4

7.8k Star!一个强大的 JS 代码混淆工具

 2 years ago
source link: https://segmentfault.com/a/1190000040930890
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

7.8k Star!一个强大的 JS 代码混淆工具

发布于 11 月 9 日

【导语】:一个开源的代码混淆器,能将 JS 代码混淆成可读性低的代码。

JavaScript Obfuscator 是一款功能强大的免费 JavaScript 混淆器,包含多种功能,能将代码混淆成可读性低的代码,看上去是难以阅读的代码,其实具备和之前代码一样的功能,从而起到保护代码的作用。

function hi() {
  console.log("Hello World!");
}
hi();

混淆后代码:

function _0x5737(){var _0x3de046=['13797910djQtgr','202NzEpzv','2273TLhUKk','6976590XeTkcs','4633335tPFIvf','460SzVdaa','1260225mbbZER','49056QtXjli','1736NJoeHX','42116DYgHBM'];_0x5737=function(){return _0x3de046;};return _0x5737();}function _0x5e71(_0x1e04fb,_0x168fdd){var _0x57378a=_0x5737();return _0x5e71=function(_0x5e7194,_0x30106f){_0x5e7194=_0x5e7194-0xb6;var _0x3c5c20=_0x57378a[_0x5e7194];return _0x3c5c20;},_0x5e71(_0x1e04fb,_0x168fdd);}(function(_0x41d572,_0x45db5e){var _0x306ede=_0x5e71,_0x408f15=_0x41d572();while(!![]){try{var _0x4c3c37=-parseInt(_0x306ede(0xbb))/0x1*(parseInt(_0x306ede(0xba))/0x2)+-parseInt(_0x306ede(0xbd))/0x3+parseInt(_0x306ede(0xb8))/0x4*(parseInt(_0x306ede(0xbe))/0x5)+-parseInt(_0x306ede(0xbc))/0x6+-parseInt(_0x306ede(0xb6))/0x7*(-parseInt(_0x306ede(0xb7))/0x8)+-parseInt(_0x306ede(0xbf))/0x9+parseInt(_0x306ede(0xb9))/0xa;if(_0x4c3c37===_0x45db5e)break;else _0x408f15['push'](_0x408f15['shift']());}catch(_0x8596b2){_0x408f15['push'](_0x408f15['shift']());}}}(_0x5737,0xc1743));function hi(){console['log']('Hello\x20World!');}hi();

主要特点:

  • 变量重命名
  • 字符串提取和加密
  • 随机添加无用代码进行混淆
  • 控制流扁平化
  • 各种代码转换 ...

支持的插件:

  • Webpack 插件: webpack-obfuscator
  • Webpack loader: obfuscator-loader
  • Gulp: gulp-javascript-obfuscator
  • Grunt: grunt-contrib-obfuscator
  • Rollup: rollup-plugin-javascript-obfuscator
  • Weex: weex-devtool
  • Malta: malta-js-obfuscator
  • Netlify 插件: netlify-plugin-js-obfuscator

项目地址是:

https://github.com/javascript...

使用 Yarn 或 Npm 安装

// yarn 安装
$ yarn add --dev javascript-obfuscator
// npm 安装
$ npm install --save-dev javascript-obfuscator

CDN 引入

<script src="https://cdn.jsdelivr.net/npm/javascript-obfuscator/dist/index.browser.js"></script>
var JavaScriptObfuscator = require('javascript-obfuscator');

var obfuscationResult = JavaScriptObfuscator.obfuscate(
    `
        (function(){
            var variable1 = '5' - 3;
            var variable2 = '5' + 3;
            var variable3 = '5' + - '2';
            var variable4 = ['10','10','10','10','10'].map(parseInt);
            var variable5 = 'foo ' + 1 + 1;
            console.log(variable1);
            console.log(variable2);
            console.log(variable3);
            console.log(variable4);
            console.log(variable5);
        })();
    `,
    {
        compact: false,
        controlFlowFlattening: true,
        controlFlowFlatteningThreshold: 1,
        numbersToExpressions: true,
        simplify: true,
        stringArrayShuffle: true,
        splitStrings: true,
        stringArrayThreshold: 1
    }
);

console.log(obfuscationResult.getObfuscatedCode());

