js-confuser-vm 0.1.0 → 0.1.1

package/dist/transforms/runtime/classObfuscation.js

@@ -0,0 +1,43 @@
+import * as t from "@babel/types";
+import { shuffle } from "../../utils/random-utils.js";
+function hasComment(node, text) {
+  const all = [...(node.leadingComments ?? []), ...(node.innerComments ?? []), ...(node.trailingComments ?? [])];
+  return all.some(c => c.value.includes(text));
+}
+function isPrototypeAssignment(stmt) {
+  if (!t.isExpressionStatement(stmt)) return false;
+  const expr = stmt.expression;
+  if (!t.isAssignmentExpression(expr)) return false;
+  const left = expr.left;
+  return t.isMemberExpression(left) && t.isMemberExpression(left.object) && t.isIdentifier(left.object.property, {
+    name: "prototype"
+  });
+}
+export function applyClassObfuscation(ast, _compiler) {
+  const body = ast.program.body;
+
+  // Split at the first statement that carries the @BOOT comment.
+  // Everything from that statement onward is the boot section and must stay last.
+  let bootIdx = body.findIndex(stmt => hasComment(stmt, "@BOOT"));
+  if (bootIdx === -1) bootIdx = body.length;
+  const shufflable = body.slice(0, bootIdx);
+  const boot = body.slice(bootIdx);
+
+  // Partition the shufflable section into two independent groups.
+  // Group A: variable/function declarations (constructors, standalone vars).
+  // Group B: prototype method assignments (X.prototype.Y = ...).
+  // Both groups are shuffled independently; A always precedes B so that
+  // constructors are defined before methods reference them.
+  const varDecls = [];
+  const methodDefs = [];
+  for (const stmt of shufflable) {
+    if (isPrototypeAssignment(stmt)) {
+      methodDefs.push(stmt);
+    } else {
+      varDecls.push(stmt);
+    }
+  }
+  shuffle(varDecls);
+  shuffle(methodDefs);
+  ast.program.body = [...varDecls, ...methodDefs, ...boot];
+}

package/dist/transforms/runtime/handlerTable.js

@@ -0,0 +1,91 @@
+import * as t from "@babel/types";
+import traverseImport from "@babel/traverse";
+import { ok } from "assert";
+import { parse } from "@babel/parser";
+const traverse = traverseImport.default || traverseImport;
+
+// Converts the switch-case dispatch into a handler table:
+//
+// Before (in .run):
+//   switch(op) { case OP.ADD: { ... break; } default: { ... } }
+//
+// After (in .init):
+//   this[OP.ADD] = function(){ ... }
+//   this["default"] = function(){ ... }
+//
+// After (in .run, replacing the switch):
+//   if(!this[op]) this["default"]();
+//   else this[op]();
+//
+export function applyHandlerTable(ast) {
+  // 1. Find the @SWITCH statement
+  let switchPath = null;
+  traverse(ast, {
+    SwitchStatement(path) {
+      if (path.node.leadingComments?.some(c => c.value.includes("@SWITCH"))) {
+        switchPath = path;
+        path.stop();
+      }
+    }
+  });
+  ok(switchPath, "Could not find opcode handlers switch statement");
+  const switchNode = switchPath.node;
+  const discriminant = switchNode.discriminant; // `op`
+
+  // 2. Find the @INIT method
+  let initPath = null;
+  traverse(ast, {
+    BlockStatement(path) {
+      if (path.node.innerComments?.some(c => c.value.includes("@INIT"))) {
+        initPath = path;
+        path.stop();
+      }
+    }
+  });
+  ok(initPath, "Could not find @INIT method");
+  const initFn = initPath.parentPath;
+
+  // 3. Build handler assignments for each case
+  const handlerAssignments = [];
+  for (const switchCase of switchNode.cases) {
+    // Strip trailing `break` from body
+    let body = [...switchCase.consequent];
+    if (body.length === 1 && t.isBlockStatement(body[0])) {
+      body = body[0].body;
+    }
+    if (body.length > 0 && t.isBreakStatement(body[body.length - 1])) {
+      body.pop();
+    }
+    body.unshift(...parse("var frame = this._currentFrame; var base = frame._base; var pc = frame._pc - 1; var regs = this._regs; ").program.body);
+    const block = t.blockStatement(body);
+    traverse(block, {
+      noScope: true,
+      ThisExpression(path) {
+        path.replaceWith(t.identifier("_this"));
+      },
+      Function(path) {
+        path.skip();
+      }
+    });
+
+    // Key: the case test, or "default" for the default case
+    const key = switchCase.test ? switchCase.test : t.stringLiteral("default");
+
+    // this[key] = function(){ ...body }
+    const handlerFn = t.functionExpression(null, [], block);
+    const assignment = t.expressionStatement(t.assignmentExpression("=", t.memberExpression(t.thisExpression(), key, true), handlerFn));
+    handlerAssignments.push(assignment);
+  }
+
+  // 4. Inject handler assignments into the @INIT body
+  initPath.node.body = handlerAssignments;
+
+  // 5. Replace the switch statement with handler dispatch:
+  //    if(!this[op]) this["default"]();
+  //    else this[op]();
+  const thisLookup = t.memberExpression(t.thisExpression(), discriminant, true);
+  const defaultCall = t.expressionStatement(t.callExpression(t.memberExpression(t.thisExpression(), t.stringLiteral("default"), true), []));
+  const handlerCall = t.expressionStatement(t.callExpression(thisLookup, []));
+  const dispatch = t.ifStatement(t.unaryExpression("!", thisLookup), t.blockStatement([defaultCall]), t.blockStatement([handlerCall]));
+  switchPath.replaceWith(dispatch);
+}

