webpack-obfuscator
webpack-obfuscator copied to clipboard
Published
20 hours ago •
javascript-obfuscator
javascript-obfuscator
Nuxtjs support ?
The project init by nuxt CLI
npx create-nuxt-app proj
There are logs of error show.
Exclude vendors.app and commons.app. Do not turn on "Rename globals" nor "Rename properties"
My config:
// nuxt.config.js, build.extend
if (!isDev && isClient && config.plugins) {
config.plugins.push(
new JavascriptObfuscator({
'compact': true,
'identifierNamesGenerator': 'mangled',
'selfDefending': true,
'stringArray': true,
'rotateStringArray': true,
'shuffleStringArray': true,
'stringArrayEncoding': 'rc4',
'stringArrayThreshold': 0.8,
'splitStrings': true,
'splitStringsChunkLength': 6,
'transformObjectKeys': true,
}, [
// Vendor
// Commons
])
);
}
@alza54 do u know how to obfuscate only my code, excluding node_modules and all nuxt js files?
my config, its working
build: {
extend(config, { isDev, isClient }) {
if (!isDev && isClient && config.plugins) {
config.plugins.push(
new JavascriptObfuscator({
rotateUnicodeArray: true, // must be true
compact: true, // Compact Remove newline characters from the output obfuscation code.
controlFlowFlattening: false, // This option greatly affects the performance of a 1.5x speed reduction. Enable code control flow flattening. Control flow flattening is the structural transformation of source code, which hinders program understanding.
controlFlowFlatteningThreshold: 0.8,
deadCodeInjection: true, // This option greatly increases the size of obfuscated code (up to 200%) This feature adds random dead code blocks (ie: code that will not be executed) to the obfuscated output, making it more difficult to reverse engineer.
deadCodeInjectionThreshold: 0.5,
debugProtection: true, // Debugging protection If you open the developer tools, you can freeze your browser.
debugProtectionInterval: true, // If checked, the interval forced debugging mode is used on the "Console" tab, which makes it more difficult to use other functions of "Developer Tools". How does it work? A special code that calls the debugger; inserted repeatedly throughout the obfuscated source code.
disableConsoleOutput: true, // Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes the use of the debugger more difficult.
domainLock: [], // Lock the obfuscated source code so that it only runs on specific domains and / or subdomains. This makes it very difficult for someone to simply copy and paste the source code and run it elsewhere. Multiple domains and subdomains can lock the code to multiple domains or subdomains. For example, to lock it so that the code only runs on www.example.com Add www.example.com so that it runs on any subdomain of example.com, use .example.com.
identifierNamesGenerator: 'hexadecimal', // Use this option to control the obfuscation of identifiers (variable names, function names, etc.).
identifiersPrefix: '', // This option makes all global identifiers have a specific prefix.
inputFileName: '',
log: false,
renameGlobals: false, // Don't start Enable global variable and function name confusion by declaration.
reservedNames: [], // Disable obfuscation and generate identifiers that match the passed RegExp pattern. For example, if you add ^ someName, the obfuscator will ensure that all variables beginning with someName, the function name and function parameters will not be destroyed.
reservedStrings: [], // Disable the conversion of string literals, which match the RegExp pattern passed. For example, if you add ^ some * string, the obfuscator will ensure that all strings beginning with certain strings are not moved to `stringArray`.
rotateStringArray: true, //
seed: 0, // By default (seed = 0), you will get a new result every time you obfuscate the code (ie: different variable names, different variables inserted into stringArray, etc.). If repeatable results are required, set the seed to a specific integer.
selfDefending: false, // This option makes the output code resistant to formatting and variable renaming. If you try to use a JavaScript beautifier on obfuscated code, the code will no longer work, making it more difficult to understand and modify it. Compact code setup is required.
sourceMap: false, // Make sure not to upload obfuscated source code with embedded source code, because it contains the original source code. Source mapping can help you debug obfuscated Java Script source code. If you want or need to debug in production, you can upload a separate source map file to a secret location and then point your browser to that location.
sourceMapBaseUrl: '', // This embeds the source mapping of the source into the result of obfuscated code. This is useful if you only want to debug locally on your computer.
sourceMapFileName: '',
sourceMapMode: 'separate',
stringArray: true, // Shift the stringArray array to a fixed and random (generated when code is confused) position. This makes it more difficult to match the order of deleted strings with their original positions. If the original source code is not small, it is recommended to use this option, because helper functions can attract attention.
