js-confuser 1.7.1 → 1.7.3

package/test/transforms/identifier/renameVariables.test.ts

@@ -509,7 +509,14 @@ test.each(["hexadecimal", "mangled", "number", "zeroWidth"])(
       `
   var myVar1 = "Correct Value";
 
-  TEST_OUTPUT = myVar1;
+  function myFunction(myVar2){
+      myVar2 = myVar1;
+      let myVar3 = myVar2;
+      var myVar4 = myVar3;
+      return myVar4;
+  }
+
+  TEST_OUTPUT = myFunction();
   `,
       {
         target: "node",
@@ -619,3 +626,70 @@ test("Variant #25: Reference catch parameter", async () => {
 
   expect(TEST_OUTPUT).toStrictEqual("Correct Value");
 });
+
+test("Variant #26: Transform __JS_CONFUSER_VAR__ to access variable mappings", async () => {
+  var output = await JsConfuser(
+    `
+  var myVar1 = "Incorrect Value";
+
+  function myFunction(){
+    var myVar1 = "Correct Value";
+    TEST_OUTPUT =  eval( __JS_CONFUSER_VAR__(myVar1) );
+  }
+  
+  myFunction();
+  `,
+    { target: "node", renameVariables: true }
+  );
+
+  expect(output).not.toContain("myVar1");
+  expect(output).not.toContain("__JS_CONFUSER_VAR__");
+
+  var TEST_OUTPUT;
+
+  eval(output);
+  expect(TEST_OUTPUT).toStrictEqual("Correct Value");
+});
+
+test("Variant #27: Transform __JS_CONFUSER_VAR__ even when Rename Variables is disabled", async () => {
+  var output = await JsConfuser(
+    `
+  var name = "John Doe";
+  TEST_OUTPUT = __JS_CONFUSER_VAR__(name);
+  `,
+    { target: "node", renameVariables: false }
+  );
+
+  expect(output).not.toContain("__JS_CONFUSER_VAR__");
+
+  var TEST_OUTPUT;
+
+  eval(output);
+  expect(TEST_OUTPUT).toStrictEqual("name");
+});
+
+test("Variant #28: Transform __JS_CONFUSER_VAR__ on High Preset", async () => {
+  var output = await JsConfuser(
+    `
+    function myFunction(){
+      var a
+      var b
+      var c
+
+      return "Correct Value"
+    }
+    TEST_OUTPUT = eval(__JS_CONFUSER_VAR__(myFunction) + "()");
+    `,
+    {
+      target: "node",
+      preset: "high",
+    }
+  );
+
+  expect(output).not.toContain("__JS_CONFUSER_VAR__");
+
+  var TEST_OUTPUT;
+  eval(output);
+
+  expect(TEST_OUTPUT).toStrictEqual("Correct Value");
+});

