simple-javascript-obf 0.1.1

package/bin/obf.sh

@@ -0,0 +1,257 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+prompt() {
+  local text="$1"
+  local value=""
+  read -r -p "$text" value
+  printf "%s" "$value"
+}
+
+prompt_yes_no() {
+  local text="$1"
+  local value=""
+  read -r -p "$text" value
+  case "${value}" in
+    y|Y|yes|YES) return 0 ;;
+    *) return 1 ;;
+  esac
+}
+
+now_ms() {
+  date +%s%3N
+}
+
+format_duration() {
+  local ms="$1"
+  awk -v ms="${ms}" 'BEGIN { printf "%.3f", ms / 1000 }'
+}
+
+root_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)
+
+input_path=$(prompt "Enter a JS file or directory path: ")
+if [[ -z "${input_path}" ]]; then
+  echo "No input path provided." >&2
+  exit 1
+fi
+
+input_kind=""
+if [[ -f "${input_path}" ]]; then
+  input_kind="file"
+elif [[ -d "${input_path}" ]]; then
+  input_kind="dir"
+else
+  echo "Input path not found: ${input_path}" >&2
+  exit 1
+fi
+
+abs_input=$(readlink -f "${input_path}")
+if [[ "${input_kind}" == "dir" ]]; then
+  input_dir="${abs_input}"
+else
+  input_dir=$(dirname "${abs_input}")
+fi
+
+echo "Input directory: ${input_dir}"
+if [[ "${input_kind}" == "file" ]]; then
+  output_dir=$(prompt "Output directory (default: ${input_dir}, use . for current dir): ")
+  if [[ -z "${output_dir}" ]]; then
+    output_dir="${input_dir}"
+  fi
+  output_dir=$(readlink -f "${output_dir}")
+  mkdir -p "${output_dir}"
+else
+  output_dir="${input_dir}"
+  if ! prompt_yes_no "This will overwrite all JS files in the directory. Continue? [y/N]: "; then
+    echo "Cancelled." >&2
+    exit 1
+  fi
+fi
+echo "Output directory: ${output_dir}"
+
+max_jobs=1
+if [[ "${input_kind}" == "dir" ]]; then
+  max_jobs=$(prompt "Concurrency (default 1): ")
+  if [[ -z "${max_jobs}" ]]; then
+    max_jobs=1
+  fi
+  if ! [[ "${max_jobs}" =~ ^[0-9]+$ ]] || [[ "${max_jobs}" -lt 1 ]]; then
+    echo "Concurrency must be a positive integer." >&2
+    exit 1
+  fi
+fi
+
+preset=$(prompt "Preset strength (high/balanced/low, default high): ")
+if [[ -z "${preset}" ]]; then
+  preset="high"
+fi
+
+enable_rename=true
+enable_strings=true
+enable_cff=true
+enable_dead=true
+enable_vm=false
+enable_anti_hook=false
+enable_anti_hook_lock=false
+
+if ! prompt_yes_no "Enable variable renaming? [y/N]: "; then
+  enable_rename=false
+fi
+if ! prompt_yes_no "Enable string encryption? [y/N]: "; then
+  enable_strings=false
+fi
+if ! prompt_yes_no "Enable control-flow flattening? [y/N]: "; then
+  enable_cff=false
+fi
+if ! prompt_yes_no "Enable dead-code injection? [y/N]: "; then
+  enable_dead=false
+fi
+if prompt_yes_no "Enable VM virtualization? [y/N]: "; then
+  enable_vm=true
+fi
+if prompt_yes_no "Enable anti-hook runtime guard? [y/N]: "; then
+  enable_anti_hook=true
+  if prompt_yes_no "Freeze built-in prototype chains (anti-hook-lock)? [y/N]: "; then
+    enable_anti_hook_lock=true
+  fi
+fi
+
+vm_include=""
+if ${enable_vm}; then
+  vm_include=$(prompt "Only virtualize function names (comma-separated, optional): ")
+fi
+
+seed=$(prompt "PRNG seed (optional): ")
+enable_sourcemap=false
+enable_compact=false
+if prompt_yes_no "Generate source map? [y/N]: "; then
+  enable_sourcemap=true
+fi
+if prompt_yes_no "Use compact output? [y/N]: "; then
+  enable_compact=true
+fi
+
+common_args=(--preset "${preset}")
+
+if ! ${enable_rename}; then