package/dist/transforms/runtime/semanticOpcodes.js

@@ -0,0 +1,35 @@
+import { parse } from "@babel/parser";
+import * as t from "@babel/types";
+import traverseImport from "@babel/traverse";
+import { ok } from "assert";
+const traverse = traverseImport.default || traverseImport;
+function parseStatements(code) {
+  const parsed = parse(code, {
+    sourceType: "unambiguous"
+  });
+  const [statement] = parsed.program.body;
+  ok(statement && t.isBlockStatement(statement), "Expected semantic opcode block");
+  return statement.body;
+}
+export function applySemanticOpcodes(ast, compiler) {
+  let switchStatement = null;
+  traverse(ast, {
+    SwitchStatement(path) {
+      if (path.node.leadingComments?.some(c => c.value.includes("@SWITCH"))) {
+        switchStatement = path.node;
+        path.stop();
+      }
+    }
+  });
+  ok(switchStatement, "Could not find @SWITCH statement for semantic opcodes");
+  for (const [semanticOpStr, info] of Object.entries(compiler.SEMANTIC_OPS)) {
+    const semanticOpCode = Number(semanticOpStr);
+    const originalName = compiler.OP_NAME[info.originalOp] ?? `OP_${info.originalOp}`;
+    const bodyStmts = parseStatements(info.code).map(statement => t.cloneNode(statement, true));
+    if (bodyStmts.length > 0) {
+      t.addComment(bodyStmts[0], "leading", ` ${compiler.OP_NAME[semanticOpCode]} -> ${originalName}`, true);
+    }
+    bodyStmts.push(t.breakStatement());
+    switchStatement.cases.push(t.switchCase(t.numericLiteral(semanticOpCode), [t.blockStatement(bodyStmts)]));
+  }
+}

package/dist/transforms/runtime/specializedOpcodes.js

@@ -20,7 +20,9 @@ function extractCaseBody(switchCase) {
 // Because specialized opcodes are only created for instructions that have
 // *exactly one* numeric operand, every `_operand()` call inside the original
 // handler is replaced by the constant value that was baked into the opcode.
-function inlineFixedOperands(bodyStmts, resolvedValues) {
+function inlineFixedOperands(newName,
+// for debugging
+info, bodyStmts, resolvedValues) {
   // Wrap the statements in a temporary BlockStatement so traverse has a root.
   // The replacement mutates the original statement objects in place.
   var replaced = 0;
@@ -46,7 +48,10 @@ function inlineFixedOperands(bodyStmts, resolvedValues) {
       }
     }
   });
-  ok(replaced === resolvedValues.length, `Expected to replace ${resolvedValues.length} operands, but replaced ${replaced}`);
+  if (replaced !== resolvedValues.length) {
+    console.error(resolvedValues, info);
+    throw new Error(`Specialized Opcode Inline Error: Given ${resolvedValues.length} operands to replace, but only found ${replaced} for ${newName}`);
+  }
 }
 
