diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6bb2352bf..9f85a9b02 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,9 +2,9 @@ name: JavaScript Obfuscator CI on: push: - branches: [master] + branches: [master, release-**] pull_request: - branches: [master] + branches: [master, release-**] schedule: - cron: '0 1 * * *' @@ -44,9 +44,23 @@ jobs: key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} - run: yarn install - run: yarn run build + - run: yarn run test:mocha-coverage - run: yarn run test:mocha-coverage:report - name: Coveralls - uses: coverallsapp/github-action@master + uses: coverallsapp/github-action@v2 with: github-token: ${{ secrets.GITHUB_TOKEN }} - path-to-lcov: './coverage/lcov.info' \ No newline at end of file + path-to-lcov: './coverage/lcov.info' + parallel: true + flag-name: node-${{ matrix.node-version }}-${{ matrix.os }} + + coveralls-finish: + needs: build + if: always() + runs-on: ubuntu-latest + steps: + - name: Coveralls Finished + uses: coverallsapp/github-action@v2 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + parallel-finished: true \ No newline at end of file diff --git a/.gitignore b/.gitignore index cfe4fd231..ac8242982 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ npm-debug.log /test/benchmark/**/** *dockerfile /test*.js +/reproductions diff --git a/.npmignore b/.npmignore index e7fb7148d..2157c5a98 100644 --- a/.npmignore +++ b/.npmignore @@ -12,3 +12,4 @@ /test*.js index.ts index.cli.ts +/reproductions \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index f7f00f9e9..839cef024 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,60 @@ Change Log +v5.4.2 +--- +* Fixed obfuscated code hanging in Bun when `selfDefending` is enabled. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1404 + +v5.4.1 +--- +* Fixed `Utils.nodeRequire` causing `ReferenceError: require is not defined` in browser build by making it lazy-evaluated +* Fixed missing space between keywords (`return`, `throw`, `typeof`) and Unicode surrogate pair identifiers in compact mode. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1112 +* Fixed `domainLock` being case-sensitive — domain values are now normalized to lowercase. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1182 +* Removed `source-map-support` runtime dependency. Use `node --enable-source-maps` instead. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1149 + +v5.4.0 +--- +* Add support for `import attributes`. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1256 +* Add `renameProperties` support for private class fields and methods (`#foo`, `#bar()`). Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1220 +* Fixed `reservedNames` not preserving class method and property names when `stringArray` or `deadCodeInjection` is enabled. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1279 +* Fixed infinite loop / stack overflow when `reservedNames` patterns match all generated identifier names. Now throws a descriptive error instead. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1382 +* Fixed `transformObjectKeys` changing evaluation order when object expression is inside a sequence expression with preceding side effects (e.g. `return aux(ys), { min }`). Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1246 +* Fixed destructuring patterns inside class static blocks not being renamed when `renameGlobals` is disabled. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1141 +* Fixed CLI `--options-preset` not applying preset values for options not explicitly set via command line (e.g. `splitStrings` from `high-obfuscation` preset was ignored). Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1236 +* Replaced `mkdirp` dependency with native `fs.mkdirSync({ recursive: true })`. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1275. Thank you https://github.com/roli-lpci! +* Updated reserved DOM properties list, fixing `renameProperties` breaking modern built-in methods like `Array.prototype.at()`. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1066 +* Replaced `conf` dependency with custom implementation using `env-paths` and native `fs` + +v5.3.1 +--- +* Fixed class expression name references inside class body being incorrectly resolved to an import binding with the same name, causing broken code at runtime. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1386 + +v5.3.0 +--- +* Add Pro API support to CLI +* Add large files upload support to Pro API + +v5.2.1 +--- +* Fixed `transformObjectKeys` incorrectly hoisting object literal outside of loop when loop body is a single statement without braces, causing all iterations to share the same object reference. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1300 +* Fixed parsing error when `await` is used as an identifier in non-async context. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1127 +* Fixed `deadCodeInjection` causing SyntaxError when `arguments` from collected block statements was injected into class field initializers or static initialization blocks. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1166 +* Fixed `transformObjectKeys` with `mangled` identifier generator causing variable shadowing when extracted object variable name matched an existing inner scope variable. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1232 + +v5.2.0 +--- +* Skip obfuscation of `process.env.*` +* Fixed `controlFlowFlattening` breaking short-circuit evaluation with spread operator and conditional objects. Fixes https://github.com/javascript-obfuscator/javascript-obfuscator/issues/1372 +* Fix Annex B function hoisting: block-scoped function declarations are now correctly linked to references outside the block in non-strict mode +* Fixed `NodeUtils.cloneRecursive` corrupting `range` property when cloning AST nodes, causing scope analysis to incorrectly resolve destructuring default parameter references + +v5.1.0 +--- +* Add `version` parameter to the `apiConfig` to use different versions JavaScript Obfuscator Pro via API + +v5.0.1 +--- +* Add JavaScript Obfuscator PRO advertisement message + v5.0.0 --- * Add JavaScript Obfuscator PRO support via calling its API diff --git a/CLAUDE.md b/CLAUDE.md index e55ec6c9c..0074f22d0 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -4,8 +4,8 @@ **JavaScript Obfuscator** is a powerful, enterprise-grade code obfuscation tool for JavaScript and Node.js applications. It transforms readable JavaScript code into a protected, difficult-to-understand format while maintaining full functionality. The project is widely used for protecting intellectual property and preventing reverse engineering. -- **Version**: 4.1.1 -- **Author**: Timofey Kachalov (@sanex3339) +- **Version**: 5.0.0 +- **Author**: Timofei Kachalov (@sanex3339) - **License**: BSD-2-Clause - **Repository**: https://github.com/javascript-obfuscator/javascript-obfuscator - **Homepage**: https://obfuscator.io/ @@ -42,7 +42,7 @@ - **Parser**: Acorn 8.8.2 (ES3-ES2020 support) - **Code Generator**: @javascript-obfuscator/escodegen 2.3.0 - **AST Traversal**: @javascript-obfuscator/estraverse 5.4.0 -- **DI Framework**: InversifyJS 6.0.1 +- **DI Framework**: InversifyJS 7.10.8 - **Testing**: Mocha 10.4.0 + Chai 4.3.7 - **Build System**: Webpack 5.75.0 @@ -210,7 +210,7 @@ The obfuscation process follows a multi-stage pipeline defined in `JavaScriptObf ### Dependency Injection Architecture -The project uses **InversifyJS** for dependency injection, providing: +The project uses **InversifyJS v7** for dependency injection, providing: - **Modularity**: Clean separation of concerns - **Testability**: Easy mocking and testing @@ -219,6 +219,13 @@ The project uses **InversifyJS** for dependency injection, providing: All components