Party A suddenly asks for a private deployment

The project is built with Node.js. Does Node.js code need to be protected?

Usually not, because the code runs in the cloud. Node.js code, even in plaintext, is safe as long as the server is safe.

But it is not the ten thousand ordinary cases you need to fear, it is the one exception. Suppose one day Party A suddenly asks for a private deployment, your boss readily agrees, and the problem is thrown to you.

Now things have changed: the code has to be deployed in an untrusted environment. Once the Node.js source code is packaged and running on Party A's servers, Party A can easily view, analyze, tamper with, and copy your code.

So I started googling

What are some ways to protect JS code?

The requirement is that the protected code still works (code that doesn't run is useless) while the source code is not easily accessible to others. In short, make it readable by machines and hard to read by humans.

  1. encryption

    We can encrypt the JS code, decrypt it before each execution, and run the decrypted code. But encryption costs execution efficiency, and once the password is cracked, the source code is leaked.

  2. obfuscation

    Obfuscation makes the code as unreadable as possible, an idea said to have been learned from programmers who write bad code. Common practices include separating constants, disrupting control flow, adding meaningless code, domain locking, obfuscating strings, disabling debugging, and so on.

  3. compile

    Node.js code is executed by the V8 engine, which compiles the source code into bytecode and interprets it. If we ship the Node.js code as compiled bytecode instead of source, the code becomes harder to recover. Decompiling V8 bytecode is not easy, after all.

  4. packaging

    Package the Node.js code and its dependencies into an executable file. That makes it a little harder to crack.
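
To make the trade-off in item 1 (encryption) concrete, here is an added example that is not code from the original post: it seals a script with AES-256-GCM, runs it through a loader, and shows that the password the loader must carry restores the source. The names protect, decrypt, run, SAMPLE_SOURCE and PASSWORD, and the bundle layout, are assumptions made for the illustration.

```javascript
// Added example, not from the original post. All names and the bundle
// layout are illustrative; the source and password are constructed samples.
const crypto = require('node:crypto');
const vm = require('node:vm');

// Build step: derive a key from the password and seal the source.
function protect(source, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(password, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(source, 'utf8'), cipher.final()]);
  // Layout: salt (16) | iv (12) | auth tag (16) | ciphertext
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Runtime step: V8 can only execute plaintext, so the loader must decrypt first.
function decrypt(bundle, password) {
  const key = crypto.scryptSync(password, bundle.subarray(0, 16), 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, bundle.subarray(16, 28));
  decipher.setAuthTag(bundle.subarray(28, 44));
  // final() throws if the bundle was modified or the password is wrong.
  const plain = Buffer.concat([decipher.update(bundle.subarray(44)), decipher.final()]);
  return plain.toString('utf8');
}

// Execute the decrypted script in a fresh context and return what it stored in `result`.
function run(bundle, password) {
  const sandbox = { result: undefined };
  vm.runInNewContext(decrypt(bundle, password), sandbox, { filename: 'index.js' });
  return sandbox.result;
}

// Constructed sample standing in for the page's index.js.
const SAMPLE_SOURCE = 'var a = 1; var b = 1; result = "1 + 1 = " + (a + b);';
const PASSWORD = 'demo-password-shipped-with-the-loader';

const bundle = protect(SAMPLE_SOURCE, PASSWORD);
console.log(run(bundle, PASSWORD));                       // protected code still works
console.log(bundle.includes('1 + 1'));                    // plaintext is absent from the bundle
console.log(decrypt(bundle, PASSWORD) === SAMPLE_SOURCE); // the loader's password restores it
```

Because the loader and its password are deployed together, this raises the effort needed to read the code but does not take the source out of Party A's reach; the GCM tag does let the loader refuse a modified bundle.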

Then copy the code from GitHub

Here are a few libraries or websites for obfuscating, compiling, and packaging JS:

  1. obfuscation

    • JavaScript Obfuscator – a powerful JavaScript obfuscator.
    • Shaman Technology – a suite of JS code security solutions.
  2. compile

    • Bytenode, a minimalist Node.js bytecode compiler.
  3. packaging

    • ncc can package Node.js projects into a single JS file, with TypeScript support and dynamic import.
    • pkg can package Node.js projects into a binary executable file. pkg does not support dynamic import, but it packages Node itself, so the result can run in an environment where Node.js is not installed.
    • pmq20/node-packer can also package a project as a binary executable, with the advantage of supporting the various forms of require as well as C++ modules. This project has not been updated in two years and only supports up to Node.js 8.3.0. For newer releases, please move to slee047/node-packer.

Choose a solution to get through

There is no absolute security; the methods above can only increase the difficulty of cracking. Nothing in the world is difficult for someone who sets their mind to it: with enough skill and patience, it is still possible to restore the corresponding code.

As defenders, what we can do is protect the code as much as possible. Here I offer a JavaScript Obfuscator + Bytenode + node-packer solution.

Why node-packer instead of ncc or pkg? Because ncc and pkg cannot handle obfuscated code.

Protect code worth tens of millions of dollars

Suppose we need to protect a project like this:

// index.js
console.log("Here are tens of millions of dollars worth of code :");
var a = 1;
var b = 1;
var c = a + b;
console.log("1 + 1 =" + c)

First we install javascript-obfuscator and bytenode via npm. Then install node-packer on the current system.

Since node-packer cannot package the .jsc bytecode files generated by Bytenode directly, the following file needs to be added to load the .jsc file:

// build.js
require('bytenode');

require('./index-obfuscated.jsc');

Then add the following instructions to package.json:

  "scripts": {
    "obfuscate": "javascript-obfuscator index.js --string-array-encoding rc4",
    "bytenode": "bytenode --compile index-obfuscated.js",
    "nodec": "nodec build.js --skip-npm-install",
    "build": "npm run obfuscate && npm run bytenode && npm run nodec"
  }

Finally, run npm run build to get an a.out (a.exe on Windows) executable. Run it, and tens of millions of dollars worth of code is running.

In addition, you will find two more files in the project directory: index-obfuscated.js and index-obfuscated.jsc. These are the obfuscated code and the bytecode file, respectively. javascript-obfuscator supports a variety of obfuscation techniques; consult its documentation and configure the options that suit your project's requirements.

Conclusion

In addition to the above technical measures, don't forget to add license and copyright information.

Thanks for reading to the end; I'm giving you this million-dollar code example for free. The project address is javascript-code-protection-example, and stars are welcome.

If anything here is wrong, I hope you will comment freely.