js-confuser-vm 0.1.1 → 0.1.2

package/dist/transforms/bytecode/stringConcealing.js

@@ -1,110 +1,288 @@
 // String Concealing
 //
-// Encodes every string constant in each function with base64, then inserts a
-// decode closure (atob) that is called immediately after each LOAD_CONST to
-// recover the original value at runtime.
+// Replaces every string constant with a slice into a single shared "string
+// bank" that is decoded at runtime with a position-dependent keystream cipher.
 //
-// ── How it works ─────────────────────────────────────────────────────────────
+// ── Why a bank ───────────────────────────────────────────────────────────────
+// Previously each string was its own encoded constant, so the encoded length
+// leaked the plaintext length (an attacker could map by length + frequency).
+// Here every string is concatenated into ONE opaque blob padded with random
+// decoy bytes, so individual boundaries and lengths are no longer visible from
+// static inspection of the constant pool.
 //
-// Each function that contains at least one string LOAD_CONST gets:
+//   bank = [100‑250 decoys] str0 [0‑5 decoys] str1 [0‑5 decoys] … [100‑250 decoys]
 //
-//   rClosure — a register holding the decode closure, created ONCE at function
-//              entry (hoisted).  All decode calls within the function reuse it.
+// Each original string is referenced by the triple (key, start, length).
 //
-// The decode function is compiled ONCE (shared across all functions) from a
-// Template:
+// ── Cipher ───────────────────────────────────────────────────────────────────
+// A Weyl-sequence keystream (golden-ratio increment + xorshift mix) produces a
+// fresh 16-bit keyword per character, XOR'd against the char code:
 //
-//   function decode(encoded) { return atob(encoded); }
+//   key = (key + 0x9e3779b9) | 0          // 32-bit Weyl step
+//   ks  = (key ^ (key >>> 13)) & 0xffff   // 16-bit keystream word
+//   enc = charCode ^ ks                   // XOR (self-inverse)
 //
-// String constant transformations:
+// XOR over the full 16-bit range means EVERY UTF-16 code unit round-trips,
+// including control characters, newlines and non-ASCII / astral text. The
+// per-string key is a full 32-bit seed (2^32 keyspace) so the encoding is not
+// trivially enumerable.
 //
-//   Original:  LOAD_CONST  rDst, "hello"
-//   Becomes:   LOAD_CONST  rDst, "aGVsbG8="        (base64-encoded)
-//              CALL        rDst, rClosure, 1, rDst  (decode in-place)
+// ── Transport / storage ──────────────────────────────────────────────────────
+// The encoded bank is full-range u16, which would serialise as a wall of CJK /
+// control glyphs. Instead it is packed as u16-LE bytes and base64-encoded, so
+// the stored constant is pure ASCII (and smaller on disk than the raw glyphs).
+//
+// ── Runtime shape — PROGRAM-LEVEL bank ───────────────────────────────────────
+// The bank is inflated EXACTLY ONCE, in the program's main scope, into a plain
+// main-scope register (NOT a global — nothing is written to globalThis). That
+// register is shared with the functions that need it through the VM's ordinary
+// upvalue mechanism: an extra upvalue is threaded down the closure-creation tree
+// to every string-using function and its ancestors. Each string-using function
+// reads the already-inflated bank from that upvalue and passes it to a small
+// per-function `decode` closure (decode itself is function-level — cheap):
+//
+//   main:               MAKE_CLOSURE rInflate
+//                       LOAD_CONST   rB64, <base64 bank>
+//                       CALL         rBankMain, rInflate, 1, rB64   (once)
+//   string-using fn:    LOAD_UPVALUE rBank, <threaded idx>
+//                       MAKE_CLOSURE rDecode
+//   per site:           LOAD_INT     rKey/rStart/rLen
+//                       CALL         rDst, rDecode, 4, rBank, rKey, rStart, rLen
 //
 // ── Pipeline position ─────────────────────────────────────────────────────────
-// Runs BEFORE resolveRegisters and resolveLabels (same slot as Dispatcher/CFF).
+// Runs BEFORE resolveRegisters and resolveLabels (same slot as Dispatcher/CFF),
+// and FIRST among the bytecode passes so each FnDescriptor.upvalues count is
+// still pristine (used to pick the threaded upvalue index).
 
 import { Template } from "../../template.js";
 import * as b from "../../types.js";
 import { ref, buildMaxIdMap, allocReg, forEachFunction } from "../../utils/pass-utils.js";
+import { getRandomInt } from "../../utils/random-utils.js";
+import { U32_MAX } from "../../utils/op-utils.js";
 
-// ── Per-function transformation ──────────────────────────────────────────────
-
-function processFunctionBlock(instrs, fnId, compiler, maxId, decodeDesc) {
-  const OP = compiler.OP;
-
-  // Only transform functions that contain string constants.
-  const hasStringConst = instrs.some(instr => {
-    if (instr[0] !== OP.LOAD_CONST) return false;
-    const operands = instr.slice(1);
-    return operands.length === 2 && operands[1]?.type === "constant" && typeof operands[1].value === "string";
-  });
-  if (!hasStringConst) return {
-    instrs
-  };
-  const rClosure = allocReg(fnId, maxId);
-  const out = [];
-
-  // Hoist: create the decode closure once at function entry.
-  out.push([OP.MAKE_CLOSURE, ref(rClosure), {
-    type: "label",
-    label: decodeDesc.entryLabel
-  }, decodeDesc.paramCount,
-  // 1 (encoded)
-  b.fnRegCountOperand(decodeDesc._fnIdx), 0,
-  // no upvalues
-  0 // hasRest = false
-  ]);
-
-  // Transform each instruction.
-  for (const instr of instrs) {
-    if (instr[0] === OP.LOAD_CONST && instr.length === 3 && instr[2]?.type === "constant" && typeof instr[2].value === "string") {
-      const dst = instr[1];
-      const constOp = instr[2];
+// ── Cipher ────────────────────────────────────────────────────────────────────
+// Encode mirrors the runtime decode EXACTLY (see the decode template). XOR is
+// self-inverse. `key` must be the raw (unmasked) seed emitted as the LOAD_INT
+// operand, so both sides begin the Weyl sequence from the same integer.
+function xorEncode(str, key) {
+  let k = key;
+  let out = "";
+  for (let i = 0; i < str.length; i++) {
+    k = k + 0x9e3779b9 | 0;
+    const ks = (k ^ k >>> 13) & 0xffff;
+    out += String.fromCharCode(str.charCodeAt(i) ^ ks);
+  }
+  return out;
+}
 
-      // Encode the string in-place.
-      constOp.value = Buffer.from(constOp.value, "utf-8").toString("base64");
-      out.push(instr);
+// Random decoy run, full 16-bit range so decoys look like encoded payload.
+function decoyRun(count) {
+  let out = "";
+  for (let i = 0; i < count; i++) out += String.fromCharCode(getRandomInt(0, 0xffff));
+  return out;
+}
 
-      // Decode: rDst = decode(rDst)
-      out.push([OP.CALL, ref(dst),
-      // dst — receives decoded string
-      ref(rClosure),
-      // the hoisted decode closure
-      1,
-      // argc
-      ref(dst) // arg[0] = encoded value
-      ]);
-    } else {
-      out.push(instr);
-    }
+// Pack the u16 bank as little-endian bytes and base64-encode (ASCII, compact).
+// Mirrored at runtime by the inflate template: byte[2i] = low, byte[2i+1] = high.
+function bankToBase64(bank) {
+  const bytes = new Uint8Array(bank.length * 2);
+  for (let i = 0; i < bank.length; i++) {
+    const c = bank.charCodeAt(i);
+    bytes[i * 2] = c & 0xff;
+    bytes[i * 2 + 1] = c >> 8 & 0xff;
   }
+  return Buffer.from(bytes).toString("base64");
+}
+function buildBank(strings) {
+  const parts = [];
+  const table = new Map();
+  let pos = 0;
+  const lead = decoyRun(getRandomInt(100, 250)); // leading decoys
+  parts.push(lead);
+  pos += lead.length;
+  for (const str of strings) {
+    const gap = decoyRun(getRandomInt(0, 5)); // 0‑5 decoys between strings
+    parts.push(gap);
+    pos += gap.length;
+    const key = getRandomInt(1, U32_MAX);
+    const encoded = xorEncode(str, key);
+    table.set(str, {
+      key,
+      start: pos,
+      length: str.length
+    });
+    parts.push(encoded);
+    pos += encoded.length;
+  }
+  parts.push(decoyRun(getRandomInt(100, 250))); // trailing decoys
   return {
-    instrs: out
+    bank: parts.join(""),
+    table
   };
 }
+function isStringLoadConst(instr, OP) {
+  return instr[0] === OP.LOAD_CONST && instr.length === 3 && instr[2]?.type === "constant" && typeof instr[2].value === "string";
+}
 
 // ── Pass entry point ──────────────────────────────────────────────────────────
 export function stringConcealing(bc, compiler) {
+  const OP = compiler.OP;
+  const mainId = compiler.mainFn._fnIdx;
+  const entryLabelToFnId = new Map(compiler.fnDescriptors.map(d => [d.entryLabel, d._fnIdx]));
+  const entryLabels = new Set(entryLabelToFnId.keys());
+
+  // ── Prescan: collect strings + closure-creation graph ───────────────────────
+  // directUser  — functions that contain a string LOAD_CONST.
+  // parentOf    — childFnId → creating (lexical parent) fnId.
+  const strings = new Set();
+  const directUser = new Set();
+  const parentOf = new Map();
+  let curFn = -1;
+  for (const instr of bc) {
+    if (instr[0] === null && instr[1]?.type === "defineLabel" && entryLabels.has(instr[1].label)) {
+      curFn = entryLabelToFnId.get(instr[1].label);
+      continue;
+    }
+    if (curFn < 0) continue;
+    if (isStringLoadConst(instr, OP)) {
+      strings.add(instr[2].value);
+      directUser.add(curFn);
+    } else if (instr[0] === OP.MAKE_CLOSURE) {
+      const childId = entryLabelToFnId.get(instr[2]?.label);
+      if (childId !== undefined) parentOf.set(childId, curFn);
+    }
+  }
+  if (strings.size === 0) return {
+    bytecode: bc
+  };
+
+  // ── needSet = string users ∪ all their ancestors (so the upvalue can be
+  // threaded down to them). Walking each user to the root adds every ancestor. ──
+  const needSet = new Set();
+  for (const u of directUser) {
+    let p = u;
+    while (p !== undefined && !needSet.has(p)) {
+      needSet.add(p);
+      p = parentOf.get(p);
+    }
+  }
+
+  // Threaded upvalue index per function = its ORIGINAL upvalue count (appended
+  // last). main holds the bank as a local, so it has no threaded index.
+  const bankUvIndex = new Map();
+  for (const f of needSet) {
+    if (f === mainId) continue;
+    bankUvIndex.set(f, compiler.fnDescriptors[f]?.upvalues?.length ?? 0);
+  }
   const maxId = buildMaxIdMap(bc);
+  const rBankMain = allocReg(mainId, maxId); // program-level inflated bank
+  const {
+    bank,
+    table
+  } = buildBank(strings);
+  const bankB64 = bankToBase64(bank);
 
-  // Compile the decode function ONCE — all functions share the same closure body.
-  const decodeTemplate = new Template(`
-    function decode(encoded) {
-      return atob(encoded);
+  // Helper closures, compiled once and shared by reference.
+  //   inflate(b64)                  → reconstruct the u16 bank from base64
+  //   decode(bank, key, start, len) → slice + keystream-decrypt one string
+  const helpers = new Template(`
+    function inflate(s) {
+      var bytes = atob(s);
+      var out = "";
+      for (var i = 0; i < bytes["length"]; i += 2) {
+        out += String["fromCharCode"](
+          bytes["charCodeAt"](i) | (bytes["charCodeAt"](i + 1) << 8)
+        );
+      }
+      return out;
+    }
+    function decode(bank, key, start, length) {
+      var result = "";
+      for (var i = 0; i < length; i++) {
+        key = (key + 0x9e3779b9) | 0;
+        var ks = (key ^ (key >>> 13)) & 0xffff;
+        result += String["fromCharCode"](bank["charCodeAt"](start + i) ^ ks);
+      }
+      return result;
     }
   `).compile({}, compiler);
-  const decodeDesc = decodeTemplate.functions[0];
+  const [inflateDesc, decodeDesc] = helpers.functions;
+  const mkClosure = (dst, desc, params) => [OP.MAKE_CLOSURE, ref(dst), {
+    type: "label",
+    label: desc.entryLabel
+  }, params, b.fnRegCountOperand(desc._fnIdx), 0,
+  // upvalue count
+  0 // hasRest
+  ];
   const {
     bytecode
-  } = forEachFunction(bc, compiler, (fnInstrs, fnId) => processFunctionBlock(fnInstrs, fnId, compiler, maxId, decodeDesc));
+  } = forEachFunction(bc, compiler, (fnInstrs, fnId) => {
+    if (!needSet.has(fnId)) return {
+      instrs: fnInstrs
+    };
+    const isMain = fnId === mainId;
+    const usesStrings = directUser.has(fnId);
+
+    // Bank source for closures created in THIS frame: main captures its local,
+    // every other frame inherits its own threaded upvalue.
+    const childUpvalue = isMain ? [1, ref(rBankMain)] : [0, bankUvIndex.get(fnId)];
+    const prologue = [];
+    let rBank = null;
+    let rDecode = null;
+    let rKey, rStart, rLen;
+    if (isMain) {
+      const rInflate = allocReg(fnId, maxId);
+      const rB64 = allocReg(fnId, maxId);
+      prologue.push(mkClosure(rInflate, inflateDesc, 1));
+      prologue.push([OP.LOAD_CONST, ref(rB64), b.constantOperand(bankB64)]);
+      prologue.push([OP.CALL, ref(rBankMain), ref(rInflate), 1, ref(rB64)]);
+      rBank = rBankMain;
+    } else if (usesStrings) {
+      rBank = allocReg(fnId, maxId);
+      prologue.push([OP.LOAD_UPVALUE, ref(rBank), bankUvIndex.get(fnId)]);
+    }
+    if (usesStrings) {
+      rDecode = allocReg(fnId, maxId);
+      prologue.push(mkClosure(rDecode, decodeDesc, 4));
+      rKey = allocReg(fnId, maxId);
+      rStart = allocReg(fnId, maxId);
+      rLen = allocReg(fnId, maxId);
+    }
+    const out = [...prologue];
+    for (const instr of fnInstrs) {
+      // Thread the bank upvalue into every closure this frame creates that
+      // needs it (string users + ancestors).
+      if (instr[0] === OP.MAKE_CLOSURE) {
+        const childId = entryLabelToFnId.get(instr[2]?.label);
+        if (childId !== undefined && needSet.has(childId)) {
+          instr[5] = instr[5] + 1; // bump uvCount
+          instr.push(childUpvalue[0], childUpvalue[1]);
+        }
+        out.push(instr);
+        continue;
+      }
+      if (usesStrings && isStringLoadConst(instr, OP)) {
+        const dst = instr[1];
+        const entry = table.get(instr[2].value);
+        out.push([OP.LOAD_INT, ref(rKey), entry.key]);
+        out.push([OP.LOAD_INT, ref(rStart), entry.start]);
+        out.push([OP.LOAD_INT, ref(rLen), entry.length]);
+        out.push([OP.CALL, ref(dst), ref(rDecode), 4, ref(rBank), ref(rKey), ref(rStart), ref(rLen)]);
+        continue;
+      }
+      out.push(instr);
+    }
+    return {
+      instrs: out
+    };
+  });
 
-  // Append the decode function's bytecode at the end (defines its entryLabel).
-  // This is a single shared closure, not per-function, so it lives outside
-  // forEachFunction's tail mechanism.
-  bytecode.push(...decodeTemplate.bytecode);
+  // Append the helper functions' bytecode (defines their entryLabels).
+  bytecode.push(...helpers.bytecode);
   return {
     bytecode
   };
-}
+}
+
+// [isLocal flag, upvalue source] — RegisterOperand when capturing a local,
+// plain number when inheriting a parent upvalue.

package/dist/utils/ast-utils.js

@@ -1,5 +1,66 @@
 import traverseImport from "@babel/traverse";
 const traverse = traverseImport.default || traverseImport;
+
+// Recursively visits every statement reachable from `stmts` within the current
+// function scope — traversing into blocks, if branches, loop bodies, switch
+// cases, try/catch/finally, and labeled statements — but never crossing into
+// nested FunctionDeclaration/FunctionExpression bodies (those are separate scopes).
+//
+// `visit` is called for each statement before its children are traversed.
+// ForStatement init and ForInStatement left VariableDeclarations are also
+// passed to `visit` so callers don't need to special-case them.
+export function walkHoistScope(stmts, visit) {
+  for (const stmt of stmts) {
+    visit(stmt);
+    switch (stmt.type) {
+      case "BlockStatement":
+        walkHoistScope(stmt.body, visit);
+        break;
+      case "IfStatement":
+        {
+          const cons = stmt.consequent.type === "BlockStatement" ? stmt.consequent.body : [stmt.consequent];
+          walkHoistScope(cons, visit);
+          if (stmt.alternate) {
+            const alt = stmt.alternate.type === "BlockStatement" ? stmt.alternate.body : [stmt.alternate];
+            walkHoistScope(alt, visit);
+          }
+          break;
+        }
+      case "WhileStatement":
+      case "DoWhileStatement":
+        {
+          const body = stmt.body.type === "BlockStatement" ? stmt.body.body : [stmt.body];
+          walkHoistScope(body, visit);
+          break;
+        }
+      case "ForStatement":
+        {
+          if (stmt.init?.type === "VariableDeclaration") visit(stmt.init);
+          const body = stmt.body.type === "BlockStatement" ? stmt.body.body : [stmt.body];
+          walkHoistScope(body, visit);
+          break;
+        }
+      case "ForInStatement":
+        {
+          if (stmt.left.type === "VariableDeclaration") visit(stmt.left);
+          const body = stmt.body.type === "BlockStatement" ? stmt.body.body : [stmt.body];
+          walkHoistScope(body, visit);
+          break;
+        }
+      case "SwitchStatement":
+        for (const c of stmt.cases) walkHoistScope(c.consequent, visit);
+        break;
+      case "TryStatement":
+        walkHoistScope(stmt.block.body, visit);
+        if (stmt.handler) walkHoistScope(stmt.handler.body.body, visit);
+        if (stmt.finalizer) walkHoistScope(stmt.finalizer.body, visit);
+        break;
+      case "LabeledStatement":
+        walkHoistScope([stmt.body], visit);
+        break;
+    }
+  }
+}
 export function getSwitchStatement(ast) {
   let switchStatement = null;
   traverse(ast, {

package/dist/utils/op-utils.js

@@ -1,5 +1,6 @@
 import { getRandomInt } from "./random-utils.js";
 export const U16_MAX = 0xffff; // bytecode operands are u16
+export const U32_MAX = 0xffffffff; // max sentinel / operand value
 
 /** Returns the next free opcode slot, or -1 when the space is exhausted. */
 export function nextFreeSlot(compiler) {

package/package.json

@@ -1,7 +1,13 @@
 {
   "name": "js-confuser-vm",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "main": "dist/index.js",
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md",
+    "package.json"
+  ],
   "scripts": {
     "build": "babel src --out-dir dist --extensions \".ts,.js\"",
     "index": "cross-env NODE_OPTIONS=\"--disable-warning=ExperimentalWarning\" node index.ts",

package/.gitmodules

@@ -1,4 +0,0 @@
-[submodule "test262"]
-	path = test262
-	url = https://github.com/tc39/test262
-	branch = es5-tests

package/.prettierignore

@@ -1 +0,0 @@
-*.md