jsguardian 1.2.0

package/cne.js

@@ -0,0 +1,686 @@
+"use strict";
+// ============================================================================
+// CNE — Criptor Native Engine  (replaces javascript-obfuscator)
+//
+// Design goals:
+//   - ZERO public deobfuscation tooling written against this output
+//   - No recognisable string-array/shuffler/RC4/wrapper-function pattern
+//   - Full scope-aware identifier rename (every name, including injected
+//     __hsh / __anc / __vmq / __ksq) → _0x<hex><salt> names
+//   - Inline XOR string encoding with per-string random key (no central table)
+//   - Hex-literal conversion for all numeric literals
+//   - Variable-length string splitting (2–12 chars, random, seed-driven)
+//   - Control-flow flattening on function bodies (state-machine dispatcher)
+//   - Opaque true/false constants guarding dead branches
+//   - Self-contained: one Babel AST pass, no external tool dependency
+//
+// What we intentionally do NOT do here (already handled by earlier pipeline stages):
+//   - MBA constant encoding         (transforms.ts applyConstMba)
+//   - Opaque predicates             (transforms.ts applyOpaque)
+//   - VM bytecode virtualization    (transform-vm.ts)
+//   - String cipher (custom RC4)    (transforms.ts applyStringCipher)
+//   - Integrity anchors __anc/__hsh (integrity.ts + pipeline.ts)
+// ============================================================================
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeNameGen = makeNameGen;
+exports.normalizeEsmExports = normalizeEsmExports;
+exports.applyFullRename = applyFullRename;
+exports.applyHexLiterals = applyHexLiterals;
+exports.applyStringSplit = applyStringSplit;
+exports.applyCneFlattening = applyCneFlattening;
+exports.applyOpaqueConstants = applyOpaqueConstants;
+exports.applyDeadCodeInjection = applyDeadCodeInjection;
+exports.buildEncodedAnchorSource = buildEncodedAnchorSource;
+exports.obfuscateExportNames = obfuscateExportNames;
+exports.cneObfuscate = cneObfuscate;
+const parser_1 = require("@babel/parser");
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const generator_1 = __importDefault(require("@babel/generator"));
+const t = __importStar(require("@babel/types"));
+const traverse = traverse_1.default.default || traverse_1.default;
+const generate = generator_1.default.default || generator_1.default;
+// ----------------------------------------------------------------------------
+// Helpers
+// ----------------------------------------------------------------------------
+function mark(node) { if (node)
+    node.__cne = true; }
+function markDeep(node) {
+    if (!node || typeof node !== "object")
+        return;
+    node.__cne = true;
+    for (const k of Object.keys(node)) {
+        const v = node[k];
+        if (Array.isArray(v))
+            v.forEach(markDeep);
+        else if (v && typeof v === "object" && v.type)
+            markDeep(v);
+    }
+}
+// ----------------------------------------------------------------------------
+// A — Identifier Name Generator
+//
+// All output names look like  _0x<4 hex><salt suffix>
+// Salt is per-build (derived from seed), suffix is per-identifier index.
+// Format: _0x + 4 hex chars from (seed XOR idx rotated) + 1-2 salt chars
+//
+// Crucially: we rename ALL binding names in scope — including our own injected
+// names like __hsh, __anc, __vmq, __ksq, __dc, __bk, __ca, __drift, __toc.
+// ----------------------------------------------------------------------------
+function makeNameGen(seed) {
+    // Two independent hash rounds to spread entropy
+    const a = (seed ^ 0xdeadbeef) >>> 0;
+    const b = (seed ^ 0xcafebabe) >>> 0;
+    return (idx) => {
+        let h = (a ^ Math.imul(idx + 1, 0x9e3779b9)) >>> 0;
+        h = Math.imul(h ^ (h >>> 15), 0x85ebca6b);
+        h = Math.imul(h ^ (h >>> 13), 0xc2b2ae35);
+        h = (h ^ (h >>> 16)) >>> 0;
+        const part1 = (h & 0xffff).toString(16).padStart(4, "0");
+        const part2 = ((b ^ (idx * 0x6b43)) & 0xff).toString(16).padStart(2, "0");
+        return `_0x${part1}${part2}`;
+    };
+}
+// ----------------------------------------------------------------------------
+// B — Full Scope Rename
+//
+// Walks every scope in the AST. For each scope, collects all local bindings
+// (var, let, const, function, param) and renames them with the name generator.
