Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent vite's minifier from undoing obfuscation #16

Closed
doroved opened this issue Feb 11, 2023 · 8 comments
Closed

Prevent vite's minifier from undoing obfuscation #16

doroved opened this issue Feb 11, 2023 · 8 comments

Comments

@doroved
Copy link

doroved commented Feb 11, 2023
edited
Loading

Thank you. It all worked out.
I have one more question, I want the obfuscation code to look like this
image

But your plugin obfuscates like this
image

I would like to have the first example of how to do this?
I am using the default options.
In the first example plugin: vite-plugin-obfuscator

Originally posted by @doroved in #15 (comment)
@getkey
Copy link
Owner

getkey commented Feb 11, 2023

When you remove the plugin from your config, what do you get?

@doroved
Copy link
Author

doroved commented Feb 11, 2023

When you remove the plugin from your config, what do you get?

This is what the code looks like after building Vite without your plugin
image

This is what the code looks like with your plugin. The obfuscation seems to be there, but it doesn't look like what you get with the default config of javascript-obfuscator itself
image

@getkey
Copy link
Owner

getkey commented Feb 11, 2023

I'm pretty sure this is the result of rollup-plugin-obfuscator running before minification. Could you disable minification to test that theory?

It's not possible to make rollup-plugin-obfuscator run after minification, even with enforce: 'post'.
The only way to prevent that would be disabling minification. But I would not recommend it: obfuscation that can be removed so easily is useless, so might as well have lean minified JS. 😉

@doroved
Copy link
Author

doroved commented Feb 11, 2023

I'm pretty sure this is the result of rollup-plugin-obfuscator running before minification. Could you disable minification to test that theory?

It's not possible to make rollup-plugin-obfuscator run after minification, even with enforce: 'post'. The only way to prevent that would be disabling minification. But I would not recommend it: obfuscation that can be removed so easily is useless, so might as well have lean minified JS. 😉

Yes, with minify:false it will obfuscate properly
image

Why then does the vite-plugin-obfuscator plugin work correctly and the obfuscated code is minified? But it obfuscates all code, including library code, which is unnecessary.
So your plugin does not work with Vite? That's too bad.

@doroved
Copy link
Author

doroved commented Feb 11, 2023

This is how vite-plugin-obfuscator works.
It works, why don't you?)
image

@getkey
Copy link
Owner

getkey commented Feb 11, 2023

I tried, but I haven't been able to make vite-plugin-obfuscator work. Please make a repo with a minimal reproduction case and send me the link so I can look how it works.

@doroved
Copy link
Author

doroved commented Feb 12, 2023

I tried, but I haven't been able to make vite-plugin-obfuscator work. Please make a repo with a minimal reproduction case and send me the link so I can look how it works.

Use this config and everything should work fine.
This plugin unfortunately obfuscates all code, including libraries, and I need only the project code.

vite.config.js

import { fileURLToPath, URL } from 'node:url'
import { viteObfuscateFile } from 'vite-plugin-obfuscator'

import { defineConfig } from 'vite'
import vue from '@vitejs/plugin-vue'

export default defineConfig({
  plugins: [vue(), viteObfuscateFile()],
  resolve: {
    alias: {
      '@': fileURLToPath(new URL('./src', import.meta.url)),
    },
  },
})

If it does not work now, I will prepare a repository.

@getkey
Copy link
Owner

getkey commented Feb 12, 2023

Thanks, I was able to reproduce and have a deeper look at what that plugin is doing. It is modifying the bundle during the HTML transform phase, which apparently happens after the minification. Unfortunately this technique does not allow excluding libraries from the bundle.

Now the question is, should rollup-plugin-obfuscator adopt this technique when global is set to true?

  1. as I explained in this comment, I think this isn't a desirable use-case: if all it takes to turn fully-obfuscated code into the semi-obfuscated code from the second image here is to run terser on it, the former provides no additional protection. In which case you're better off not shipping that dead weight to your users
  2. there is an alternative way to achieve that outcome, by disabling minification (and optionally running @rollup/plugin-terser before rollup-plugin-obfuscator). Which, by the way, will work with global: false
  3. the Vite API to modify the bundle during the HTML transform phase is undocumented

So for all these reasons, I think it would make for a bad addition.

If you want to do it anyway, here is the alternative way to do it I was talking about in 2. (it will exclude library code):

// vite.config.js

import { defineConfig } from 'vite';
import obfuscator from 'rollup-plugin-obfuscator';
import terser from '@rollup/plugin-terser';

export default defineConfig({
	build: {
		minify: false,
	},
	plugins: [
		terser(),
		obfuscator(),
	],
});

@getkey getkey closed this as completed Feb 12, 2023
@getkey getkey changed the title Why is the obfuscation method different from the default settings of another plugin that uses javascript-obfuscator Prevent vite's minifier from undoing obfuscation Feb 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@getkey @doroved