Tamper Protection

JS-Confuser

Try It Out

NPM GitHub

Tamper Protection

Tamper Protection safeguards the runtime behavior from being altered by JavaScript pitfalls.

⚠️ Tamper Protection requires eval and ran in a non-strict mode environment!

This can break your code.
Due to the security concerns of arbitrary code execution, you must enable this yourself.

Option name: "lock.tamperProtection"

Option values: true/false/Function

Requires Non-Strict Mode

The obfuscated code will not work properly in Strict Mode.

You can use the Pack option to bypass Strict Mode constraints.

Requires Eval

The obfuscated code will contain unsafe eval expressions.

The code will not work properly in environments that have disabled eval

Input / Output

This example showcases how Tamper Protection transforms the code. Try it out by changing the input code and see changes apply in real-time.

Input.js

Output.js

var bdgCNM = hpzPma();
function hpzPma() {
  var bdgCNM = !1;
  eval("bdgCNM" + " = true");
  if (!bdgCNM) {
    TEBEcbZ();
    return {};
  }
  const hpzPma = eval("this");
  return hpzPma;
}
function x5IcSR0(hpzPma) {
  switch (hpzPma) {
    case "CUVQbL":
      return bdgCNM.nBVKwEj;
    case "bgnjO0":
      return bdgCNM.WZ7zO2N;
    case "5LjAkf":
      return bdgCNM.KiwHwk;
    case "b4TvlOB":
      return bdgCNM.YZK20d;
    case "TWj5OaF":
      return bdgCNM.c8a_Pf;
    case "yMlBavl":
      return bdgCNM.lkqDJUU;
    case "Q4XkbPL":
      return bdgCNM.U0RuHJG;
    case "0IIJaj":
      return bdgCNM.j1ofFP;
    case "cjUjWOH":
      return bdgCNM.EkzvNSX;
    case "SLo6XY6":
      return bdgCNM.GJsZ4nm;
    case "DB1gmY":
      return bdgCNM.TkAFV_l;
    case "o6Ttg6":
      return bdgCNM.u9HPua;
    case "hQf5plR":
      return bdgCNM.iFgRDeL;
    case "COTjjO":
      return bdgCNM.lh3_5ju;
    case "jutHOk":
      return bdgCNM.JsyTQo;
    case "xYuJHF":
      return bdgCNM.nTbXfq;
    case "PNDKRm":
      return bdgCNM.esk_gdU;
    case "2ZnYIi":
      return bdgCNM.n0Q3VJ2;
    case "21GVbb":
      return bdgCNM.j3f8wV;
    case "patFh7l":
      return bdgCNM.jInx0C;
    case "u8og9uH":
      return bdgCNM.GQJZCDx;
    case "7l3kUR8":
      return bdgCNM.gwaql6r;
    case "fHe56R":
      return bdgCNM.zPNNiR;
    case "Q5DzsQ":
      return bdgCNM.q0MS5v7;
    case "s4649o":
      return bdgCNM.SWK5hU0;
    case "hqA22Bh":
      return bdgCNM.fja11b;
    case "dhG25wI":
      return bdgCNM.ht6HPOS;
    case "6YvMZp":
      return bdgCNM.TC8n8GY;
    case "2DkNIUT":
      return bdgCNM.sylYST;
    case "NIa9c1":
      return bdgCNM.qNNfje;
    case "csicuTm":
      return bdgCNM.ZhnxQ0S;
    case "3TuUDRE":
      return bdgCNM.j2dMMAj;
    case "TP8C0L":
      return bdgCNM.fetch;
    case "zec5js":
      return bdgCNM.Error;
    case "sUmxC3e":
      return bdgCNM.ANQrmQX;
    case "zh3BF_C":
      return bdgCNM.Object;
    case "yEkUAkM":
      return bdgCNM.DNamkP;
    case "ucFXo0":
      return bdgCNM.XiEsSU;
    case "bf45GT":
      return bdgCNM.hf2J8E;
    case "aIxOmE":
      return bdgCNM.zpLH8Ak;
    case "EkB7LO":
      return bdgCNM.aHbEv3;
    case "molVQ5":
      return bdgCNM.YSXUiYI;
    case "u0O3Tk":
      return bdgCNM.console;
  }
}
var W2xvMU = !1;
function TEBEcbZ() {
  if (W2xvMU) return;
  W2xvMU = !0;
  oq0kvW5();
}
function Tfatbw() {
  function bdgCNM(bdgCNM, hpzPma) {
    const W2xvMU = bdgCNM.length,
      Tfatbw = hpzPma.length;
    let oq0kvW5 = 0;
    if (Tfatbw > W2xvMU) {
      return -1;
    }
    for (let eH34c1Y = 0; eH34c1Y <= W2xvMU - Tfatbw; 
    eH34c1Y++) for (let x5IcSR0 = 0; x5IcSR0 < Tfatbw; 
    x5IcSR0++) if (bdgCNM[eH34c1Y + x5IcSR0] === 
    hpzPma[x5IcSR0]) {
      oq0kvW5++;
      if (oq0kvW5 === Tfatbw) {
        return eH34c1Y;
      }
    } else {
      oq0kvW5 = 0;
      break;
    }
    return -1;
  }
  function hpzPma(hpzPma) {
    if (bdgCNM("" + hpzPma, "{ [native code] }") === -1 || 
    typeof 
    x5IcSR0("zh3BF_C").getOwnPropertyDescriptor(hpzPma, 
    "toString") !== "undefined") {
      TEBEcbZ();
      return;
    }
    return hpzPma;
  }
  var W2xvMU = arguments;
  if (W2xvMU.length === 1) {
    return hpzPma(W2xvMU[0]);
  } else if (W2xvMU.length === 2) {
    var Tfatbw = W2xvMU[0],
      oq0kvW5 = W2xvMU[1],
      eH34c1Y = Tfatbw[oq0kvW5];
    eH34c1Y = hpzPma(eH34c1Y);
    return eH34c1Y.bind(Tfatbw);
  }
}
(function () {
  function bdgCNM() {
    try {
      var bdgCNM = [];
      delete bdgCNM.length;
    } catch (hpzPma) {
      return !0;
    }
    return !1;
  }
  if (bdgCNM()) {
    TEBEcbZ();
    Tfatbw = void 0;
  }
})();
function oq0kvW5() {
  throw new (x5IcSR0("zec5js"))('Tampering detected!');
}
Tfatbw(x5IcSR0("TP8C0L"))
('https://jsonplaceholder.typicode.com/users').then(bdgCNM => 
{
  return bdgCNM.json();
}).then(bdgCNM => {
  Tfatbw(x5IcSR0("u0O3Tk"), "log")(bdgCNM);
});

