js-confuser 1.5.6 → 1.5.8

package/src/transforms/string/stringConcealing.ts

@@ -6,22 +6,18 @@ import { isDirective } from "../../util/compare";
 import {
   ArrayExpression,
   CallExpression,
-  ConditionalExpression,
-  FunctionDeclaration,
   FunctionExpression,
   Identifier,
-  IfStatement,
   Literal,
   MemberExpression,
   Node,
-  ReturnStatement,
-  SequenceExpression,
+  ObjectExpression,
+  Property,
   ThisExpression,
-  UpdateExpression,
   VariableDeclaration,
   VariableDeclarator,
 } from "../../util/gen";
-import { append, isLexContext, isVarContext, prepend } from "../../util/insert";
+import { append, prepend } from "../../util/insert";
 import { choice, getRandomInteger, getRandomString } from "../../util/random";
 import Transform from "../transform";
 import Encoding from "./encoding";
@@ -65,6 +61,7 @@ export default class StringConcealing extends Transform {
   ignore = new Set<string>();
   variablesMade = 1;
   encoding: { [type: string]: string } = Object.create(null);
+  gen: ReturnType<Transform["getGenerator"]>;
 
   hasAllEncodings: boolean;
 
@@ -75,11 +72,12 @@ export default class StringConcealing extends Transform {
     this.index = Object.create(null);
     this.arrayExpression = ArrayExpression([]);
     this.hasAllEncodings = false;
+    this.gen = this.getGenerator();
 
     // Pad array with useless strings
-    var dead = getRandomInteger(4, 10);
+    var dead = getRandomInteger(5, 15);
     for (var i = 0; i < dead; i++) {
-      var str = getRandomString(getRandomInteger(4, 20));
+      var str = getRandomString(getRandomInteger(5, 40));
       var fn = this.transform(Literal(str), []);
       if (fn) {
         fn();
@@ -134,7 +132,7 @@ export default class StringConcealing extends Transform {
                   VariableDeclarator("a", this.arrayExpression)
                 ),
                 Template(
-                  `return (${flowIntegrity} ? a.pop() : ${flowIntegrity}++, a)`
+                  `return (${flowIntegrity} ? a["pop"]() : ${flowIntegrity}++, a)`
                 ).single(),
               ]
             ),
@@ -159,7 +157,11 @@ export default class StringConcealing extends Transform {
   transform(object: Node, parents: Node[]) {
     return () => {
       // Empty strings are discarded
-      if (!object.value || this.ignore.has(object.value)) {
+      if (
+        !object.value ||
+        this.ignore.has(object.value) ||
+        object.value.length == 0
+      ) {
         return;
       }
 
@@ -188,69 +190,131 @@ export default class StringConcealing extends Transform {
       var encoded = encoder.encode(object.value);
       if (encoder.decode(encoded) != object.value) {
         this.ignore.add(object.value);
-        this.warn(object.value.slice(0, 100));
+        this.warn(type, object.value.slice(0, 100));
         return;
       }
 
-      // Fix 1. weird undefined error
-      if (object.value && object.value.length > 0) {
-        var index = -1;
-        if (!this.set.has(object.value)) {
-          this.arrayExpression.elements.push(Literal(encoded));
-          index = this.arrayExpression.elements.length - 1;
-          this.index[object.value] = [index, fnName];
+      var index = -1;
+      if (!this.set.has(object.value)) {
+        this.arrayExpression.elements.push(Literal(encoded));
+        index = this.arrayExpression.elements.length - 1;
+        this.index[object.value] = [index, fnName];
 
-          this.set.add(object.value);
-        } else {
-          [index, fnName] = this.index[object.value];
-          ok(typeof index === "number");
-        }
+        this.set.add(object.value);
+      } else {
+        [index, fnName] = this.index[object.value];
+        ok(typeof index === "number");
+      }
 
-        ok(index != -1, "index == -1");
+      ok(index != -1, "index == -1");
 
-        var callExpr = CallExpression(Identifier(fnName), [Literal(index)]);
+      var callExpr = CallExpression(Identifier(fnName), [Literal(index)]);
 
-        // use `.apply` to fool automated de-obfuscators
-        if (Math.random() > 0.5) {
-          callExpr = CallExpression(
-            MemberExpression(Identifier(fnName), Identifier("apply"), false),
-            [ThisExpression(), ArrayExpression([Literal(index)])]
-          );
-        }
+      // use `.apply` to fool automated de-obfuscators
+      if (Math.random() > 0.5) {
+        callExpr = CallExpression(
+          MemberExpression(Identifier(fnName), Identifier("apply"), false),
+          [ThisExpression(), ArrayExpression([Literal(index)])]
+        );
+      }
+
+      // use `.call`
+      else if (Math.random() > 0.5) {
+        callExpr = CallExpression(
+          MemberExpression(Identifier(fnName), Identifier("call"), false),
+          [ThisExpression(), Literal(index)]
+        );
+      }
+
+      var referenceType = "call";
+      if (parents.length && Math.random() < 0.5 / this.variablesMade) {
+        referenceType = "constantReference";
+      }
+
+      var newExpr: Node = callExpr;
+
+      if (referenceType === "constantReference") {
+        // Define the string earlier, reference the name here
+        this.variablesMade++;
 
