pwned VS javascript-obfuscator

If only this Troy guy would've told us how the passwords are checked. Oh, wait. He did. And if only this Troy guy would've provided an API to use in case we don't trust the site (since sites can be hacked and code can be changed). Ah, would you look at that. Now if only there weren't some developers out there that could use this API to make tools that'd check for passwords in the same way that's documented in that blog post. Like these ones or this one or other ones which I haven't searched for.

I don't need/use IDA, Nemlei just used https://obfuscator.io/, which just obfuscates the crap out of the code using various known methods (which I won't go into detail, it's public knowledge) and an un-obfuscation was cooked up by others. The one fucked-up thing the website does is randomizing function names, it just changes every variable/function name. We can't "un-obfuscate" those, so it's up to our brains to figure out what the code does, and change the names back.

I was considering using a obfuscation library (https://github.com/javascript-obfuscator/javascript-obfuscator) and noticed in the usage example that backticks are used and the javascript is enclosed within. The issue is that my javascript already has backticks from using template literals so my code then errors out.

Obfuscation: JavaScript Obfuscator

What I ended up doing is having two build steps, one for renderer and other for the main process, in the main process build I use https://github.com/javascript-obfuscator/javascript-obfuscator. Works pretty fine.

It's to purposefully makes your code harder to read so it prevents people from stealing your work. Here's a tool that does it: https://obfuscator.io/

I just tested it on a little snippet of my code obfuscated with https://obfuscator.io/ and it worked seemingly perfectly.

My original code:

  function resizeImage(img) {

https://obfuscator.io/ produces a similar result, perhaps that's all they used.