js-confuser-vm 0.0.5 → 0.0.6

package/src/transforms/bytecode/aliasedOpcodes.ts

@@ -0,0 +1,158 @@
+import type { Bytecode, InstrOperand, Instruction } from "../../types.ts";
+import { Compiler, SOURCE_NODE_SYM } from "../../compiler.ts";
+import { nextFreeSlot, U16_MAX } from "../../utils/op-utils.ts";
+import { shuffle } from "../../utils/random-utils.ts";
+
+// Opcodes that must not be aliased.
+// Variable-length operand opcodes cannot be statically aliased since the
+// number of this._operand() calls varies at runtime.
+// Infrastructure opcodes (PATCH, TRY_SETUP, TRY_END, DEBUGGER) are excluded
+// because aliasing them would interfere with self-modifying bytecode and
+// exception-handling machinery.
+const DISALLOWED_OP_NAMES = new Set([
+  "MAKE_CLOSURE",
+  "BUILD_ARRAY",
+  "BUILD_OBJECT",
+  "CALL",
+  "CALL_METHOD",
+  "NEW",
+  "PATCH",
+  "TRY_SETUP",
+  "TRY_END",
+  "DEBUGGER",
+]);
+
+// Creates aliased opcodes: duplicate handlers for commonly-used opcodes,
+// optionally with a permuted operand read order in the bytecode stream.
+//
+// For each aliased op, we record an `order` permutation of length `arity`.
+// order[i] = j means: bytecode slot i holds what was originally operand j.
+//
+// Example: LOAD_GLOBAL [dst, nameIdx] with order=[1,0]:
+//   Bytecode stores:  [ALIAS_OP, nameIdx, dst]
+//   Handler reads:    _unsortedOperands = [nameIdx, dst]
+//                     _operands = [_unsortedOperands[1], _unsortedOperands[0]]
+//                               = [dst, nameIdx]   ← original order restored
+//
+// Runs LAST among bytecode transforms (after selfModifying), before resolveLabels.
+export function aliasedOpcodes(
+  bc: Bytecode,
+  compiler: Compiler,
+): { bytecode: Bytecode } {
+  // Build a map of base opcode value → name, excluding disallowed ops
+  const baseOpValueToName = new Map<number, string>();
+  for (const [name, val] of Object.entries(compiler.OP)) {
+    if (DISALLOWED_OP_NAMES.has(name)) continue;
+    baseOpValueToName.set(val as number, name);
+  }
+
+  // Collect all currently used opcode slots (base + any dynamically assigned)
+  const usedOpcodes = new Set<number>(
+    Object.keys(compiler.OP_NAME)
+      .map((k) => parseInt(k, 10))
+      .filter((v) => !isNaN(v)),
+  );
+
+  if (usedOpcodes.size > U16_MAX) return { bytecode: bc };
+
+  // ── Step 1: count frequency and determine arity for each eligible base opcode ─
+  // We scan the actual post-transform bytecode so frequency reflects what's
+  // really left (specialized/macro ops already consumed their share).
+  const opStats = new Map<number, { freq: number; arity: number | null }>();
+
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !baseOpValueToName.has(op)) continue;
+
+    const arity = instr.length - 1;
+    if (arity < 1) continue; // 0-operand opcodes have nothing to permute
+
+    const existing = opStats.get(op);
+    if (!existing) {
+      opStats.set(op, { freq: 1, arity });
+    } else {
+      if (existing.arity !== arity) {
+        // Inconsistent arity → variable-length; skip
+        existing.arity = null;
+      }
+      existing.freq++;
+    }
+  }
+
+  // ── Step 2: sort by frequency descending, keep only consistent-arity ops ────
+  const candidates = Array.from(opStats.entries())
+    .filter(([, s]) => s.arity !== null)
+    .sort(([, a], [, b]) => b.freq - a.freq);
+
+  if (candidates.length === 0) return { bytecode: bc };
+
+  // ── Step 3: assign free slots, build order permutations ─────────────────────
+  // aliasMap: originalOp → aliasOp (only the winning alias per original op)
+  const aliasMap = new Map<number, number>();
+  const aliasedOps: Compiler["ALIASED_OPS"] = {};
+
+  for (const [originalOp, stats] of candidates) {
+    const aliasOp = nextFreeSlot(usedOpcodes);
+    if (aliasOp === -1) break;
+
+    const arity = stats.arity!;
+
+    // Build a permutation of [0 .. arity-1].
+    // For arity >= 2: shuffle until we get a non-identity permutation so the
+    // operand order is actually different (makes the alias more confusing).
+    // For arity == 1: only one permutation exists ([0]); still useful as a clone.
+    let order: number[];
+    if (arity >= 2) {
+      const identity = Array.from({ length: arity }, (_, i) => i);
+      let attempts = 0;
+      do {
+        order = shuffle([...identity]);
+        attempts++;
+      } while (attempts < 20 && order.every((v, i) => v === i));
+    } else {
+      order = [0];
+    }
+
+    aliasMap.set(originalOp, aliasOp);
+    aliasedOps[aliasOp] = { originalOp, order };
+
+    const originalName =
+      compiler.OP_NAME[originalOp] ?? `OP_${originalOp}`;
+    compiler.OP_NAME[aliasOp] = `ALIAS_${originalName}_${order.join("_")}`;
+  }
+
+  compiler.ALIASED_OPS = aliasedOps;
+
+  if (aliasMap.size === 0) return { bytecode: bc };
+
+  // ── Step 4: rewrite bytecode ─────────────────────────────────────────────────
+  const result: Bytecode = [];
+
+  for (const instr of bc) {
+    const op = instr[0];
+    if (op === null || !aliasMap.has(op)) {
+      result.push(instr);
+      continue;
+    }
+
+    const aliasOp = aliasMap.get(op)!;
+    const { order } = aliasedOps[aliasOp];
+    const originalOperands = instr.slice(1) as InstrOperand[];
+
+    // Guard: if arity changed (shouldn't happen after the consistency check),
+    // fall back to the original instruction.
+    if (originalOperands.length !== order.length) {
+      result.push(instr);
+      continue;
+    }
+
+    // Rearrange operands: new slot i receives original operand order[i].
+    const newOperands = order.map((i) => originalOperands[i]);
+
+    const newInstr: Instruction = [aliasOp, ...newOperands];
+    (newInstr as any)[SOURCE_NODE_SYM] = (instr as any)[SOURCE_NODE_SYM];
+    result.push(newInstr);
+  }
+
+  return { bytecode: result };
+}

