Let's use Chrome Profiler to research obfuscated code

mistomin

Mikhail Istomin

Posted on May 21, 2024

Let's use Chrome Profiler to research obfuscated code

Imagine you want to figure out how some interesting feature on a website works. The challenge is that on modern websites, the client-side JavaScript code is usually minified and obfuscated, making the research quite difficult.

Check out how the Chrome Performance tool can help you study twisted JS code.

Problem

I’m currently working on the React Donut chart with a big focus on accessibility (A11y). As an example, I took this chart. The problem is that I could not figure out how they managed to make the donut navigable with the keyboard arrows. Is it some combination of ARIA attributes or JS code involved? A deep dive into the code was needed.

Of course, the JS bundles were obfuscated, so I decided to give the Profiled a try.

Profiling

The plan is the following

  1. Start profiling
  2. Do some actions on the website to trigger the code I want to research (press the keyboard keys in my case )
  3. Stop profiling
  4. Analyze the generated diagram.

The diagram has the Interactions section that tracks keyboard events. Let’s zoom and scroll to the Arrow Key event I need.

Zoomed performance diagram

The bars on the diagram are clickable.

The summary of a selected bar is displayed below the diagram. If the selected bar represents a JS function, the profiler shows the link to the code. It’s amazingly helpful.

Clicked bar

Here is the keyboard event handler that I was looking for.

Source code location
Now, the Source tab shows me the exact function in the JS bundle that handles the event. The Profiles saved me a lot of time. No need to look through the huge codebase and obfuscated bundles. The function is located and I can proceed with my research.

Bonus

Also, the profiler shows the setTimeout statement which caused the function execution. Very helpful in some cases.

setTimeout on the diagram

💖 💪 🙅 🚩
mistomin
Mikhail Istomin

Posted on May 21, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related