Dead Code Injection in JavaScript Shield

Protection ID: deadCodeInjection

Dead Code Injection is a powerful obfuscation technique that adds random blocks of non-functional code to your application. This protection makes it significantly harder for attackers to understand your code by increasing its complexity and obscuring the actual execution flow.

This protection is available in all editions of ByteHide Shield.

How It Works

Dead Code Injection works by analyzing your code and strategically inserting complex but unreachable or non-functional code blocks throughout the codebase. These injected blocks appear to be legitimate parts of your application but don't affect its actual functionality.

The result is a much more complex codebase where distinguishing between real functionality and decoy code becomes extremely challenging for anyone trying to reverse engineer your application.

This option significantly increases the size of obfuscated code (up to 200%), so it should be used carefully when code size is a concern. Use the threshold parameter to control how much dead code is injected.

Parameters

Enabled boolean : Determines whether Dead Code Injection is applied to your code. false by default
Threshold number : Sets the probability (from 0 to 1) that applicable code nodes will be affected by Dead Code Injection. 0.4 by default

This protection automatically enables the String Array protection, as it utilizes string array mechanisms for creating convincing dead code blocks.

Configuration Examples

Basic Configuration (shield.config.json)

{
  "deadCodeInjection": true
}

Advanced Configuration

{
  "deadCodeInjection": true,
  "deadCodeInjectionThreshold": 0.5,
  "stringArray": true
}

Build Tool Integration (Webpack)

// webpack.config.js
const ByteHideShieldPlugin = require('@bytehide/webpack-shield');

module.exports = {
  // ... other webpack config
  plugins: [
    new ByteHideShieldPlugin({
      projectToken: 'your-project-token',
      config: {
        deadCodeInjection: true,
        deadCodeInjectionThreshold: 0.4
      }
    })
  ]
}

Code Transformation Example

Original Code

function processUserData(user) {
  if (user.isActive) {
    let points = calculatePoints(user.activity);
    let level = determineLevel(points);
    
    return {
      userId: user.id,
      level: level,
      points: points,
      status: 'active'
    };
  } else {
    return {
      userId: user.id,
      level: 0,
      points: 0,
      status: 'inactive'
    };
  }
}

function calculatePoints(activity) {
  return activity * 10;
}

function determineLevel(points) {
  if (points < 100) return 1;
  if (points < 500) return 2;
  if (points < 1000) return 3;
  return 4;
}

Transformed Code (with Dead Code Injection)

var _0x42a8 = [
    'isActive',
    'level',
    'status',
    'setDefaults',
    'activity',
    'userId',
    'points',
    'active',
    'inactive',
    'updateMetrics',
    'id',
    'processAnalytics'
];

function _0x9f23(_0x140682, _0x31e724) {
    return _0x9f23 = function(_0x42a8e1, _0x9f23c7) {
        _0x42a8e1 = _0x42a8e1 - 0x154;
        var _0x140682 = _0x42a8[_0x42a8e1];
        return _0x140682;
    }, _0x9f23(_0x140682, _0x31e724);
}

function processUserData(user) {
    const _0x31e724 = _0x9f23;
    
    function _0x3da421(_0x140682) {
        const _0x5bfd74 = _0x9f23;
        if (_0x5bfd74(0x159) === 'updateMetrics') {
            return _0x140682 ? _0x140682['totalScore'] * 0.8 : 0x0;
        }
        return _0x140682 * 0.8;
    }
    
    if (user[_0x31e724(0x154)]) {
        let points = calculatePoints(user[_0x31e724(0x158)]);
        let level = determineLevel(points);
        
        // Dead code block that appears to be legitimate but never executes
        if (_0x31e724(0x159) === _0x31e724(0x15e)) {
            let _0x1af834 = _0x3da421(user[_0x31e724(0x158)]);
            return {
                'metadata': _0x1af834,
                'configured': !![]
            };
        }
        
        return {
            [_0x31e724(0x15a)]: user[_0x31e724(0x15e)],
            [_0x31e724(0x155)]: level,
            [_0x31e724(0x15b)]: points,
            [_0x31e724(0x156)]: _0x31e724(0x15c)
        };
    } else {
        // More dead code that looks functional
        if (_0x31e724(0x157) === 'setDefaults') {
            _0x3da421(0x50);
        }
        
        return {
            [_0x31e724(0x15a)]: user[_0x31e724(0x15e)],
            [_0x31e724(0x155)]: 0x0,
            [_0x31e724(0x15b)]: 0x0,
            [_0x31e724(0x156)]: _0x31e724(0x15d)
        };
    }
}

function calculatePoints(activity) {
    return activity * 10;
}

function determineLevel(points) {
    if (points < 100) return 1;
    if (points < 500) return 2;
    if (points < 1000) return 3;
    return 4;
}

When to Use

Dead Code Injection is particularly beneficial in these scenarios:

Critical business logic: When you need to hide implementation details of key algorithms
Premium features: To protect code that implements premium features
License verification: For code that handles license validation logic
Intellectual property: When implementing proprietary algorithms or unique solutions

For optimal results:

Apply this protection to critical parts of your application rather than the entire codebase
Combine with String Array and Control Flow Flattening for maximum protection
Adjust the threshold based on your size constraints

Compatibility Notes

Dead Code Injection is compatible with all JavaScript environments but has these considerations:

Bundle size: Significantly increases code size, which may impact load times in web applications
Performance: Generally has minimal runtime performance impact as the injected code is mostly unreachable
Mobile apps: Consider using a lower threshold for mobile web applications to reduce bundle size

For maximum security, combine Dead Code Injection with: