can. There is nothing you can do to keep him out.

@Jeff_MottNov 16.2003 — #ps whats the code to take away the right mouse click? listen fellas i'm not sayin i want it FULLY hacker proof just good enough that to where every joe can still my stuff, ya know?[/quote]There is of course in the toolbar [font=courier]View->Source[/font]. Anyone computer illiterate enough to not know how to use that has most likely never heard the term HTML before in their life.

@Code_OneNov 16.2003 — #though I constantly try to prove them wrong, their right, all one has to do, is use view source, but you can always open your page with a poup and turn off the location bar, nav, etc. and the popuped window wont have any of that crap, and then insert a right click button, to keep people totally out, but still all they gotta do is turn of javascript and bamb their inside snaking your script. If your that worried about your scripts keep em off your page and just reference them.

hope this helps,

code one

@VladdyNov 16.2003 — #Besides the fact that those who want it will get it, there is one more thing to consider: what you are trying to hide is most probably not worth being hidden.

@Paul_JrNov 16.2003 — #[i]Originally posted by Code One [/i]

[B]...but still all they gotta do is turn of javascript and bamb their inside snaking your script...[/B][/QUOTE]

You don't even need to do that...it's much simpler.

@hodgesj312Nov 16.2003 — #You can save the code you want to hide as a .js file. Don't embedd it in HTML or put 'script' tags in the .js file. Now in your actual page put the following:

<script language="JavaScript" src="whatever.js">

</script>

P.S. where it says 'whatever.js' it doesn't mean literally. Put the name of the .js file there. If anything doesn't work then make sure your the .js file is in the same folder as the actual page. If it isn't then you have to put the exact path of the .js file. You might want to make sure that your FTP is not acessable by people who don't have a password and anonymous logins aren't aloud or they will find your script.

your unknown buddy

@Khalid_AliNov 16.2003 — #[i]Originally posted by Code One [/i]

[B], but you can always open your page with a poup and turn off the location bar,

code one [/B][/QUOTE]

You've got to be joking,

I seriously don't see any reason prolonging this thread.

The work around you suggested above is worthless if I had my JavaScript disabled. Any other script base solution is worthless..

You can not hide your code on the internet in HTML browsers.

I don't see any reason for which this thread should continue.Please don't make me close it.

@Jeff_MottNov 16.2003 — #You might want to make sure that your FTP is not acessable[/quote]What makes you think anyone would even bother with ftp? When it is perfectly accessible from HTTP. In fact, the moment the user browses the page your precious JS file is already on the user's machine.

P.S., why?... why must there always be some newbie that comes along thinking they've found the perfect solution?

@pyroNov 16.2003 — #[i]Originally posted by Jeff Mott [/i]

[B]P.S., why?... why must there always be some newbie that comes along thinking they've found the perfect solution? [/B][/QUOTE]I hear you there... Also, why do they never accept "no" as an answer from those who know far more than they?

@firebomb___authorNov 16.2003 — #thanx i did accept it man, thanx for the help.

@James_L_Nov 16.2003 — #And, it is extremely easy to view the code in an external js file... I can definitely see this thread going in circles....

@Jeff_MottNov 16.2003 — #i did accept it man[/quote]In fact, I think you are the very first one in the history of this board to do so. ?

@Code_OneNov 16.2003 — #And, it is extremely easy to view the code in an external js file... I can definitely see this thread going in circles....

How, how?

@pyroNov 16.2003 — #Typing the url for the .js file into your location bar would be one good way.

@Code_OneNov 16.2003 — #ok, first you make vbs server side script that loads, when the page loads, and this code will go into the users system and delete their notepad. And at the same time, it will delete their browser and install a browser that you have already tweaked, by changing it's reg. info, making view source obsolete. This all wil happen at the speed of light. If all goes as according to plan, the user will have no notepad to view source in, and no way to view source at all, and if you want, you can even add a pretty little flower picture, as your icon.

Code One

What now gurus??? ?

@pyroNov 16.2003 — #[i]Originally posted by Code One [/i]

[B]If all goes as according to plan[/B][/QUOTE]All will not go according to plan. ?

@hodgesj312Nov 19.2003 — #Give me a break! I am only 10 years old and it's even a start knowing any languages!

?

@96turnerriNov 19.2003 — #10years old god :eek: i wish i had started at 10 think of the stuff id know now nearly 9years later ?