package/src/transforms/bytecode/concealConstants.ts

@@ -0,0 +1,52 @@
+import { Compiler } from "../../compiler.ts";
+import type * as b from "../../types.ts";
+
+export function concealConstants(
+  bytecode: b.Bytecode,
+  compiler: Compiler,
+): {
+  bytecode: b.Bytecode;
+} {
+  const newBytecode: b.Bytecode = [];
+
+  for (const instr of bytecode) {
+    const [op, ...operands] = instr;
+
+    const hasContant = operands.some(
+      (o) =>
+        o !== undefined &&
+        o !== null &&
+        typeof o === "object" &&
+        (o as any).type === "constant",
+    );
+
+    if (!hasContant) {
+      newBytecode.push(instr);
+      continue;
+    }
+
+    const newOperands = [];
+    for (const operand of operands) {
+      if ((operand as any)?.type === "constant") {
+        const tsOperand = operand as any;
+        newOperands.push(operand);
+        newOperands.push({
+          type: "constant",
+          value: tsOperand.value,
+          key: true,
+        });
+      } else {
+        newOperands.push(operand);
+      }
+    }
+
+    instr.length = 0;
+    instr.push(op, ...newOperands);
+
+    newBytecode.push(instr);
+  }
+
+  return {
+    bytecode: newBytecode,
+  };
+}

package/src/transforms/bytecode/macroOpcodes.ts

@@ -1,15 +1,17 @@
 import type { Bytecode, Instruction } from "../../types.ts";
 import { Compiler, SOURCE_NODE_SYM } from "../../compiler.ts";
-import { nextFreeSlot, U16_MAX } from "../utils/op-utils.ts";
+import { nextFreeSlot, U16_MAX } from "../../utils/op-utils.ts";
 