are registered in container modules located in `src/container/modules/`. +**Key Changes in InversifyJS v7:** +- Container modules now use `ContainerModuleLoadOptions` instead of separate `bind`, `unbind`, etc. parameters +- `getNamed`, `getTagged`, etc. are replaced by `get(serviceId, { name: ... })` or `get(serviceId, { tag: ... })` +- `load()` and `unload()` are now async, with `loadSync()` and `unloadSync()` alternatives for synchronous operations +- Types like `Context`, `Newable`, `Factory` are now directly exported instead of through `interfaces` namespace +- Custom metadata and middleware features have been removed + ## Key Components Deep Dive ### 1. JavaScriptObfuscator (Main Engine) @@ -1423,14 +1430,13 @@ Use [grunt-contrib-obfuscator](https://github.com/javascript-obfuscator/grunt-co - **GitHub Issues**: Bug reports and feature requests - **GitHub Discussions**: Questions and general discussion -- **OpenCollective**: Financial support and sponsorship - **GitHub Sponsors**: Direct sponsorship ## License **BSD-2-Clause License** -Copyright (C) 2016-2024 Timofey Kachalov +Copyright (C) 2016-2026 Timofei Kachalov See `LICENSE.BSD` for full license text. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index c2a51b853..14aa477fa 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -34,7 +34,7 @@ This Code of Conduct applies both within project spaces and in public spaces whe ## Enforcement -Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at sanex3339@yandex.ru. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at support@obfuscator.io. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. diff --git a/README.md b/README.md index 04313a8a5..3cd0786d4 100644 --- a/README.md +++ b/README.md @@ -1,23 +1,63 @@ -#### You can support this project by donating: -* (Github) https://github.com/sponsors/sanex3339 -* (OpenCollective) https://opencollective.com/javascript-obfuscator - -Huge thanks to all supporters! - # JavaScript obfuscator ![logo](https://raw.githubusercontent.com/javascript-obfuscator/javascript-obfuscator/master/images/logo.png) +--- + +### Do you use JavaScript Obfuscator at your company? + +JavaScript Obfuscator has reached over **1 million npm downloads per week**. I am currently preparing an **EB-1 immigration case** and collecting independent evidence of the project’s real-world professional usage and impact. + +If you use JavaScript Obfuscator in a company project — especially at a well-known company, large organization, or widely used product — I would be very grateful if you could contact me. + +Helpful evidence may include a brief confirmation or, ideally, a 1–2 page reference letter describing: + +- how your team or company used JavaScript Obfuscator; +- why you chose it; +- what problem it helped solve; +- whether it was used in production or an important internal workflow; +- your role and how you are familiar with the usage. + +I can provide a simple draft/template to make this easy. + +Please contact me at: **referenceletter@obfuscator.io** + +Thank you for supporting the project. + +--- + +### :rocket: Obfuscator.io with VM Obfuscation + +**Obfuscator.io** adds **VM-based bytecode obfuscation** to this package - your JavaScript functions are compiled to custom bytecode that runs on an embedded virtual machine. Each build produces unique opcodes and VM structure, making reverse engineering and automated deobfuscation dramatically harder. + +| Protection goal | Free (this package) | [obfuscator.io](https://obfuscator.io) | +| --- |-----------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Rename identifiers | ✅ variable/function renaming | ✅ + VM-local symbols never exposed as JavaScript | +| Obscure strings | ✅ string array + base64/rc4 | ✅ + strings embedded in bytecode constants | +| Obscure control flow | ✅ control flow flattening | ✅ full bytecode virtualization, [`vmJumpsEncoding`](#vmjumpsencoding) (runtime-computed jump targets), [`vmDeadCodeInjection`](#vmdeadcodeinjection) (fake bytecode sequences) | +| Resist decompilation | ⚠️ output is still JavaScript | ✅ custom opcodes, [`vmStatefulOpcodes`](#vmstatefulopcodes) (position-dependent opcode mapping), [`vmMacroOps`](#vmmacroops) (fused instructions), [`vmDecoyOpcodes`](#vmdecoyopcodes) (fake opcode handlers) | +| Resist automated LLM-based analysis | ❌ fully vulnerable (no LLM-specific defenses) | ✅ bytecode encryption + anti-LLM defenses in [`vmSelfDefending`](#vmselfdefending) and [`vmDebugProtection`](#vmdebugProtection) | +| Encryption | ✅ [`stringArrayEncoding`](#stringarrayencoding) (base64/rc4 on extracted strings) | ✅ [`vmBytecodeEncoding`](#vmbytecodeencoding) (per-instruction encoding), [`vmBytecodeArrayEncoding`](#vmbytecodeArrayEncoding) (whole bytecode array as single block) | +| Anti-debugging | ✅ `debugProtection` (freezes browser DevTools) | ✅ [`vmDebugProtection`](#vmdebugProtection) (multi-layered anti-debugging and anti-analysis defenses) | +| Tamper detection | ✅ `selfDefending` (breaks if beautified) | ✅ [`vmSelfDefending`](#vmselfdefending) (multi-layered tamper detection, anti-hooking, anti-reverse-engineering protection) | +| Runs offline, no network | ✅ | ❌ uses obfuscator.io API (requires token) | + +[Visit Obfuscator.io](https://obfuscator.io) · [Pro API methods](#shield-pro-api-methods-vm-obfuscation) + +This package provides access to Obfuscator.io API via CLI and Node.js API. + +--- + JavaScript Obfuscator is a powerful free obfuscator for JavaScript, containing a variety of features which provide protection for your source code. **Key features:** -- VM obfuscation (via [JavaScript Obfuscator Pro](https://obfuscator.io/)) +- VM bytecode obfuscation (via [Obfuscator.io](https://obfuscator.io/)) - variables renaming - strings extraction and encryption - dead code injection @@ -40,6 +80,7 @@ The example of obfuscated code: [github.com](https://github.com/javascript-obfus * Malta: [malta-js-obfuscator](https://github.com/fedeghe/malta-js-obfuscator) * Netlify plugin: [netlify-plugin-js-obfuscator](https://www.npmjs.com/package/netlify-plugin-js-obfuscator) * Snowpack plugin: [snowpack-javascript-obfuscator](https://www.npmjs.com/package/snowpack-javascript-obfuscator) +* Vite plugin: [vite-plugin-bundle-obfuscator](https://github.com/z0ffy/vite-plugin-bundle-obfuscator) [![npm version](https://badge.fury.io/js/javascript-obfuscator.svg)](https://badge.fury.io/js/javascript-obfuscator) [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fjavascript-obfuscator%2Fjavascript-obfuscator.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fjavascript-obfuscator%2Fjavascript-obfuscator?ref=badge_shield) @@ -291,7 +332,6 @@ const result = await JavaScriptObfuscator.obfuscatePro( `function hello() { console.log("Hello World"); }`, { vmObfuscation: true, // Required! - vmObfuscationThreshold: 1, compact: true }, { @@ -305,19 +345,37 @@ console.log(result.getObfuscatedCode()); **Parameters:** * `sourceCode` (`string`) – source code to obfuscate -* `options` (`Object`) – obfuscation options. **Must include `vmObfuscation: true`** +* `options` (`Object`) – obfuscation options. **Must include at least one Pro feature: `vmObfuscation: true` or `parseHtml: true`** * `apiConfig` (`Object`) – Pro API configuration: * `apiToken` (`string`, required) – your API token from obfuscator.io * `timeout` (`number`, optional) – request timeout in ms (default: `300000` - 5 minutes) + * `version` (`string`, optional) – Obfuscator.io version to use (e.g., `'5.0.3'`). Defaults to latest version if not specified. * `onProgress` (`function`, optional) – callback for progress updates during obfuscation **Returns:** `Promise` **Throws:** `ApiError` if: -- `vmObfuscation` is not enabled in