+  common_args+=(--no-rename)
+fi
+if ! ${enable_strings}; then
+  common_args+=(--no-strings)
+fi
+if ! ${enable_cff}; then
+  common_args+=(--no-cff)
+fi
+if ! ${enable_dead}; then
+  common_args+=(--no-dead)
+fi
+if ${enable_vm}; then
+  common_args+=(--vm)
+  if [[ -n "${vm_include}" ]]; then
+    common_args+=(--vm-include "${vm_include}")
+  fi
+fi
+if ${enable_anti_hook_lock}; then
+  common_args+=(--anti-hook-lock)
+elif ${enable_anti_hook}; then
+  common_args+=(--anti-hook)
+fi
+if [[ -n "${seed}" ]]; then
+  common_args+=(--seed "${seed}")
+fi
+if ${enable_sourcemap}; then
+  common_args+=(--sourcemap)
+fi
+if ${enable_compact}; then
+  common_args+=(--compact)
+fi
+
+if [[ "${input_kind}" == "file" ]]; then
+  base_name=$(basename "${abs_input}")
+  base_no_ext="${base_name%.*}"
+  output_path="${output_dir}/${base_no_ext}.obf.js"
+  cmd=(node "${root_dir}/bin/js-obf" "${abs_input}" -o "${output_path}" "${common_args[@]}")
+  total_start_ms=$(now_ms)
+  start_ms=$(now_ms)
+  echo "Run: ${cmd[*]}"
+  "${cmd[@]}"
+  end_ms=$(now_ms)
+  duration_ms=$((end_ms - start_ms))
+  duration_sec=$(format_duration "${duration_ms}")
+  echo "Done: ${output_path} (${duration_sec}s)"
+  total_end_ms=$(now_ms)
+  total_ms=$((total_end_ms - total_start_ms))
+  total_sec=$(format_duration "${total_ms}")
+  echo "Total time: ${total_sec}s"
+else
+  prune_paths=(
+    -type d -name node_modules
+    -o -type d -name node_packge
+    -o -type d -name node_package
+  )
+  if [[ "${output_dir}" != "${input_dir}" && "${output_dir}" == "${input_dir}"/* ]]; then
+    prune_paths+=(-o -path "${output_dir}")
+  fi
+
+  files=()
+  while IFS= read -r -d '' file; do
+    files+=("${file}")
+  done < <(
+    find "${input_dir}" \( "${prune_paths[@]}" \) -prune -o \
+      -type f -name "*.js" ! -name "*.obf.js" -print0
+  )
+
+  if [[ ${#files[@]} -eq 0 ]]; then
+    echo "No JS files found to obfuscate." >&2
+    exit 1
+  fi
+
+  total_start_ms=$(now_ms)
+  echo "Found ${#files[@]} JS files. Starting obfuscation..."
+  failed=false
+  run_file() {
+    local file="$1"
+    local rel_path="${file#${input_dir}/}"
+    local output_path="${output_dir}/${rel_path}"
+    mkdir -p "$(dirname "${output_path}")"
+    local cmd=(node "${root_dir}/bin/js-obf" "${file}" -o "${output_path}" "${common_args[@]}")
+    local start_ms
+    local end_ms
+    start_ms=$(now_ms)
+    echo "Run: ${cmd[*]}"
+    "${cmd[@]}"
+    end_ms=$(now_ms)
+    local duration_ms=$((end_ms - start_ms))
+    local duration_sec
+    duration_sec=$(format_duration "${duration_ms}")
+    echo "Done: ${output_path} (${duration_sec}s)"
+  }
+
+  if [[ "${max_jobs}" -le 1 ]]; then
+    for file in "${files[@]}"; do
+      run_file "${file}"
+    done
+  else
+    for file in "${files[@]}"; do
+      run_file "${file}" &
+      while (( $(jobs -pr | wc -l) >= max_jobs )); do
+        if ! wait -n; then
+          failed=true
+        fi
+      done
+    done
+    while (( $(jobs -pr | wc -l) > 0 )); do
+      if ! wait -n; then
+        failed=true
+      fi
+    done
+    if ${failed}; then
+      echo "Some files failed to obfuscate. Check the logs." >&2
+      exit 1
+    fi
+  fi
+  total_end_ms=$(now_ms)
+  total_ms=$((total_end_ms - total_start_ms))
+  total_sec=$(format_duration "${total_ms}")
+  echo "All done: ${#files[@]} files in ${total_sec}s"
+fi