-// Opcodes that must not appear inside a macro window.
+// Opcodes that must not appear in a non-terminal position inside a macro window.
 // Jump ops: modifying frame._pc mid-execution causes the macro handler to
 //   run subsequent sub-bodies even after the jump already fired.
 // Frame-changing ops (CALL, CALL_METHOD, NEW, RETURN, THROW): push/pop call
 //   frames mid-macro, leaving the `frame` variable stale for later sub-bodies.
+// When one of these is the LAST instruction in the macro sequence there are no
+//   following sub-bodies, so editing _pc or the call frame is safe.
 // Variable-operand ops (MAKE_CLOSURE): the number of _operand() calls depends
 //   on uvCount at runtime, so a static handler cannot be generated.
-// Infrastructure ops (DATA, PATCH, TRY_SETUP, TRY_END, DEBUGGER):
+// Infrastructure ops (PATCH, TRY_SETUP, TRY_END, DEBUGGER):
 //   either illegal here or nonsensical to fold.
 
 // Scan bytecode for repeating instruction sequences and fold them into
@@ -36,23 +38,35 @@ export function macroOpcodes(
     originalOpToName.set(opVal, name);
   }
 
-  function isEligible(op: number | null, compiler: Compiler): boolean {
+  function isEligible(
+    op: number | null,
+    compiler: Compiler,
+    isLast: boolean = false,
+  ): boolean {
     if (op === null) return false;
     const { OP, JUMP_OPS } = compiler;
-    if (JUMP_OPS.has(op)) return false;
-    const excluded = new Set<number | undefined>([
-      OP.RETURN,
+    // Infrastructure and variable-length ops are never eligible.
+    const alwaysExcluded = new Set([
       OP.PATCH,
       OP.TRY_SETUP,
       OP.TRY_END,
       OP.DEBUGGER,
-      OP.CALL,
-      OP.CALL_METHOD,
-      OP.NEW,
-      OP.THROW,
       OP.MAKE_CLOSURE, // variable-length operands — cannot generate a static handler
     ]);
-    return !excluded.has(op) && originalOpToName.has(op); // Only original Ops are eligible (specialized disallowed)
+    if (alwaysExcluded.has(op)) return false;
+    // Jump and frame-changing ops are only eligible as the terminal instruction.
+    if (!isLast) {
+      if (JUMP_OPS.has(op)) return false;
+      const nonTerminalExcluded = new Set([
+        OP.RETURN,
+        OP.CALL,
+        OP.CALL_METHOD,
+        OP.NEW,
+        OP.THROW,
+      ]);
+      if (nonTerminalExcluded.has(op)) return false;
+    }
+    return originalOpToName.has(op); // Only original Ops are eligible (specialized disallowed)
   }
 
   // Collect every opcode value already in use so we can find free slots.
@@ -72,13 +86,15 @@ export function macroOpcodes(
       let valid = true;
       for (let j = 0; j < len; j++) {
         const op = bc[i + j][0];
-        if (!isEligible(op, compiler)) {
+        const isLast = j === len - 1;
+        if (!isEligible(op, compiler, isLast)) {
           valid = false;
           break;
         }
         ops.push(op as number);
       }
-      // If position (i+j) is ineligible, longer windows from i are also invalid.
+      // If position (i+j) is ineligible even as a terminal, longer windows from
+      // i are also invalid (it would be non-terminal there too).
       if (!valid) break;
 
       const key = ops.join(",");
@@ -135,7 +151,8 @@ export function macroOpcodes(
       for (let j = 0; j < len; j++) {
         const instr = bc[i + j];
         const op = instr[0];
-        if (!isEligible(op, compiler)) {
+        const isLast = j === len - 1;
+        if (!isEligible(op, compiler, isLast)) {
           valid = false;
           break;
         }

package/src/transforms/bytecode/resolveContants.ts

@@ -1,37 +1,97 @@
 import type * as b from "../../types.ts";
-import { SOURCE_NODE_SYM } from "../../compiler.ts";
+import { Compiler, SOURCE_NODE_SYM } from "../../compiler.ts";
+import { getRandomInt } from "../../utils/random-utils.ts";
+import { U16_MAX } from "../../utils/op-utils.ts";
 
