在整个 Node 项目上使用 UglifyJs? [英] Using UglifyJs on the whole Node project?

问题描述

我需要尽可能地混淆我的源代码，所以我决定使用 uglifyjs2 .. 现在我有了包含嵌套目录的项目结构，我如何通过 uglifyjs2 运行它来完成整个项目而不是全部输入文件?

I need to obfuscate my source code as best as possible so I decided to use uglifyjs2.. Now I have the project structure that has nested directories, how can I run it through uglifyjs2 to do the whole project instead of giving it all the input files?

我不介意它是否将整个项目缩小到单个文件或其他内容

I wouldn't mind if it minified the whole project into a single file or something

推荐答案

我在我参与的一个项目中做过与此非常相似的事情.您有两个选择:

I've done something very similar to this in a project I worked on. You have two options:

1. 将文件保留在其目录结构中.

这是迄今为止更简单的选择，但提供的混淆程度要低得多，因为对您的代码足够感兴趣的人基本上拥有文件逻辑组织的副本.

This is by far the easier option, but provides a much lower level of obfuscation since someone interested enough in your code basically has a copy of the logical organization of files.

攻击者可以简单地打印所有文件并重命名每个文件中混淆的变量名称，直到他们了解发生了什么.

An attacker can simply pretty-print all the files and rename the obfuscated variable names in each file until they have an understanding of what is going on.

为此，请使用 fs.readdir 和 fs.stat 递归遍历文件夹，读取每个 .js 文件并输出损坏的代码.

To do this, use fs.readdir and fs.stat to recursively go through folders, read in every .js file and output the mangled code.

将所有内容编译成一个 JS 文件.

这对您来说实施起来要困难得多，但确实让攻击者的生活更加艰难，因为他们不再从您的项目组织中受益.

This is much more difficult for you to implement, but does make life harder on an attacker since they no longer have the benefit of your project's organization.

您的主要问题是协调您的 require 调用与不再存在的文件(因为现在所有内容都在同一个文件中).

Your main problem is reconciling your require calls with files that no longer exist (since everything is now in the same file).

我通过使用 Uglify 通过分析 AST 用于调用 require.然后我加载了所需文件的源代码并重复.

I did this by using Uglify to perform static analysis of my source code by analyzing the AST for calls to require. I then loaded the source code of the required file and repeated.

加载所有代码后，我将 require 调用替换为对自定义函数的调用，将每个文件的源代码包装在一个模拟 node的模块系统是如何工作的，然后对所有内容进行处理并将其编译为单个文件.

Once all code was loaded, I replaced the require calls with calls to a custom function, wrapped each file's source code in a function that emulates how node's module system works, and then mangled everything and compiled it into a single file.

我的自定义 require 函数执行 node 的大部分 require 功能，除了它不是在磁盘中搜索模块，而是搜索包装函数.

My custom require function does most of what node's require does except that rather than searching the disk for a module, it searches the wrapper functions.

不幸的是，我无法真正分享 #2 的任何代码，因为它是专有项目的一部分，但要点是:

Unfortunately, I can't really share any code for #2 since it was part of a proprietary project, but the gist is:

• 使用 UglifyJS.parse<将源文本解析为 AST/a>.

• 使用TreeWalker 访问AST的每个节点并检查是否

• Parse the source text into an AST using UglifyJS.parse.

• Use the TreeWalker to visit every node of the AST and check if

node instanceof UglifyJS.AST_Call && node.start.value == 'require'

这篇关于在整个 Node 项目上使用 UglifyJs?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！