Jscrambler 101 - Code Locks

Last updated on August 16th, 2023

Welcome back to Jscrambler 101! A collection of tutorials on how to use Jscrambler to protect your JavaScript. These tutorials cover Jscrambler version 8.2.

Introduction: Code Locks

Last time, on Jscrambler 101 - Control Flow Flattening, we talked about Control Flow Flattening and its properties against reverse engineering.

This time, we’re going to explore Code Locks.

If JavaScript-based apps are a central part of your business, whether standard JavaScript, mobile web applications, or HTML5, you will want to prevent someone who didn’t pay or whose license has expired from executing your code.

In cases where the app handles sensitive data or critical operations, you will want to prevent the app from running on dangerous devices. This is where our Code Locks come into play.

Code Locks

Jscrambler allows you to lock your code to a predefined list of domains, browsers, and operating systems and set expiration dates.

By using them, you can limit the execution of your code to a given set of browsers, a time frame (avoid demos runnable after the preview period is over), a given domain (usually yours), a particular operating system, or to devices that have not been rooted or jailbroken (dangerous devices).

This means, for example, that you can deliver expirable demos to your clients without incurring the fear of code or client loss.

Code Locks can trigger a function when someone tries to execute the code outside of the set parameters. This function has to be defined inside the unprotected code and can warn you when such an unwanted behavior occurs.

Application Locks

Date Lock

As the name suggests, Date Locks lock the code to a period.

The code can be locked to run until a certain date, after a specific date, or between two dates.

These are done by setting the startDate, the endDate, or both, respectively. This can be useful to enforce license expiration or send out demos of your code.

If we observe the following API parameters, we can see that the protected code will run from 01-09-2018 to 10-09-2018. If someone were to run the code outside of these dates, then the warningFunc function would be triggered.

{
// keys
 "params": [
   {
     "name": "dateLock",
     "options": {
       "startDate": "2018-09-01",
       "endDate": "2018-09-10",
       "warningFunction": "warningFunc"
     }
   }
 ]
}

Domain Lock

Domain Lock locks a code to a domain name or IP address. It is helpful to stop someone from copying your code and running it on another domain or locally.

Once again, it’s another great option if you want to enforce license agreements.

Some accepted examples are:

• mysite.com: code breaks outside of mysite.com

• mysite.com, www.mysite.com: code breaks outside of mysite.com or www.mysite.com

• *.mysite.com: code breaks outside of mysite.com and its sub-domains

• 192.168.*: The code breaks if it runs on an IP outside of the 192.168 network

• file://Users/you/*: code breaks outside of your user directory

As for the API, several domains can be inserted in a list, like this:

{
// keys
"params": [
   {
     "name": "domainLock",
     "options": {
       "domains": [
         "Domain1",
         "Domain2"
       ],
       "warningFunction": "VALUE"
     }
   }
 ]
}

Platform Locks

Browser Lock

Browser Locks lock the code to a list of Browsers. If you want to enforce license agreements, this is a transformation you should consider using.

The list of browsers works as an allow list, meaning that the selected browsers are the ones where the code can run.

As an example, if we observe the following API Parameters, the protected code will only run on Firefox and Chrome:

{
 "keys": {
   "accessKey": "XXXXXX",
   "secretKey": "YYYYYY"
 },
 "applicationId": "ZZZZZZ",
 "params": [
   {
     "name": "browserLock",
     "options": {
       "browsers": [
         "firefox",
         "chrome"
       ]
     }
   }
 ]
}

OS Lock

OS Lock locks the code to a list of operating systems. It’s relevant to force apps to run on a specific platform.

Similar to Domain locks and Browser locks, this can be applied for license enforcement.

Once again, the OSes can be defined in a list inside the API parameters:

{
// keys
"params": [
   {
     "name": "osLock",
     "options": {
       "oses": [
         "linux",
         "windows",
         "osx",
         "tizen",
         "android",
         "ios"
       ],
       "warningFunction": "VALUE"
     }
   }
 ]
}

Root/Jailbreak Detection Lock

When users root (Android) or jailbreak (iOS) their devices, they become more susceptible to attacks like data exfiltration. This lock prevents the whole app (or some application features) from running on these dangerous devices.

You can also add this lock to specific parts of the code using Code Annotations:

// @jscrambler define rootJailbreakDetectionLock {countermeasures: {breakApplication: 1, customCallback: testFunction}} as rj1
// @jscrambler enable rj1

Conclusion

Using Code Locks helps you protect your code by enforcing licenses and preventing it from running outside your set parameters, whether a Browser, Date, Domain, Operating System, or a Rooted or Jailbroken device.

Remember that you can test many of these locks in our Playground App (not applicable to the Root/Jailbreak Detection Lock).

Select one or more locks and use your domain, current date, browser, or operating system, depending on which locks you have selected, to have the app run properly.

After that, you can select a domain you don’t own, previous or later dates, a different browser, and an operating system from the ones you have, and you’ll see that the protected code won’t run properly.

Feel free to proceed to one of our other 101 Tutorials:

• Jscrambler 101 — First Use

• Jscrambler 101 — Code Annotations (Code Performance)

• Jscrambler 101 — Self-Defending

• Jscrambler 101 — Control Flow Flattening

• Jscrambler 101 — How to use the CLI

• Jscrambler 101 — Source Maps

• Jscrambler 101 — Countermeasures

• Jscrambler 101 — Self-Healing

• Jscrambler 101 — Profiling (Code Performance)

• Jscrambler 101 — App Classification

• Jscrambler 101 — Memory Protection

• Jscrambler 101 — SIEM Integration

• Jscrambler 101 — Anti-Tampering

Enjoy your testing. Start protecting your Applications today!

Go to our Help Center to learn more about our Code Locks.