Andreas Bergmaier
4/13/2015 10:47:00 PM
MASTER TROLL BAIT schrieb:
> On Thursday, April 9, 2015 at 6:52:34 PM UTC-4, MASTER TROLL BAIT wrote:
>> [?]
>>
>> The pass word is never included in the script so it cannot be hacked
or even unpacked!
>
> Now you can use the full page URL as password, but the password prompt has been replaced by a check of the pages web address and it is used for the password, so now the JavaScript will only run from that exact URL or the page will fail!
You're contradicting yourself here. The password might not be included
in the script code itself, but it is an intrinsic property of the
resource you are trying to protect. Everybody who accesses your script
does know your domain.
And yes, it can be trivially unpacked. Just open the console on that
page that uses the script, paste the script there and replace
`this[__]($$)` (in the end) by `console.log($$)`. Hit enter and the
"decrypted" code is printed.
Bergi