@hodgesj312Nov 19.2003 — #Thanks for the links. I'll check them out!

?

@96turnerriNov 19.2003 — #ok cool sounds good, top two are still work in progress so remember that b4 u comment lol ?

@hodgesj312Nov 19.2003 — #Thanx

?

@hodgesj312Nov 19.2003 — #What is RT designs about?

?

@NevermoreNov 19.2003 — #Disclaimer:

[color=red]

BEFORE YOU READ THIS PLEASE NOTE THAT I AM NOT SUGGESTING A PRACTICAL IDEA, JUST AN EXPERIMENT!

[/color]

I read the idea of forcing your users to use the browser of your choice. Obviously that isn't possible, bu if you really care so much, I suppose you could write a Java Applet/flash movie that reads encrypted source code from another page and interprets it just like the browser would. It would still be possible to get your code, but you could then CHMOD your encrypted source code file or use PHP to check that the request has come from the page. That way, I don't think it would be possible to get your code.

What's your verdict? Would it work? If you think it would, I might just make it and find out!

Probably be easier just to let people get your code, though.

@Paul_JrNov 19.2003 — #[i]Originally posted by hodgesj312 [/i]

[B]Give me a break! I am only 10 years old and it's even a start knowing any languages!

? [/B][/QUOTE]

Wow...and I thought I was half-way special; being 15 and all...?

@Code_OneNov 19.2003 — #ive been doing this since i was two. ehhmmm Bullshhhhiiittt, it would be a sad thing if that were true since, I still struggle, with arays. LOL

code one

@Code_OneNov 19.2003 — #I think it's actually good to share your code, or atleast be able to sneek peaks at someones code, because I know for me thats how I learn, I look at their codes, snippit, figure out why it's working, and try to replicate it in diffferent ways, really helps you learn. So Mr.Hodges, even if you did what the gentlemen told you about java, I still think someone will find their way into your script, people could FTP your site, crack the user name and pass, quite easily I must say, and gank your stuff by force, if you somehow built a script or program, that kept everyone out of your stuff, then you would become thetarget of many hackers, and one of them evil genious's would finally get in, and when they do they are going to let you know they were there.

So I suggest you focus more on learning code, than hiding it, for now.

Code One

@Paul_JrNov 20.2003 — #[i]Originally posted by Code One [/i]

[B]...and gank your stuff by force...

Code One [/B][/QUOTE]

I've never heard that expression used before, and it cracked me up when I saw it...

[i]Ganked[/i] Lmao. ?

@96turnerriNov 20.2003 — #rt designs is gonna be a web design company once i get everything sorted and finsihed ?

@Code_OneNov 20.2003 — #spammer...spammer...spammer....woo, woo, woo, LOL JK ?

@96turnerriNov 20.2003 — #whose a spammer?? we know zachzach is :p

@K____g___f___________10Nov 20.2003 — #There is a progam called TagsLockPro 'n' there is a option to hide the source code of your html document and there is a javascript to scramble the source code [URL=http://www.dynamicdrive.com/dynamicindex9/encrypter.htm]source code encripter[/URL] is not 100% foolprof but works.

@saintgregorNov 20.2003 — #well THIS tool really rocks!

didn't believe that something like that is possible.

saint

@96turnerriNov 20.2003 — #yeah thats good but if like we say if some1 knows what youve done then they can get the code back ?

@pyroNov 20.2003 — #Here's the decrypter, if anyone's interested :rolleyes:

&lt;script type="text/javascript"&gt;
 code = "%3Cb%3Etest%3C/b%3E";
 document.write("&lt;textarea rows="5" cols="50"&gt;"+unescape(code)+"&lt;/textarea");
 &lt;/script&gt;

@LittleRedNov 20.2003 — #hey, if you can't hide the code, you can always try and distract people who do view it...

check out the source to this site: http://www.ths.nu/

@96turnerriNov 20.2003 — #and that distracts us how????!, its the same as any sites code

@NevermoreNov 20.2003 — #[i]Originally posted by Code One [/i]

[B] So Mr.Hodges, even if you did what the gentlemen told you about java, I still think someone will find their way into your script, people could FTP your site, crack the user name and pass, quite easily I must say, and gank your stuff by force, if you somehow built a script or program, that kept everyone out of your stuff, then you would become thetarget of many hackers, and one of them evil genious's would finally get in, and when they do they are going to let you know they were there.

