唾手可得的成果:混淆 JavaScript 中的值
我正在使用 Google Maps JS API v3 制作“猜猜这个卫星/鸟瞰图中有什么地方/纪念碑/等”类型的浏览器内游戏。我不能只截取屏幕截图,因为Google 地图权限指南<似乎明确禁止这样做/a>.
但是,我需要防止作弊 - 您必须传递 google.maps.LatLng 和缩放级别 到地图构造函数,这意味着作弊用户只需要查看源代码即可获取此数据:
<script type="text/javascript"
src="http://maps.google.com/maps/api/js?sensor=false"></script>
<script type="text/javascript">
function initialize() {
var myOptions = {
center: new google.maps.LatLng(55, 145), /* this */
zoom: 10, /* and possibly this */
mapTypeId: google.maps.MapTypeId.SATELLITE,
}
var map = new google.maps.Map(document.getElementById("map_canvas"),
myOptions);
}
</script>
我已经在不破坏地图的情况下取消了所有可能的值(例如 < code>center 和诸如 setZoom() 之类的操作函数),并在匿名函数中初始化地图(因此该对象在全局命名空间中不可见)。
现在,这当然是浏览器内、客户端、不受信任的 JavaScript;我已经阅读了很多 obfuscation 标签,并且我我并不是想让脚本变得防弹(毕竟这只是一个游戏)。 我只需要对 1337 Java5kryp7 haxz0rz - “小妹妹加密”进行相当严格的混淆,正如 Bruce Schneier 所说。任何比 base64 编码更难的编码都会通过消除 最容易实现的目标 - 如果作弊者足够聪明并且有足够的决心使用 JS 调试器,他可以绕过我能做的任何事情(因为我需要以明文形式将值传递给 Google Maps API),但这不太可能大规模发生(还有其他与代码无关的方法来防止作弊)。
我尝试过各种 最小化器 和混淆器,但是这些主要处理代码(在这种情况下不是“秘密”),变量的值仍然逐字显示。
根据@Pointy的建议,我仔细检查了HTTP请求,其中一个请求确实在URL中发送了纬度/经度;尽管这令人失望,但该请求发生在许多其他请求之间,因此不会立即被注意到。幸运的是,我们的目标只是让查找纬度/经度变得更加困难,而不是万无一失。
TL;DR:我需要在 JavaScript 中混淆三个值。我不是在寻找防弹衣,只是在寻找防喷嚏装置。我应该使用什么?
I'm making an in-browser game of the type "guess what place/monument/etc. is in this satellite/aerial view", using Google Maps JS API v3. I can't just take a screenshot, as this seems to be specifically forbidden by Permission Guidelines for Google Maps.
However, I need to protect against cheaters - you have to pass a google.maps.LatLng and a zoom level to the map constructor, which means a cheating user only needs to view source to get to this data:
<script type="text/javascript"
src="http://maps.google.com/maps/api/js?sensor=false"></script>
<script type="text/javascript">
function initialize() {
var myOptions = {
center: new google.maps.LatLng(55, 145), /* this */
zoom: 10, /* and possibly this */
mapTypeId: google.maps.MapTypeId.SATELLITE,
}
var map = new google.maps.Map(document.getElementById("map_canvas"),
myOptions);
}
</script>
I am already unsetting every value I possibly can without breaking the map (such as center and the manipulation functions like setZoom()), and initializing the map in an anonymous function (so the object is not visible in global namespace).
Now, this is of course in-browser, client-side, untrusted JavaScript; I've read much of the obfuscation tag and I'm not trying to make the script bullet-proof (it's just a game, after all). I only need to make the obfuscation reasonably hard against the 1337 Java5kryp7 haxz0rz - "kid sister encryption", as Bruce Schneier puts it. Anything harder than base64 encoding would deter most cheaters by eliminating the lowest-hanging fruit - if the cheater is smart and determined enough to use a JS debugger, he can bypass anything I can do (as I need to pass the value to Google Maps API in plaintext), but that's unlikely to happen on a mass scale (there will also be other, not-code-related ways to prevent cheating).
I've tried various minimizers and obfuscators, but those will mostly deal with code (which in this case is not the "secret"), the values of variables are still shown verbatim.
At @Pointy's suggestion, I checked the HTTP requests closely, and one of them does send the lat/lon in the URL; although that's disappointing, this request happens between many other requests, so it won't be noticed right away. Fortunately, the goal is only to make it harder to find the lat/lon, not bulletproof.
TL;DR: I need to obfuscate three values in JavaScript. I'm not looking for bullet-proof armor, just a sneeze-guard. What should I use?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
最好混淆整个代码库,而不仅仅是缩小。这样,用户就很难知道要查找哪个变量来查找纬度/经度值。
Dojo Toolkit 可以与高级模式下的 Closure Compiler 一起使用,以实现完全混淆。如果您使用 JavaScript 库,但还需要混淆整个代码以保护您的 IP,那么您应该考虑 Dojo。
http://dojo-toolkit.33424 .n3.nabble.com/file/n2636749/Using_the_Dojo_Toolkit_with_the_Closure_Compiler.pdf?by-user=t
It will be best to obfuscate your entire code base, instead of just minification. That way, it would be extremely difficult for the user to know which variable to look for the lat/long values.
The Dojo Toolkit can be used with the Closure Compiler in Advanced mode for complete obfuscation. If you use a JavaScript library but also need to obfuscate your whole code to protect your IP, you should consider Dojo.
http://dojo-toolkit.33424.n3.nabble.com/file/n2636749/Using_the_Dojo_Toolkit_with_the_Closure_Compiler.pdf?by-user=t
不要因为混淆而浪费时间。压缩代码(yuic,closure)并完成。正如你所说,代码在@client端运行,没有必要混淆任何东西。
例如,像这样的东西:
被“封闭”成这样:
你可以使用在线封闭
如果您想显式“隐藏”数据段:以某种形式压缩/“加密”它们, JavaScript 实现Gzip 可能会有所帮助。
dont waste your time with the obsfucation. compress the code (yuic, closure) and done with it. as you said, the code runs @client side, no point in obsfucating anything.
eg, something like this:
gets 'closured' into this:
you can play around with closure online
if you want to explicitly 'hide' data segments: compress / 'crypt' them in some form, JavaScript implementation of Gzip might help with that.