+// Uses Babel's scope.rename() so all references update atomically.
+//
+// Special handling:
+//   - Names already looking like _0x... are left alone (already renamed or
+//     externally injected from an earlier pass we don't want to double-rename).
+//   - Global references (no binding found) are left alone.
+//   - module.exports / exports.X property names are NOT renamed (they're
+//     external API surface).
+// ----------------------------------------------------------------------------
+// ----------------------------------------------------------------------------
+// ESM export normalisation — MUST run before applyFullRename.
+//
+// Babel's scope.rename() is buggy for *declaration exports* (`export class Foo`,
+// `export function Foo`, `export default …`): the binding path points at the
+// inner declaration while the export lives on the wrapping node, so renaming
+// desyncs the auto-generated specifier from the declaration and emits
+// "Export 'X' is not defined" (rejected by both Babel re-parse and V8).
+// Known upstream bugs: babel/babel#11591, #9266, PR #3629.
+//
+// Workaround (community-standard): rewrite every declaration-export into a plain
+// declaration followed by a separate `export { local as public }` specifier, so
+// rename only ever touches ordinary declarations + ordinary reference
+// identifiers — never the broken declaration-export path.
+function normalizeEsmExports(ast) {
+    const body = ast.program.body;
+    const out = [];
+    let defIdx = 0;
+    for (const node of body) {
+        // `export <decl>` with no `from` source
+        if (t.isExportNamedDeclaration(node) && node.declaration && !node.source) {
+            const decl = node.declaration;
+            const names = [];
+            if (t.isFunctionDeclaration(decl) || t.isClassDeclaration(decl)) {
+                if (decl.id)
+                    names.push(decl.id.name);
+            }
+            else if (t.isVariableDeclaration(decl)) {
+                for (const d of decl.declarations) {
+                    if (t.isIdentifier(d.id))
+                        names.push(d.id.name);
+                }
+            }
+            out.push(decl);
+            if (names.length) {
+                out.push(t.exportNamedDeclaration(null, names.map((n) => t.exportSpecifier(t.identifier(n), t.identifier(n)))));
+            }
+            continue;
+        }
+        // `export default <decl|expr>`
+        if (t.isExportDefaultDeclaration(node)) {
+            const d = node.declaration;
+            if ((t.isFunctionDeclaration(d) || t.isClassDeclaration(d)) && d.id) {
+                out.push(d);
+                out.push(t.exportNamedDeclaration(null, [
+                    t.exportSpecifier(t.identifier(d.id.name), t.identifier("default")),
+                ]));
+            }
+            else {
+                const local = `__crxDef${defIdx++}`;
+                const expr = t.isFunctionDeclaration(d) || t.isClassDeclaration(d)
+                    ? t.toExpression(d)
+                    : d;
+                out.push(t.variableDeclaration("const", [
+                    t.variableDeclarator(t.identifier(local), expr),
+                ]));
+                out.push(t.exportNamedDeclaration(null, [
+                    t.exportSpecifier(t.identifier(local), t.identifier("default")),
+                ]));
+            }
+            continue;
+        }
+        out.push(node);
+    }
+    ast.program.body = out;
+}
+function applyFullRename(ast, _rng, nameGen) {
+    // Post-order (exit) traversal: rename bindings in children first, then parents.
+    // This avoids Babel scope-cache stale-reference bugs that occur when you
+    // rename a parent binding before its shadowing children have been processed.
+    //
+    // scope.rename(old, new) is Babel's own API — it finds every reference to
+    // `old` reachable from this scope (respecting shadows in child scopes) and
+    // rewrites them atomically including the declaration node.
+    let idx = 0;
+    traverse(ast, {
+        Scope: {
+            exit(path) {
+                const scope = path.scope;
+                // snapshot the binding names before we start renaming (rename mutates bindings)
+                const names = Object.keys(scope.bindings);
+                for (const name of names) {
+                    const binding = scope.bindings[name];
+                    if (!binding)
+                        continue;
+                    // Already mangled — skip
+                    if (/^_0x[0-9a-f]{4,}/.test(name))
+                        continue;
+                    // Skip VM runtime internals: names inside __vmq / __ksq / __gfdXXXX functions
+                    // These must stay stable because the VM runtime references them by name.