So I suggest you focus more on learning code, than hiding it, for now.

Code One [/B][/QUOTE]

If you went through everything I was talking about, I don't think you could get round it, because there would be no way to get the unencrypted source code.

If your FTP password is that easy to crack, then you're stupid. Mine requires secure login, only works from a selected set of computers and the password is 25 letters long, all random. Hard to remember, but very secure.

'Evil geniuses' would be more likely to DOS your site to knock it off the web.

And if you are worried enough about your code to go to those extremes the risks of exposing your code must be pretty extreme, so it would be worth it.

@hodgesj312Nov 20.2003 — #Thanks for the tip!?

@greenpizza13Nov 20.2003 — #The only thing I can think of would be an external script... or you could use asp or XML or one of those new things I know absolutely nothing about to hide ur code... I think if a hacker wants in, hes ganna get in!

@NevermoreNov 20.2003 — #asp: Active Server Pages :

A server side scripting language that allows pages to be dynamically created by the server. However, they still have to use HTML or XML like normal, so no help here.

XML: eXtensible Markup Language :

The big brother of HTML, and many other languages. Wouldn't help, because XML is no more powerful, with regard to scripting languages, than HTML.

The only way to hide the code is to stop the view source command, by controlling the broser yourself. For example by displaying the page in an applet, or writing a view source killing plug in - although I can't see people liking that one!

@hodgesj312Nov 20.2003 — #You can use this code to stop right clicking:

<script language="JavaScript">

function right(e) {

if (navigator.appName == 'Netscape' &&

(e.which == 3 || e.which == 2))

return false;

else if (navigator.appName == 'Microsoft Internet Explorer' &&

(event.button == 2 || event.button == 3)) {

alert("Ooops! Wrong Click");

return false;

}

return true;

}

document.onmousedown=right;

document.onmouseup=right;

if (document.layers) window.captureEvents(Event.MOUSEDOWN);

if (document.layers) window.captureEvents(Event.MOUSEUP);

window.onmousedown=right;

window.onmouseup=right;

</script>

But you can still use the view button across the top and then go to source.

@pyroNov 20.2003 — #[i]Originally posted by hodgesj312 [/i]

[B]...But you can still use the view button across the top and then go to source. [/B][/QUOTE]Which makes it useless, and an annoyance to visitors. Why, oh why do people use them?

@hodgesj312Nov 20.2003 — #Ok, ok give me a break it was just a suggestion!

:mad:

@Code_OneNov 20.2003 — #If you went through everything I was talking about, I don't think you could get round it, because there would be no way to get the unencrypted source code.

If your FTP password is that easy to crack, then you're stupid. Mine requires secure login, only works from a selected set of computers and the password is 25 letters long, all random. Hard to remember, but very secure.

'Evil geniuses' would be more likely to DOS your site to knock it off the web.

And if you are worried enough about your code to go to those extremes the risks of exposing your code must be pretty extreme, so it would be worth it.

__________________
Your the only person I know that has a 25 letter password, for anything. I bet I could get into your FTP....lol. By the way if you had a code that blocked people from getting it, I guaruntee it wouldnt stay safe for very long, I guaruntee that there is no possible way to ever hide code, if a man broke out of alcatraz, then a man can break into one.

Code One

@Jeff_MottNov 21.2003 — #Ok, ok give me a break it was just a suggestion![/quote]Conduct some actual research on the subject rather than throwing out random and ill-conceived ideas, then we will give you a break. Otherwise you're just wasting our time.

Same with Kîñg øf ÐëåÐ§10. If you had researched the encoder you linked to you might have noted that it is nothing more than JavaScript's escape() function. Thus the reverse is nothing more than unescape(), as Pyro had demonstrated.

@Jeff_MottNov 21.2003 — #If you went through everything I was talking about, I don't think you could get round it, because there would be no way to get the unencrypted source code.[/quote]What is this you are referring to? Actually, nevermind. I don't even need to see it to know it won't work. Unless some extreme change is made for how the World Wide Web works, there is no way to hide your source. That's it. There is no grey area. You simply can't do it. Accept it and get on with life.