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "simple-javascript-obf",
+  "version": "0.1.1",
+  "description": "Modular JavaScript obfuscator with optional VM and CFF",
+  "main": "src/index.js",
+  "bin": {
+    "js-obf": "bin/js-obf"
+  },
+  "scripts": {
+    "obf": "node bin/js-obf"
+  },
+  "keywords": [
+    "javascript",
+    "obfuscator",
+    "vm",
+    "control-flow-flattening"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "@babel/generator": "^7.26.0",
+    "@babel/parser": "^7.26.0",
+    "@babel/traverse": "^7.26.0",
+    "@babel/types": "^7.26.0",
+    "terser": "^5.44.1"
+  }
+}

package/src/index.js

@@ -0,0 +1,106 @@
+const parser = require("@babel/parser");
+const generate = require("@babel/generator").default;
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { minify } = require("terser");
+const { buildPipeline } = require("./pipeline");
+const { normalizeOptions } = require("./options");
+
+function parseSource(code, filename) {
+  return parser.parse(code, {
+    sourceType: "unambiguous",
+    sourceFilename: filename,
+    allowReturnOutsideFunction: true,
+    plugins: [
+      "jsx",
+      "typescript",
+      "classProperties",
+      "classPrivateProperties",
+      "classPrivateMethods",
+      "decorators-legacy",
+      "dynamicImport",
+      "objectRestSpread",
+      "optionalChaining",
+      "nullishCoalescingOperator",
+      "numericSeparator",
+      "logicalAssignment",
+      "topLevelAwait",
+      "exportDefaultFrom",
+      "exportNamespaceFrom",
+      "asyncGenerators",
+      "bigInt",
+      "optionalCatchBinding",
+      "privateIn",
+      "importAssertions"
+    ],
+  });
+}
+
+async function obfuscate(source, userOptions = {}) {
+  const options = normalizeOptions(userOptions);
+  const ast = parseSource(source, options.filename);
+
+  const pipeline = buildPipeline({
+    t,
+    traverse,
+    options,
+  });
+
+  for (const plugin of pipeline) {
+    plugin(ast);
+  }
+
+  const output = generate(
+    ast,
+    {
+      compact: options.compact,
+      sourceMaps: options.sourceMap,
+      sourceFileName: options.filename,
+      retainLines: false,
+      comments: false,
+    },
+    source
+  );
+
+  const ecma = Number.isFinite(options.ecma) ? options.ecma : 2015;
+  const minifyOptions = {
+    ecma,
+    compress: {
+      defaults: true,
+      ecma,
+    },
+    mangle: true,
+    format: { comments: false, ecma },
+  };
+  if (options.sourceMap) {
+    minifyOptions.sourceMap = { content: output.map, asObject: true };
+  }
+
+  const minified = await minify(output.code, minifyOptions);
+  if (minified && minified.error) {
+    throw minified.error;
+  }
+
+  let map = null;
+  if (options.sourceMap) {
+    if (typeof minified.map === "string") {
+      try {
+        map = JSON.parse(minified.map);
+      } catch {
+        map = null;
+      }
+    } else {
+      map = minified.map || null;
+    }
+  }
+
+  return {
+    code: minified.code || "",
+    map,
+  };
+}
+
+module.exports = {
+  obfuscate,
+  parseSource,
+};