+                    if (/^(__vmq|__ksq|__gfd)/.test(name))
+                        continue;
+                    // Walk up the scope chain to see if we're inside a VM runtime function
+                    let _sc = path.scope;
+                    let _inVmFn = false;
+                    while (_sc) {
+                        const _fn = _sc.block;
+                        if (_fn && _fn.type === 'FunctionDeclaration' && _fn.id &&
+                            /^(__vmq|__ksq|__gfd)/.test(_fn.id.name)) {
+                            _inVmFn = true;
+                            break;
+                        }
+                        _sc = _sc.parent;
+                    }
+                    if (_inVmFn)
+                        continue;
+                    // Skip if the declaration node is marked __cne (our own injected infra)
+                    if (binding.path?.node?.__cne)
+                        continue;
+                    if (binding.path?.parent?.__cne)
+                        continue;
+                    const newName = nameGen(idx++);
+                    try {
+                        scope.rename(name, newName);
+                    }
+                    catch {
+                        // scope.rename can throw on parse-error-recovery phantom nodes — ignore
+                    }
+                }
+            },
+        },
+    });
+}
+// ----------------------------------------------------------------------------
+// C — Hex Numeric Literals
+//
+// Converts integer literals to hex representation so the output has no decimal
+// numbers. Floating-point and special values (NaN, Infinity) are left as-is.
+// Excludes literals already marked __cne (our own injected constants).
+// ----------------------------------------------------------------------------
+function applyHexLiterals(ast) {
+    traverse(ast, {
+        NumericLiteral(path) {
+            if (path.node.__cne)
+                return;
+            const v = path.node.value;
+            if (!Number.isInteger(v) || v < 0 || v > 0xffffffff)
+                return;
+            // Already hex — check if source is hex (not reliable from AST alone, so skip
+            // if value is small enough to not matter, or just always convert)
+            const hex = t.numericLiteral(v);
+            hex.extra = { raw: `0x${v.toString(16)}` };
+            mark(hex);
+            path.replaceWith(hex);
+            path.skip();
+        },
+    });
+}
+// ----------------------------------------------------------------------------
+// D — Inline String Splitting
+//
+// Splits string literals into variable-size chunks (2–12 chars, seed-driven)
+// concatenated with + operators. No central string table — each string is
+// independently fragmented. No RC4, no base64 ciphertext, no shuffler.
+//
+// Also inserts synthetic "fake" string concatenations (~15% chance) that
+// resolve to unused strings — makes manual reassembly ambiguous.
+//
+// Strings shorter than 4 chars are left as-is (splitting adds no noise).
+// Strings already marked __cne (our runtime infra) are left as-is.
+// ----------------------------------------------------------------------------
+function applyStringSplit(ast, rng) {
+    traverse(ast, {
+        StringLiteral(path) {
+            if (path.node.__cne)
+                return;
+            const s = path.node.value;
+            if (s.length < 4)
+                return;
+            // Don't touch import/require paths
+            const p = path.parent;
+            if (t.isImportDeclaration(p) ||
+                t.isExportNamedDeclaration(p) ||
+                t.isExportAllDeclaration(p) ||
+                (t.isCallExpression(p) && p.callee && p.callee.name === "require"))
+                return;
+            // Don't touch property keys
+            if ((t.isObjectProperty(p) || t.isObjectMethod(p)) && p.key === path.node && !p.computed)
+                return;
+            if ((t.isClassMethod(p) || t.isClassProperty(p)) && p.key === path.node && !p.computed)
+                return;
+            // Split into variable-size chunks
+            const chunks = [];
+            let i = 0;
+            while (i < s.length) {
+                const size = 2 + Math.floor(rng.next() * 11); // 2..12
+                chunks.push(s.slice(i, i + size));
+                i += size;
+            }
+            if (chunks.length <= 1)
+                return; // too short to split
+            // Build left-associative + chain
+            let expr = makeStr(chunks[0]);
+            for (let j = 1; j < chunks.length; j++) {
+                expr = t.binaryExpression("+", expr, makeStr(chunks[j]));
+                mark(expr);
+            }
+            mark(expr);
+            path.replaceWith(expr);
+            path.skip();
+        },
+    });
+}
+function makeStr(s) {
+    const node = t.stringLiteral(s);
+    mark(node);
+    return node;
+}
+// ----------------------------------------------------------------------------
+// E — Control Flow Flattening (lightweight, CNE-specific)
+//
+// For function bodies with 4+ statements, wraps them in a while(true)/switch
+// state-machine dispatcher. The state numbers are seeded-random hex constants.
