stephenmathieson/node-obfuscator

backlash and vertical tab characters in string were not correctly obfuscated

shiwanlin opened this issue · 0 comments

On this version of obfuscator:

├─┬ obfuscator@0.5.4
│ ├── commander@2.0.0
│ └─┬ uglify-js@2.4.24
│   ├── async@0.2.10
│   ├─┬ source-map@0.1.34
│   │ └── amdefine@1.0.0
│   ├── uglify-to-browserify@1.0.2
│   └─┬ yargs@3.5.4
│     ├── camelcase@1.2.1
│     ├─┬ decamelize@1.1.2
│     │ └── escape-string-regexp@1.0.4
│     ├── window-size@0.1.0
│     └── wordwrap@0.0.2
  • a backslash character is not correctly obfuscated (with the options.strings set true): both '\\' and '\x5c' get obfuscated into "\underfined".
  • a vertical tab specified as '\v' or ``\x0b'gets obfuscated into"\xb"`.

In both cases I got a fatal error from node when executing the obfuscated codes of some large production code base as shown below. However I could not reproduce the same fatal error when testing with a simple test program. In both programs, the behaviors are incorrect.

SyntaxError: Unexpected token ILLEGAL
    at exports.runInThisContext (vm.js:53:16)
    at Module._compile (module.js:413:25)
    at Object.Module._extensions..js (module.js:452:10)
    at Module.load (module.js:355:32)
    at Function.Module._load (module.js:310:12)
    at Function.Module.runMain (module.js:475:10)
    at startup (node.js:117:18)
    at node.js:951:3

The problem lies in /lib/utils.js:exports.hex() -

    if (map[char]) {
      result += map[char];
    } else if ('\\' == char) {
      result += '\\' + str[++i];
    } else {
      result += '\\x' + str.charCodeAt(i).toString(16);
    }

In the case of a single character of escaped backlash, it will cause str[++i] producing "undefined". For the case of '\v', the leading zero is perhaps dropped by the charCodeAt(i).

Suggested fix: expanding the map object in /lib/utils.js to include all the official JavaScript special characters as defined in https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Grammar_and_types:

/**
 * Escape map.
 */

var map = {
  '\b': '\\b',
  '\f': '\\f',
  '\n': '\\n',
  '\r': '\\r',
  '\t': '\\t',
  '\v': '\\v',
  '\\': '\\\\',
  '\0': '\\0'.
  '\"': '\\"',
  "\'": "\\'"
};