package/src/options.js

@@ -0,0 +1,128 @@
+const { DEFAULT_RESERVED } = require("./utils/reserved");
+
+const DEFAULT_ECMA = 2015;
+
+function normalizeEcma(value) {
+  if (value === undefined || value === null || value === "") {
+    return DEFAULT_ECMA;
+  }
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return value;
+  }
+  const text = String(value).trim().toLowerCase();
+  if (!text) {
+    return DEFAULT_ECMA;
+  }
+  const normalized = text.startsWith("es") ? text.slice(2) : text;
+  const parsed = Number(normalized);
+  if (Number.isFinite(parsed)) {
+    return parsed;
+  }
+  return DEFAULT_ECMA;
+}
+
+const PRESETS = {
+  high: {
+    rename: true,
+    strings: true,
+    cff: true,
+    dead: true,
+    vm: false,
+  },
+  balanced: {
+    rename: true,
+    strings: true,
+    cff: true,
+    dead: false,
+    vm: false,
+  },
+  low: {
+    rename: true,
+    strings: false,
+    cff: false,
+    dead: false,
+    vm: false,
+  },
+};
+
+function normalizeOptions(userOptions = {}) {
+  const presetName = userOptions.preset || "high";
+  const preset = PRESETS[presetName] || PRESETS.high;
+  const stringsUserOptions = userOptions.stringsOptions || {};
+  const antiHookUserOptions = userOptions.antiHook;
+  const ecma = normalizeEcma(userOptions.ecma);
+
+  const options = {
+    preset: presetName,
+    rename: userOptions.rename ?? preset.rename,
+    strings: userOptions.strings ?? preset.strings,
+    cff: userOptions.cff ?? preset.cff,
+    dead: userOptions.dead ?? preset.dead,
+    vm: userOptions.vm || { enabled: preset.vm },
+    seed: userOptions.seed || "js-obf",
+    filename: userOptions.filename || "input.js",
+    sourceMap: Boolean(userOptions.sourceMap),
+    compact: Boolean(userOptions.compact),
+    ecma,
+    stringsOptions: {
+      minLength: stringsUserOptions.minLength ?? 3,
+      maxCount: stringsUserOptions.maxCount ?? 5000,
+      encodeConsole: stringsUserOptions.encodeConsole !== false,
+    },
+    renameOptions: {
+      reserved: userOptions.reserved || DEFAULT_RESERVED,
+      renameGlobals: userOptions.renameGlobals ?? false,
+    },
+    deadCodeOptions: {
+      probability: 0.15,
+    },
+    cffOptions: {
+      minStatements: 3,
+    },
+    antiHook: {
+      enabled: false,
+      lock: false,
+    },
+  };
+
+  if (typeof antiHookUserOptions === "boolean") {
+    options.antiHook.enabled = antiHookUserOptions;
+  } else if (antiHookUserOptions && typeof antiHookUserOptions === "object") {
+    options.antiHook.enabled = antiHookUserOptions.enabled !== false;
+    options.antiHook.lock = Boolean(antiHookUserOptions.lock);
+  }
+
+  if (typeof options.vm === "boolean") {
+    options.vm = { enabled: options.vm };
+  }
+  const vmOptions = options.vm || {};
+  let fakeOpcodes = vmOptions.fakeOpcodes;
+  if (fakeOpcodes === undefined || fakeOpcodes === true) {
+    fakeOpcodes = 0.15;
+  } else if (fakeOpcodes === false) {
+    fakeOpcodes = 0;
+  } else {
+    fakeOpcodes = Number(fakeOpcodes);
+    if (Number.isNaN(fakeOpcodes)) {
+      fakeOpcodes = 0.15;
+    }
+  }
+  fakeOpcodes = Math.max(0, Math.min(1, fakeOpcodes));
+  options.vm = {
+    enabled: Boolean(vmOptions.enabled),
+    include: vmOptions.include || [],
+    all: Boolean(vmOptions.all),
+    opcodeShuffle: vmOptions.opcodeShuffle !== false,
+    fakeOpcodes,
+    bytecodeEncrypt: vmOptions.bytecodeEncrypt !== false,
+    constsEncrypt: vmOptions.constsEncrypt !== false,
+    downlevel: Boolean(vmOptions.downlevel),
+  };
+
+  return options;
+}
+
+module.exports = {
+  normalizeOptions,
+  PRESETS,
+};

package/src/pipeline.js

@@ -0,0 +1,56 @@
+const { RNG } = require("./utils/rng");
+const { NameGenerator } = require("./utils/names");
+const entryPlugin = require("./plugins/entry");
+const renamePlugin = require("./plugins/rename");
+const stringPlugin = require("./plugins/stringEncode");
+const memberEncodePlugin = require("./plugins/encodeMembers");
+const cffPlugin = require("./plugins/controlFlowFlatten");
+const deadPlugin = require("./plugins/deadCode");
+const antiHookPlugin = require("./plugins/antiHook");
+const vmPlugin = require("./plugins/vm");
+
+function buildPipeline({ t, traverse, options }) {
+  const rng = new RNG(options.seed);
+  const nameGen = new NameGenerator({
+    reserved: options.renameOptions.reserved,
+    rng,
+  });
+
+  const ctx = {
+    t,
+    traverse,
+    options,
+    rng,
+    nameGen,
+    state: {},
+  };
+
+  const plugins = [];
+
+  plugins.push((ast) => entryPlugin(ast, ctx));
+  if (options.vm.enabled) {
+    plugins.push((ast) => vmPlugin(ast, ctx));
+  }
+  if (options.cff) {
+    plugins.push((ast) => cffPlugin(ast, ctx));
+  }
+  if (options.strings) {
+    plugins.push((ast) => memberEncodePlugin(ast, ctx));
+    plugins.push((ast) => stringPlugin(ast, ctx));
+  }
+  if (options.dead) {
+    plugins.push((ast) => deadPlugin(ast, ctx));
+  }
+  if (options.antiHook && options.antiHook.enabled) {
+    plugins.push((ast) => antiHookPlugin(ast, ctx));
+  }
+  if (options.rename) {
+    plugins.push((ast) => renamePlugin(ast, ctx));
+  }
+
+  return plugins;
+}
+
+module.exports = {
+  buildPipeline,
+};