options +- No Pro features (`vmObfuscation` or `parseHtml`) are enabled in options - API token is invalid or expired - API request fails +### Pro API with Specific Version + +You can specify which obfuscator version to use via the `version` option: + +```javascript +const result = await JavaScriptObfuscator.obfuscatePro( + sourceCode, + { + vmObfuscation: true + }, + { + apiToken: 'your_javascript_obfuscator_pro_api_token', + version: '5.0.3' // Use specific version + } +); +``` + ### Pro API with Progress Updates The API uses streaming mode to provide real-time progress updates during obfuscation: @@ -326,8 +384,7 @@ The API uses streaming mode to provide real-time progress updates during obfusca const result = await JavaScriptObfuscator.obfuscatePro( sourceCode, { - vmObfuscation: true, - vmObfuscationThreshold: 1 + vmObfuscation: true }, { apiToken: 'your_javascript_obfuscator_pro_api_token' @@ -339,6 +396,28 @@ const result = await JavaScriptObfuscator.obfuscatePro( ); ``` +### Checking for Pro Features + +Use `ProApiClient.hasProFeatures()` to check if options require the Pro API: + +```javascript +const { ProApiClient } = require('javascript-obfuscator'); + +const options = { vmObfuscation: true, compact: true }; + +if (ProApiClient.hasProFeatures(options)) { + // Use obfuscatePro() - requires API token + const result = await JavaScriptObfuscator.obfuscatePro(sourceCode, options, { apiToken }); +} else { + // Use regular obfuscate() - no API token needed + const result = JavaScriptObfuscator.obfuscate(sourceCode, options); +} +``` + +Pro features include: +- `vmObfuscation: true` – VM-based bytecode obfuscation +- `parseHtml: true` – HTML parsing with inline JavaScript obfuscation + ### Error Handling ```javascript @@ -355,6 +434,36 @@ try { } ``` +### CLI Usage with Pro API + +You can also use Pro API features directly from the CLI by providing your API token: + +```sh +javascript-obfuscator input.js --pro-api-token YOUR_API_TOKEN --vm-obfuscation true -o output.js +``` + +With a specific obfuscator version: + +```sh +javascript-obfuscator input.js --pro-api-token YOUR_API_TOKEN --pro-api-version 5.0.3 --vm-obfuscation true -o output.js +``` + +**CLI Options:** +- `--pro-api-token ` – Your API token from [obfuscator.io](https://obfuscator.io) +- `--pro-api-version ` – Obfuscator.io version to use (optional, defaults to latest) + +The CLI automatically detects when Pro features (`vmObfuscation` or `parseHtml`) are enabled and routes the request through the Pro API. + +### Large File Uploads + +For files larger than ~4MB, the Pro API uses client-side uploads to Vercel Blob storage. To enable this feature, install the optional `@vercel/blob` package: + +```sh +npm install @vercel/blob +``` + +Without this package, large file obfuscation will fail with an error message prompting you to install it. + --- ## CLI usage @@ -434,6 +543,8 @@ When using CLI this prefix will be added automatically. ## JavaScript Obfuscator Options +> :shield: **Looking for VM obfuscation?** Options like `vmObfuscation`, `parseHtml`, and every `vm*` option are Pro-only and require an API token from [obfuscator.io](https://obfuscator.io). Use them via the [`obfuscatePro()`](#shield-pro-api-methods-vm-obfuscation) method, or the `--pro-api-token` CLI flag — see [Pro API Methods](#shield-pro-api-methods-vm-obfuscation). + Following options are available for the JS Obfuscator: #### options: @@ -555,6 +666,37 @@ Following options are available for the JS Obfuscator: --target [browser, browser-no-eval, node] --transform-object-keys --unicode-escape-sequence + --pro-api-token + --pro-api-version + --vm-obfuscation + --vm-obfuscation-threshold + --vm-preprocess-identifiers + --vm-dynamic-opcodes + --vm-target-functions '' (comma separated) + --vm-exclude-functions '' (comma separated) + --vm-target-functions-mode [root, comment] + --vm-wrap-top-level-initializers + --vm-opcode-shuffle + --vm-bytecode-encoding + --vm-bytecode-array-encoding + --vm-bytecode-array-encoding-key + --vm-bytecode-array-encoding-key-getter + --vm-instruction-shuffle + --vm-jumps-encoding + --vm-decoy-opcodes + --vm-dead-code-injection + --vm-split-dispatcher + --vm-macro-ops + --vm-debug-protection + --vm-runtime-opcode-derivation + --vm-stateful-opcodes + --vm-stack-encoding + --vm-randomize-keys + --vm-indirect-dispatch + --vm-compact-dispatcher + --vm-bytecode-format [binary, json] + --parse-html + --strict-mode ``` @@ -1738,110 +1880,319 @@ The performance will be at a relatively normal level -## JavaScript Obfuscator Pro VM options +## Obfuscator.io Pro Options + +> :warning: **The following VM obfuscation/Pro options are available only via the [Obfuscator.io Pro API](https://obfuscator.io/).** +> +> To use these options, you need a Pro API token from [obfuscator.io](https://obfuscator.io) and must call the `obfuscatePro()` method instead of `obfuscate()`. See the [Pro API Methods](#shield-pro-api-methods-vm-obfuscation) section for details. ### `vmObfuscation` Type: `boolean` Default: `false` Enables VM-based bytecode obfuscation. When enabled, JavaScript functions are compiled into custom bytecode that runs on an embedded virtual machine. This provides the highest level of protection as the original code logic is completely transformed. -**Warning:** This significantly increases code size and may impact performance. Use `vmObfuscationThreshold` to control which root-level functions are transformed. - -### `vmObfuscationThreshold` -Type: `number` Default: `1` - -The probability (from 0 to 1) that a function will be transformed to VM bytecode when `vmObfuscation` is enabled. - -- `0` - no functions will be transformed -- `0.5` - 50% of functions will be transformed -- `1` - all functions will be transformed +**Example:** +Your readable code like `return qty * price` becomes a list of numbers like `[0x15,0x03,0x17,...]` that only the embedded VM interpreter can execute. The original logic is no longer visible as JavaScript. ### `vmTargetFunctions` Type: `string[]` Default: `[]` -Array of root-level function names to target for VM obfuscation. When specified, only these functions will be transformed (subject to `vmObfuscationThreshold`). Empty array means all functions are candidates. +Specify exactly which root-level functions should get VM protection by name. + +**Example:** +```javascript +{ + vmObfuscation: true, + vmTargetFunctions: ['someFunctionName'] +} +``` + +**Result:** Only these three functions get VM-protected. Everything else stays as regular (but still obfuscated) JavaScript. Perfect for protecting sensitive license checks or authentication logic while keeping the rest of your code lean. ### `vmExcludeFunctions` Type: `string[]` Default: `[]` -Array of root-level function names to exclude from VM obfuscation. These functions will never be transformed regardless of other settings. +Specify root-level functions that should never get VM protection. Takes precedence over other settings. + +**Example:** +```javascript +{ + vmObfuscation: true, + vmExcludeFunctions: ['someFunctionName'] +} +``` + +**When to use:** Performance-critical root-level functions (animation loops, real-time data processing) can be excluded to avoid VM overhead while still protecting everything else. + +### `vmTargetFunctionsMode` +Type: `string` Default: `root` -### `vmOpcodeShuffle` +Controls how functions/methods are selected for VM obfuscation. + +| Mode | Description | +|------|------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `root` | Default behavior. Only root-level functions are considered for VM obfuscation. Uses `vmTargetFunctions` allow-list and `vmExcludeFunctions` deny-list to filter. | +| `comment` | Only functions/methods decorated with `/* javascript-obfuscator:vm */` comment are VM-obfuscated. Works with functions/methods at **any nesting level**. | + +**Example - Comment mode:** +```javascript +// Source code +function regularFunction() { + return 'not virtualized'; +} + +/* javascript-obfuscator:vm */ +function sensitiveFunction() { + return 'this will be VM-protected'; +} + +function outer() { + /* javascript-obfuscator:vm */ + function nestedSensitive() { + return 'nested but still VM-protected'; + } + return nestedSensitive(); +} +``` + +```javascript +// Obfuscator options +{ + vmObfuscation: true, + vmTargetFunctionsMode: 'comment' +} +``` + +**When to use:** When you need surgical control over exactly which functions get VM protection, especially nested functions that contain sensitive logic. Unlike `vmTargetFunctions` which only works with root-level named functions, comment mode lets you protect any function anywhere in your code. + +### `vmWrapTopLevelInitializers` Type: `boolean` Default: `false` -Randomizes the opcode mapping for each obfuscation run. Makes static analysis more difficult as opcode meanings change between builds. +Wraps some top-level variable initializers in IIFEs (Immediately Invoked Function Expressions) so they can be VM-obfuscated. + +**What it does:** +Without this option, top-level constants and variables remain visible in the output: +```javascript +// Input +const MY_STRING = "my-string"; + +// Output (without vmWrapTopLevelInitializers) +const MY_STRING = "my-string"; // String is visible! +``` + +With this option enabled, the initializer is wrapped in an IIFE that gets VM-obfuscated: +```javascript +// Input +const MY_STRING = "my-string"; + +// Output (with vmWrapTopLevelInitializers: true) +const MY_STRING = (() => { return /* VM bytecode call */ })(); // String hidden in bytecode +``` + +**Note:** This option only works when `vmTargetFunctionsMode` is `'root'` (the default). + +### `vmDynamicOpcodes` +Type: `boolean` Default: `false` + +Makes the VM interpreter smaller and unique for each build. + +**What it does:** +1. **Filters unused instructions** - If your code doesn't use classes, class-related instructions are removed entirely +2. **Randomizes structure** - The order of instruction handlers is shuffled each build + +As the result - smaller output and each build looks different. ### `vmBytecodeEncoding` Type: `boolean` Default: `false` -Encodes the bytecode instructions using XOR encryption. The decoding key is derived at runtime, adding another layer of protection. +Encodes each bytecode instruction. Instructions are decoded one at a time during execution. ### `vmBytecodeArrayEncoding` Type: `boolean` Default: `false` -Applies additional encoding to the bytecode array, making it harder to identify bytecode patterns through static analysis. +Encodes the entire bytecode array as a single block. The array is decoded once at startup before execution begins. Use together with `vmBytecodeEncoding` for two layers of protection. + +### `vmBytecodeArrayEncodingKey` +Type: `string` Default: `''` + +Custom encryption key for bytecode array encoding. When set, this key is used instead of the default environment-derived key. The key must be provided at runtime via `vmBytecodeArrayEncodingKeyGetter`. + +This option externalizes the encryption key - it's not embedded in the obfuscated code itself. While the key is still accessible at runtime (and thus not truly secret), this separation prevents static analysis tools from finding the key by examining the code alone. + +**Important:** The key must be available **synchronously** when the obfuscated code loads. Use synchronous storage like cookies, localStorage, sessionStorage, global variables, or DOM elements (e.g., server-injected meta tags). Async methods like `fetch()` cannot be used directly in the key getter expression. + +### `vmBytecodeArrayEncodingKeyGetter` +Type: `string` Default: `''` + +**Synchronous** JavaScript expression that **returns** the encryption key at runtime. This expression is evaluated when the obfuscated code loads, and must return the same key that was provided in `vmBytecodeArrayEncodingKey`. + +**The obfuscated code will only work when the key getter returns exactly the same key that was used during obfuscation.** If the keys don't match, decryption will fail and the code will produce garbage or errors. If the key getter returns `undefined`, `null`, or an empty string, the code will throw an error: "VM decryption key not available". + +**Important:** The key should NOT be defined in the same JavaScript file/script as the obfuscated code. Doing so defeats the purpose of key externalization, as static analysis could still find the key. Store the key in a separate source: server-set cookies, localStorage populated by another script, server-injected HTML meta tags, or a global variable set by a different script that loads before the obfuscated code. + +Examples: +```ts +// From cookie +vmBytecodeArrayEncodingKeyGetter: "document.cookie.match(/vmKey=([^;]+)/)?.[1]" + +// From localStorage +vmBytecodeArrayEncodingKeyGetter: "localStorage.getItem('vmKey')" + +// From global variable +vmBytecodeArrayEncodingKeyGetter: "window.__VM_KEY__" + +// From meta tag (server-injected) +vmBytecodeArrayEncodingKeyGetter: "document.querySelector('meta[name=\"vm-key\"]').content" + +// From nested object +vmBytecodeArrayEncodingKeyGetter: "window.config.encryption.key" +``` + +**Usage example:** +```ts +// Build time +JavaScriptObfuscator.obfuscate(code, { + vmObfuscation: true, + vmBytecodeArrayEncoding: true, + vmBytecodeArrayEncodingKey: 'mySecretKey123', + vmBytecodeArrayEncodingKeyGetter: 'window.__VM_KEY__' +}); + +// Runtime - key must be set before obfuscated code runs +window.__VM_KEY__ = 'mySecretKey123'; +``` ### `vmJumpsEncoding` Type: `boolean` Default: `false` -Encodes jump targets and offsets in the bytecode. This obscures control flow and makes it harder to follow program execution. +Encodes jump targets in the bytecode. Jump offsets are calculated at runtime, hiding the control flow structure (`if`/`else`, loops, etc.) from static analysis. ### `vmDecoyOpcodes` Type: `boolean` Default: `false` -Inserts fake opcodes into the dispatcher that are never executed. Increases code complexity and confuses reverse engineering attempts. +Adds fake opcode handlers to the VM dispatcher that are never called. For example, if the VM uses 20 real opcodes, this might add 30 fake handlers, making the interpreter appear more complex than it really is. ### `vmDeadCodeInjection` Type: `boolean` Default: `false` -Injects dead code sequences into the VM bytecode. These sequences are valid but unreachable, adding noise to analysis. - -### `vmSplitDispatcher` -Type: `boolean` Default: `false` - -Splits the VM dispatcher into multiple smaller dispatchers. Makes the execution flow harder to follow. +Injects fake bytecode sequences that are never executed. These look like real instructions but are skipped during runtime, confusing analysis tools that process them. ### `vmMacroOps` Type: `boolean` Default: `false` -Combines common instruction sequences into single macro opcodes. This creates unique instruction patterns that are harder to recognize. +Combines common instruction sequences into single "macro" opcodes. For example, `LOAD + ADD + STORE` might become a single `MACRO_ADD_TO_VAR` instruction. This breaks pattern recognition and can improve performance. ### `vmDebugProtection` Type: `boolean` Default: `false` -Adds anti-debugging measures to the VM runtime. Detects debugger presence and alters behavior when debugging is detected. +Adds multi-layered anti-debugging, anti-analysis, and anti-LLM defenses to the VM runtime. For best results, allow `unsafe-eval` in your Content Security Policy. Works best with `browser`/`browser-no-eval` targets. -### `vmRuntimeOpcodeDerivation` +### `vmSelfDefending` Type: `boolean` Default: `false` -Derives opcode values at runtime through mathematical operations rather than using static values. Makes static analysis significantly harder. +Adds multi-layered tamper detection, anti-hooking, and anti-reverse-engineering protection to the VM runtime. + +> :warning: This option force-enables [`vmBytecodeArrayEncoding`](#vmbytecodeArrayEncoding). + +Strongly recommended to use together with [`vmDebugProtection`](#vmDebugProtection), [`vmBytecodeArrayEncodingKey`](#vmbytecodeArrayEncodingKey), and [`vmBytecodeArrayEncodingKeyGetter`](#vmbytecodeArrayEncodingKeyGetter). ### `vmStatefulOpcodes` Type: `boolean` Default: `false` -Makes opcode interpretation depend on VM state. The same opcode can have different meanings based on execution history. +Makes opcode meanings depend on position in the bytecode. Each position has a different opcode-to-handler mapping derived from a seed, so the same opcode number performs different operations at different positions. ### `vmStackEncoding` Type: `boolean` Default: `false` -Encodes values pushed to and popped from the VM stack. Adds protection against memory inspection during execution. +Encrypts values on the VM stack during execution. Values are encoded when pushed and decoded when popped, so memory inspection shows encrypted data instead of actual values. -### `vmRandomizeKeys` +This option heavily affects performance. + +### `vmCompactDispatcher` Type: `boolean` Default: `false` -Randomizes encryption keys and other constants used by the VM. Each build produces unique key values. +Uses a single VM executor instead of dual executors (sync + generator). Reduces obfuscated code size but adds ~20% performance overhead on recursion-heavy code. + +- `false` (default): dual executors — optimal performance, larger output +- `true`: single executor — smaller output, slightly slower -### `vmIndirectDispatch` +### `vmStringArrayBytecodeOnly` Type: `boolean` Default: `false` -Uses indirect function calls for opcode dispatch instead of direct switch/case. Makes control flow analysis more difficult. +When enabled, the string array will **only** extract strings from bytecode data — no other strings in the code are transformed. This force-enables `stringArray` even if it's not explicitly set. -### `vmBytecodeFormat` -Type: `string` Default: `binary` +**Why use this:** Extracting all VM runtime strings to a string array is slow. This option targets only bytecode content for string array extraction, improving performance while still protecting bytecode constants. -Specifies the format used to embed bytecode in the output: -- `binary` - Compact binary representation (smaller size) -- `json` - JSON format (easier debugging, larger size) +- When `vmBytecodeArrayEncoding: false` — strings inside bytecode constant pools (`c` arrays) are extracted +- When `vmBytecodeArrayEncoding: true` — top-level base64 encoded bytecode strings are extracted +- `stringArrayThreshold` still controls what percentage of those bytecode strings are extracted + + +### `strictMode` +Type: `boolean | null` Default: `null` + +Allows to specify how the obfuscator should treat code regarding JavaScript strict mode. + +Available values: +* `null` (default) - auto-detect strict mode from the code. If the code has explicit `'use strict'` directive, ES module syntax, or class methods, it's treated as strict mode. Otherwise, sloppy mode is assumed. +* `true` - force strict mode treatment for all code, even without explicit `'use strict'` directive. Use this when your code will run in strict mode context (e.g., in ES modules, bundlers, or modern frameworks). +* `false` - only explicit strict mode indicators (`'use strict'`, ES modules, class methods) are treated as strict. Parent scope inheritance still applies per JS spec. + +### `parseHtml` +Type: `boolean` Default: `false` + +Enables obfuscation of JavaScript within HTML ` + + + + +`; + +JavaScriptObfuscator.obfuscate(html, { + parseHtml: true, + stringArray: true +}); + +// output: HTML with only the marked script obfuscated +``` ## Frequently Asked Questions @@ -1936,7 +2287,7 @@ Become a sponsor and get your logo on our README on Github with a link to your s ## License [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fjavascript-obfuscator%2Fjavascript-obfuscator.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fjavascript-obfuscator%2Fjavascript-obfuscator?ref=badge_large) -Copyright (C) 2016-2024 [Timofey Kachalov](http://github.com/sanex3339). +Copyright (C) 2016-2026 [Timofei Kachalov](http://github.com/sanex3339). Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/bin/javascript-obfuscator b/bin/javascript-obfuscator index 0946b4521..144f7b8ad 100755 --- a/bin/javascript-obfuscator +++ b/bin/javascript-obfuscator @@ -1,3 +1,6 @@ #!/usr/bin/env node -require('../dist/index.cli').obfuscate(process.argv); \ No newline at end of file +require('../dist/index.cli').obfuscate(process.argv).catch((error) => { + console.error(error.message); + process.exit(1); +}); \ No newline at end of file diff --git a/package.json b/package.json index 197ba0f58..0612d2257 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "javascript-obfuscator", - "version": "5.0.0", + "version": "5.4.2", "description": "JavaScript obfuscator", "keywords": [ "obfuscator", @@ -21,26 +21,26 @@ }, "types": "typings/index.d.ts", "dependencies": { - "@javascript-obfuscator/escodegen": "2.3.1", + "@javascript-obfuscator/escodegen": "2.4.1", "@javascript-obfuscator/estraverse": "5.4.0", + "@vercel/blob": ">=0.23.0", "acorn": "8.15.0", + "acorn-import-attributes": "^1.9.5", "assert": "2.1.0", "chalk": "4.1.2", "chance": "1.1.13", "class-validator": "0.14.3", "commander": "12.1.0", + "env-paths": "4.0.0", "eslint-scope": "8.4.0", "eslint-visitor-keys": "4.2.1", "fast-deep-equal": "3.1.3", - "inversify": "6.1.4", + "inversify": "7.11.0", "js-string-escape": "1.0.1", "md5": "2.3.0", - "mkdirp": "3.0.1", "multimatch": "5.0.0", - "opencollective-postinstall": "2.0.3", "process": "0.11.10", "reflect-metadata": "0.2.2", - "source-map-support": "0.5.21", "string-template": "1.0.0", "stringz": "2.1.0", "tslib": "2.8.1" @@ -57,7 +57,6 @@ "@types/js-beautify": "1.14.3", "@types/js-string-escape": "1.0.3", "@types/md5": "2.3.6", - "@types/mkdirp": "1.0.2", "@types/mocha": "10.0.10", "@types/multimatch": "4.0.0", "@types/node": "22.10.2", @@ -85,11 +84,13 @@ "js-beautify": "1.15.4", "mocha": "11.7.4", "nyc": "17.1.0", + "parse5": "^8.0.0", "pjson": "1.0.9", "prettier": "3.6.2", "rimraf": "6.0.1", "sinon": "19.0.2", "source-map-resolve": "0.6.0", + "source-map-support": "0.5.21", "terser": "5.44.0", "threads": "1.7.0", "ts-loader": "9.5.4", @@ -124,25 +125,14 @@ "prettier:check": "prettier --check \"src/**/*.ts\" \"test/**/*.ts\"", "format": "yarn run prettier && yarn run eslint --fix", "git:addFiles": "git add .", - "postinstall": "opencollective-postinstall", "precommit": "yarn run eslint", "prepublishOnly": "yarn run build && yarn run build:typings", "prepare": "husky install" }, "author": { - "name": "Timofey Kachalov" + "name": "Timofei Kachalov" }, - "contributors": [ - "Timofey Kachalov (https://github.com/sanex3339)", - "Dmitry Zamotkin (https://github.com/zamotkin)" - ], + "contributors": ["Timofei Kachalov (https://github.com/sanex3339)", "Dmitry Zamotkin (https://github.com/zamotkin)"], "license": "BSD-2-Clause", - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/javascript-obfuscator" - }, - "collective": { - "url": "https://opencollective.com/javascript-obfuscator" - }, "packageManager": "yarn@1.22.21+sha512.ca75da26c00327d26267ce33536e5790f18ebd53266796fbb664d2a4a5116308042dd8ee7003b276a20eace7d3c5561c3577bdd71bcb67071187af124779620a" } diff --git a/src/ASTParserFacade.ts b/src/ASTParserFacade.ts index 796f2ad8b..ade6007c4 100644 --- a/src/ASTParserFacade.ts +++ b/src/ASTParserFacade.ts @@ -1,6 +1,9 @@ import * as acorn from 'acorn'; import * as ESTree from 'estree'; import chalk, { Chalk } from 'chalk'; +import { importAttributesOrAssertions } from 'acorn-import-attributes'; + +const AcornParser = acorn.Parser.extend(importAttributesOrAssertions); /** * Facade over AST parser `acorn` @@ -58,12 +61,16 @@ export class ASTParserFacade { const comments: ESTree.Comment[] = []; const config: acorn.Options = { ...inputConfig, - allowAwaitOutsideFunction: true, + allowAwaitOutsideFunction: false, + allowReserved: true, + allowImportExportEverywhere: true, + allowReturnOutsideFunction: true, + allowSuperOutsideMethod: true, onComment: comments, sourceType }; - const program: acorn.Node & ESTree.Program = acorn.parse(sourceCode, config); + const program: acorn.Node & ESTree.Program = AcornParser.parse(sourceCode, config); if (comments.length) { program.comments = comments; diff --git a/src/JavaScriptObfuscator.ts b/src/JavaScriptObfuscator.ts index f6f91a5dd..53381b977 100644 --- a/src/JavaScriptObfuscator.ts +++ b/src/JavaScriptObfuscator.ts @@ -28,6 +28,7 @@ import { ecmaVersion } from './constants/EcmaVersion'; import { ASTParserFacade } from './ASTParserFacade'; import { NodeGuards } from './node/NodeGuards'; import { Utils } from './utils/Utils'; +import { AdvertisementUtils } from './utils/AdvertisementUtils'; @injectable() export class JavaScriptObfuscator implements IJavaScriptObfuscator { @@ -157,6 +158,11 @@ export class JavaScriptObfuscator implements IJavaScriptObfuscator { * @returns {IObfuscationResult} */ public obfuscate(sourceCode: string): IObfuscationResult { + if (AdvertisementUtils.shouldShowAdvertisement()) { + this.logger.advertise(LoggingMessage.JavaScriptObfuscatorProAdFirstPart); + this.logger.advertise(LoggingMessage.JavaScriptObfuscatorProAdSecondPart); + } + if (typeof sourceCode !== 'string') { sourceCode = ''; } diff --git a/src/JavaScriptObfuscatorCLIFacade.ts b/src/JavaScriptObfuscatorCLIFacade.ts index 09a66604b..075f21be5 100644 --- a/src/JavaScriptObfuscatorCLIFacade.ts +++ b/src/JavaScriptObfuscatorCLIFacade.ts @@ -6,11 +6,12 @@ class JavaScriptObfuscatorCLIFacade { /** * @param {string[]} argv */ - public static obfuscate(argv: string[]): void { + public static async obfuscate(argv: string[]): Promise { const javaScriptObfuscatorCLI: JavaScriptObfuscatorCLI = new JavaScriptObfuscatorCLI(argv); javaScriptObfuscatorCLI.initialize(); - javaScriptObfuscatorCLI.run(); + + return javaScriptObfuscatorCLI.run(); } } diff --git a/src/JavaScriptObfuscatorFacade.ts b/src/JavaScriptObfuscatorFacade.ts index d5128d0ee..91356e7c3 100644 --- a/src/JavaScriptObfuscatorFacade.ts +++ b/src/JavaScriptObfuscatorFacade.ts @@ -11,12 +11,10 @@ import { IInversifyContainerFacade } from './interfaces/container/IInversifyCont import { IJavaScriptObfuscator } from './interfaces/IJavaScriptObfsucator'; import { IObfuscationResult } from './interfaces/source-code/IObfuscationResult'; import { IProApiConfig, IProObfuscationResult, TProApiProgressCallback } from './interfaces/pro-api/IProApiClient'; -import { ApiError } from './pro-api/ApiError'; import { InversifyContainerFacade } from './container/InversifyContainerFacade'; import { Options } from './options/Options'; import { Utils } from './utils/Utils'; -import { ProApiClient } from './pro-api/ProApiClient'; class JavaScriptObfuscatorFacade { /** @@ -94,6 +92,7 @@ class JavaScriptObfuscatorFacade { /** * Obfuscate code using the Pro API (obfuscator.io) * This method requires a valid API token from obfuscator.io and only works with VM obfuscation. + * Only available in Node.js environment. * * @param {string} sourceCode - Source code to obfuscate * @param {TInputOptions} inputOptions - Obfuscation options (must include vmObfuscation: true) @@ -108,13 +107,13 @@ class JavaScriptObfuscatorFacade { proApiConfig: IProApiConfig, onProgress?: TProApiProgressCallback ): Promise { - if (!inputOptions.vmObfuscation) { - throw new ApiError( - 'obfuscatePro method works only with VM obfuscation. Set vmObfuscation: true in options.', - 400 - ); + if (typeof window !== 'undefined') { + const { ApiError } = await import('./pro-api/ApiError'); + + throw new ApiError('obfuscatePro is only available in Node.js environment', 500); } + const { ProApiClient } = await import('./pro-api/ProApiClient'); const client = new ProApiClient(proApiConfig); return client.obfuscate(sourceCode, inputOptions, onProgress); @@ -123,4 +122,4 @@ class JavaScriptObfuscatorFacade { export { JavaScriptObfuscatorFacade as JavaScriptObfuscator }; export { ApiError } from './pro-api/ApiError'; -export type { IProApiConfig, TProApiProgressCallback } from './interfaces/pro-api/IProApiClient'; +export type { IProApiConfig, IProObfuscationResult, TProApiProgressCallback } from './interfaces/pro-api/IProApiClient'; diff --git a/src/analyzers/calls-graph-analyzer/callee-data-extractors/FunctionDeclarationCalleeDataExtractor.ts b/src/analyzers/calls-graph-analyzer/callee-data-extractors/FunctionDeclarationCalleeDataExtractor.ts index 2a3667155..ee5ce750a 100644 --- a/src/analyzers/calls-graph-analyzer/callee-data-extractors/FunctionDeclarationCalleeDataExtractor.ts +++ b/src/analyzers/calls-graph-analyzer/callee-data-extractors/FunctionDeclarationCalleeDataExtractor.ts @@ -1,4 +1,4 @@ -import { injectable } from 'inversify'; +import { injectable, injectFromBase } from 'inversify'; import * as estraverse from '@javascript-obfuscator/estraverse'; import * as ESTree from 'estree'; @@ -9,6 +9,7 @@ import { AbstractCalleeDataExtractor } from './AbstractCalleeDataExtractor'; import { NodeGuards } from '../../../node/NodeGuards'; import { NodeStatementUtils } from '../../../node/NodeStatementUtils'; +@injectFromBase() @injectable() export class FunctionDeclarationCalleeDataExtractor extends AbstractCalleeDataExtractor { /** diff --git a/src/analyzers/calls-graph-analyzer/callee-data-extractors/FunctionExpressionCalleeDataExtractor.ts b/src/analyzers/calls-graph-analyzer/callee-data-extractors/FunctionExpressionCalleeDataExtractor.ts index a24cb5c04..c0b8e0c0d 100644 --- a/src/analyzers/calls-graph-analyzer/callee-data-extractors/FunctionExpressionCalleeDataExtractor.ts +++ b/src/analyzers/calls-graph-analyzer/callee-data-extractors/FunctionExpressionCalleeDataExtractor.ts @@ -1,4 +1,4 @@ -import { injectable } from 'inversify'; +import { injectable, injectFromBase } from 'inversify'; import * as estraverse from '@javascript-obfuscator/estraverse'; import * as ESTree from 'estree'; @@ -9,6 +9,7 @@ import { AbstractCalleeDataExtractor } from './AbstractCalleeDataExtractor'; import { NodeGuards } from '../../../node/NodeGuards'; import { NodeStatementUtils } from '../../../node/NodeStatementUtils'; +@injectFromBase() @injectable() export class FunctionExpressionCalleeDataExtractor extends AbstractCalleeDataExtractor { /** diff --git a/src/analyzers/calls-graph-analyzer/callee-data-extractors/ObjectExpressionCalleeDataExtractor.ts b/src/analyzers/calls-graph-analyzer/callee-data-extractors/ObjectExpressionCalleeDataExtractor.ts index 57e22783e..8f24f7675 100644 --- a/src/analyzers/calls-graph-analyzer/callee-data-extractors/ObjectExpressionCalleeDataExtractor.ts +++ b/src/analyzers/calls-graph-analyzer/callee-data-extractors/ObjectExpressionCalleeDataExtractor.ts @@ -1,4 +1,4 @@ -import { injectable } from 'inversify'; +import { injectable, injectFromBase } from 'inversify'; import * as estraverse from '@javascript-obfuscator/estraverse'; import * as ESTree from 'estree'; @@ -11,6 +11,7 @@ import { AbstractCalleeDataExtractor } from './AbstractCalleeDataExtractor'; import { NodeGuards } from '../../../node/NodeGuards'; import { NodeStatementUtils } from '../../../node/NodeStatementUtils'; +@injectFromBase() @injectable() export class ObjectExpressionCalleeDataExtractor extends AbstractCalleeDataExtractor { /** diff --git a/src/analyzers/scope-analyzer/ScopeAnalyzer.ts b/src/analyzers/scope-analyzer/ScopeAnalyzer.ts index 169e33397..1c001e376 100644 --- a/src/analyzers/scope-analyzer/ScopeAnalyzer.ts +++ b/src/analyzers/scope-analyzer/ScopeAnalyzer.ts @@ -84,6 +84,11 @@ export class ScopeAnalyzer implements IScopeAnalyzer { sourceType: ScopeAnalyzer.sourceTypes[i] }); + // Fix Annex B function hoisting references + // eslint-scope doesn't implement Annex B semantics where function declarations + // in blocks also create a var-hoisted binding in the enclosing function scope + this.fixAnnexBFunctionHoisting(); + return; } catch (error) { if (i < sourceTypeLength - 1) { @@ -117,6 +122,101 @@ export class ScopeAnalyzer implements IScopeAnalyzer { return scope; } + /** + * Fix Annex B function hoisting references. + * + * In non-strict mode, function declarations in blocks have dual binding: + * 1. A block-scoped binding (handled by eslint-scope) + * 2. A var-hoisted binding in the enclosing function scope (NOT handled by eslint-scope) + * + * This method merges block-scoped function declarations into the enclosing + * function scope and links unresolved references. + */ + private fixAnnexBFunctionHoisting(): void { + if (!this.scopeManager) { + return; + } + + this.walkScopes(this.scopeManager.globalScope, (scope: eslintScope.Scope) => { + if (scope.type !== 'block' && scope.type !== 'switch') { + return; + } + + // Skip strict mode scopes - Annex B doesn't apply + if (scope.isStrict) { + return; + } + + const functionScope = scope.variableScope; + + if (!functionScope) { + return; + } + + for (let i = scope.variables.length - 1; i >= 0; i--) { + const variable = scope.variables[i]; + + const isFunctionDeclaration = variable.defs.some( + (def) => def.type === 'FunctionName' && def.node?.type === 'FunctionDeclaration' + ); + + if (!isFunctionDeclaration) { + continue; + } + + // Find existing variable with the same name in function scope (shadowing case) + const outerVariable = functionScope.variables.find((v) => v.name === variable.name && v !== variable); + + // Per Annex B.3.3, hoisting only applies if outer binding is var/function (not let/const) + const isOuterLetOrConst = outerVariable?.defs.some( + (def) => def.type === 'Variable' && (def.parent?.kind === 'let' || def.parent?.kind === 'const') + ); + + // Skip Annex B hoisting if there's a let/const with the same name + if (isOuterLetOrConst) { + continue; + } + + const targetVariable = outerVariable ?? variable; + + if (outerVariable) { + // Merge inner function's identifiers and references into outer + outerVariable.identifiers.push(...variable.identifiers); + outerVariable.references.push(...variable.references); + } else { + // Move variable to function scope so references can find it + functionScope.variables.push(variable); + } + + // Remove from block scope + scope.variables.splice(i, 1); + + // Link "through" references with matching name to the target variable + this.linkThroughReferences(variable.name, functionScope, targetVariable); + } + }); + } + + /** + * Link unresolved "through" references to a variable. + * + * @param {string} name - The variable name to match + * @param {Scope} scope - The scope to start searching from + * @param {Variable} targetVariable - The variable to link references to + */ + private linkThroughReferences(name: string, scope: eslintScope.Scope, targetVariable: eslintScope.Variable): void { + for (let i = scope.through.length - 1; i >= 0; i--) { + if (scope.through[i].identifier.name === name) { + targetVariable.references.push(scope.through[i]); + scope.through.splice(i, 1); + } + } + + for (const childScope of scope.childScopes) { + this.linkThroughReferences(name, childScope, targetVariable); + } + } + /** * @param {Scope} scope */ @@ -138,7 +238,11 @@ export class ScopeAnalyzer implements IScopeAnalyzer { (definition: eslintScope.Definition) => definition.type === 'ClassName' ); - return isValidClassNameVariable && variable.name === classNameVariable.name; + const isImportBinding: boolean = variable.defs.some( + (definition: eslintScope.Definition) => definition.type === 'ImportBinding' + ); + + return isValidClassNameVariable && variable.name === classNameVariable.name && !isImportBinding; } ); @@ -150,4 +254,18 @@ export class ScopeAnalyzer implements IScopeAnalyzer { this.sanitizeScopes(childScope); } } + + /** + * Walk through all scopes in the scope tree + * + * @param {Scope} scope - Starting scope + * @param {Function} callback - Function to call for each scope + */ + private walkScopes(scope: eslintScope.Scope, callback: (scope: eslintScope.Scope) => void): void { + callback(scope); + + for (const childScope of scope.childScopes) { + this.walkScopes(childScope, callback); + } + } } diff --git a/src/cli/JavaScriptObfuscatorCLI.ts b/src/cli/JavaScriptObfuscatorCLI.ts index 9d905accd..95eb5b78d 100644 --- a/src/cli/JavaScriptObfuscatorCLI.ts +++ b/src/cli/JavaScriptObfuscatorCLI.ts @@ -4,10 +4,13 @@ import * as path from 'path'; import { TInputCLIOptions } from '../types/options/TInputCLIOptions'; import { TInputOptions } from '../types/options/TInputOptions'; +import { TOptionsPreset } from '../types/options/TOptionsPreset'; import { IFileData } from '../interfaces/cli/IFileData'; import { IInitializable } from '../interfaces/IInitializable'; import { IObfuscationResult } from '../interfaces/source-code/IObfuscationResult'; +import { ProApiClient } from '../pro-api/ProApiClient'; +import { IProObfuscationResult } from '../interfaces/pro-api/IProApiClient'; import { initializable } from '../decorators/Initializable'; @@ -22,11 +25,10 @@ import { StringArrayEncoding } from '../enums/node-transformers/string-array-tra import { StringArrayIndexesType } from '../enums/node-transformers/string-array-transformers/StringArrayIndexesType'; import { StringArrayWrappersType } from '../enums/node-transformers/string-array-transformers/StringArrayWrappersType'; -import { DEFAULT_PRESET } from '../options/presets/Default'; - import { ArraySanitizer } from './sanitizers/ArraySanitizer'; import { BooleanSanitizer } from './sanitizers/BooleanSanitizer'; +import { Options } from '../options/Options'; import { CLIUtils } from './utils/CLIUtils'; import { IdentifierNamesCacheFileUtils } from './utils/IdentifierNamesCacheFileUtils'; import { JavaScriptObfuscator } from '../JavaScriptObfuscatorFacade'; @@ -34,6 +36,9 @@ import { Logger } from '../logger/Logger'; import { ObfuscatedCodeFileUtils } from './utils/ObfuscatedCodeFileUtils'; import { SourceCodeFileUtils } from './utils/SourceCodeFileUtils'; import { Utils } from '../utils/Utils'; +import { VMTargetFunctionsMode } from '../pro-api/enums/VMTargetFunctionsMode'; +import { VMBytecodeFormat } from '../pro-api/enums/VMBytecodeFormat'; +import { StrictModeSanitizer } from './sanitizers/StrictModeSanitizer'; export class JavaScriptObfuscatorCLI implements IInitializable { /** @@ -107,26 +112,36 @@ export class JavaScriptObfuscatorCLI implements IInitializable { /** * @param {TInputCLIOptions} inputOptions + * @param {commander.Command} command * @returns {TInputOptions} */ - private static buildOptions(inputOptions: TInputCLIOptions): TInputOptions { - const inputCLIOptions: TInputOptions = JavaScriptObfuscatorCLI.filterOptions(inputOptions); + private