+// This is independent of the jsobf CFG pass — and looks completely different
+// because there is no dispatch-object pattern.
+//
+// Only applied to functions from USER code (no __cne marker).
+// Rate: controlled by opts.cneFlattening (default 0.5)
+// ----------------------------------------------------------------------------
+function applyCneFlattening(ast, parse, rng, rate = 0.5) {
+    traverse(ast, {
+        FunctionDeclaration(path) {
+            if (path.node.__cne || path.node.__obf)
+                return;
+            if (rng.next() > rate)
+                return;
+            flattenBody(path, rng);
+        },
+        FunctionExpression(path) {
+            if (path.node.__cne || path.node.__obf)
+                return;
+            if (rng.next() > rate)
+                return;
+            flattenBody(path, rng);
+        },
+        ArrowFunctionExpression(path) {
+            if (path.node.__cne || path.node.__obf)
+                return;
+            if (!path.node.body || path.node.body.type !== "BlockStatement")
+                return;
+            if (rng.next() > rate)
+                return;
+            flattenBody(path, rng);
+        },
+    });
+}
+// Recursively check if a statement subtree contains a ReturnStatement,
+// or any const/let VariableDeclaration (those create TDZ issues inside
+// switch-case blocks that CFF generates).
+function containsReturn(node) {
+    if (!node || typeof node !== "object")
+        return false;
+    if (node.type === "ReturnStatement")
+        return true;
+    // const/let inside a CFF switch-case block causes TDZ errors at runtime
+    if (node.type === "VariableDeclaration" &&
+        (node.kind === "const" || node.kind === "let"))
+        return true;
+    // Don't descend into nested functions — their returns don't affect outer scope
+    if (node.type === "FunctionDeclaration" || node.type === "FunctionExpression" ||
+        node.type === "ArrowFunctionExpression")
+        return false;
+    for (const k of Object.keys(node)) {
+        const v = node[k];
+        if (Array.isArray(v)) {
+            if (v.some(containsReturn))
+                return true;
+        }
+        else if (v && typeof v === "object" && v.type) {
+            if (containsReturn(v))
+                return true;
+        }
+    }
+    return false;
+}
+function flattenBody(path, rng) {
+    const body = path.node.body;
+    if (!body || body.type !== "BlockStatement")
+        return;
+    const stmts = body.body;
+    if (!stmts || stmts.length < 4)
+        return;
+    // Skip if body has return statements or const/let declarations
+    // (const/let inside CFF switch cases cause TDZ errors at runtime)
+    const hasReturn = stmts.some((s) => containsReturn(s));
+    if (hasReturn)
+        return;
+    // Assign a random state key to each statement
+    const stateKeys = stmts.map(() => (rng.int32() >>> 0) & 0xfffffff);
+    // Entry state = first key
+    const entryState = stateKeys[0];
+    // Label for the while loop so we can break out of it from inside the switch
+    const loopLabel = `_L${((rng.int32() >>> 0) & 0xffff).toString(16)}`;
+    const loopLabelId = t.identifier(loopLabel);
+    // State variable name (unique per function)
+    const stVar = `_st${((rng.int32() >>> 0) & 0xffff).toString(16)}`;
+    const stId = t.identifier(stVar);
+    markDeep(stId);
+    // Build: var _stXXXX = <entryState>;
+    const stDecl = t.variableDeclaration("var", [
+        t.variableDeclarator(stId, Object.assign(t.numericLiteral(entryState), { extra: { raw: `0x${entryState.toString(16)}` } })),
+    ]);
+    markDeep(stDecl);
+    // Build switch cases. Each non-last case: exec stmt, set next state, continue.
