js-confuser icon indicating copy to clipboard operation
js-confuser copied to clipboard

Published 20 hours ago verified publisher icon MichaelXF

"Invalid use of ++ operator" when combined with Terser

Open Thyme904 opened this issue 11 months ago • 14 comments

Describe the bug:

When minifying the output of js-confuser with terser, sometimes (about one time out of two) terser minification (more precisely the parsing step) will fail with the error "Invalid use of ++ operator".

This happens only since 2.0, so we've downgraded to 1.x in the meantime.

Any idea of what could be causing this?

Config and Small code sample

Config:

{
  target: "browser",
  preset: "low"
}

Code:

// Basic usage of Terser
await minify(output.code, {
    ecma: 2015,
});

Thyme904 avatar Dec 10 '24 02:12 Thyme904

Do not change obfuscated code!

doctor8296 avatar Dec 10 '24 02:12 doctor8296

@doctor8296 Can you explain why?

And isn't js-confuser expected to output valid JS that can be interpreted by a JS parser? (including Terser's parser)

Thyme904 avatar Dec 10 '24 02:12 Thyme904

@Thyme904 you shouldn't do it because obfuscator uses different techniques to prevent any further code modification. It is in fact returns a valid JS code, but after changing it's structure some, probably, string generative code breaks and gives you a SyntaxError.

doctor8296 avatar Dec 10 '24 02:12 doctor8296

@doctor8296 The first part makes sense, but it seems that the above error happens before Terser outputs code, at parsing time. So there might still be something to investigate here

Thyme904 avatar Dec 10 '24 03:12 Thyme904

@Thyme904 if code is valid - then it is only Terser issue.

doctor8296 avatar Dec 10 '24 03:12 doctor8296

@doctor8296 It's hard for me to check whether the js-confuser code is valid. It might be working and break only on rarely used parts of the code. Also it was working smoothly on 1.x and breaks since 2.x, that looks like a regression.

Thyme904 avatar Dec 10 '24 03:12 Thyme904

@Thyme904 if it is a SyntaxError then the code should break just on evaluation. If it is not - it is valid.

doctor8296 avatar Dec 10 '24 03:12 doctor8296

@doctor8296 All good so! Will try with 2.x without Terser. Thanks

Thyme904 avatar Dec 10 '24 03:12 Thyme904

@doctor8296 Oh but does js-confuser outputs ES5 code? We were mainly using Terser to ensure that

Thyme904 avatar Dec 10 '24 03:12 Thyme904

@Thyme904 I think I saw option for that

doctor8296 avatar Dec 10 '24 03:12 doctor8296

@doctor8296 Can't manage to find it, do you remember where you saw it?

Thyme904 avatar Dec 10 '24 03:12 Thyme904

ES5 support was discontinued in 2.0. @babel/preset-env can transpile code to ES5 by targeting NodeJS 5.9.

Changing the obfuscated code isn't recommended, as you may accidentally trigger Locks or break the program.

What would really help is the full Terser error stack

MichaelXF avatar Dec 10 '24 03:12 MichaelXF

@MichaelXF I see thanks. We are running js-confuser on Cloudflare Worker (edge runtime) not sure babel can run there. What's the target of the default output?

As for the Terser error stack, I don't have it anymore, but as far as I remember there weren't a lot to learn from, just that the error was raised by their JS parser code.

Thyme904 avatar Dec 10 '24 16:12 Thyme904

What's the target of the default output?

This really depends on what code you pass into the obfuscator, it will handle all the newest syntaxes (thanks to Babel). The lowest version possible would be around NodeJS 14.

MichaelXF avatar Dec 11 '24 23:12 MichaelXF