@Code_OneNov 23.2003 — #Alright ladies in gentlemen, Code One has just made a legendary webdevelopment discovery, how to hide code from everyone. I made a page, because I figured I outta stop talkin about it, and just do it, this example is exsclusive to you, because I love you. Please go here:

http://home.insightbb.com/~kingx2003/ST/index.htm

Now I inputted a comment in my script, with a phrase for you to post back here if you manage to get into my code, so remember if you do, post it here, and prove me wrong, if I prove you wrong, bring your admittance here as well, and I will teach you how I did it, if you want to know.

Code One

P.s. also posted in general

@Paul_JrNov 23.2003 — #

Took me all of about... 5 seconds.

@Paul_JrNov 23.2003 — #And...?

I'm not nearly a Web Guru. ?

@Code_OneNov 23.2003 — #did you do that, I've been provin wrong, good job, please share.

Code One ?

@modifier_guyNov 23.2003 — #ok i just need a scrpit to get rid of teh rite click stuff, i had one but i dont wnat it and i delted teh script from my pages but it is still there and i need to know how to get rid of it

www.modfreaks.host.sk

@Code_OneNov 23.2003 — #do you mean you added a no right click script to your page and tried to delete it and it is still there? If so, then try deleting the file from your FTP and reupload the revised version. Other than that I have no I idea what your talkin about.

sorry

Code One

@modifier_guyNov 23.2003 — #so i can delte that page and then redo it? cus i dont wnat to have to make my site over and i saw somewere a script to remove the no rite click

@Code_OneNov 23.2003 — #dont worry about it, just open your FTP program, locate the bad file(s) and delete them, and then just re-upload their revised versions, just keep in mind that you maintain the exact same file names, so you don't have a problem with your links and crap. Think of it is an interchangeable part like in an engine, a piston goes bad, just remove and replace, no need to replace the whole motor. ?

Like the analogy?

Code One

@modifier_guyNov 23.2003 — #thnkyou i will try that

@Paul_JrNov 23.2003 — #[i]Originally posted by Code One [/i]

[B]did you do that, I've been provin wrong, good job, please share.

Code One ? [/B][/QUOTE]

It was quite easy, you can do it in any browser. I did it in Moz, because I cannot view the source of ANY website no matter what I do in IE6. If I right-click, and then select "View Source" nothing happens. The button to view it on the browser is always disabled, and if I select "View>> Source," still, nothing happens. I'm very angered. Back to the point...

Look at your keyboard, man. Check out the right Ctrl button. Hop one button to the left, and check out that button. You hit it... displays the li'l menu that you get when you right-click. You hit V (View Source shortcut), and baddabing. It's what I use to get around annoying right-click scripts.

@modifier_guyNov 23.2003 — #o i know that i wnat ti off ym site thought cus it annoys me and ppl

www.modfreaks.host.sk i ahve delketed the javascript from all my pages but nope it is still there i just wnat it gone

@Paul_JrNov 23.2003 — #It appears you have not deleted it off your site, because I nabbed this off the page you linked to in your post.

<i>
 </i>&lt;script language="JavaScript"&gt;
 &lt;!--
 function right(evnt) {
 if (navigator.appName.toUpperCase().match(/NETSCAPE/) != null) {
 if (evnt.which &gt;= 2){
 alert("Darkcrystal.net OWNS YOU!!!.");
 return false;
 }
 }
 else
 if (event.button&gt;=2)
 alert("Darkcrystal.net OWNS YOU!!!.");
 }
 document.onmousedown=right;
 if (document.layers) window.captureEvents(Event.MOUSEDOWN);
 window.onmousedown=right;
 //--&gt;
 
 &lt;/script&gt;

@modifier_guyNov 23.2003 — #i saw that but when i open up the index with my FTP it dont show any of that. but when i push teh veiw source it shows it what do i do do u got AIM or MSN?

@Paul_JrNov 23.2003 — #I don't have any experience with FTP, so I'm not sure if I could help you there... I just never got the reason to use an FTP program... ?

Yes, I have both AIM and MSN.

@modifier_guyNov 23.2003 — #what is it i want to talk to u on aim

@Paul_JrNov 23.2003 — #AIM: SchizophrenicSTD

(STD==Super Terrific Dude)

@modifier_guyNov 23.2003 — #i think the code could be hidden because my friend it and so i dont know how but he is a computer wiz(i would ask him but i dont knwo his msn) but i think he might have hidden it? i unno

my aim supermod03

@Code_OneNov 23.2003 — #listen it isnt hard to do.

Step by step guide to FTPing:

1. Load your FTP Program.

2. Log into your server.

3. Look threw your ROOT, locate bad files.

4. Right click file, and select delete.

5. Move over to your C: drive side, and dbl click the new version of the file you just deleted.

6. The program should do the rest, it configures the binary and all that boring crap.

7. Wait for the files to upload, you will know they have when they are showing once again in the server side of the program.

What I mean by server side and C: drive side of the program is that the program should basically have three windows, or really frames. The top one should tell you whats happen with log in and upload, delete, any kind of action taken place on your FTP site. Then there are two more below and side by side, the left side is your C: drive, and the right side is your server side. After all is done, log out and go to your page and check the source and see if it worked.

I recommend you get CuteFTP for a FTP program, it isnt very powerful, but it is highly user friendly, compared to others. Plus it's free!!!!

One other way to upload files to your FTP is to use your browser. Just go to your Ftp location, actually type in the address in your address bar. Something like:

[email protected]/">ftp://YourUsername:[email protected]/

Once your loged in you should see all your files just right click the files you want to change and delete them, then open "My Documents" or whatever folder you think is fastest route to your website files, once there, drag and drop each revised file into your ftp window, it will upload it for you, I think it only works with IE, so use that to do this way.

I really cannot explain this any better, just go get CuteFTP and use that, or use your browser, it's real simple, once you do it a couple times you'll be like, 'man...what was I worrying about.'

Good Luck!

Code One

@Code_OneNov 23.2003 — #this post went from how to hide code to how to reveal it...puzzling indeed...lol

Code One

@Paul_JrNov 23.2003 — #The circle is now complete! Muwahahahahaha!!! My Evil Genius Web Designer Plan for taking over the internet is moments away from being complete! Muwahahahahahaha!

@Code_OneNov 23.2003 — #'cos if that guy wants to get rid of that right click it doesnt mean he cant keep people from gankin his mod pics, all he's got to do is put a alpha opacity pic layer over each and when someone goes to right click and steal, they will simply be stealing a picture which is certainly not what they wanted. So there...LOL!!!

Code One

P.s. but if you do take over the net act like I never said that, I wanna be the vice president and spy on people while they are in Peer2Peer programs and chat rooms, and eventually directly into their homes via satellite, you know like the CIA!!!

@modifier_guyNov 23.2003 — #I need to know how to get rid of it it is dumb and anoying i hate it i dont care if ppl takje my pics

@pyroNov 23.2003 — #[i]Originally posted by Paul Jr [/i]

[B]...in IE6. If I right-click, and then select "View Source" nothing happens. The button to view it on the browser is always disabled, and if I select "View>> Source," still, nothing happens.[/B][/QUOTE]
The fix: http://forums.webdeveloper.com/showthread.php?s=&threadid=14779#post78188

@hodgesj312Nov 23.2003 — #Yeh, but you can still go to the img by just typing in the address of the site and then /img.gif

@modifier_guyNov 23.2003 — #hey

when i view teh wource on my ewb site ti shows the rite click blocker. but when i open up the index in my FTP prgram it will not show any javascript? cus i know the right vclick is still there it jus doenst show it?

@Code_OneNov 24.2003 — #on your server side of the window? If you did it should show you a menu and within that menu should be edit, click that and it will show you the entire source. If it doesnt then that is very strange. Did you try deleting the file and reuploading the new version? If not do that.

regards

Code one

@Code_OneNov 24.2003 — #
hodgesj312

Member

Registered: Nov 2003

Location:

Posts: 9

Yeh, but you can still go to the img by just typing in the address of the site and then /img.gif
[/quote]

You can chop the image in blocks and positin them together on the page, throw a clear layer over them, and make it all that much harder to steal, so there!!! LOL

Code one

@pyroNov 24.2003 — #Print Screen would work well.... ?

@Code_OneNov 24.2003 — #you smarty pants, lol...alright then I would add some dang text to them as well, all over it, ...well actually that wouldnt be good either, cause then your pictures would be hard to see.

Dang you pyro, jk, lol

code one

@modifier_guyNov 24.2003 — #code one

i am using cute ftp and when i right click the file it shows edit, view delete ect........ but now when i click edit it just open it but it doenst show the right clcik down java script

@neil9999Nov 24.2003 — #Look at your keyboard, man. Check out the right Ctrl button. Hop one button to the left, and check out that button. You hit it... displays the li'l menu that you get when you right-click.[/QUOTE]

Is there any way to block this button? That would probably make code1's little script more secure.