Improves Global Concealing

Tamper Protection with Global Concealing can detect at runtime if certain global functions have been monkey-patched. The following code exemplifies this:

Native function check

Code

This monkey-patch can be detected by inspecting the fetch.toString() value:

Code

Certain global functions are checked before each invocation to ensure that (1) the arguments cannot be intercepted and (2) their behavior cannot be altered.

Stealthy global

A direct eval invocation can access the local scope, only if it has not been redefined.

Code

This method securely obtains the real global object for both the browser and NodeJS. Properties on the global object can still be changed however.

Disallows Strict Mode

Tamper Protection requires the script to run in non-strict mode. Detection of the script in Strict Mode will be considered tampering. You can control the tampering response using the lock.countermeasures option.

Custom Implementation

options.lock.tamperProtection(fnName)

Control which functions are changed. Returns a boolean.

Parameter	Type	Description
fnName	string	The function name proposed receive native check protection.

Usage Example

The provided code example will obfuscate the file input.js and write the output to a file named output.js.

Usage Example

import JSConfuser from "js-confuser";
import {readFileSync, writeFileSync} from "fs";
// Read input code
const sourceCode = readFileSync("input.js", "utf8");
const options = {
  target: 'browser',
  lock: {
    tamperProtection: true,
    countermeasures: 'onTamperDetected',
  },
  globalConcealing: true,
};
JSConfuser.obfuscate(sourceCode, options).then((result)=>{
  // Write output code
  writeFileSync("output.js", result.code);
}).catch(err=>{
  // Error occurred
  console.error(err);  
});