如何反编译字节节点"jsc"文件? [英] How to Decompile Bytenode "jsc" files?

问题描述

我刚刚看到了这个库 ByteNode 作为Java的ByteCode，但这是针对NodeJS的.

I've just seen this library ByteNode it's the same as ByteCode of java but this is for NodeJS.

该库将您的JavaScript代码编译为V8字节码，以保护您的源代码，我想知道反编译byteNode是否存在，因此它不够安全.我想知道是因为我想使用此库保护我的源代码吗?

This library compiles your JavaScript code into V8 bytecode, which protect your source code, I'm wondering is there anyway to Decompile byteNode therefore it's not secure enough. I'm wondering because I would like to protect my source code using this library?

推荐答案

TL; DR 它将向那些复制该代码并尝试将其作为自己的代码的人提出更高的要求.这不会阻止专职人员这样做.但是保护您工作的主要方法不是技术性的，而是合法的.

TL;DR It'll raise the bar to someone copying the code and trying to pass it off as their own. It won't prevent a dedicated person from doing so. But the primary way to protect your work isn't technical, it's legal.

该库将您的JavaScript代码编译为V8字节码，从而保护您的源代码...

This library compiles your JavaScript code into V8 bytecode, which protect your source code...

好吧，我们不知道它是V8字节码，但它是已编译"的.在某种意义上.我们所知道的是，它创建了一个代码缓存".通过内置的 vm.Script.prototype.createCachedData API，这正式只是用于第二次，第三次等加速重新编译代码的缓存.理论上，您还应该将原始源代码作为字符串提供给 vm.Script 构造函数.但是，如果您深入研究Node.js的 vm.Script 和V8，它似乎是某种编译形式的实际代码(无论是否为实际的V8字节码)，以及您提供的代码字符串运行时将被忽略.(当从代码缓存运行代码时，ByteNode库提供了一个虚拟字符串，因此显然[总是?]不需要实际的代码.)

Well, we don't know it's V8 bytecode, but it's "compiled" in some sense. All we know is that it creates a "code cache" via the built-in vm.Script.prototype.createCachedData API, which is officially just a cache used to speed up recompiling the code a second time, third time, etc. In theory, you're supposed to also provide the original source code as a string to the vm.Script constructor. But if you go digging into Node.js's vm.Script and V8 far enough it seems to be the actual code in some compiled form (whether actual V8 bytecode or not), and the code string you give it when running is ignored. (The ByteNode library provides a dummy string when running the code from the code cache, so clearly the actual code isn't [always?] needed.)

我想知道反编译byteNode是否足够安全.

I'm wondering is there anyway to Decompile byteNode therefore it's not secure enough.

自然，否则它将是无用的，因为Node.js无法运行它.我没有找到做此事的工具，但是由于V8是开源的，因此大概可以找到必要的信息来为其编写反编译器，以输出有效的JavaScript源代码，然后有人可以尝试理解该源代码.

Naturally, otherwise it would be useless because Node.js wouldn't be able to run it. I didn't find a tool to do it that already exists, but since V8 is open source, it would presumably be possible to find the necessary information to write a decompiler for it that outputs valid JavaScript source code which someone could then try to understand.

使用它进行实验，局部变量名称似乎丢失了，尽管函数名称没有.注释似乎迷路了(考虑到需要 Function.prototype.toString 来返回原始源文本或合成版本

Experimenting with it, local variable names appear to be lost, although function names don't. Comments appear to get lost (this may not be as obvious as it seems, given that Function.prototype.toString is required to either return the original source text or a synthetic version [details]).

因此，如果您通过一个压缩器(特别是重命名函数的压缩器)运行代码，然后通过ByteNode运行它(或者您自己使用 vm.Script 来执行，则ByteNode是一个相当薄的包装器)，将某人将其反编译为类似于源代码的可行，但该源代码将很难理解.这与运送Java类文件非常相似，可以将其反编译(甚至在JDK中甚至有一个标准工具， javap )，但格式Java类文件已被详细记录且没有不会从一个点发布版本更改为另一个点发布版本(尽管它们可以从一个主要版本更改为另一个；尽管新版本始终支持较旧的格式)，但是未记录此数据的格式(尽管它是一个开源项目)并且 可能会从一个发行版更改为另一个发行版.

So if you run the code through a minifier (particularly one that renames functions), then run it through ByteNode (or just do it with vm.Script yourself, ByteNode is a fairly thin wrapper), it will be feasible for someone to decompile it into something resembling source code, but that source code will be very hard to understand. This is very similar to shipping Java class files, which can be decompiled (there's even a standard tool to do it in the JDK, javap), except that the format Java class files are well-documented and don't change from one dot release to the next (though they can change from one major release to another; new releases always support the older format, though), whereas the format of this data is not documented (though it's an open source project) and is subject to change from one dot release to the next.

某些更改(例如更改版权信息)可能很容易对所述源代码进行.更有意义的变化将更加困难.

Certain changes, such as changing the copyright message, are probably fairly easy to make to said source code. More meaningful changes will be harder.

请注意，代码缓存似乎具有校验和或其他类似的完整性机制，因为直接编辑 .jsc 文件以将原义字符串中的一个字母交换为另一个字母会使代码缓存无法加载.因此，有人对其进行篡改(例如，更改版权声明)可能需要走反编译/重新编译的路线，或者潜入V8源代码中以了解如何更正完整性检查.

Note that the code cache appears to have a checksum or other similar integrity mechanism, since directly editing the .jsc file to swap one letter for another in a literal string makes the code cache fail to load. So someone tampering with it (for instance, to change a copyright notice) would either need to go the decompilation/recompilation route, or dive into the V8 source to find out how to correct the integrity check.

从根本上来说，保护您作品的方法是确保已将所有相关声明放在相关位置，以使复制该内容的事实明显侵犯版权，然后在发现后继续寻求法律追索权关于某人以自己的名义假冒.

Fundamentally, the way to protect your work is to ensure that you've put all the relevant notices in the relevant places such that the fact copying it is a violation of copyright is clear, then pursue your legal recourse should you find out about someone passing it off as their own.

这篇关于如何反编译字节节点"jsc"文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！