MichaelXF / js-confuser

JS-Confuser is a JavaScript obfuscation tool to make your programs *impossible* to read.
https://js-confuser.com
MIT License

Better way of counter measures #147

Open doctor8296 opened 3 weeks ago

doctor8296 commented 3 weeks ago

In your current implementation, you're using an infinite loop, such as `while (true)` or `for(;;)0`, to halt script execution. While this approach works, it quickly reveals the source of the blockage when using standard debugging tools or breakpoints, and for an experienced developer it will be pretty easy to prevent or cancel this.


However, I've discovered a more advanced and less detectable method by leveraging an immediately invoked asynchronous function, like this:

```js
(async function f() { f(), f() })();
```

(it just gets stuck)

What's remarkable is that, when using this method, it becomes extremely difficult to trace where the execution is getting stuck, as debugging tools—at least in Chromium and Firefox—fail to provide any clear indication. Additionally, by embedding a redirect inside this function, such as `window.location.href = "https://example.com/script-is-blocked";`, the behavior becomes even harder to track or bypass.

It's important to note that the function must be asynchronous for this technique to work effectively.
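Why the async form keeps running where a plain recursive function would stop, as an added example that is not part of the original thread or of js-confuser: `LIMIT` is a constructed stand-in for the engine's call-stack depth, and the `.catch(noop)` handlers exist only to keep the demo quiet.

```javascript
// Added illustration: LIMIT is a constructed stand-in for the engine's
// call-stack depth so that the call tree stays small enough to finish.
const LIMIT = 10;
const noop = () => {};

// Plain function: the first overflow unwinds every frame and stops the run.
function countSync() {
  let calls = 0;
  function f(depth) {
    calls++;
    if (depth >= LIMIT) throw new RangeError("simulated stack overflow");
    f(depth + 1), f(depth + 1);
  }
  let error = null;
  try { f(0); } catch (e) { error = e; }
  return { calls, stopped: error instanceof RangeError };
}

// Async function: the body still runs synchronously (there is no await), but
// a throw becomes a rejected promise instead of unwinding into the caller,
// so every caller goes on to make its second call.
function countAsync() {
  let calls = 0;
  async function f(depth) {
    calls++;
    if (depth >= LIMIT) throw new RangeError("simulated stack overflow");
    // .catch(noop) only silences unhandled-rejection reports in this demo.
    f(depth + 1).catch(noop), f(depth + 1).catch(noop);
  }
  f(0).catch(noop);
  return { calls };
}

console.log(countSync());
console.log(countAsync());
```

With `LIMIT = 10` the plain function stops after 11 calls, while the async one makes 2047 (2^(LIMIT+1) - 1). At a real engine's stack depth that call tree does not finish in any practical time.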

MichaelXF commented 3 days ago

Great find, will add this for 2.0

MichaelXF commented 3 days ago

NodeJS reveals a trace when trying this

doctor8296 commented 3 days ago

@MichaelXF this is interesting behaviour. We probably have to research how different JavaScript engines react to that. But in most cases I am talking about browsers. For Node you can try adding more functions inside, if that helps.

doctor8296 commented 2 days ago

@MichaelXF It seems you cannot trick Node.js with such a construction. However, you can come up with an analog for Node.js:

```js
(async function f() { setTimeout(f); setTimeout(f); })()
```

I like this approach less since it uses redefinable constructions such as `setTimeout`.

Also, the main point was to trick and confuse browser debuggers, so I have no idea whether it will be of any use for Node.