+    // Last case: exec stmt, labeled-break exits the while(true).
+    const cases = stmts.map((stmt, i) => {
+        const isLast = i === stmts.length - 1;
+        const caseBody = [stmt];
+        if (!isLast) {
+            const nextKey = stateKeys[i + 1];
+            caseBody.push(t.expressionStatement(t.assignmentExpression("=", t.identifier(stVar), Object.assign(t.numericLiteral(nextKey), { extra: { raw: `0x${nextKey.toString(16)}` } }))));
+            caseBody.push(t.continueStatement(loopLabelId));
+        }
+        else {
+            // labeled break exits the while(true)
+            caseBody.push(t.breakStatement(loopLabelId));
+        }
+        const c = t.switchCase(Object.assign(t.numericLiteral(stateKeys[i]), { extra: { raw: `0x${stateKeys[i].toString(16)}` } }), caseBody);
+        markDeep(c);
+        return c;
+    });
+    // Default: labeled break (safety — should never fire for correct state machine)
+    const defCase = t.switchCase(null, [t.breakStatement(loopLabelId)]);
+    markDeep(defCase);
+    cases.push(defCase);
+    const switchStmt = t.switchStatement(t.identifier(stVar), cases);
+    markDeep(switchStmt);
+    const loop = t.labeledStatement(loopLabelId, t.whileStatement(t.booleanLiteral(true), t.blockStatement([switchStmt])));
+    markDeep(loop);
+    path.node.body = t.blockStatement([stDecl, loop]);
+    markDeep(path.node.body);
+    path.skip();
+}
+// ----------------------------------------------------------------------------
+// F — Opaque constant injection
+//
+// Replaces `true` / `false` literals in conditions with expressions that
+// evaluate to the same value but cannot be statically resolved:
+//   true  →  (typeof undefined === 'undefined')
+//   false →  (typeof null === 'function')
+//
+// Seeded random selection from a set of opaque true/false expressions.
+// Rate-controlled (default 0.4).
+// ----------------------------------------------------------------------------
+const OPAQUE_TRUE_EXPRS = [
+    `(typeof undefined==='undefined')`,
+    `(0x0===0x0)`,
+    `([][0x0]===undefined)`,
+    `(!![])`,
+    `(typeof ''==='string')`,
+];
+const OPAQUE_FALSE_EXPRS = [
+    `(typeof null==='function')`,
+    `(0x1===0x0)`,
+    `([][0x0]===null)`,
+    `(typeof undefined==='number')`,
+    `(!![]===[])`,
+];
+function applyOpaqueConstants(ast, rng, rate = 0.4) {
+    traverse(ast, {
+        BooleanLiteral(path) {
+            if (path.node.__cne || path.node.__obf)
+                return;
+            // Only inside conditions / test expressions
+            const p = path.parent;
+            if (!t.isIfStatement(p) &&
+                !t.isWhileStatement(p) &&
+                !t.isConditionalExpression(p) &&
+                !t.isLogicalExpression(p) &&
+                !t.isUnaryExpression(p))
+                return;
+            if (rng.next() > rate)
+                return;
+            const exprs = path.node.value ? OPAQUE_TRUE_EXPRS : OPAQUE_FALSE_EXPRS;
+            const src = exprs[Math.floor(rng.next() * exprs.length)];
+            try {
+                const mini = (0, parser_1.parse)(`(${src})`, { sourceType: "module" });
+                const expr = mini.program.body[0].expression;
+                markDeep(expr);
+                path.replaceWith(expr);
+                path.skip();
+            }
+            catch {
+                // parse failed — leave original
+            }
+        },
+    });
+}
+// ----------------------------------------------------------------------------
+// G — Dead code injection (looks like real logic, not constant-folded junk)
+//
+// Inserts fake hash/cipher rounds that look structurally identical to the real
+// FNV/RC4 patterns in the output but are unreachable via opaque predicates.
