pkg icon indicating copy to clipboard operation
pkg copied to clipboard

Published 20 hours ago verified publisher icon vercel

Using pkg with obfuscated nodejs code

Open OrionWambert opened this issue 2 years ago • 4 comments

What version of pkg are you using?

5.7.0

What version of Node.js are you using?

v16.15.1

What operating system are you using?

Macos Monterey version 12.2.1 (21D62)

What CPU architecture are you using?

Apple M1

What Node versions, OSs and CPU architectures are you building for?

default

Describe the Bug

Hello ,

I'm working on a node js project and to go to production I need to convert the code to executable but using a tool to obfuscate the real code

To do this I use the library : javascript-obfuscator

Then when I use pkg I have an error that says that :

> Targets not specified. Assuming:
  node16-linux-arm64, node16-macos-arm64, node16-win-arm64
> Warning Cannot resolve 'a3_0x414493(1567, 1689, '$akJ', 1596, 1781) + 're''

  Dynamic require may fail at run time, because the requested file
  is unknown at compilation time and not included into executable.
  Use a string literal as an argument for 'require', or leave it
  as is and specify the resolved file name in 'scripts' option.
> Warning Cannot resolve 'a3_0x4db522(-83, -147, 'Z5)b', -109, -200) + 'le''.

Finally when I open the executable it doesn't work.

Expected Behavior

I would like the executable file to work without errors

To Reproduce

-  npx nest new app && cd app
-  npm i javascript-obfuscator
-  npm i pkg 
- update build script with  "build": "nest build && javascript-obfuscator dist/ --output encrypted  --target node && pkg encrypted/main.js --out-path executable ",
- run output executable files

OrionWambert avatar Jun 28 '22 15:06 OrionWambert

I don't understand why you need to obfuscate your code when pkg already compiles it to bytecode that it's even better

robertsLando avatar Jun 28 '22 15:06 robertsLando

I read somewhere that the executable generated by pkg is readable using a hexadecimal editor, I prefer to obfuscate it to add one more security

OrionWambert avatar Jun 28 '22 16:06 OrionWambert

It might not be the intent of the issue raised but the stacktrace created from these can expose the file names and node packages being used. This might be unexpected when sharing the executable with customers who should not be able to figure out these.

Stacktrace helps in debugging and in dev mode execution, but having a mode of creating binary which can further hide such info (obfuscate) would be very useful.

gtmsingh avatar Jun 28 '22 17:06 gtmsingh

Had the same issue. Try to tweak your javascript-obfuscator config.

I found that stringArrayEncoding would make the program crash.

splitStrings can be very slow if you have very huge strings.

Also, selfDefending may break your code (nothing happens when running) if you bundle/minify/reformat it (see selfDefending

⚠️ Don't change obfuscated code in any way after obfuscation with this option, because any change like uglifying of code can trigger self defending and code wont work anymore!

Here is what I came up with that works for me (heavy obfuscation, you may reduce it to optimize performance) https://github.com/rigwild/waifu-stealer/blob/f4dc7f054335833d2c67ce51c83867978c79223c/builder.js#L28-L55

rigwild avatar Aug 05 '22 02:08 rigwild

This issue is stale because it has been open 90 days with no activity. Remove the stale label or comment or this will be closed in 5 days. To ignore this issue entirely you can add the no-stale label

github-actions[bot] avatar Nov 06 '22 00:11 github-actions[bot]

This issue is now closed due to inactivity, you can of course reopen or reference this issue if you see fit.

github-actions[bot] avatar Nov 11 '22 00:11 github-actions[bot]

here is a config that works for me (low obfuscation,high performance):

const obfuscatorConfig = {
  compact: true,
  controlFlowFlattening: false,
  deadCodeInjection: false,
  debugProtection: false,
  debugProtectionInterval: 0,
  disableConsoleOutput: false,
  identifierNamesGenerator: "hexadecimal",
  log: false,
  numbersToExpressions: false,
  renameGlobals: false,
  selfDefending: true,
  simplify: false,
  splitStrings: false,
  stringArray: true,
  stringArrayCallsTransform: false,
  stringArrayEncoding: [],
  stringArrayIndexShift: true,
  stringArrayRotate: true,
  stringArrayShuffle: true,
  stringArrayWrappersCount: 1,
  stringArrayWrappersChainedCalls: true,
  stringArrayWrappersParametersMaxCount: 2,
  stringArrayWrappersType: "variable",
  stringArrayThreshold: 0.75,
  unicodeEscapeSequence: false
};

Baker68 avatar Nov 19 '22 10:11 Baker68

Hello @Baker68 ! Is it possible to know which commands you used ?

0xARROWK avatar Mar 17 '23 13:03 0xARROWK