 // Append a generated switch case for every entry in compiler.SPECIALIZED_OPS.
@@ -84,18 +89,19 @@ export function applySpecializedOpcodes(ast, compiler) {
     const bodyStmts = extractCaseBody(originalCase).map(s => t.cloneNode(s, true));
     const placedOperands = info.operands;
     ok(placedOperands, `Could not find operand for original opcode ${newName}`);
-    const resolvedValues = placedOperands.map(placedOperand => {
+    const resolvedValues = placedOperands
+    // .filter((x) => !(x as any)?.placeholder)
+    .map(placedOperand => {
       return placedOperand?.resolvedValue ?? placedOperand;
     });
     if (resolvedValues.find(v => typeof v !== "number")) {
-      console.error(info);
       throw new Error("Expected all resolved operand values to be numbers");
     }
     newName = `${originalName}_${resolvedValues.join("_")}`;
     compiler.OP_NAME[specialOpCode] = newName;
 
     // Replace this._operand() with the baked-in constant
-    inlineFixedOperands(bodyStmts, resolvedValues);
+    inlineFixedOperands(newName, info, bodyStmts, resolvedValues);
 
     // Add a leading comment so the generated source stays readable
     if (bodyStmts.length > 0) {

package/dist/types.js

@@ -1,5 +1,5 @@
 // Bytecode supports both real instructions and IR pseudo-instructions
-// Real instruction: [OP.ADD, 5]  or multi-operand: [OP.MAKE_CLOSURE, labelRef, 2, 3, 0]
+// Real instruction: [OP.ADD, 5]  or multi-operand: [OP.MAKE_CLOSURE, labelRef, 2, 3, 0, 0]
 // IR instruction: [null, { type: "defineLabel", label: "FN_ENTRY_1" }]
 
 // IR instructions are used to hold symbolic information during compilation

package/dist/utils/ast-utils.js

@@ -0,0 +1,14 @@
+import traverseImport from "@babel/traverse";
+const traverse = traverseImport.default || traverseImport;
+export function getSwitchStatement(ast) {
+  let switchStatement = null;
+  traverse(ast, {
+    SwitchStatement(path) {
+      if (path.node.leadingComments?.some(c => c.value.includes("@SWITCH"))) {
+        switchStatement = path.node;
+        path.stop();
+      }
+    }
+  });
+  return switchStatement;
+}

package/dist/utils/op-utils.js

@@ -13,7 +13,6 @@ export function nextFreeSlot(compiler) {
     while (attempts++ < 512) {
       const candidate = getRandomInt(0, U16_MAX);
       if (!usedOpcodes.has(candidate)) {
-        usedOpcodes.add(candidate);
         return candidate;
       }
     }
@@ -24,7 +23,6 @@ export function nextFreeSlot(compiler) {
   for (let i = 0; i <= U16_MAX; i++) {
     const v = start + i & U16_MAX;
     if (!usedOpcodes.has(v)) {
-      usedOpcodes.add(v);
       return v;
     }
   }

