13 Replies Latest reply on Mar 7, 2011 9:40 AM by Dave Merchant

    How do I disable the JavaScript debugger in my PDF documents?

    DHeadrick Level 1

      Hi,

       

      I'm doing everything I can to disable the JavaScript debugger in my documents created using Adobe Acrobat. Under Acrobat's Edit>Preferences, I de-select (uncheck) "Enable JavaScript debugger after Acrobat is restarted", "Enable interactive console", and "Show console on errors and messages".

       

      Yet, when I go to Advanced > Document Processing > JavaScript Debugger, it starts the debugger right up!!  How do I prevent the debugger from being started?  Even after I apply strict password security to the document where hardly anything other than opening it is allowed, Acrobat still allows me to perform Advanced > Document Processing > JavaScript Debugger, and start the debugger!

       

      I'm operating under the assumption that the debugger might allow people to somehow view my JavaScript source, so I want to keep the debugger from being used.  Even if they can't read my source, I don't see any upside to allowing the debugger to be opened.  How do I disable the debugger from being selectable from Advanced > Document Processing??

       

      Thanks.  I thought this would be a common question, but I spent a couple of hours searching with no luck.

       

      Dave

       

      P.S. I'm using Acrobat 9.1.  I did read somewhere that Acrobat X has more ability to disable the debugger.  I saw a mention of "XFA" in this regard, whatever that is.  In any case, if Acrobat X has some extra capabilities to disable the debugger, please let me know.

        • 1. Re: How do I disable the JavaScript debugger in my PDF documents?
          maxwyss Level 4

          Have you secured a document, and then tried to use the Debugger to snoop around it?

           

          Also note that you have no control over the user's JavaScript settings (unless you control a centralized installation).

           

          HTH.

           

          Max Wyss.

          1 person found this helpful
          • 2. Re: How do I disable the JavaScript debugger in my PDF documents?
            George_Johnson MVP & Adobe Community Professional

            And stop worrying about people being able to look at your code, because anyone can regardless of what the debugger setting are. If a document can be opened, everything in it can be examined, no matter how well hidden.

            1 person found this helpful
            • 3. Re: How do I disable the JavaScript debugger in my PDF documents?
              Dave Merchant MVP & Adobe Community Professional

              As George says there's no way to prevent someone from extracting the scripts in a file if they really want to (though with security applied to the PDF, it takes a more circuitous route to get there), however many people will use obfuscation tools to make it a more tedious process for the novice. Acrobat doesn't support encrypted (JSX-BIN) files as does Creative Suite, but there are many tools out there which basically take your script, turn it into a complex jumble of random references and hex strings, then execute it using an equally-complex de-jumbler function. It's crackable of course, but unless your code is worth a fortune, it makes it too much like hard work for most hackers to bother.

              • 4. Re: How do I disable the JavaScript debugger in my PDF documents?
                DHeadrick Level 1

                Thanks, everyone.

                 

                Dave mentioned that there are "obfuscation tools" that semi-hide the code.  Does anyone have a pointer to a good tool for doing this for the JavaScript within a PDF document?  Offhand, it seems like it would be difficult to "intercept" the JavaScript (in order to de-obfuscate it) within a secured (password-protected) PDF document that is on its way to being executed, but it sounds like it can be done.  Any pointers anyone has to such a tool for Acrobat JavaScript would be appreciated.

                 

                Thanks again!


                Dave

                • 6. Re: How do I disable the JavaScript debugger in my PDF documents?
                  DHeadrick Level 1

                  Thanks, try67.

                   

                  I think I am seeing how this works.  I was first thinking the obfuscation somehow encodes/encrypts the JavaScript, which made me wonder how the Acrobat JavaScript engine would know how to decrypt it.  After reading more about it, it sounds like the obfuscator deletes white spaces, deletes comments, changes names of functions to be meaningless, etc.  In other words, the Acrobat JavaScript engine will still see the same code, it will just harder for us humans to recognize the code.  Am I catching on?

                   

                  Overall, I *really* like this idea because my JavaScript code is *well* commented but that's for me, not others.  So I like the idea of making the source code less recognizable/meaningful.

                   

                  If I'm still missing the intent of obfuscators, please let me know.

                   

                  Thanks again, everyone.

                   

                  Dave

                  • 7. Re: How do I disable the JavaScript debugger in my PDF documents?
                    try67 MVP & Adobe Community Professional

                    You got it right.

                    However, I would test the code after obfuscating it. Sometimes it can go

                    wrong.

                    • 8. Re: How do I disable the JavaScript debugger in my PDF documents?
                      DHeadrick Level 1

                      Back again.