-        // use `.call`
-        else if (Math.random() > 0.5) {
-          callExpr = CallExpression(
-            MemberExpression(Identifier(fnName), Identifier("call"), false),
-            [ThisExpression(), Literal(index)]
-          );
+        var constantReferenceType = choice(["variable", "array", "object"]);
+
+        var place = choice(parents.filter((node) => isBlock(node)));
+        if (!place) {
+          this.error(new Error("No lexical block to insert code"));
         }
 
-        var constantReference =
-          parents.length && Math.random() > 0.5 / this.variablesMade;
+        switch (constantReferenceType) {
+          case "variable":
+            var name = this.getPlaceholder();
+
+            prepend(
+              place,
+              VariableDeclaration(VariableDeclarator(name, callExpr))
+            );
+
+            newExpr = Identifier(name);
+            break;
+          case "array":
+            if (!place.$stringConcealingArray) {
+              place.$stringConcealingArray = ArrayExpression([]);
+              place.$stringConcealingArrayName = this.getPlaceholder();
 
-        if (constantReference) {
-          // Define the string earlier, reference the name here
+              prepend(
+                place,
+                VariableDeclaration(
+                  VariableDeclarator(
+                    place.$stringConcealingArrayName,
+                    place.$stringConcealingArray
+                  )
+                )
+              );
+            }
 
-          var name = this.getPlaceholder();
+            var arrayIndex = place.$stringConcealingArray.elements.length;
 
-          var place = choice(parents.filter((node) => isBlock(node)));
-          if (!place) {
-            this.error(Error("No lexical block to insert code"));
-          }
+            place.$stringConcealingArray.elements.push(callExpr);
 
-          place.body.unshift(
-            VariableDeclaration(VariableDeclarator(name, callExpr))
-          );
+            var memberExpression = MemberExpression(
+              Identifier(place.$stringConcealingArrayName),
+              Literal(arrayIndex),
+              true
+            );
 
-          this.replaceIdentifierOrLiteral(object, Identifier(name), parents);
+            newExpr = memberExpression;
+            break;
+          case "object":
+            if (!place.$stringConcealingObject) {
+              place.$stringConcealingObject = ObjectExpression([]);
+              place.$stringConcealingObjectName = this.getPlaceholder();
 
-          this.variablesMade++;
-        } else {
-          // Direct call to the getter function
-          this.replaceIdentifierOrLiteral(object, callExpr, parents);
+              prepend(
+                place,
+                VariableDeclaration(
+                  VariableDeclarator(
+                    place.$stringConcealingObjectName,
+                    place.$stringConcealingObject
+                  )
+                )
+              );
+            }
+
+            var propName = this.gen.generate();
+            var property = Property(Literal(propName), callExpr, true);
+            place.$stringConcealingObject.properties.push(property);
+
+            var memberExpression = MemberExpression(
+              Identifier(place.$stringConcealingObjectName),
+              Literal(propName),
+              true
+            );
+
+            newExpr = memberExpression;
+            break;
         }
       }
+
+      this.replaceIdentifierOrLiteral(object, newExpr, parents);
     };
   }
 }

package/src/transforms/transform.ts

@@ -407,7 +407,7 @@ export default class Transform {
   }
 
   /**
-   * Verbose logging for warning/importing messages.
+   * Verbose logging for warning/important messages.
    * @param messages
    */
   warn(...messages: any[]) {

package/test/transforms/controlFlowFlattening/controlFlowFlattening.test.ts

@@ -672,3 +672,39 @@ test("Variant #20: Don't apply when functions are redefined", async () => {
   eval(output);
   expect(TEST_ARRAY).toStrictEqual([0, 0, 0]);
 });
+
+// https://github.com/MichaelXF/js-confuser/issues/70
+test("Variant #21: Don't move Import Declarations", async () => {
+  var output = await JsConfuser(
+    `
+    import {createHash} from "crypto";
+    var inputString = "Hash this string";
+    var hashed = createHash("sha256").update(inputString).digest("hex");
+    TEST_OUTPUT = hashed;
+  `,
+    {
+      target: "node",
+      controlFlowFlattening: true,
+    }
+  );
+
+  // Ensure Control Flow FLattening was applied
+  expect(output).toContain("switch");
+
+  // Ensure the import declaration wasn't moved
+  expect(output.startsWith("import")).toStrictEqual(true);
+
+  // Convert to runnable code
+  output = output.replace(
+    `import{createHash}from'crypto';`,
+    "const {createHash}=require('crypto');"
+  );
+
+  var TEST_OUTPUT = "";
+
+  eval(output);
+
+  expect(TEST_OUTPUT).toStrictEqual(
+    "1cac63f39fd68d8c531f27b807610fb3d50f0fc3f186995767fb6316e7200a3e"
+  );
+});