Neil

@NevermoreNov 24.2003 — #You can always just type view-source:url to view the source of the url without the page being loaded.

@Paul_JrNov 24.2003 — #[i]Originally posted by pyro [/i]

[B]The fix: http://forums.webdeveloper.com/showthread.php?s=&threadid=14779#post78188 [/B][/QUOTE]

I think I accidentally already did that... 'cause a few days ago, it seemed to fix itself after I had screwed around with the Internet Options.

@GollumNov 25.2003 — #Wow, this thread just won't die!

Another way to look at the javascript code that will get around pretty much all the trickes suggested here is to debug the browser with something like InterDev and IE. At some point, the javascript needs to be held in the browser in a non-encrypted form so that it can be executed. At this point a debugger can display it in all its glory.

As with anything in the security business, there's no such thing as perfect security. But there is 'enough' security - i.e. just enough to make it not worth the effort. Judging just how much worth there is and how much effort is needed is the fun part.

@newathisNov 25.2003 — #My question: Can you "hide" a key somewhere in the code and scramble what the

viewer would see if he did use either the mouse right click or the ICON VIEW/SOURCE?

The code scramble would be initiated by any of the "view source" commands. A "legitimate" entry

by the WEB page designer would be by some other unique command.

Instead of expected code he would see )(*&&^{^^{^%^{^%!_}}}*!*!&, etc. The plot -- make it difficult to see the code

and only a few would take the time to root it out.

I'm new at this and should know better to enter in this dialog.

ZING ME and I'll go back to reading and learning.

Newathis

@Jeff_MottNov 25.2003 — #Unless you plan on requiring the user to enter a password to view the page, no. If the page must unscramble (decrypt) itself in a automatic process then that means everything any user would need to to decrypt the source made available to them.

@CardboardHammerNov 25.2003 — #[i]Originally posted by cijori [/i]

[B]You can always just type view-source:url to view the source of the url without the page being loaded. [/B][/QUOTE]

That doesn't always get you everything you want. Here's a page done by Adam Brill as an example.

view-source:http://www.code4ever.com/try3/index.php

You won't find "This code is HIDDEN!!! You might as well not even try to view it... ?" anywhere in the source.

Note: There is NO WAY to <EDIT> allow a page to render and simultaneously </EDIT> prevent viewing the source of a web page without some form of "Trustworthy Computing" being forced on the client side at both the software AND hardware levels (and even then, with sufficient resources, it should be obtainable). Everyone currently selling software that will allegedly prevent viewing of the page source code is either an outright fraud or an idiot.

@diamondsNov 26.2003 — #I didn't bother to read the 7+ pages of responses, but, did you know Mozilla can get through[I] any[/I] script like that in seconds. it has a script that prevents the right-click hiding, and just by going up to a menu you can see the html printed by javascript--after it is unscrambled by the browser(it's called inspect XML). Yes, the key-combo to open it [B]cannot[/B] be blocked. other related fratures is disabling "window.status" that hides the destination of the links when you roll over them.

http://www.vortex-webdesign.com/help/hidesource.htm - a way to [B]really[/B] hide your page source, do please ignore the junk I just posted up above.

@pyroNov 26.2003 — #Lol... number 9 is very true... :p

@GollumNov 26.2003 — #[b]Re: Adam Brill's http://www.code4ever.com/try3/index.php[/b]
You won't find "This code is HIDDEN!!! You might as well not even try to view it... " anywhere in the source.[/QUOTE]
That's not quite true, it's right next to the comment that says
Nice try though?

@NevermoreNov 26.2003 — #Plus it doesn't always quite seem to work... Mozilla doesn't like it.

@GollumNov 26.2003 — #Probably because of the bit of code that says this:if (navigator.appName.indexOf("Microsoft") >= 0){document.location="code.php";}

@paulwongNov 26.2003 — #[i]Originally posted by LittleRed [/i]

[B]hey, if you can't hide the code, you can always try and distract people who do view it...

check out the source to this site: http://www.ths.nu/ [/B][/QUOTE]

hahahaha thats a good one, I should have that one in my source as well.

know any others?