-// Resolve all {type:"constant", value} operands to integer indices into the
-// constants pool.  Returns both the resolved bytecode and the constants array
-// so the Serializer can use it for comment generation and output.
-// Constant refs may appear at any operand position (index 1, 2, 3, …).
-export function resolveConstants(bc: b.Bytecode): {
+// Encrypt a string with a position-dependent XOR key (u16) then base64-encode.
+//
+// Each char code is XOR'd with ((key + i) & 0xFFFF), producing a u16 value.
+// The u16 values are packed as little-endian byte pairs (matching decodeBytecode),
+// then base64-encoded so the stored constant is always safe ASCII — no raw Unicode
+// surrogates, control chars, or quote chars that would break JS string literals.
+function concealString(s: string, key: number): string {
+  const bytes = new Uint8Array(s.length * 2);
+  for (let i = 0; i < s.length; i++) {
+    const code = s.charCodeAt(i) ^ ((key + i) & 0xffff);
+    bytes[i * 2] = code & 0xff;
+    bytes[i * 2 + 1] = (code >> 8) & 0xff;
+  }
+  return Buffer.from(bytes).toString("base64");
+}
+
+// Resolve all {type:"constant", value} operands to a PAIR of integer operands:
+//   [constPoolIndex, concealKey]
+//
+// constPoolIndex — index into the constants array (as before).
+// concealKey     — XOR key used to conceal this constant.
+//                  0 means no concealment (concealConstants is off, or the
+//                  value type is not concealable: null, undefined, bool, float…).
+//
+// The constants array stores the CONCEALED value when key != 0.
+// The runtime's _readConstant(idx, key) reverses the concealment on the fly.
+//
+// Both slots are u16; all existing operand serialization handles them identically.
+export function resolveConstants(
+  bc: b.Bytecode,
+  compiler: Compiler,
+): {
   bytecode: b.Bytecode;
   constants: any[];
 } {
   const constants: any[] = [];
-  const constantsMap = new Map<any, number>();
+  const constantsMap = new Map<any, number>(); // original value → pool index
+  const keyMap = new Map<number, number>(); // pool index → conceal key
 
-  function intern(operand: b.InstrOperand): b.Operand {
+  function intern(operand: b.InstrOperand): [b.InstrOperand, number] {
     const operandAsObject =
       typeof operand === "object" && operand ? operand : {};
-
     const value = (operand as any).value;
 
     let idx = constantsMap.get(value);
+    let key = 0;
+
     if (typeof idx !== "number") {
       idx = constants.length;
       constantsMap.set(value, idx);
-      constants.push(value);
+
+      if (compiler.options.concealConstants && typeof value === "string") {
+        // Strings: position-dependent XOR. Key must be >= 1.
+        key = getRandomInt(1, U16_MAX);
+        constants.push(concealString(value, key));
+      } else if (
+        compiler.options.concealConstants &&
+        typeof value === "number" &&
+        Number.isInteger(value)
+      ) {
+        // Integers: simple XOR. Result is still a valid JS integer.
+        key = getRandomInt(1, U16_MAX);
+        constants.push(value ^ key);
+      } else {
+        // Not concealable (null, undefined, boolean, float, RegExp…) or option off.
+        key = 0;
+        constants.push(value);
+      }
+
+      keyMap.set(idx, key);
+    } else {
+      // Reuse existing pool entry — same key that was assigned on first intern.
+      key = keyMap.get(idx)!;
     }
 
-    const newOperand = {
-      ...operandAsObject,
+    const idxOperand: any = {
+      ...(operandAsObject as object),
       type: "number",
       resolvedValue: idx,
     };
 