package/test/transforms/identifier/nameRecycling.test.ts

@@ -164,3 +164,42 @@ it("should convert variable declarations in for loop initializers properly", asy
   expect(TEST_VAR_1).toStrictEqual("Hello World");
   expect(TEST_VAR_2).toStrictEqual("Number: 0");
 });
+
+// https://github.com/MichaelXF/js-confuser/issues/68
+it("should work on Function Declarations that are defined later in the code", async () => {
+  var output = await JsConfuser(
+    `
+  var result = MyFunction();
+  TEST_VAR = result;
+  
+  function MyFunction(b) {
+    return "Hello World";
+  }
+  `,
+    { target: "node", nameRecycling: true }
+  );
+
+  var TEST_VAR;
+  eval(output);
+
+  expect(TEST_VAR).toStrictEqual("Hello World");
+});
+
+// https://github.com/MichaelXF/js-confuser/issues/71
+it("should work on Import Declarations", async () => {
+  var output = await JsConfuser(
+    `
+  import crypto from 'node:crypto'
+
+  var x = 1;
+  
+  console.log(x);
+  `,
+    {
+      target: "node",
+      nameRecycling: true,
+    }
+  );
+
+  expect(output).not.toContain("crypto=");
+});

package/test/transforms/identifier/renameVariables.test.ts

@@ -436,3 +436,41 @@ test("Variant #18: Catch parameter and lexical variable clash", async () => {
 
   eval(output);
 });
+
+// https://github.com/MichaelXF/js-confuser/issues/69
+test("Variant #19: Don't break Import Declarations", async () => {
+  var output = await JsConfuser(
+    `
+  import { createHash } from 'node:crypto'
+
+  function sha256(content) {  
+    return createHash('sha256').update(content).digest('hex')
+  }
+
+  TEST_OUTPUT = sha256("Hash this string");
+  `,
+    {
+      target: "node",
+      renameVariables: true,
+    }
+  );
+
+  // Ensure the createHash got renamed
+  expect(output).toContain("createHash as ");
+
+  // Convert to runnable code
+  // This smartly changes the `import` statement to a require call, keeping the new variable name intact
+  var newVarName = output.split("createHash as ")[1].split("}")[0];
+  output = output
+    .split(";")
+    .filter((s) => !s.startsWith("import"))
+    .join(";");
+  output = `var {createHash: ${newVarName}}=require('crypto');` + output;
+
+  var TEST_OUTPUT;
+  eval(output);
+
+  expect(TEST_OUTPUT).toStrictEqual(
+    "1cac63f39fd68d8c531f27b807610fb3d50f0fc3f186995767fb6316e7200a3e"
+  );
+});

package/test/transforms/lock/countermeasures.test.ts

@@ -80,3 +80,21 @@ test("Variant #4: Should work when countermeasures is variable declaration", asy
     }
   );
 });
+
+// https://github.com/MichaelXF/js-confuser/issues/66
+test("Variant #5: Should work with RGF enabled", async () => {
+  await JsConfuser.obfuscate(
+    `
+  function myCountermeasuresFunction(){
+
+  }
+  `,
+    {
+      target: "node",
+      lock: {
+        countermeasures: "myCountermeasuresFunction",
+      },
+      rgf: true,
+    }
+  );
+});

package/test/transforms/rgf.test.ts

@@ -251,6 +251,43 @@ input(console.log, result)
     eval(output);
     expect(TEST_VALUE).toStrictEqual("undefined");
   });
+
+  it("should not apply to functions that reference their parent scope in the parameters", async () => {
+    var output = await JsConfuser.obfuscate(
+      `
+      var outsideVar = 0;
+      function myFunction(insideVar = outsideVar){
+      }
+      `,
+      {
+        target: "node",
+        rgf: true,
+      }
+    );
+
+    expect(output).not.toContain("new Function");
+  });
+
+  it("should not apply to functions that reference their parent scope in previously defined names", async () => {
+    var output = await JsConfuser.obfuscate(
+      `
+      var outsideVar = 0;
+      function myFunction(){
+        (function (){
+          var outsideVar;
+        })();
+
+        console.log(outsideVar);
+      }
+      `,
+      {
+        target: "node",
+        rgf: true,
+      }
+    );
+
+    expect(output).not.toContain("new Function");
+  });
 });
 
 describe("RGF with the 'all' mode", () => {