package/dist/utils/pass-utils.js

@@ -0,0 +1,100 @@
+// Shared utilities for bytecode transformation passes.
+//
+// All three patterns below are identical across dispatcher, controlFlowFlattening,
+// and stringConcealing.  Centralising them here keeps each pass focused on its
+// own logic and makes the shared contract explicit.
+
+import * as b from "../types.js";
+// Return a fresh RegisterOperand object with the same (id, fnId).
+// IMPORTANT: operand objects must be unique throughout compilation —
+// other passes (e.g. specializedOpcodes) mutate operands in-place and a
+// shared reference would corrupt both sites.
+export function ref(r) {
+  return b.registerOperand(r.id, r.fnId);
+}
+
+// Scan bc and return the highest virtual register id seen for each fnId.
+// Used by passes that allocate new registers after the compiler has finished.
+export function buildMaxIdMap(bc) {
+  const maxId = new Map();
+  for (const instr of bc) {
+    for (let j = 1; j < instr.length; j++) {
+      const op = instr[j];
+      if (op && op.type === "register") {
+        const cur = maxId.get(op.fnId) ?? -1;
+        if (op.id > cur) maxId.set(op.fnId, op.id);
+      }
+    }
+  }
+  return maxId;
+}
+
+// Allocate the next virtual register id for fnId, updating maxId in-place.
+export function allocReg(fnId, maxId) {
+  const next = (maxId.get(fnId) ?? -1) + 1;
+  maxId.set(fnId, next);
+  return b.registerOperand(next, fnId);
+}
+
+// Return the label string if the operand is a { type:"label" } object,
+// otherwise return null.  Used by passes that need to identify jump targets.
+export function extractLabel(op) {
+  if (op && typeof op === "object" && op.type === "label") return op.label;
+  return null;
+}
+
+// Walk bc, call transform() for every function body, and reassemble the output.
+//
+// For each function entry label the scanner collects all instructions up to the
+// next entry label (or end-of-bytecode) into fnInstrs and passes them to
+// transform() along with the function's fnId.
+//
+// The transform callback returns:
+//   instrs — the (possibly rewritten) function body to emit in place of fnInstrs
+//   tail   — optional bytecode to append AFTER all function bodies
+//             (e.g. template-compiled decode closures)
+//
+// Instructions that appear before any entry label (the top-level preamble) are
+// passed through unchanged.
+export function forEachFunction(bc, compiler, transform) {
+  const entryLabels = new Set(compiler.fnDescriptors.map(d => d.entryLabel));
+  const entryLabelToFnId = new Map(compiler.fnDescriptors.map(d => [d.entryLabel, d._fnIdx]));
+  const result = [];
+  const tails = [];
+  let i = 0;
+  while (i < bc.length) {
+    const instr = bc[i];
+    const [op, operand0] = instr;
+    const isEntryLabel = op === null && operand0?.type === "defineLabel" && entryLabels.has(operand0.label);
+    if (!isEntryLabel) {
+      result.push(instr);
+      i++;
+      continue;
+    }
+    const entryLabel = operand0.label;
+    const fnId = entryLabelToFnId.get(entryLabel);
+    i++; // step past the defineLabel itself
+
+    const fnInstrs = [];
+    while (i < bc.length) {
+      const next = bc[i];
+      const [nextOp, nextOp0] = next;
+      if (nextOp === null && nextOp0?.type === "defineLabel" && entryLabels.has(nextOp0.label)) break;
+      fnInstrs.push(next);
+      i++;
+    }
+    result.push(instr); // emit the entry defineLabel
+    const {
+      instrs,
+      tail
+    } = transform(fnInstrs, fnId);
+    result.push(...instrs);
+    if (tail && tail.length > 0) tails.push(tail);
+  }
+  for (const tail of tails) {
+    result.push(...tail);
+  }
+  return {
+    bytecode: result
+  };
+}

package/dist/utils/profile-utils.js

@@ -0,0 +1,3 @@
+export function now() {
+  return performance?.now() || Date.now();
+}

package/index.ts

@@ -7,32 +7,37 @@ async function main() {
 
   const { code: orginalOutput } = await JsConfuserVM.obfuscate(sourceCode, {});
 
-  const { code: output } = await JsConfuserVM.obfuscate(sourceCode, {
+  const result = await JsConfuserVM.obfuscate(sourceCode, {
     target: "browser", // or "node"
-    randomizeOpcodes: true, // randomize the opcode numbers?
-    shuffleOpcodes: true, // shuffle order of opcode handlers in the runtime?
-    encodeBytecode: true, // encode the bytecode array?
-    concealConstants: true, // conceal strings and integers in the constant pool?
-    dispatcher: true, // create middleman blocks to process jumps?
-    selfModifying: true, // do self-modifying bytecode for function bodies?
-    macroOpcodes: true, // create combined opcodes for repeated instruction sequences?
-    microOpcodes: true, // break opcodes into sub-opcodes?
-    specializedOpcodes: true, // create specialized opcodes for commonly used opcode+operand pairs?
-    aliasedOpcodes: true, // create duplicate opcodes for commonly used opcodes?
-    timingChecks: true, // add timing checks to detect debuggers?
-    minify: true, // pass final output through Google Closure Compiler? (Renames VM class properties)
+    // randomizeOpcodes: true, // randomize the opcode numbers?
+    // shuffleOpcodes: true, // shuffle order of opcode handlers in the runtime?
+    // encodeBytecode: true, // encode the bytecode array?
+    // concealConstants: true, // conceal strings and integers in the constant pool?
+    // dispatcher: true, // create middleman blocks to process jumps?
+    // selfModifying: true, // do self-modifying bytecode for function bodies?
+    // macroOpcodes: true, // create combined opcodes for repeated instruction sequences?
+    // specializedOpcodes: true, // create specialized opcodes for commonly used opcode+operand pairs?
+    // aliasedOpcodes: true, // create duplicate opcodes for commonly used opcodes?
+    // timingChecks: true, // add timing checks to detect debuggers?
+    // minify: true, // pass final output through Google Closure Compiler? (Renames VM class properties)
+    controlFlowFlattening: true,
+    // stringConcealing: true,
+    verbose: true,
+    // classObfuscation: true,
   });
 