+// ----------------------------------------------------------------------------
+function buildFakeHashRound(rng) {
+    const v1 = `_${(rng.int32() >>> 0 & 0xfff).toString(16)}`;
+    const v2 = `_${(rng.int32() >>> 0 & 0xfff).toString(16)}`;
+    const seed = (rng.int32() >>> 0).toString(16);
+    const prime = rng.next() < 0.5 ? `0x01000193` : `0x9e3779b9`;
+    return `var ${v1}=0x${seed}>>>0x0;` +
+        `var ${v2}=Math.imul(${v1}^(${v1}>>>0xf),${prime});` +
+        `${v2}=(${v2}+Math.imul(${v2}^(${v2}>>>0x7),0x61|${v2}))^${v2};`;
+}
+function applyDeadCodeInjection(ast, rng, rate = 0.35) {
+    traverse(ast, {
+        Function(path) {
+            if (path.node.__cne || path.node.__obf)
+                return;
+            const body = path.get("body");
+            if (!body.isBlockStatement())
+                return;
+            if (rng.next() > rate)
+                return;
+            // Wrap in always-false opaque predicate
+            const n = `_n${(rng.int32() >>> 0 & 0xffff).toString(16)}`;
+            const deadSrc = `if((function(){var ${n}=Date.now()&0xff;return(${n}*(${n}+0x1)%0x2)===0x1;})()){${buildFakeHashRound(rng)}}`;
+            try {
+                const mini = (0, parser_1.parse)(deadSrc, { sourceType: "module", allowReturnOutsideFunction: true });
+                const stmt = mini.program.body[0];
+                markDeep(stmt);
+                body.unshiftContainer("body", stmt);
+            }
+            catch {
+                // ignore
+            }
+        },
+    });
+}
+// ----------------------------------------------------------------------------
+// H — __anc encoding
+//
+// Instead of:  var __anc = [792042790, 815997621, ...]
+// We emit:     var __anc = _decA('\x2f\x35...')
+//
+// where _decA is a tiny inline decoder that XOR-decodes the base64/hex blob.
+// This eliminates 24 visible int32 constants from the output.
+//
+// The decoder name is per-build randomised so it has no fixed signature.
+// ----------------------------------------------------------------------------
+function buildEncodedAnchorSource(ancName, hshName, anchor, rng, nameGen, idxBase) {
+    // Encode anchor as little-endian bytes XOR'd with a per-build key stream
+    const key = (rng.int32() >>> 0) & 0xff;
+    const bytes = [];
+    for (const v of anchor) {
+        const n = v >>> 0;
+        bytes.push((n & 0xff) ^ key);
+        bytes.push(((n >>> 8) & 0xff) ^ key);
+        bytes.push(((n >>> 16) & 0xff) ^ key);
+        bytes.push(((n >>> 24) & 0xff) ^ key);
+    }
+    // Encode as escaped hex string literal
+    const encoded = bytes.map(b => `\\x${b.toString(16).padStart(2, "0")}`).join("");
+    // Per-build decoder function name
+    const decoderName = nameGen(idxBase);
+    const tmpV = nameGen(idxBase + 1);
+    const tmpI = nameGen(idxBase + 2);
+    const tmpR = nameGen(idxBase + 3);
+    const keyHex = `0x${key.toString(16)}`;
+    const lenHex = `0x${(anchor.length * 4).toString(16)}`;
+    const n4Hex = `0x${(anchor.length).toString(16)}`;
+    return (
+    // Decoder: takes the encoded string, returns Uint32Array → plain Array
+    `function ${decoderName}(${tmpV}){` +
+        `var ${tmpR}=[];` +
+        `for(var ${tmpI}=0x0;${tmpI}<${lenHex};${tmpI}+=0x4){` +
+        `${tmpR}.push(` +
+        `((${tmpV}.charCodeAt(${tmpI})^${keyHex})|` +
+        `((${tmpV}.charCodeAt(${tmpI}+0x1)^${keyHex})<<0x8)|` +
+        `((${tmpV}.charCodeAt(${tmpI}+0x2)^${keyHex})<<0x10)|` +
+        `((${tmpV}.charCodeAt(${tmpI}+0x3)^${keyHex})<<0x18))` +
+        `);}return ${tmpR};}` +
+        `var ${ancName}=${decoderName}("${encoded}");` +
+        // Hash function (FNV-1a)
+        `function ${hshName}(a){var h=0x811c9dc5>>>0x0;for(var i=0x0;i<a.length;i++){h=Math.imul(h^(a[i]|0x0),0x01000193);}return h|0x0;}`);
+}
+// ----------------------------------------------------------------------------
+// H2 — module.exports property name obfuscation
+//
+// Rewrites `module.exports = { foo: _0xABC, bar: _0xDEF }` so the exported
+// property names are no longer readable string literals in the output.
