WeChat games Majiaobao package refers to the same set of game source code using a different name packaging online WeChat games platform. WeChat officially does not allow such a way to launch small games, but game operators in order to buy the demand, often use different packaging, in order to get more traffic. In addition, after the release of the game, a number of combined transport channels need to go online with the same small game, there are also Majiaobao.

If the Majiao-package game source code upload without special processing, will play back to the small game on suspicion of code package content infringement, and credit points -5 (the lower the credit score, the longer the time, generally keep in 90 points and above to ensure rapid review). The official reply from WeChat is as follows:

At present, WeChat small game audit compared with Apple store audit is not strict, basically can break through the code package infringement problem, the audit rate is quite high. So how to break through the code package infringement problem, can do this:

JS confusion

Recommend the Jascripto fascator tools. Why not use UglifyJS? The WeChat developer tool also uses this compression when uploading code. Do you think using it to obstruct will solve the problem? There are a few paid code obfuscators out there, like JS ** Man, which I haven’t tried yet, but I think my boss would kill me if I tried to get the code to their server. In addition, the price is not cheap, now the small game code easily single package more than 3M, according to this calculation, at least to buy an annual VIP line.

Why jascripto fascator?

Since it’s free and open source, see its Githup. It can implement variable substitution, code compression, flat control flow, add obsolete code, and so on. The difficulty is how to reasonably configure the confusion parameters, which can guarantee both the review and the performance and the size of the game. In other words, if the performance is too poor (the game is hot) and the game is too big (the game is slow to load), it will seriously affect the conversion and retention of users, and the over-review is useless!

Extract string

Can’t you just confuse them with jascript to fascator? Because when Jascripto fascators get mixed up, the strings are still in the code and are easier to tag. The general practice is to pull the string out and put it in one or more files for compressed storage.

How do I extract a string? Ordinary regular replacement is certainly not good, the game code, it is easy to replace the problem, resulting in game anomalies. It is recommended to learn JavaScript AST parsing. This parser https://astexplorer.net/ can help you learn the AST syntax tree quickly. In development we use Acorn and Escodegen, where Acorn helps to walk through the syntax tree of the code, so you can modify the syntax tree; Escodegen saves the modified syntax tree as the new code.

// You can install acorn, acorn-walk, escodegen const acorn = require("acorn") via NPM; const walk = require("acorn-walk"); const escodegen = require('escodegen'); //content is JS code const AST = acorn.parse(content, {ecmaVersion: 'latest', sourceType: 'script'}); Walk. Simple (ast, {arrayExpression (node) {// Array if (! node.elements || ! node.elements.length) { return; } for (var i in node.elements) { if (! node.elements[i]) { continue; } if (node.elements[i].type == 'Literal' && ! node.elements[i].regex && node.elements[i].value) { let key = ... ; // Create key node.elements[I]. Type = "Identifier"; node.elements[i].name = `${key}`; }}}}); let options = { comment: false, format: { compact: true }, }; // Get new JS code content = escodegen.generate(ast, options);

The performance test

After finishing 1 and 2, the most important step is to test the performance of the obfuscated code. Here we can use Tencent’s own tool PerfDog https://perfdog.qq.com/. We mainly used this tool to test the FPS, CPU usage, and battery temperature of different obfuscated code.

It’s best to use an iPhone as a test device. A delicate iPhone gets hot more often than an Android phone, which is prone to test problems.

Well, the above is WeChat small game vest package confusion strategy. A few additional points should pay attention to the usual arraignment:

1. The recharge entry of iOS must be hidden, and any text with the word “recharge” is not acceptable

2. Don’t expose too much material in the game

3. A personal account can be used to test whether the confusion strategy is effective. If it is effective, the company account can be used for arraignment to avoid excessive credit deduction

4, the current WeChat official code file name, resource file, request domain name review is not strict, this aspect can work less, do not drill into a dead end