stringArrayEncoding: ['rc4'], // This option may slightly reduce the script speed. Use Base64 or RC4 to encode all string literals of stringArray and insert a special function to decode it back at runtime.
stringArrayThreshold: 0.8, // You can use this setting to adjust the probability that string literals will be inserted into stringArray (from 0 to 1). This setting is useful in large code bases, because repeated calls to the stringArray function will reduce the speed of the code.
target: 'browser', // You can set the target environment of the obfuscated code to one of the following: Browser, Browser No Eval, Node The current browser and node output are the same.
transformObjectKeys: false, // Convert (obfuscate) object keys. For example, this code var a = {enabled: true}; when using this option for obfuscation, the enabled object key will be hidden: var a = {}; a [_0x2ae0 [('0x0')] = true ;. Ideally used with String Array settings.
unicodeEscapeSequence: true,
}, ['node_modules/**/*.js'])
);
}
}
},
Strange that it works for you I get:
✔ Builder initialized 14:51:25
✔ Nuxt files generated 14:51:25
FATAL Invalid configuration object. Webpack has been initialised using a configuration object that does not match the API schema. 14:51:27
- configuration.plugins[7] misses the property 'apply'.
function
-> The run point of the plugin, required method.
- configuration.plugins[7] misses the property 'apply'.
function
-> The run point of the plugin, required method.
at Object.webpack (node_modules/webpack/lib/webpack.js:31:9)
at node_modules/@nuxt/webpack/dist/webpack.js:2056:51
at Array.map (<anonymous>)
at WebpackBundler.build (node_modules/@nuxt/webpack/dist/webpack.js:2055:37)
at Builder.build (node_modules/@nuxt/builder/dist/builder.js:327:5)
at Object.run (node_modules/@nuxt/cli/dist/cli-build.js:110:7)
at NuxtCommand.run (node_modules/@nuxt/cli/dist/cli-index.js:413:7)
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ │
│ ✖ Nuxt Fatal Error │
│ │
│ WebpackOptionsValidationError: Invalid configuration object. Webpack has been initialised using a configuration object that does not match the API │
│ schema. │
│ - configuration.plugins[7] misses the property 'apply'. │
│ function │
│ -> The run point of the plugin, required method. │
│ │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Is there a workaround? :P
@Extarys Hello, did you import 'webpack-obfuscator' or `javascript-obfuscator'?
For me config from cafe4it works, but I downgraded version of webpack-obsever to 2.6.0, because with version 3.4.0 I have error
Cannot read property 'tap' of undefined
@kosuha606 Oh there is where the problem must be, as I imported `javascript-obfuscator' :man_facepalming: I'm not used to webpack and didn't really look into another package for it.
my config, its working
build: { extend(config, { isDev, isClient }) { if (!isDev && isClient && config.plugins) { config.plugins.push( new JavascriptObfuscator({ rotateUnicodeArray: true, // must be true compact: true, // Compact Remove newline characters from the output obfuscation code. controlFlowFlattening: false, // This option greatly affects the performance of a 1.5x speed reduction. Enable code control flow flattening. Control flow flattening is the structural transformation of source code, which hinders program understanding. controlFlowFlatteningThreshold: 0.8, deadCodeInjection: true, // This option greatly increases the size of obfuscated code (up to 200%) This feature adds random dead code blocks (ie: code that will not be executed) to the obfuscated output, making it more difficult to reverse engineer. deadCodeInjectionThreshold: 0.5, debugProtection: true, // Debugging protection If you open the developer tools, you can freeze your browser. debugProtectionInterval: true, // If checked, the interval forced debugging mode is used on the "Console" tab, which makes it more difficult to use other functions of "Developer Tools". How does it work? A special code that calls the debugger; inserted repeatedly throughout the obfuscated source code. disableConsoleOutput: true, // Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes the use of the debugger more difficult. domainLock: [], // Lock the obfuscated source code so that it only runs on specific domains and / or subdomains. This makes it very difficult for someone to simply copy and paste the source code and run it elsewhere. Multiple domains and subdomains can lock the code to multiple domains or subdomains. For example, to lock it so that the code only runs on www.example.com Add www.example.com so that it runs on any subdomain of example.com, use .example.com. identifierNamesGenerator: 'hexadecimal', // Use this option to control the obfuscation of identifiers (variable names, function names, etc.). identifiersPrefix: '', // This option makes all global identifiers have a specific prefix. inputFileName: '', log: false, renameGlobals: false, // Don't start Enable global variable and function name confusion by declaration. reservedNames: [], // Disable obfuscation and generate identifiers that match the passed RegExp pattern. For example, if you add ^ someName, the obfuscator will ensure that all variables beginning with someName, the function name and function parameters will not be destroyed. reservedStrings: [], // Disable the conversion of string literals, which match the RegExp pattern passed. For example, if you add ^ some * string, the obfuscator will ensure that all strings beginning with certain strings are not moved to `stringArray`. rotateStringArray: true, // seed: 0, // By default (seed = 0), you will get a new result every time you obfuscate the code (ie: different variable names, different variables inserted into stringArray, etc.). If repeatable results are required, set the seed to a specific integer. selfDefending: false, // This option makes the output code resistant to formatting and variable renaming. If you try to use a JavaScript beautifier on obfuscated code, the code will no longer work, making it more difficult to understand and modify it. Compact code setup is required. sourceMap: false, // Make sure not to upload obfuscated source code with embedded source code, because it contains the original source code. Source mapping can help you debug obfuscated Java Script source code. If you want or need to debug in production, you can upload a separate source map file to a secret location and then point your browser to that location. sourceMapBaseUrl: '', // This embeds the source mapping of the source into the result of obfuscated code. This is useful if you only want to debug locally on your computer. sourceMapFileName: '', sourceMapMode: 'separate', stringArray: true, // Shift the stringArray array to a fixed and random (generated when code is confused) position. This makes it more difficult to match the order of deleted strings with their original positions. If the original source code is not small, it is recommended to use this option, because helper functions can attract attention. stringArrayEncoding: ['rc4'], // This option may slightly reduce the script speed. Use Base64 or RC4 to encode all string literals of stringArray and insert a special function to decode it back at runtime. stringArrayThreshold: 0.8, // You can use this setting to adjust the probability that string literals will be inserted into stringArray (from 0 to 1). This setting is useful in large code bases, because repeated calls to the stringArray function will reduce the speed of the code. target: 'browser', // You can set the target environment of the obfuscated code to one of the following: Browser, Browser No Eval, Node The current browser and node output are the same. transformObjectKeys: false, // Convert (obfuscate) object keys. For example, this code var a = {enabled: true}; when using this option for obfuscation, the enabled object key will be hidden: var a = {}; a [_0x2ae0 [('0x0')] = true ;. Ideally used with String Array settings. unicodeEscapeSequence: true, }, ['node_modules/**/*.js']) ); } } },
hi, this is not working my code. please full configuration nuxt.config.js settings you? sory my bad my language
For me config from cafe4it works, but I downgraded version of webpack-obsever to 2.6.0, because with version 3.4.0 I have error
Cannot read property 'tap' of undefined
@Extarys Hello, did you import 'webpack-obfuscator' or `javascript-obfuscator'?
@Extarys Hello, did you import 'webpack-obfuscator' or `javascript-obfuscator'?
Sir, Can you post full devDependencies and nuxt.config.js about obfuscation, thx. My config didnt work, so sad~
@live680g It didn't work for me either. The webpage wouldn't load. Anyway I'm taking this time off for other stuff and better prepare the project I'm working on, waiting for Nuxt 3 to be in Beta/RC and then I'll continue :)
Please share if you ever find a proper solution for this :heart:
@Extarys @live680g @hendras1722 @kidbai @CavalcanteLeo
i found solution and its worked for NuxtJs. first check your webpack first. on my case i use webpack version 4.46.0. you should downgrade this webpack obfuscator use version 2.6.0
install package
yarn add javascript-obfuscator [email protected]
// in nuxt.config.js
var WebpackObfuscator = require('webpack-obfuscator');
build: {
extend (config, { isDev, isClient }) {
if (!isDev && isClient) {
config.plugins.push(
new WebpackObfuscator({
compact: true,
simplify: true,
disableConsoleOutput: true,
debugProtection: false,
debugProtectionInterval: 0,
identifierNamesGenerator: 'hexadecimal',
numbersToExpressions: false,
}, ['node_modules/**/*.js'])
)
}
}
}
To specify for people looking around, this won't work on Nuxt 3, but I guess we can take the same obfuscator options to put into rollup-plugin-obfuscator :smile:
I'll test later, thanks @adhimafauzans