static buildOptions(inputOptions: TInputCLIOptions, command: commander.Command): TInputOptions { + const inputCLIOptions: TInputOptions = JavaScriptObfuscatorCLI.filterOptions(inputOptions, command); const configFilePath: string | undefined = inputOptions.config; const configFileLocation: string = configFilePath ? path.resolve(configFilePath, '.') : ''; const configFileOptions: TInputOptions = configFileLocation ? CLIUtils.getUserConfig(configFileLocation) : {}; + const presetName: TOptionsPreset = + inputCLIOptions.optionsPreset ?? configFileOptions.optionsPreset ?? OptionsPreset.Default; + const presetOptions: TInputOptions = Options.getOptionsByPreset(presetName); + return { - ...DEFAULT_PRESET, + ...presetOptions, ...configFileOptions, ...inputCLIOptions }; } /** + * Filters out options that were not explicitly set by the user. + * Commander.js sets default values for all options, which would + * override preset values. Only user-provided options should be kept. + * * @param {TObject} options + * @param {commander.Command} command * @returns {TInputOptions} */ - private static filterOptions(options: TInputCLIOptions): TInputOptions { + private static filterOptions(options: TInputCLIOptions, command: commander.Command): TInputOptions { const filteredOptions: TInputOptions = {}; Object.keys(options).forEach((option: keyof TInputCLIOptions) => { @@ -134,6 +149,10 @@ export class JavaScriptObfuscatorCLI implements IInitializable { return; } + if (command.getOptionValueSource(String(option)) === 'default') { + return; + } + filteredOptions[option] = options[option]; }); @@ -147,7 +166,7 @@ export class JavaScriptObfuscatorCLI implements IInitializable { this.configureHelp(); this.inputPath = path.normalize(this.commands.args[0] || ''); - this.inputCLIOptions = JavaScriptObfuscatorCLI.buildOptions(this.commands.opts()); + this.inputCLIOptions = JavaScriptObfuscatorCLI.buildOptions(this.commands.opts(), this.commands); this.sourceCodeFileUtils = new SourceCodeFileUtils(this.inputPath, this.inputCLIOptions); this.obfuscatedCodeFileUtils = new ObfuscatedCodeFileUtils(this.inputPath, this.inputCLIOptions); this.identifierNamesCacheFileUtils = new IdentifierNamesCacheFileUtils( @@ -155,7 +174,7 @@ export class JavaScriptObfuscatorCLI implements IInitializable { ); } - public run(): void { + public async run(): Promise { const canShowHelp: boolean = !this.arguments.length || this.arguments.includes('--help'); if (canShowHelp) { @@ -166,7 +185,7 @@ export class JavaScriptObfuscatorCLI implements IInitializable { const sourceCodeData: IFileData[] = this.sourceCodeFileUtils.readSourceCode(); - this.processSourceCodeData(sourceCodeData); + await this.processSourceCodeData(sourceCodeData); } private configureCommands(): void { @@ -210,7 +229,7 @@ export class JavaScriptObfuscatorCLI implements IInitializable { ) .option( '--domain-lock-redirect-url ', - 'Allows the browser to be redirected to a passed URL if the source code isn\'t run on the domains specified by --domain-lock' + "Allows the browser to be redirected to a passed URL if the source code isn't run on the domains specified by --domain-lock" ) .option( '--exclude (comma separated, without whitespaces)', @@ -390,6 +409,153 @@ export class JavaScriptObfuscatorCLI implements IInitializable { 'Allows to enable/disable string conversion to unicode escape sequence', BooleanSanitizer ) + .option( + '--pro-api-token ', + 'API token for Pro obfuscation via obfuscator.io (enables VM obfuscation via cloud API)' + ) + .option('--pro-api-version ', 'Obfuscator version to use with Pro API (e.g., "5.0.0")') + .option( + '--vm-obfuscation ', + 'Enables VM-based bytecode obfuscation for functions', + BooleanSanitizer + ) + .option( + '--vm-obfuscation-threshold ', + 'The probability that VM obfuscation will be applied to a function (Default: 1, Min: 0, Max: 1)', + parseFloat + ) + .option( + '--vm-preprocess-identifiers ', + 'Preprocesses identifiers before VM transformation (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-dynamic-opcodes ', + 'Dynamically assembles VM dispatcher with shuffled case order and filters unused opcodes based on code analysis', + BooleanSanitizer + ) + .option( + '--vm-target-functions (comma separated, without whitespaces)', + 'List of specific function names to apply VM obfuscation to (comma separated)', + ArraySanitizer + ) + .option( + '--vm-exclude-functions (comma separated, without whitespaces)', + 'List of function names to exclude from VM obfuscation (comma separated)', + ArraySanitizer + ) + .option( + '--vm-target-functions-mode ', + 'Controls how functions are selected for VM obfuscation. ' + + `Values: ${CLIUtils.stringifyOptionAvailableValues(VMTargetFunctionsMode)}. ` + + `Default: ${VMTargetFunctionsMode.Root}` + ) + .option( + '--vm-wrap-top-level-initializers ', + 'Wraps top-level variable initializers in IIFEs so they can be VM-obfuscated (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-opcode-shuffle ', + 'Randomizes the numeric values assigned to each opcode (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-bytecode-encoding ', + 'Enables bytecode encryption with per-function keys (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-bytecode-array-encoding ', + 'Enables encrypted bytecode array with lazy decryption (Default: false)', + BooleanSanitizer + ) + .option('--vm-bytecode-array-encoding-key ', 'Custom static key for bytecode array encoding') + .option( + '--vm-bytecode-array-encoding-key-getter ', + 'Custom key getter function code for bytecode array encoding' + ) + .option( + '--vm-instruction-shuffle ', + 'Shuffles instruction order within basic blocks (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-jumps-encoding ', + 'Enables jump target encoding to prevent CFG reconstruction (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-decoy-opcodes ', + 'Enables insertion of decoy opcodes and dead instructions (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-dead-code-injection ', + 'Enables dead code injection with opaque predicates in bytecode (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-split-dispatcher ', + 'Splits the VM interpreter into multiple category-based dispatchers (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-macro-ops ', + 'Enables macro-op fusion to combine common instruction sequences (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-debug-protection ', + 'Enables anti-debugging measures with state corruption (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-runtime-opcode-derivation ', + 'Enables runtime opcode derivation from seeds instead of static mappings (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-stateful-opcodes ', + 'Enables position-based stateful opcode decoding to prevent pattern matching (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-stack-encoding ', + 'Enables stack value encoding to prevent stack inspection (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-randomize-keys ', + 'Randomizes bytecode property keys to prevent pattern matching (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-indirect-dispatch ', + 'Uses indirect dispatch via handler function table instead of switch statement (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-compact-dispatcher ', + 'Uses a single unified dispatcher for both sync and generator execution, reducing code size (Default: false)', + BooleanSanitizer + ) + .option( + '--vm-bytecode-format ', + 'Sets the bytecode storage format. ' + + `Values: ${CLIUtils.stringifyOptionAvailableValues(VMBytecodeFormat)}. ` + + `Default: ${VMBytecodeFormat.Binary}` + ) + .option( + '--parse-html ', + 'Enables obfuscation of JavaScript within HTML