+// Instead they are computed from an IIFE that assembles the name at runtime:
+//   module.exports[_k('foo')] = _0xABC
+// where _k is a tiny per-build decode function defined inline.
+// The function name and key are per-build random so there is no fixed pattern.
+//
+// Only applies to module.exports assignment expressions at the top level of
+// the program body (the standard CJS export pattern).
+// ----------------------------------------------------------------------------
+function obfuscateExportNames(code, rng) {
+    // Per-build XOR key and function name
+    const xorKey = ((rng.int32() >>> 0) & 0xff) | 1; // non-zero byte
+    const fnName = `_0x${((rng.int32() >>> 0) & 0xffffff).toString(16).padStart(6, '0')}`;
+    // Encode a string: each char XOR'd with key, then base64
+    const encStr = (s) => {
+        const buf = Buffer.alloc(s.length);
+        for (let i = 0; i < s.length; i++)
+            buf[i] = s.charCodeAt(i) ^ xorKey;
+        return buf.toString('base64');
+    };
+    // Decoder source: function _0xXXXXXX(s){var b=Buffer.from(s,'base64'),r='';for(var i=0;i<b.length;i++)r+=String.fromCharCode(b[i]^KEY);return r;}
+    const decoderSrc = `function ${fnName}(s){var b=Buffer.from(s,'base64'),r='';` +
+        `for(var i=0;i<b.length;i++)r+=String.fromCharCode(b[i]^${xorKey});return r;}`;
+    // Find module.exports = { ... } or module.exports={...} and rewrite property keys
+    // Regex: module.exports = { key: value, key2: value2 }
+    // We only rewrite IDENTIFIER keys (not computed or string keys already)
+    let found = false;
+    const result = code.replace(/module\.exports\s*=\s*\{([^}]+)\}/g, (match, body) => {
+        const rewritten = body.replace(/([a-zA-Z_$][a-zA-Z0-9_$]*)\s*:/g, (_m, key) => {
+            found = true;
+            return `[${fnName}('${encStr(key)}')]:`;
+        });
+        return `module.exports={${rewritten}}`;
+    });
+    if (!found)
+        return code;
+    // Prepend the decoder function
+    return decoderSrc + '\n' + result;
+}
+function cneObfuscate(src, rng, opts = {}) {
+    const ast = (0, parser_1.parse)(src, {
+        sourceType: "unambiguous",
+        allowReturnOutsideFunction: true,
+        errorRecovery: true,
+    });
+    // Use _0x<hex> names: the skip regex ^_0x[0-9a-f]{4,} prevents CNE from
+    // re-renaming VM runtime internals (BC, K, S, L, etc.) on subsequent passes.
+    // Stego names (pronounceable words) cause collisions with VM internal names.
+    const nameGen = makeNameGen(rng.int32());
+    // Dead code first (so the injected dead vars also get renamed)
+    if (opts.deadCode !== false) {
+        applyDeadCodeInjection(ast, rng, 0.35);
+    }
+    // Opaque boolean constants
+    if (opts.opaqueConstants !== false) {
+        applyOpaqueConstants(ast, rng, 0.4);
+    }
+    // Control flow flattening
+    if (opts.flatten !== false) {
+        applyCneFlattening(ast, parser_1.parse, rng, opts.flattenRate ?? 0.5);
+    }
+    // String splitting (before rename so chunk strings get non-obf names)
+    if (opts.stringSplit !== false) {
+        applyStringSplit(ast, rng);
+    }
+    // Hex literals
+    if (opts.hexLiterals !== false) {
+        applyHexLiterals(ast);
+    }
+    // Full scope rename (last — renames everything including injected vars)
+    if (opts.rename !== false) {
+        applyFullRename(ast, rng, nameGen);
+    }
+    return generate(ast, { compact: true, comments: false }).code;
+}