-    return newOperand;
+    const keyOperand: any = {
+      ...(operandAsObject as object),
+      type: "number",
+      resolvedValue: key,
+    };
+
+    // key is a plain u16 number — no wrapping needed.
+    return [idxOperand, keyOperand];
   }
 
   const resolved: b.Bytecode = [];
@@ -47,9 +107,20 @@ export function resolveConstants(bc: b.Bytecode): {
     );
 
     if (hasConstant) {
-      const newOperands = operands.map((operand) =>
-        (operand as any)?.type === "constant" ? intern(operand) : operand,
-      );
+      // 1-to-2 expansion: each {type:"constant"} becomes [constIdx, concealKey].
+      const newOperands: b.InstrOperand[] = [];
+      for (const operand of operands) {
+        if ((operand as any)?.type === "constant") {
+          const [idxOperand, key] = intern(operand);
+
+          const newOperand = (operand as any)?.key ? key : idxOperand;
+
+          newOperands.push(newOperand);
+          // newOperands.push(key); // plain number — serialized as a regular u16 slot
+        } else {
+          newOperands.push(operand);
+        }
+      }
       const newInstr = [op, ...newOperands] as b.Instruction;
       (newInstr as any)[SOURCE_NODE_SYM] = (instr as any)[SOURCE_NODE_SYM];
       resolved.push(newInstr);

package/src/transforms/bytecode/selfModifying.ts

@@ -1,6 +1,7 @@
 import type { Bytecode, Instruction } from "../../types.ts";
 import { Compiler } from "../../compiler.ts";
-import { choice } from "../utils/random-utils.ts";
+import { choice } from "../../utils/random-utils.ts";
+import { getInstructionSize } from "../../utils/op-utils.ts";
 
 export function selfModifying(
   bc: Bytecode,
@@ -80,8 +81,7 @@ export function selfModifying(
 
       // Flat size of the body (each instruction occupies instr.length slots).
       const bodyFlatSize = body.reduce(
-        (acc, instr) =>
-          acc + instr.filter((x) => (x as any)?.placeholder !== true).length,
+        (acc, instr) => acc + getInstructionSize(instr),
         0,
       );
 

package/src/transforms/bytecode/specializedOpcodes.ts

@@ -1,16 +1,29 @@
 import type { Bytecode, InstrOperand, Instruction } from "../../types.ts";
 import { Compiler, SOURCE_NODE_SYM } from "../../compiler.ts";
-import { nextFreeSlot, U16_MAX } from "../utils/op-utils.ts";
+import {
+  getInstructionSize,
+  nextFreeSlot,
+  U16_MAX,
+} from "../../utils/op-utils.ts";
 
 // Creates specialized opcodes for the most frequent (OPCODE + single_integer_operand) pairs.
 // Example: [OP.LOAD_CONST, 1] becomes [SPECIALIZED_LOAD_CONST_1].
 // Only instructions with *exactly one numeric operand* are considered.
-// MAKE_CLOSURE and any instruction with zero / multiple operands are skipped.
+// MAKE_CLOSURE and other N-sized instructions cannot be specialized
 // Runs after selfModifying but before resolveLabels (operands stay plain numbers).
 export function specializedOpcodes(
   bc: Bytecode,
   compiler: Compiler,
 ): { bytecode: Bytecode } {
+  const disallowedOps = new Set([
+    compiler.OP.MAKE_CLOSURE,
+    compiler.OP.BUILD_ARRAY,
+    compiler.OP.BUILD_OBJECT,
+    compiler.OP.CALL,
+    compiler.OP.CALL_METHOD,
+    compiler.OP.NEW,
+  ]);
+
   // ── Collect used opcodes exactly as specified ─────────────────────────────
   const usedOpcodes = new Set<number>(
     Object.keys(compiler.OP_NAME)
@@ -23,30 +36,38 @@ export function specializedOpcodes(
   // ── Step 1: count frequency of eligible (op, operand) pairs ───────────────
   const freqMap = new Map<
     string,
-    { op: number; operand: InstrOperand; count: number }
+    {
+      op: number;
+      operands: InstrOperand[];
+      operandsKey: string;
+      occurences: number;
+    }
   >();
 
   for (const instr of bc) {
     const op = instr[0];
-    if (op === null || op === compiler.OP.MAKE_CLOSURE) continue;
+    if (op === null || disallowedOps.has(op)) continue;
+
+    // Only supports between 1-6 operands
+    const operandCount = getInstructionSize(instr) - 1;
+    if (operandCount < 1 || operandCount > 6) continue;
 