package/src/plugins/antiHook.js

@@ -0,0 +1,123 @@
+const parser = require("@babel/parser");
+
+function insertAtTop(programPath, nodes) {
+  const body = programPath.node.body;
+  let index = 0;
+  while (index < body.length) {
+    const stmt = body[index];
+    if (stmt.type === "ExpressionStatement" && stmt.directive) {
+      index += 1;
+      continue;
+    }
+    break;
+  }
+  body.splice(index, 0, ...nodes);
+}
+
+function buildRuntime({ lock }) {
+  const code = `
+(function () {
+  const g = typeof globalThis !== "undefined"
+    ? globalThis
+    : typeof window !== "undefined"
+      ? window
+      : typeof global !== "undefined"
+        ? global
+        : this;
+  const nativeMark = "[native code]";
+  const fnToString =
+    g.Function && g.Function.prototype && g.Function.prototype.toString;
+  const isNative = (fn) => {
+    if (typeof fn !== "function" || !fnToString) {
+      return false;
+    }
+    try {
+      return fnToString.call(fn).indexOf(nativeMark) !== -1;
+    } catch (err) {
+      return false;
+    }
+  };
+  const checkAll = () => {
+    const required = [
+      g.Function,
+      g.eval,
+      g.Object && g.Object.defineProperty,
+      g.Object && g.Object.getOwnPropertyDescriptor,
+      g.Function && g.Function.prototype && g.Function.prototype.toString,
+    ];
+    for (let i = 0; i < required.length; i += 1) {
+      const fn = required[i];
+      if (!isNative(fn)) {
+        return false;
+      }
+    }
+    const optional = [
+      g.Object && g.Object.getPrototypeOf,
+      g.Object && g.Object.keys,
+      g.Object && g.Object.freeze,
+      g.JSON && g.JSON.parse,
+      g.JSON && g.JSON.stringify,
+      g.Math && g.Math.random,
+      g.Date,
+      g.Date && g.Date.now,
+      g.Reflect && g.Reflect.apply,
+      g.Reflect && g.Reflect.construct,
+    ];
+    for (let i = 0; i < optional.length; i += 1) {
+      const fn = optional[i];
+      if (typeof fn !== "function") {
+        continue;
+      }
+      if (!isNative(fn)) {
+        return false;
+      }
+    }
+    return true;
+  };
+  if (!checkAll()) {
+    throw new Error("Hook detected");
+  }
+  if (${lock ? "true" : "false"}) {
+    const freeze = g.Object && g.Object.freeze;
+    if (typeof freeze === "function") {
+      const lockProto = (obj) => {
+        try {
+          if (obj) {
+            freeze(obj);
+          }
+        } catch (err) {}
+      };
+      lockProto(g.Function && g.Function.prototype);
+      lockProto(g.Object && g.Object.prototype);
+      lockProto(g.Array && g.Array.prototype);
+      lockProto(g.String && g.String.prototype);
+      lockProto(g.Number && g.Number.prototype);
+      lockProto(g.Boolean && g.Boolean.prototype);
+      lockProto(g.Date && g.Date.prototype);
+      lockProto(g.RegExp && g.RegExp.prototype);
+      lockProto(g.Error && g.Error.prototype);
+    }
+  }
+})();
+`;
+  return parser.parse(code, { sourceType: "script" }).program.body;
+}
+
+function antiHook(ast, ctx) {
+  if (!ctx.options.antiHook || !ctx.options.antiHook.enabled) {
+    return;
+  }
+  let programPathRef = null;
+  ctx.traverse(ast, {
+    Program(path) {
+      programPathRef = path;
+    },
+  });
+  if (!programPathRef) {
+    return;
+  }
+  const runtime = buildRuntime({ lock: ctx.options.antiHook.lock });
+  insertAtTop(programPathRef, runtime);
+}
+
+module.exports = antiHook;