输出结果:

var _0x9947 = [
    'map',
    'log',
    'foo\x20',
    'bvmqO',
    '133039ViRMWR',
    'xPfLC',
    'ytpdx',
    '1243717qSZCyh',
    '2|7|4|6|9|',
    '1ErtbCr',
    '1608314VKvthn',
    '1ZRaFKN',
    'XBoAA',
    '423266kQOYHV',
    '3|0|5|8|1',
    '235064xPNdKe',
    '13RUDZfG',
    '157gNPQGm',
    '1639212MvnHZL',
    'rDjOa',
    'iBHph',
    '9926iRHoRl',
    'split'
];
function _0x33e4(_0x1809b5, _0x37ef6e) {
    return _0x33e4 = function (_0x338a69, _0x39ad79) {
        _0x338a69 = _0x338a69 - (0x1939 + -0xf * 0x1f3 + 0x1 * 0x469);
        var _0x2b223a = _0x9947[_0x338a69];
        return _0x2b223a;
    }, _0x33e4(_0x1809b5, _0x37ef6e);
}
(function (_0x431d87, _0x156c7f) {
    var _0x10cf6e = _0x33e4;
    while (!![]) {
        try {
            var _0x330ad1 = -parseInt(_0x10cf6e(0x6c)) * -parseInt(_0x10cf6e(0x6d)) + -parseInt(_0x10cf6e(0x74)) * -parseInt(_0x10cf6e(0x78)) + parseInt(_0x10cf6e(0x6a)) + -parseInt(_0x10cf6e(0x70)) + parseInt(_0x10cf6e(0x6e)) * -parseInt(_0x10cf6e(0x75)) + parseInt(_0x10cf6e(0x72)) + -parseInt(_0x10cf6e(0x67)) * parseInt(_0x10cf6e(0x73));
            if (_0x330ad1 === _0x156c7f)
                break;
            else
                _0x431d87['push'](_0x431d87['shift']());
        } catch (_0x9f878) {
            _0x431d87['push'](_0x431d87['shift']());
        }
    }
}(_0x9947, -0xb6270 + 0x4dfd2 * 0x2 + 0x75460 * 0x2), function () {
    var _0x1f346d = _0x33e4, _0x860db8 = {
            'ytpdx': _0x1f346d(0x6b) + _0x1f346d(0x71),
            'bvmqO': function (_0x560787, _0x519b9e) {
                return _0x560787 - _0x519b9e;
            },
            'rDjOa': function (_0x4501fe, _0x2b07a3) {
                return _0x4501fe + _0x2b07a3;
            },
            'xPfLC': function (_0x5f3c9b, _0x434936) {
                return _0x5f3c9b + _0x434936;
            },
            'XBoAA': function (_0x535b8a, _0x42eef4) {
                return _0x535b8a + _0x42eef4;
            },
            'iBHph': _0x1f346d(0x65)
        }, _0x346c55 = _0x860db8[_0x1f346d(0x69)][_0x1f346d(0x79)]('|'), _0x3bf817 = 0x4bb * 0x1 + 0x801 + -0xcbc;
    while (!![]) {
        switch (_0x346c55[_0x3bf817++]) {
        case '0':
            console[_0x1f346d(0x7b)](_0x4c96d8);
            continue;
        case '1':
            console[_0x1f346d(0x7b)](_0x101028);
            continue;
        case '2':
            var _0x65977d = _0x860db8[_0x1f346d(0x66)]('5', -0x586 + -0x2195 + -0x6 * -0x685);
            continue;
        case '3':
            console[_0x1f346d(0x7b)](_0x65977d);
            continue;
        case '4':
            var _0x56d39b = _0x860db8[_0x1f346d(0x76)]('5', -'2');
            continue;
        case '5':
            console[_0x1f346d(0x7b)](_0x56d39b);
            continue;
        case '6':
            var _0x544285 = [
                '10',
                '10',
                '10',
                '10',
                '10'
            ][_0x1f346d(0x7a)](parseInt);
            continue;
        case '7':
            var _0x4c96d8 = _0x860db8[_0x1f346d(0x68)]('5', 0x622 * -0x6 + 0x4a * 0x3 + 0x1 * 0x23f1);
            continue;
        case '8':
            console[_0x1f346d(0x7b)](_0x544285);
            continue;
        case '9':
            var _0x101028 = _0x860db8[_0x1f346d(0x6f)](_0x860db8[_0x1f346d(0x6f)](_0x860db8[_0x1f346d(0x77)], 0x6fb * 0x5 + 0x1ebf * 0x1 + -0x41a5), 0x209 * 0xa + 0x1314 + -0x276d);
            continue;
        }
        break;
    }
}());

obfuscate(sourceCode, options) 方法

该方法返回的对象 ObfuscationResult 包含以下公共方法:

