Rusty-JSYC (JavaScript bYtecode Compiler) is a JavaScript-To-Bytecode compiler written in Rust. The bytecode is meant to be used in conjunction with the provided virtual machine written in JavaScript. In combination they form the components for a virtualization obfuscation.
There is also a blogpost explaining this project and virtualization obfuscation in general.
You must first compile the given JavaScript code. After that you can execute it with the provided virtual machine.
You can either use the provided command line tool:
cargo run </path/to/javascript.js> </path/to/vm-template.js> </output/dir> -d
or use the compiler as a library and call it from your own rust code:
extern crate jsyc_compiler;
use jsyc_compiler::{JSSourceCode, BytecodeCompiler};
fn main() {
let js_code = JSSourceCode::new("console.log('Hello World');".into());
let mut compiler = BytecodeCompiler::new();
let bytecode = compiler.compile(&js_code).expect("Failed to compile code");
println!("Bytecode: {}", bytecode);
let depedencies = compiler.decl_dependencies();
println!("Depedencies: {:?}", depedencies);
let base64_bytecode = bytecode.encode_base64();
println!("Base64-encoded bytecode: {}", base64_bytecode);
}
In your Cargo.Toml:
[dependencies]
jsyc_compiler = "~0.1"
// include vm.js
// ...
var vm = new VM();
vm.init(Base64EncodedBytecode);
requestIdleCallback(() => vm.run());
// ...
Replace Base64EncodedBytecode
with the actual base64 encoded bytecode.
An example demonstrating both the compiler and the virtual machine can be found in playground/snake
. It features a small Snake game (snake.js).
You can compile this with:
cargo run "playground/snake/unobfuscated/snake.js" "vm/vm.js" "playground/snake/obfuscated" "playground/snake/unobfuscated/index.html"
After compilation, open the index.html file in your browser.
/path/to/rusty-jsyc/playground/snake/obfuscated/index.html
This was tested in Chrome 74 and Firefox 67. However, any ES6 capable browser should be compatible.
Virtualization obfuscation is a state-of-the-art obfuscation scheme. It obfuscates the code by compiling it into bytecode which is then executed by a virtual machine (VM). Thus, the VM gets distributed along with the compiled bytecode. It is then called with this bytecode and executes it and is thereby executing the actual code.
Since the bytecode is executed instruction by instruction, the original code is never restored anywhere. So, any potential attacker must first reverse engineer the VM, which may be heavily obfuscated. One must then understand the underlying architecture and instruction-set before being able to analyze the actual bytecode. Since any two virtualization obfuscations are potentially different, the use of automated tools is limited.[1][2]
It is possible to provide the functions defined in the virtual JavaScript context to the real JavaScript context.
// Compiled JavaScript
function secret_function(a, b, c) { return a*b+c; }
window.secret_function = secret_function;
// Non-Compiled JavaScript
var secret_function = window.secret_function;
secret_function(10, 20, 1337);
It does not need to be window
, any object instance know to both contexts will work. When calling secret_function
the virtual machine will start the execution of the corresponding bytecode chunk. Thus, calling a function this way does not reveal any more information on the implementation than just calling it inside the compiled JavaScript.
These are the properties that are not reflected by the bytecode as they would be in real JavaScript.
- the 'this' pointer for external non-member functions is simply 'void 0'
- Assignment expressions do not return a value, and thus are not really expressions
- If you declare a variable without assignment it's value will be unknown. Thus it might or might not be undefined (void 0). (It will be undefined but not JavaScript's undefined (void 0))
let
andconst
declarations are treated asvar
declarations
This compiler currently only supports a subset of JavaScript features. Currently missing are
- Object related notations ({}, new, this, super, class)
- for-of and for-in loops
- async and await keywords
- with, and switch keywords
try and throw structuresbreak, continue, labels- function expressions and arrow function (Regular functions are allowed)
- function expressions and arrow functions can be realized with:
var func_expr = eval("0, function(x) {return x*x;}");
However, they do not support references to variables defined in the compiled JavaScript.
- tagged template expressions
- spread, rest and sequence notations
There are several test sets in this project:
- Cargo tests:
cargo test
- Node (mocha) tests:
npm install && npm test
1: Rolf Rolles. Unpacking virtualization obfuscators. USENIX Workshop on Offensive Technologies (WOOT), 2009.
2: Johannes Kinder. Towards static analysis of virtualization-obfuscated binaries. Reverse Engineering (WCRE), 2012 19th Working Conference.