package/test/transforms/lock/tamperProtection.test.ts

@@ -0,0 +1,336 @@
+import JsConfuser from "../../../src/index";
+
+var _eval = eval;
+
+function evalInNonStrictMode(str: string) {
+  var TEST_OUTPUT;
+
+  function TEST_OUTPUT_SET(value) {
+    TEST_OUTPUT = value;
+  }
+
+  try {
+    // 'new Function' runs in non-strict mode
+    // The original 'eval' function is passed in each test
+    // This is because once 'eval' is changed, it is changed for all new Function() calls!
+    var fn = new Function("TEST_OUTPUT_SET", "eval", str);
+
+    fn(TEST_OUTPUT_SET, _eval);
+  } catch (err) {
+    return { error: err, TEST_OUTPUT: TEST_OUTPUT };
+  }
+
+  return { error: null, TEST_OUTPUT: TEST_OUTPUT };
+}
+
+describe("Global Concealing", () => {
+  test("Variant #1: Detect Eval tamper (no tamper)", async () => {
+    var code = `
+    global.TEST_GLOBAL_OUTPUT = global.TEST_GLOBAL;
+    `;
+
+    var output = await JsConfuser(code, {
+      target: "node",
+      globalConcealing: true,
+      lock: {
+        tamperProtection: true,
+      },
+    });
+
+    var TEST_GLOBAL = {};
+    (global as any).TEST_GLOBAL = TEST_GLOBAL;
+
+    evalInNonStrictMode(output);
+
+    // Make reuse global variable as 'new Function' runs in isolated environment
+    var TEST_OUTPUT = (global as any).TEST_GLOBAL_OUTPUT;
+
+    expect(TEST_OUTPUT).toStrictEqual(TEST_GLOBAL);
+  });
+
+  test("Variant #2: Detect Eval tamper (tampered)", async () => {
+    var code = `
+    function onTamperDetected(){
+      TEST_OUTPUT_SET(true);
+    }
+    global.TEST_GLOBAL_VARIANT_7_OUTPUT = global.TEST_GLOBAL_VARIANT_7;
+    `;
+
+    var output = await JsConfuser(code, {
+      target: "node",
+      globalConcealing: (varName) => varName != "TEST_OUTPUT_SET",
+      lock: {
+        tamperProtection: true,
+        countermeasures: "onTamperDetected",
+      },
+    });
+
+    // Inject 'eval' tamper code
+    output =
+      `var _eval = eval;
+       eval = (codeStr)=>( console.log(codeStr), _eval(codeStr) );
+    ` + output;
+
+    var TEST_GLOBAL_VARIANT_7 = {};
+    (global as any).TEST_GLOBAL_VARIANT_7 = TEST_GLOBAL_VARIANT_7;
+
+    var { error, TEST_OUTPUT } = evalInNonStrictMode(output);
+
+    expect(error).toBeNull();
+    expect(TEST_OUTPUT).toStrictEqual(true);
+  });
+
+  test("Variant #3: Native check on functions", async () => {
+    var mockConsoleLog = (...msgs) => {
+      console.log(...msgs);
+    };
+    mockConsoleLog.toString = () => "{ [native code] }";
+    (global as any).mockConsoleLog = mockConsoleLog;
+
+    var output = await JsConfuser(
+      `
+      function onTamperDetected(){
+        TEST_OUTPUT_SET(true);
+      }
+      mockConsoleLog("console.log was not tampered")
+      `,
+      {
+        target: "node",
+        globalConcealing: (varName) => varName != "TEST_OUTPUT_SET",
+        lock: {
+          tamperProtection: true,
+          countermeasures: "onTamperDetected",
+        },
+      }
+    );
+
+    var getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor;
+    (global as any).Object.getOwnPropertyDescriptor = () => undefined;
+
+    var { TEST_OUTPUT, error } = evalInNonStrictMode(output);
+
+    (global as any).Object.getOwnPropertyDescriptor = getOwnPropertyDescriptor;
+
+    expect(TEST_OUTPUT).not.toStrictEqual(true);
+    expect(error).toBeNull();
+  });
+
+  test("Variant #4: Native check on functions (tampered)", async () => {
+    var mockConsoleLog = (...msgs) => {
+      console.log(...msgs);
+    };
+    mockConsoleLog.toString = () => "[native code]";
+    (global as any).mockConsoleLog = mockConsoleLog;
+
+    var output = await JsConfuser(
+      `
+      function onTamperDetected(){
+        TEST_OUTPUT_SET(true);
+      }
+
+      mockConsoleLog("console.log was not tampered")
+      `,
+      {
+        target: "node",
+        globalConcealing: (varName) => varName != "TEST_OUTPUT_SET",
+        lock: {
+          tamperProtection: true,
+          countermeasures: "onTamperDetected",
+        },
+      }
+    );
+
+    (global as any).mockConsoleLog = (...str) =>
+      console.log("Tampered console.log: ", ...str);
+
+    // Unfortunately the program errors dude to console.log being tampered
+    var { TEST_OUTPUT, error } = evalInNonStrictMode(output);
+
+    expect(TEST_OUTPUT).toStrictEqual(true);
+
+    // Ensure error was thrown
+    expect(error).not.toBeNull();
+  });
+
+  test("Variant #5: Native check on non-existent functions", async () => {
+    var output = await JsConfuser(
+      `