  • getObfuscatedCode()- 返回混淆后的代码字符串(对 ObfuscationResult 对象调用 toString() 方法也将返回混淆代码);
  • getSourceMap()- 如果 sourceMapMode 选项设置为 inline,则返回原代码或空字符串;
  • getIdentifierNamesCache()- 如果 identifierNamesCache 选项为启用,则返回带有标识符名称的缓存对象,否则返回 null。

该方法包含两个参数:

  • sourceCode(string, default:null) – 字符串原代码;
  • options(Object, default:null) – 可选的设置选项 options 对象,具体有:
{
    compact: true,
    controlFlowFlattening: false,
    controlFlowFlatteningThreshold: 0.75,
    deadCodeInjection: false,
    deadCodeInjectionThreshold: 0.4,
    debugProtection: false,
    debugProtectionInterval: false,
    disableConsoleOutput: false,
    domainLock: [],
    domainLockRedirectUrl: 'about:blank',
    forceTransformStrings: [],
    identifierNamesCache: null,
    identifierNamesGenerator: 'hexadecimal',
    identifiersDictionary: [],
    identifiersPrefix: '',
    ignoreRequireImports: false,
    inputFileName: '',
    log: false,
    numbersToExpressions: false,
    optionsPreset: 'default',
    renameGlobals: false,
    renameProperties: false,
    renamePropertiesMode: 'safe',
    reservedNames: [],
    reservedStrings: [],
    seed: 0,
    selfDefending: false,
    simplify: true,
    sourceMap: false,
    sourceMapBaseUrl: '',
    sourceMapFileName: '',
    sourceMapMode: 'separate',
    sourceMapSourcesMode: 'sources-content',
    splitStrings: false,
    splitStringsChunkLength: 10,
    stringArray: true,
    stringArrayIndexesType: [
        'hexadecimal-number'
    ],
    stringArrayEncoding: [],
    stringArrayIndexShift: true,
    stringArrayRotate: true,
    stringArrayShuffle: true,
    stringArrayWrappersCount: 1,
    stringArrayWrappersChainedCalls: true,
    stringArrayWrappersParametersMaxCount: 2,
    stringArrayWrappersType: 'variable',
    stringArrayThreshold: 0.75,
    target: 'browser',
    transformObjectKeys: false,
    unicodeEscapeSequence: false
}

obfuscateMultiple(sourceCodesObject, options) 方法

sourceCodesObject 是字典键值对象,其中键是源代码的标识符,值是原代码:

{
    foo: 'var foo = 1;',
    bar: 'var bar = 2;'
}

该方法也返回一个字典键值对象,其键是原代码的标识符,值是 ObfuscationResult对象。

命令行使用

混淆单个文件

带有 .js 扩展名的单个文件的混淆:

javascript-obfuscator input_file_name.js [options]
javascript-obfuscator input_file_name.js --output output_file_name.js [options]
javascript-obfuscator input_file_name.js --output output_folder_name [options]
javascript-obfuscator input_folder_name --output output_folder_name [options]

如果没有使用 --output 指定输出路径,则混淆后的结果文件将存放到输入文件的目录中:

// 这会创建一个新文件 samples/sample-obfuscated.js
javascript-obfuscator samples/sample.js --compact true --self-defending false

// 这会创建一个新文件 output/output.js
javascript-obfuscator samples/sample.js --output output/output.js --compact true --self-defending false

递归混淆目录下的文件

混淆输入目录下的所有 .js 文件。如果目录中包含已经带有 -obfuscated 后缀的混淆文件,则忽略这些文件。

// 输出结果到 ./dist 同级目录下带有 obfuscated 后缀的目录中
javascript-obfuscator ./dist [options]

// 输出结果到 ./dist/obfuscated 目录中
javascript-obfuscator ./dist --output ./dist/obfuscated [options]
// creates a folder structure with obfuscated files under `./dist/obfuscated` path

开源前哨 日常分享热门、有趣和实用的开源项目。参与维护 10万+ Star 的开源技术资源库,包括:Python、Java、C/C++、Go、JS、CSS、Node.js、PHP、.NET 等。


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK