feat: number concealing

MichaelXF / js-confuser

JS-Confuser is a JavaScript obfuscation tool to make your programs *impossible* to read.

https://js-confuser.com

MIT License

168 stars 28 forks source link

feat: number concealing #93

Open Le0Developer opened 1 year ago

Le0Developer commented 1 year ago

Is your feature request related to a problem? Please describe. Instead of a single "Hexadecimal numbers" option, I'd propose a new option: number concealing.

Number concealing will replace number literals with:

binary or hexadecimal notation (10 will turn into 0b1010 or 0xa)
decimal exponential notation (for floats) (10.1 could turn into 0.101e2)
simple math expressions (10 could turn into 15 - 5)

This option would replace the hexadecimalNumbers option, which is a breaking change.

I am currently working on a PR for this feature.

Le0Developer commented 1 year ago

https://github.com/MichaelXF/js-confuser/blob/30e4043a8b007a002648cb71ae0aef36bb5edf2e/CONTRIBUTING.md?plain=1#L45 That's exactly what squash merge is for :P

MichaelXF commented 1 year ago

Thank you for the contribution but I think this idea is too far. Deobufscators are able to simplify these expressions pretty easily like JSNice, synchrony, webcrack, etc. Decimal exponential notation could be added but again these obfuscations are very weak and just bloat file size.

Le0Developer commented 1 year ago

jsnice, synchrony and webcrack all (partly) fail with the example from the PR:

// jsnice, full fail
let r = 1185 ^ 1221;
let pi = 31400e-4;
console["log"](Math["pow"](r, -14700 + 14702) * pi);

// synchrony, xor fail
let r = 1185 ^ 1221
let pi = 3.14
console.log(Math.pow(r, 2) * pi)

// webcrack, xor fail
let r = 1185 ^ 1221;
let pi = 3.14;
console.log(Math.pow(r, 2) * pi);

If size is an concern, the option could simply be disabled by default.

Le0Developer commented 1 year ago

I've tested more operators:

Operator	JSNice	synchrony	webcrack	deobfuscate.io
`+`	x	√	√	√
`-`	x	√	√	√
`*`	x	√	√	√
`/`	x	√	√	√
`%`	x	x	x	√
`^`	x	x	x	√
`\\|`	x	x	x	√
`&`	x	x	x	√
`<<`	x	x	x	√
`>>`	x	x	x	√

Le0Developer commented 1 year ago

A few more ideas:

abusing type coercion: "10" / 2
immediately-indexed-array: [10][0] / 2
immediately-indexed-object: {a:10}.a / 2
immediately-executed-function: (()=>10)() / 2
immediately-executed-math-function: (a=>5*a)(2) / 2

Current effectiveness: Idea	synchrony	webcrack	deobfuscate.io
ATC	x	x	√
IIA	x	x	x
IIO	x	x	x
IEF	x	x	x
IEMF	x	x	x

MichaelXF commented 1 year ago

These are good ideas, maybe this could be expanded to more types of expressions too

j4k0xb commented 11 months ago

and webcrack all (partly) fail with the example from the PR:

edit: now it supports all operators

https://astexplorer.net/#/gist/63146255fa7fbfbe28cedbf776456aef/d53b2b5d59cd8fb5fafb0cefac5120467fb26736

more challenging are objects, functions, shadowing, multiple references/writes, etc, unless the structure is always the same (e.g. only the numbers and variable name changes in (a=>5*a)(2))