search

MichaelXF / js-confuser

JS-Confuser is a JavaScript obfuscation tool to make your programs *impossible* to read.
https://js-confuser.com
MIT License
168 stars 28 forks source link

implement number concealment #94

Closed Le0Developer closed 8 months ago

Le0Developer commented 1 year ago

Implements #93.

Example:

// before
let r = 100;
let pi = 3.14;
console.log(Math.pow(r, 2) * pi);

// after
let r = (0x4a1 ^ 0x4c5);
let pi = 31400e-4;
console['log'](Math['pow'](r, (-0x396c + 0x396e)) * pi);
Le0Developer commented 1 year ago

After implementing https://github.com/MichaelXF/js-confuser/issues/93#issuecomment-1596073599, I get the following output:

let r = ([0xe2f][-""] - {s: 0xdcb}.s);
let pi = {v: 314e-2}.v;
console['log'](Math['pow'](r, {r: ([0x5675][+[]] - [0x5673][+""])}.r) * pi);

Did not implement type coercion because it depends on the other expression, could do +"1337" though. IE(M)F also not implemented because I'm not sure how to switch between arrow functions and function syntax.

fuzzbuck commented 1 year ago

Perhaps number concealment can use the already built-in calculator transform during runtime?

Le0Developer commented 1 year ago

Perhaps number concealment can use the already built-in calculator transform during runtime?

@fuzzbuck number concealment is done in the finalizer, its basically the very last step. This means it runs on every single number. Even those introduced by any of the transformations (eg calculator itself) If number concealment used the calculator, we'd have a circular dependency.

fuzzbuck commented 12 months ago

Perhaps number concealment can use the already built-in calculator transform during runtime?

@fuzzbuck number concealment is done in the finalizer, its basically the very last step. This means it runs on every single number. Even those introduced by any of the transformations (eg calculator itself) If number concealment used the calculator, we'd have a circular dependency.

Hmm, perhaps in such case we can add another transform called runtimeNumberConcealment which runs before renameVariables?

This way, we can locate the calculator functions and exclude them.

MichaelXF commented 12 months ago

@fuzzbuck is correct. The transformation needs to use the proper AST nodes and ideally be it's own transformation! This way parenthesis can be properly handled. I appreciate your efforts but please do not submit PRs without approval!

Le0Developer commented 12 months ago

This is just a Proof-of-Concept to evaluate the effectiveness of some ideas.

but please do not submit PRs without approval

Just don't merge it?

MichaelXF commented 12 months ago

Oh okay. No worries then

Le0Developer commented 8 months ago

Continued in #114