+      a.b.c.d()
+      `,
+      {
+        target: "node",
+        globalConcealing: true,
+        lock: {
+          tamperProtection: true,
+        },
+      }
+    );
+  });
+
+  test("Variant #6: Custom implementation for lock.tamperProtection", async () => {
+    var foundNames = [];
+    var output = await JsConfuser(
+      `
+      fetch()
+      console.log()
+      shouldBeFound()
+      console["trace"]()
+      var NotFound = "NotFound"
+      console[NotFound]()
+
+      toString()
+
+      var shouldNotBeFound;
+
+      shouldNotBeFound()
+      `,
+      {
+        target: "node",
+        globalConcealing: true,
+        lock: {
+          tamperProtection: (fnName) => {
+            foundNames.push(fnName);
+
+            return false;
+          },
+        },
+      }
+    );
+
+    expect(foundNames).toContain("fetch");
+    expect(foundNames).toContain("console.log");
+    expect(foundNames).toContain("shouldBeFound");
+    expect(foundNames).toContain("console.trace");
+    expect(foundNames).toContain("toString");
+
+    expect(foundNames.join("")).not.toContain("NotFound");
+
+    expect(foundNames).not.toContain("shouldNotBeFound");
+  });
+
+  test("Variant #7: Protect native function Math.floor", async () => {
+    var output = await JsConfuser(
+      `
+      TEST_OUTPUT_SET(Math.floor(10.1));
+      `,
+      {
+        target: "node",
+        globalConcealing: (varName) => varName != "TEST_OUTPUT_SET",
+        lock: {
+          tamperProtection: true,
+        },
+      }
+    );
+
+    expect(output).not.toContain("Math['floor");
+
+    var { TEST_OUTPUT, error } = evalInNonStrictMode(output);
+
+    expect(error).toBeNull();
+    expect(TEST_OUTPUT).toStrictEqual(10);
+  });
+});
+
+describe("RGF", () => {
+  test("Variant #1: Use Eval instead of new Function", async () => {
+    var output = await JsConfuser(
+      `
+      function myFunction1(){
+        TEST_OUTPUT_SET(true);
+      }
+
+      myFunction1();
+      `,
+      {
+        target: "node",
+        rgf: true,
+        lock: {
+          tamperProtection: true,
+        },
+        renameVariables: true,
+
+        // Allow RGF to transform 'myFunction1'
+        // Otherwise, RGF will skip 'myFunction1' as 'TEST_OUTPUT_SET' is an outside variable
+        globalVariables: new Set(["TEST_OUTPUT_SET"]),
+      }
+    );
+
+    expect(output).not.toContain(
+      "function myFunction1(){TEST_OUTPUT_SET(true)"
+    );
+    expect(output).toContain("eval");
+    expect(output).not.toContain("new Function");
+
+    var { TEST_OUTPUT, error } = evalInNonStrictMode(output);
+
+    expect(error).toBeNull();
+    expect(TEST_OUTPUT).toStrictEqual(true);
+  });
+
+  test("Variant #2: Detect Eval tamper", async () => {
+    var output = await JsConfuser(
+      `
+      function onTamperDetected(){
+        TEST_OUTPUT_SET("Correct Value");
+      }
+      function myFunction1(){
+        TEST_OUTPUT_SET("Function still called");
+      }
+
+      myFunction1();
+      `,
+      {
+        target: "node",
+        rgf: true,
+        lock: {
+          tamperProtection: true,
+          countermeasures: "onTamperDetected",
+        },
+        renameVariables: true,
+
+        // Allow RGF to transform 'myFunction1'
+        // Otherwise, RGF will skip 'myFunction1' as 'TEST_OUTPUT_SET' is an outside variable
+        globalVariables: new Set(["TEST_OUTPUT_SET"]),
+      }
+    );
+
+    expect(output).not.toContain("function myFunction1(){TEST_OUTPUT_SET(");
+    expect(output).toContain("eval");
+
+    // Inject 'eval' tamper code
+    output =
+      `var _eval = eval;
+       eval = (code)=>( TEST_OUTPUT_SET(code), console.log(code), _eval(code) );` +
+      output;
+
+    var { TEST_OUTPUT, error } = evalInNonStrictMode(output);
+
+    expect(TEST_OUTPUT).toStrictEqual("Correct Value");
+    expect(error).toBeTruthy(); // An error occurs because the RGF array was not initialized
+  });
+});
+
+describe("Strict Mode", () => {
+  test("Variant #1: Disallow Strict Mode", async () => {
+    var output = await JsConfuser(
+      `
+      "use strict"; // Note: Jest testing environment is already in Strict Mode
+      function onTamperDetected(){
+        TEST_OUTPUT = true;
+      }
+      `,
+      {
+        target: "node",
+        lock: {
+          tamperProtection: true,
+          countermeasures: "onTamperDetected",
+        },
+      }
+    );
+
+    var TEST_OUTPUT;
+    eval(output);
+
+    expect(TEST_OUTPUT).toStrictEqual(true);
+  });
+});