-    // Must have exactly one operand and it must be a plain number
-    if (instr.length !== 2) continue;
-    const operand = instr[1];
+    const operands = instr.slice(1);
+    const operandsKey = JSON.stringify(operands);
 
-    const key = `${op},${operand}`;
+    const key = `${op},${operandsKey}`;
     const entry = freqMap.get(key);
     if (entry) {
-      entry.count++;
+      entry.occurences++;
     } else {
-      freqMap.set(key, { op, operand, count: 1 });
+      freqMap.set(key, { op, operands, operandsKey, occurences: 1 });
     }
   }
 
   // ── Step 2: keep combinations that appear >= 2 times, sort by frequency ───
   const candidates = Array.from(freqMap.values())
-    .filter((e) => e.count >= 1)
-    .sort((a, b) => b.count - a.count);
+    .filter((e) => e.occurences >= 1)
+    .sort((a, b) => b.occurences - a.occurences);
 
   if (candidates.length === 0) return { bytecode: bc };
 
@@ -57,16 +78,17 @@ export function specializedOpcodes(
   for (let i = 0; i < candidates.length; i++) {
     const specialOp = nextFreeSlot(usedOpcodes);
     if (specialOp === -1) break;
-    const { op: originalOp, operand } = candidates[i];
+    const { op: originalOp, operands, operandsKey } = candidates[i];
 
-    const key = `${originalOp},${JSON.stringify(operand)}`;
+    const key = `${originalOp},${operandsKey}`;
     sigToSpecial.set(key, specialOp);
 
-    specializedOps[specialOp] = { originalOp, operand };
+    specializedOps[specialOp] = { originalOp, operands };
 
     // Register a human-readable name for disassembly / debugging
     const originalName = compiler.OP_NAME[originalOp] ?? `OP_${originalOp}`;
-    compiler.OP_NAME[specialOp] = `${originalName}_${JSON.stringify(operand)}`;
+    compiler.OP_NAME[specialOp] =
+      `${originalName}_${JSON.stringify(operandsKey)}`;
   }
 
   // Store mapping so the interpreter knows how to dispatch the specialized op
@@ -77,18 +99,25 @@ export function specializedOpcodes(
 
   for (const instr of bc) {
     const op = instr[0];
-    // Only consider instructions with exactly one numeric operand
-    if (op === null || instr.length !== 2 || op === compiler.OP.MAKE_CLOSURE) {
+    // Only consider instructions with one or more operands
+    if (op === null || instr.length <= 1 || op === compiler.OP.MAKE_CLOSURE) {
       result.push(instr);
       continue;
     }
 
-    const operand = instr[1];
-    const key = `${op},${JSON.stringify(operand)}`;
+    const operands = instr.slice(1);
+    const operandsKey = JSON.stringify(operands);
 
-    if (sigToSpecial.has(key)) {
-      const specialOpCode = sigToSpecial.get(key)!;
+    const key = `${op},${operandsKey}`;
+
+    const specialOpCode = sigToSpecial.get(key)!;
+
+    if (!specialOpCode) {
+      result.push(instr);
+      continue;
+    }
 
+    const newOperands = operands.map((operand) => {
       const operandAsObject =
         typeof operand === "object" && operand
           ? operand
@@ -103,15 +132,15 @@ export function specializedOpcodes(
         placeholder: true,
       } as any as InstrOperand;
 
-      const newInstr: Instruction = [specialOpCode, newOperand];
+      return newOperand;
+    });
 
-      // Preserve source-node information for error reporting
-      (newInstr as any)[SOURCE_NODE_SYM] = (instr as any)[SOURCE_NODE_SYM];
+    const newInstr: Instruction = [specialOpCode, ...newOperands];
 
-      result.push(newInstr);
-    } else {
-      result.push(instr);
-    }
+    // Preserve source-node information for error reporting
+    (newInstr as any)[SOURCE_NODE_SYM] = (instr as any)[SOURCE_NODE_SYM];
+
+    result.push(newInstr);
   }
 
   return { bytecode: result };