Protected JS binary isnt protecting const string and function names

[akinohana]

they can be see directly, any workaround?

[rogerwang]

Could you please provide a minimal sample to reproduce?

[rogerwang]

btw, it's normal that string literal is in cleartext. The sample applies when you compile C/C++ code, as the string literal is stored directly in the binary. In NW we try to provide the similar level of protection as C/C++ compilation. We'll see the function name case.

[rogerwang]

@Christywl could you please try to write a case and reproduce?

[akinohana]

Here is the reproduce code

I also noticed attribute name and variable name are visible too

nwjc.zip

[akinohana]

[Christywl]

I can reproduce this issue. Function name, const string, attribute name are visible.
nwjs version: sdk-v0.24.0
1.js

function test(){
	alert("Hellooooo")	
}

1.bin

��ÞÀ    Ϊä3-       �õm¥�       À�  <M(’³žˆi       €(� €   €   €   €    �L“���‰��’Å    �       C                                   …�˜�A��$�ÔÀ    �   �ŒÀ    �   ��ŒÀ    �   ��‘Â�B³q        �   test    Á            �   �L“���	°��’Å    �       ÁA                                  …�˜8�$9À    �   ��ŒÀ    �   ��‘šáaQ        �   alert   ��‘ÃÒÝHÜ        	   Hellooooo       ž�‹Á    �   � �� 
.Ã�   �    @�   “
 ��ú	��ùQúù��—  �D�-�
 „Á                „àÀ    �   „À    �   „À         �ŒÀ    �   �—	 …�—	À…À    �   „à�‰�À        ‰���    �       �       �  Æ    �           �       Z   <   �   ��          �       ž�‹Á    �   ���X    Ã�   �    @�   	 �ú��ù þøU®�ú�“�—	��À    �   ‰���    �       �       �H  Æ                �       Z   �   þÿÿÿ�           �       �/////////

The reporter's test bin file:

��ÞÀ    Ϊä3Š�      �õm¥�       ˜�  up	´ÐÝÚ    h  €`	 €   €   €   €    �L“���‰��’Å    �       C                                   …�˜�A��$�ÔÀ    �   �ŒÀ    �   ��ŒÀ    �   ��‘Ãv’�j           CreateScript    Á            �   �L“���	°�(’Å    �       ÁA              �                   ��‘Â>òÙ2        �   ret     ��‘šcñá        �   UUID    ��‘Ã^p
m        	   newScript       …�˜8�`9À    †   �TŒÀ    �   ��‘Â�¡5        �   EJS     ��ŒÀ    �   ��‘º*XR        �   url     ��‘Âj
Fí        �   nav.ejs ��‘ÂN�î˜        �   render  ‰�(ŒÀ    �   ��‘ÂnÒ87        �   danyuan ��ŒÁ    �       ÿÿÿÿ��I�À    �    �À    �   ‰��‘ÃÎV‡•        	   xuanxiang       ��ŒÁ    �       ÿÿÿÿ�;À    �    �À    �   ‰��‘Âþ�±y        �   jiaoben ��ŒÁ    �       ÿÿÿÿ�;À    �    �À    �   ‰��‘Ã:�Ϭ        
   dynamicTab      ƒ	!���‘ÂæL‡ì        �   document��‘ÃZc�à        �   getElementById  ��‘Â6xE
        �   nav     ��‘îûÌ&        	   innerHTML       ��‘Âî�Õv        �   guid    ž��‘Âì�         �   123     ��‘ÂŽ�CÈ        �   Name    	I���‘Â^�ÇÅ        �   Data    ��‘Â��OD        �   dest    ��‘¦*vV        �   keyword ��‘ÂZ�±í        �   UIData  ž�$‹Ç    6   �0�X�3�2�€��}�ž������@�6� 
4������������������$���"
�  Ò8   �    @�   “
 �m�	�õ�ö�öYöõ���ö!ö�
�÷	�m���ô�õ
��'ô��N÷öõô��ú
���ö!ö���÷	��õM÷öõ��÷�ú%÷	�

��÷P÷��ùm� �÷ ÷ø	%÷
!�ù%ø�#	�%ø�%	�%ø�'	�%ø�)	�%ø�+�—    �D�-�
 „Á                „àÀ    �   „À    �   „À         �ŒÀ    �   �—	 …�—	Ä…À    �   „à�‰�À        ‰�(�È    �       *       ��0     S€9'    �L��    ` ��     €�&    � €     � € Æ    �           �       ��  \   �   ��          °       ž�‹Á    �   ���’�   Ã�   �    @�   	 �ú��ù þøU®�ú�“�—	��À    �   ‰���    �       �       �H  Æ                �       ��  �   þÿÿÿ�           �       �///////

[rogerwang]

I went through the strings in the binary file:
The function name CreateScript will become a member of the global window object once the binary is evaluated. So the name should be preserved. The same applies to the DOM object document and it's function names, as the names are needed to create the link and find the object/functions when it's evaluated in the DOM context.
As said in my previous comment, the string literals are also kept unchanged on purpose.

At least code obfuscation tool can be used with this NW feature together if you want to hide the names.

There is only newScript and the names of its member left. I'll follow it up.