package/test/transforms/minify.test.ts

@@ -211,6 +211,16 @@ test("Variant #11: Shorten 'undefined' to 'void 0'", async () => {
   });
 
   expect(output2).toContain("var x={[void 0]:1}");
+
+  var output3 = await JsConfuser(
+    `try { var undefined; (undefined) = true } catch(e) {}`,
+    {
+      target: "node",
+      minify: true,
+    }
+  );
+
+  eval(output3);
 });
 
 test("Variant #11: Shorten 'Infinity' to 1/0", async () => {
@@ -536,3 +546,30 @@ test("Variant #27: Preserve function.length property", async () => {
 
   expect(TEST_OUTPUT).toStrictEqual(6);
 });
+
+// https://github.com/MichaelXF/js-confuser/issues/125
+test("Variant #28: Don't break destructuring assignment", async () => {
+  var output = await JsConfuser(
+    `
+    let objectSlice = [];
+    objectSlice.push({
+      a: 1,
+      b: 2,
+      c: 3,
+    })
+    for (let {
+      a,
+      b,
+      c
+    } of objectSlice) {
+      TEST_OUTPUT = a + b + c;
+    }
+  `,
+    { target: "node", minify: true }
+  );
+
+  var TEST_OUTPUT;
+  eval(output);
+
+  expect(TEST_OUTPUT).toStrictEqual(6);
+});

package/test/transforms/rgf.test.ts

@@ -326,3 +326,53 @@ test("Variant #10: Configurable by custom function option", async () => {
   expect(TEST_OUTPUT_1).toStrictEqual(false);
   expect(TEST_OUTPUT_2).toStrictEqual(true);
 });
+
+test("Variant #11: Function containing function should both be changed", async function () {
+  var output = await JsConfuser(
+    `
+    function FunctionA(){
+      function FunctionB(){
+        var bVar = 10;
+        return bVar
+      }
+
+      var bFn = FunctionB;
+      var aVar = bFn();
+      return aVar + 1
+    }
+
+    TEST_OUTPUT = FunctionA();
+  `,
+    { target: "node", rgf: true }
+  );
+
+  // 2 means one Function changed, 3 means two Functions changed
+  expect(output.split("new Function").length).toStrictEqual(3);
+
+  var TEST_OUTPUT;
+  eval(output);
+
+  expect(TEST_OUTPUT).toStrictEqual(11);
+});
+
+test("Variant #12: Preserve Function.length", async function () {
+  var output = await JsConfuser(
+    `
+  function myFunction(a,b,c,d = ""){ // Function.length = 3
+
+  }
+
+  myFunction()
+  TEST_OUTPUT = myFunction.length
+  `,
+    {
+      target: "node",
+      rgf: true,
+    }
+  );
+
+  var TEST_OUTPUT;
+  eval(output);
+
+  expect(TEST_OUTPUT).toStrictEqual(3);
+});

package/dist/transforms/controlFlowFlattening/choiceFlowObfuscation.js

@@ -1,62 +0,0 @@
-"use strict";
-
-Object.defineProperty(exports, "__esModule", {
-  value: true
-});
-exports.default = void 0;
-
-var _gen = require("../../util/gen");
-
-var _transform = _interopRequireDefault(require("../transform"));
-
-function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
-
-class ChoiceFlowObfuscation extends _transform.default {
-  constructor(o) {
-    super(o);
-  }
-
-  match(object, parents) {
-    return object.type == "IfStatement";
-  }
-
-  transform(object, parents) {
-    return () => {
-      var body = parents[0];
-      var element = object;
-
-      if (parents[0].type == "LabeledStatement") {
-        body = parents[1];
-        element = parents[0];
-      }
-
-      var before = [];
-      var isNested = parents[0].type == "IfStatement" && parents[0].alternate === object;
-
-      if (!isNested && (!Array.isArray(body) || body.indexOf(element) === -1)) {
-        return;
-      }
-
-      var result = this.getPlaceholder();
-      before.push((0, _gen.VariableDeclaration)((0, _gen.VariableDeclarator)(result)));
-      var yesBody = object.consequent ? object.consequent.type == "BlockStatement" ? [...object.consequent.body] : [object.consequent] : [];
-      yesBody.unshift((0, _gen.ExpressionStatement)((0, _gen.AssignmentExpression)("=", (0, _gen.Identifier)(result), (0, _gen.Literal)(1))));
-      var noBody = object.alternate ? object.alternate.type == "BlockStatement" ? [...object.alternate.body] : [object.alternate] : [];
-      noBody.unshift((0, _gen.ExpressionStatement)((0, _gen.AssignmentExpression)("=", (0, _gen.Identifier)(result), (0, _gen.Literal)(1))));
-      var elseTest = (0, _gen.UnaryExpression)("!", (0, _gen.Identifier)(result));
-      var newObject = (0, _gen.TryStatement)([(0, _gen.IfStatement)({ ...object.test
-      }, [(0, _gen.ThrowStatement)((0, _gen.Identifier)(result))])], (0, _gen.CatchClause)((0, _gen.Identifier)(this.getPlaceholder()), yesBody), [(0, _gen.IfStatement)(elseTest, noBody)]);
-
-      if (isNested) {
-        this.replace(object, (0, _gen.BlockStatement)([...before, { ...newObject
-        }]));
-      } else {
-        body.splice(body.indexOf(element), 0, ...before);
-        this.replace(object, newObject);
-      }
-    };
-  }
-
-}
-
-exports.default = ChoiceFlowObfuscation;