search

MichaelXF / js-confuser

JS-Confuser is a JavaScript obfuscation tool to make your programs *impossible* to read.
https://js-confuser.com
MIT License
230 stars 34 forks source link

With statement obfuscation #136

Open MichaelXF opened 2 months ago

MichaelXF commented 2 months ago

The with statement is able to obfuscate variable names, that could be very difficult for AST analyzers to understand. You can also do weird things with proxies.

const namespace = new Proxy(
  {},
  {
    has(target, key) {
      // Avoid trapping global properties like `console`
      if (key in globalThis) {
        return false;
      }
      // Trap all property lookups
      return true;
    },
    get(target, key) {
      return key;
    },
  }
);

with (namespace) {
  console.log(a, b, c); // "a" "b" "c"
}

Unfortunately, the with statement is deprecated, however it will most likely be supported for a very long time and every browser still supports it. You also lose various optimizations as variables cannot be assumed anymore.

doctor8296 commented 2 months ago

With that, I think, we can pretty much do the gloablConcealing

doctor8296 commented 2 months ago

Something like that I guess

let root = {};
eval("root=this");
const _Object = {}.constructor;
const globalDescriptors = _Object.getOwnPropertyDescriptors(root);
for (const globalName in globalDescriptors) {
  const descriptor = globalDescriptors[globalName];
  globalDescriptors[globalName] = {
    ...descriptor,
    ...("set" in descriptor
      ? {
          set(value) {
            root[globalName] = value;
          },
        }
      : {}),
    ...("get" in descriptor
      ? {
          get() {
            return root[globalName];
          },
        }
      : {}),
  };
}

const rootLike = _Object.defineProperties({}, globalDescriptors);

(() => {
  with (rootLike) {
    console.log(Function);
  }
}).call(rootLike);

image