                       

                      I guess my next question is whether anyone has actually obfuscated JavaScript in Adobe Acrobat?  As you know, Acrobat is pretty picky about its XML tags.  Whenever I obfuscate the code and close my editor, Acrobat seems to reject *all* changes and resorts back to its original code that existed before I opened up the editor.

                       

                      I'm guessing Acrobat is looking at the source and saying "Wait a minute, that doesn't look like anything I'm used to!" -- and then it rejects it all, going back to its original code.  Note that, in my obfuscation, I'm not replacing comments in order to preserve the XML.  Nonetheless, when Acrobat (appears to) parse the code coming back from obfuscation, it certainly won't see the standard XML tags.  So, I can't get to the code execution phase.

                       

                      So, my question again is: Has anyone actually performed obfuscation of JavaScript in Acrobat -- and got it to work??  If so, how did you bypass (what appears to be) Acrobat's parsing of the obfuscated code looking for familiar things like XML tags?

                       

                      I've got dozens of code snippets within XML comments, so it would be very tedious to obfuscate each snippet while trying to preserve the XML tags.

                       

                      Thanks again.


                      Dave

                      • 9. Re: How do I disable the JavaScript debugger in my PDF documents?
                        George_Johnson MVP & Adobe Community Professional

                        If you're feeding the obfuscator the XML tags as well, it won't work. So obfuscating each script is exactly what you will need to do. If you have included most of your code in document-level JavaScripts as is the recommended practice, it will be a little bit easier to do, but you'll have to figure out what the obfuscator renamed your functions and variables to. If most of your code is in individual field actions, it will indeed be even more tedious. This is one of the reasons I recommended that you stop worrying and learn to love the way things are. If someone copies your code, consider it flattery.

                         

                        Another option is to minify your code, which will remove comments and white space: http://www.crockford.com/javascript/jsmin.html

                         

                        This approach would make more sense if most of your code is in document-level scripts.

                        • 10. Re: How do I disable the JavaScript debugger in my PDF documents?
                          DHeadrick Level 1

                          Thanks, George, for the quick reply and thanks for confirming that I can't just feed the obfuscator the XML tags.  I had gotten my hopes up earlier that it would be (relatively) simple to obfuscate.  Now, back to the drawing boards.  Before I give up, I'm going to check out www.jasob.com and see if I can get that tool to do what I want -- it looks like it might have enough "knobs" to do *some* obfuscation while preserving the XML tags (if I protect them with "keepout tags").

                           

                          I'll do an update when I reach a conclusion on that tool, one way or the other.


                          Dave

                           

                          BTW, I do have dozens and dozens of individual field actions to deal with -- gasp!

                          • 11. Re: How do I disable the JavaScript debugger in my PDF documents?
                            maxwyss Level 4

                            Concerning the comments, you might keep a "development" version of your document, which is fully commented, and a "production" version which has no comments at all. Making the "produciton version" may be a bit of a bother and extra work, but that already helps quite a bit. In addition to that, you CAN do this in the edit all JavaScripts mode.

                             

                            Also, as your well-documented development version is the one you work with, you may also consider using non-self-explanatory variable and function names.

                             

                            HTH

                             

                            Max Wyss.

                            • 12. Re: How do I disable the JavaScript debugger in my PDF documents?
                              DHeadrick Level 1

                              Done & done!

                               

                              As I mentioned I was going to do, I downloaded/used the obfuscator from www.jasob.com -- worked like a champ!!  I put special Jasob-defined tags around the XML tags in my JavaScript so that Jasob wouldn't treat them as comments (which is what they really are from JavaScript's perspective).  I configured Jasob to eliminate all comments, except for the now-protected XML tags.  I also declared which functions and variables are mine so that Jasob could (cryptically) rename them.

                               

                              After a couple of hours of debugging some errors on my part (mistyped/misplaced a few of the Jasob-defined tags, accidentally declared an Adobe JavaScript variable (textSize) as mine, boy did that mess things up when Jasob re-defined "textSize" to be "bQ" ;-)

                               

                              Anyway, it all seems to work, thanks for everyone's help!  I would certainly hate to have to reverse engineer the now-obfuscated code, it's a mess!!!

                               

                              Dave

                               

                              P.S. As Max mentioned, I'll do all of my development on my fully-commented code which also has useful variable names.  When I need to release a production version of the PDF document containing the JavaScript, I'll do a one-time obfuscation of my development code -- then resume further development using my development code base.

                              • 13. Re: How do I disable the JavaScript debugger in my PDF documents?
                                Dave Merchant MVP & Adobe Community Professional

                                In response to the question about other people using this technique, it's actually very common in commercial PDF files with 3D scenes, as the scene controller scripts can be valuable intellectual property. PDF files exported by Deep Exploration, for example, use a two-pass encryption routine to obfuscate their animation and camera controller classes that goes beyond just renaming the variables and chopping out the line breaks.