@AdamBrillNov 26.2003 — #Gollum, how about telling us all how you broke it? I'm trying to fix every problem that I can as I go here... ?

BTW, I still know several ways of breaking it, and never claimed that it was unbreakable... I just want to make sure everyone knows that. ?

@hodgesj312Nov 26.2003 — #If I typed in this code for the style:



and instead of a background colour for the object I want a background image. How would I do that??

Thanks.

?

@anaw007Nov 26.2003 — #hi,

i got some code that might be bit bigger but seems to work out fine in several browsers, even with it in a seperate source file:

function click(e) {

var message="Sorry, that function is disabled!";

if (document.all) {
  if (event.button == 2) {
   alert(message);
   return false;
  }
  }
 
  if (document.layers) {
  if (e.which == 3) {
   alert(message);
   return false;
  }
  }

}

if (document.layers) {

document.captureEvents(Event.MOUSEDOWN);

}

document.onmousedown=click;

just check it and let me know if it works like i think it does.

having the source in a seperate file and/or working in frames makes it a bit more confusing to get to the source code,

and there are some html compressors that do a nice job in hiding source.

@pyroNov 26.2003 — #No, it does not work like you think it does... Anyone can simple hit view->source to get around it.

@anaw007Nov 26.2003 — #well, that's where the use of frames comes in, or, you can hide the code in a encrypted file somewhere else on youre site.

@AdamBrillNov 26.2003 — #How about disabling JS? I don't care how good of a script you get, if JS is disabled I can still right-click, right? So then how can a no right-click script possibly help? All anyone has to do is turn off JS and that script is completely useless...

Maybe you should just take our word for it that no right-click scripts are useless. ?

BTW, take a look at the link that CardboardHammer posted(http://www.code4ever.com/try3/index.php). I created this just to see how close I could get to hiding the source. It is the closest I've ever seen to actually getting it done, but as you will see, right-clicking works fine. I realized that no right-click scripts are completely useless, so I didn't even put it in...

@hodgesj312Nov 26.2003 — #If you read my post properly you would of seen it told you about that con.

@GollumNov 26.2003 — #Adam,

I broke it by first starting IE on a blank page and selecting "Script Debugger --> Break at next Statement". Then I typed in the URL and it stopped at the first line of Javascript. Very similar in a way to disabling Javascript except you get to step through it.

Then it was a case of stepping in and in until I reached the real code in code.php

Nice one though. I like the way it covers all its tracks by wiping the reference to its source page at the last minute ?

@AdamBrillNov 26.2003 — #[i]Originally posted by hodgesj312 [/i]

[B]If you read my post properly you would of seen it told you about that con. [/B][/QUOTE]If your talking to me, I have no idea what your talking about... I was commenting on anaw007's post, not yours...

Hmm... That's a new way, Gollum. I didn't even know you could do that. I'm now going to look into how to fix it... ?

@GollumNov 26.2003 — #PS. I'm interested to know - how does your code.php know the difference between normal usage and someone typing it in the address bar?

@unknownrangerJan 27.2004 — #whats this about a "Script Debugger --> Break at next Statement" command?

how do i get to it?

newbie question im sure, but hey, every1s a newbie at one time or another...

@crh3675Jan 28.2004 — #Here is how to hide javascript code with PHP:

Create this PHP file with your <script> declaration:

<i>
 </i>&lt;? 
 session_start();
 
 $_SESSION["html_time"]=time();
 
 ?&gt;
 &lt;html&gt;
 &lt;head&gt;
 &lt;script src="jsencode.php" type="text/javascript"&gt;&lt;/script&gt;
 &lt;/head&gt;
 &lt;body&gt;
 &lt;script type="text/javascript"&gt;
 //&lt;![CDATA[
 document.write(test);  // To show you it works!
 //]]&gt;
 &lt;/script&gt;
 &lt;/body&gt;
 &lt;/html&gt;

Create teh "jsencode.php" file as follows:

<i>
 </i>&lt;?
 session_start(); 
 $script_time=time();
 
 if ($script_time&lt;=($_SESSION["html_time"]+1)){
 header("Content-type:text/javascript");
 include("jsinclude.js");
 } else{
 
 <i>	</i>echo "// No code for you buddy!";
 }
 ?&gt;

Finally, create your REAL javascript source file and name it "jsinclude.js"

<i>
 </i>
 // This is your real javascript file
 // JUST A SAMPLE
 
 function showtip(obj){
 if (obj.getAttribute("tooltip")!="null"){
 tt=document.getElementById("xTooltip");
 tt.style.left=(obj.offsetLeft+(obj.offsetWidth))+"px";
 tt.style.top=(obj.offsetTop+obj.offsetHeight)+"px";
 tt.style.visibility="visible";
 tt.innerHTML=obj.getAttribute("tooltip");
 }
 }
 
 function hidetip(){
 tt=document.getElementById("xTooltip");
 tt.style.visibility="hidden";
 }
 
 var test="this is my test text";

Then, load up "jsencodehtml.php" in your browser. Try to view the javascript source code file separately.

@crh3675Jan 28.2004 — #Here is a great Javascript encoder:

http://dean.edwards.name/packer/

@Jeff_MottJan 28.2004 — #[i]Here is a great Javascript encoder[/i]

The problem with scripts such as this, unfortunatly, is that all you need do is change [font=courier]eval[/font] to [font=courier]document.write[/font]. There's no need to even try to decipher the rest.

@crh3675Jan 28.2004 — #[i]Originally posted by Jeff Mott [/i]

[B][i]Here is a great Javascript encoder[/i]

The problem with scripts such as this, unfortunatly, is that all you need do is change [font=courier]eval[/font] to [font=courier]document.write[/font]. There's no need to even try to decipher the rest. [/B][/QUOTE]

Go ahead and try big shot ?

@Jeff_MottJan 28.2004 — #I already had. Worked just fine. Was it not supposed to?

@crh3675Jan 28.2004 — #I stand corrected. My word-wrap was on when I tried it. But the other solution that I posted a few posts ago works very well usnig PHP and session state.

@AdamBrillJan 30.2004 — #[i]Originally posted by crh3675 [/i]

[B]I stand corrected. My word-wrap was on when I tried it. But the other solution that I posted a few posts ago works very well usnig PHP and session state. [/B][/QUOTE]Actually, it does not work very well. It took me a very short amount of time to break it(most of the time that it did take was me copying your code into pages so that I could try it).

@crh3675Jan 30.2004 — #Which post are you speaking about?

@AdamBrillJan 30.2004 — #I'm talking about the post where you gave all of that code...

@crh3675Jan 30.2004 — #How did you break it? I assume it is easy to break if you know what is running it in the background.

@AdamBrillJan 30.2004 — #If you view the page, then view the script file, it will pull it out of the cache rather than downloading it again, thus you get the actual script file rather than the comment that you had as the error. Basically since the page is getting rendered, it is on my computer and I can view it...

@crh3675Jan 30.2004 — #Are you talking about viewing this file:

jsencode.php

The only way I was able to view it was by quickly clicking between both pages (jsencodehtml.php and jsencode.php) .

@AdamBrillJan 31.2004 — #Yes, that is the file I am talking about. If you set the browser to pull the file from the cache rather than re-downloading it, you can just view the file and it will pull it from the cache which will be what it loaded the first time, therefore your PHP code is not running and it will give me the source to the js file.

Basically I am just not giving the PHP a chance to run, so it takes out the usefullness of your code. It will help to stop the inexperienced users, though...

Also in #JavaScript _↴

IE setTimeout javascript & a form with multidimensional choices Adding JavaScript Arrays and alerting user

Success!

Help @firebomb___ spread the word by sharing this article on Twitter...

Tweet This

Hiding code

124 Comments(s) _↴

The average user doesn't even care to see your code. They're just there to browse the Web. But, when they find all their browser features disabled, you can bet they won't be browsing back to your site ever again.
---------------------------------------------------------------------

Also in #JavaScript _↴

Success!

Social

Version

Hiding code

124 Comments(s) ↴

The average user doesn't even care to see your code. They're just there to browse the Web. But, when they find all their browser features disabled, you can bet they won't be browsing back to your site ever again. ---------------------------------------------------------------------

Also in #JavaScript ↴

Success!

The web is an endless sea of information. Don't miss the boat... Subscribe!

Social

Version

124 Comments(s) _↴

The average user doesn't even care to see your code. They're just there to browse the Web. But, when they find all their browser features disabled, you can bet they won't be browsing back to your site ever again.
---------------------------------------------------------------------

Also in #JavaScript _↴