What Is Dead Code Injection?
Dead code injection is an obfuscation technique that inserts synthetic, unreachable code blocks into your JavaScript. This code never actually executes — its sole purpose is to confuse static analysis tools, automated deobfuscators, and human reverse engineers trying to understand what your code does.
How Dead Code Injection Works
The obfuscator generates realistic-looking but functionally inert code blocks and injects them throughout your script. These blocks contain fake conditionals, unused variables, and nonsense operations that look like real program logic but never affect execution.
A simple example — the obfuscator might inject:
    if (0x1 === 0x2) {
        var _fake = _0x3f2a['split']('|');
        while (true) {
            var _rnd = Math.random();
            if (_rnd > 0.5) break;
        }
    }
    // Your actual code continues here...
The condition 0x1 === 0x2 (1 === 2) is always false, so this block never runs. But it looks exactly like real code and forces anyone analyzing the file to reason about it.
Why It's Effective Against Automated Tools
Modern deobfuscators and code analysis tools try to trace the execution flow of obfuscated code. Dead code injection attacks this approach by flooding the analysis with false paths. A tool trying to determine which branches are reachable must evaluate every condition — and with enough injected dead code, this becomes computationally expensive or even intractable.
It also defeats simple pattern matching. Automated tools that look for known obfuscation signatures find far more noise to sift through.
The Threshold Parameter
The dead code injection threshold controls how aggressively dead code is injected — typically between 0 and 1. A threshold of 0.4 means roughly 40% of code nodes will have dead code injected near them. Higher thresholds mean more protection but larger file sizes.
The javascript-obfuscator library (which powers our tool) defaults to a threshold of 0.4, which provides a good balance between file size growth and protection strength.
File Size Impact
Dead code injection is the option with the largest impact on file size. At a 0.4 threshold, you might see a 40–80% increase in file size. At maximum threshold, files can double or triple in size. For large applications, this matters — consider whether the protection is worth the bandwidth cost.
For small scripts (under 10KB), the absolute size increase is often acceptable. For large bundles, you might want to enable dead code injection only on the most sensitive modules rather than the entire bundle.
Combining With Other Techniques
Dead code injection is most effective when combined with other obfuscation techniques. When strings are encrypted and variable names are mangled, an analyst can't easily distinguish the injected dead code from real logic — everything looks equally opaque. Without string encryption, an analyst might spot patterns in the injected strings that identify them as dead code.
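The kind of pattern an analyst can spot is easy to see with the literal guard from the example earlier on this page. The following is an added example, not code from javascript-obfuscator or from this tool: a small scanner that folds number-versus-number guards and flags the blocks that can never run. The function names and the sample input are constructed for illustration, and the scanner assumes no braces inside strings, comments or regex literals.

```javascript
// Added example: flags `if (<number> <op> <number>) { ... }` blocks whose guard
// folds to false. Assumes no braces inside strings, comments or regex literals.
const GUARD = /\bif\s*\(\s*(0x[0-9a-f]+|\d+)\s*(===|!==|==|!=)\s*(0x[0-9a-f]+|\d+)\s*\)\s*\{/gi;

function foldGuard(lhs, op, rhs) {
  const a = Number(lhs), b = Number(rhs); // Number() accepts 0x.. hex literals
  return op.startsWith('!') ? a !== b : a === b;
}

// Index of the `}` matching the `{` at openIdx, or -1 if unbalanced.
function matchBrace(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return i;
  }
  return -1;
}

function findDeadBlocks(src) {
  const dead = [];
  GUARD.lastIndex = 0;
  let m;
  while ((m = GUARD.exec(src)) !== null) {
    if (foldGuard(m[1], m[2], m[3])) continue; // guard is true: block is live
    const close = matchBrace(src, m.index + m[0].length - 1);
    // Skip unbalanced input and if/else pairs (the else branch would be live).
    if (close === -1 || /^\s*else\b/.test(src.slice(close + 1))) continue;
    dead.push({ start: m.index, end: close + 1, guard: `${m[1]} ${m[2]} ${m[3]}` });
    GUARD.lastIndex = close + 1; // do not rescan the body of a dead block
  }
  return dead;
}

function stripDeadBlocks(src) {
  let out = src;
  for (const b of findDeadBlocks(src).reverse()) out = out.slice(0, b.start) + out.slice(b.end);
  return out;
}

// Constructed sample: the injected block shown on this page, then live code.
const SAMPLE = `if (0x1 === 0x2) {
    var _fake = _0x3f2a['split']('|');
    while (true) {
        var _rnd = Math.random();
        if (_rnd > 0.5) break;
    }
}
if (0x3 !== 0x4) { console.log('live'); }`;
```

Guards built from encrypted strings or runtime values do not fold this way, which is why the literal form is the easiest one to filter out.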