   writeFileSync("output.original.js", orginalOutput, "utf-8");
-  writeFileSync("output.js", output, "utf-8");
+  writeFileSync("output.js", result.code, "utf-8");
+
+  console.log("Saved");
 
   // Eval the code like our test suite does
   var window = { TEST_OUTPUT: null };
-  eval(output);
+  eval(result.code);
   console.log(window.TEST_OUTPUT);
 
-  // Minify using Google Closure Compiler (optional)
-  // import("./minify.js");
+  delete result.code;
+  console.log(JSON.stringify(result));
 }
 
 main();

package/jest.config.js

@@ -6,7 +6,6 @@ const OPTIONS_MATRIX = [
   { displayName: "selfModifying", VM_OPTIONS: { selfModifying: true } },
   { displayName: "timingChecks", VM_OPTIONS: { timingChecks: true } },
   { displayName: "macroOpcodes", VM_OPTIONS: { macroOpcodes: true } },
-  { displayName: "microOpcodes", VM_OPTIONS: { microOpcodes: true } },
   {
     displayName: "specializedOpcodes",
     VM_OPTIONS: { specializedOpcodes: true },
@@ -23,6 +22,18 @@ const OPTIONS_MATRIX = [
     displayName: "dispatcher",
     VM_OPTIONS: { dispatcher: true },
   },
+  {
+    displayName: "controlFlowFlattening",
+    VM_OPTIONS: { controlFlowFlattening: true },
+  },
+  {
+    displayName: "stringConcealing",
+    VM_OPTIONS: { stringConcealing: true },
+  },
+  {
+    displayName: "classObfuscation",
+    VM_OPTIONS: { classObfuscation: true },
+  },
   {
     displayName: "all",
     VM_OPTIONS: {
@@ -32,11 +43,12 @@ const OPTIONS_MATRIX = [
       selfModifying: true,
       timingChecks: true,
       macroOpcodes: true,
-      microOpcodes: true,
       specializedOpcodes: true,
       aliasedOpcodes: true,
       concealConstants: true,
       dispatcher: true,
+      stringConcealing: true,
+      classObfuscation: true,
     },
   },
 ];

package/output.disassembled.js

@@ -0,0 +1,41 @@
+// fn_0_0:
+  r1 = 969
+  r2 = r1
+// while_top_5:
+  r3 = 4439
+  r4 = r2 !== r3
+  if (!r4) goto: while_exit_6
+  r5 = 969
+  r6 = r2 === r5
+  if (!r6) goto: if_else_7
+  goto: cff_block_2
+// if_else_7:
+  r7 = 1317
+  r8 = r2 === r7
+  if (!r8) goto: if_else_8
+  goto: cff_block_3
+// if_else_8:
+  r9 = 58894
+  r10 = r2 === r9
+  if (!r10) goto: if_else_9
+  goto: if_else_1
+// if_else_9:
+  goto: while_top_5
+// while_exit_6:
+// cff_block_3:
+  r11 = "Hello World"
+  r0 = r11
+  r2 = 58894
+  goto: while_top_5
+// if_else_1:
+  r11 = undefined
+  return r11
+// cff_block_2:
+  r0 = undefined
+  r11 = true
+  if (r11) goto: cff_skip_10
+  r2 = 58894
+  goto: while_top_5
+// cff_skip_10:
+  r2 = 1317
+  goto: while_top_5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "js-confuser-vm",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "main": "dist/index.js",
   "scripts": {
     "build": "babel src --out-dir dist --extensions \".ts,.js\"",
@@ -36,6 +36,7 @@
     "@babel/core": "^7.29.0",
     "@babel/preset-env": "^7.29.0",
     "@babel/preset-typescript": "^7.28.5",
+    "@types/jest": "^30.0.0",
     "@types/node": "^25.3.0",
     "babel-plugin-module-resolver": "^5.0.2",
     "babel-plugin-replace-import-extension": "^1.1.5",