{"id":27438465,"url":"https://github.com/jwillbold/rusty-jsyc","last_synced_at":"2025-04-14T20:39:44.772Z","repository":{"id":34931156,"uuid":"191174703","full_name":"jwillbold/rusty-jsyc","owner":"jwillbold","description":"JavaScript-To-Bytecode compiler written in Rust","archived":false,"fork":false,"pushed_at":"2023-05-11T13:17:09.000Z","size":242,"stargazers_count":175,"open_issues_count":9,"forks_count":14,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-28T02:04:08.714Z","etag":null,"topics":["compiler","javascript","obfuscation","rust","virtualization-based-security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jwillbold.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-06-10T13:36:13.000Z","updated_at":"2025-02-14T18:04:12.000Z","dependencies_parsed_at":"2023-01-15T10:36:02.895Z","dependency_job_id":null,"html_url":"https://github.com/jwillbold/rusty-jsyc","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jwillbold%2Frusty-jsyc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jwillbold%2Frusty-jsyc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jwillbold%2Frusty-jsyc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jwillbold%2Frusty-jsyc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jwillbold","download_url":"https://codeload.github.com/jwillbold/rusty-jsyc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248958904,"owners_count":21189779,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compiler","javascript","obfuscation","rust","virtualization-based-security"],"created_at":"2025-04-14T20:39:43.255Z","updated_at":"2025-04-14T20:39:44.757Z","avatar_url":"https://github.com/jwillbold.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.com/jwillbold/rusty-jsyc.svg?token=hPh87VpFt3MQPwdySdkS\u0026branch=master)](https://travis-ci.com/jwillbold/rusty-jsyc)\n[![codecov](https://codecov.io/gh/jwillbold/rusty-jsyc/branch/master/graph/badge.svg?token=puTrXEsmcx)](https://codecov.io/gh/jwillbold/rusty-jsyc)\n\n\n# Rusty-JSYC\n\nRusty-JSYC (JavaScript bYtecode Compiler) is a JavaScript-To-Bytecode compiler written in Rust. The bytecode is meant to be used in conjunction with the provided [virtual machine](https://github.com/jwillbold/rusty-jsyc/blob/master/vm/vm.js) written in JavaScript. In combination they form the components for a virtualization obfuscation.\n\nThere is also a [blogpost](https://jwillbold.com/posts/obfuscation/2019-06-16-the-secret-guide-to-virtualization-obfuscation-in-javascript/) explaining this project and virtualization obfuscation in general.\n\n## How to use this\nYou must first compile the given JavaScript code. After that you can execute it with the provided virtual machine.\n\n#### Compile your JavaScript code\n\nYou can either use the provided command line tool:\n\n```Bash\ncargo run \u003c/path/to/javascript.js\u003e \u003c/path/to/vm-template.js\u003e \u003c/output/dir\u003e -d\n```\n\nor use the compiler as a library and call it from your own rust code:\n\n```Rust\nextern crate jsyc_compiler;\n\nuse jsyc_compiler::{JSSourceCode, BytecodeCompiler};\n\nfn main() {\n  let js_code = JSSourceCode::new(\"console.log('Hello World');\".into());\n  let mut compiler = BytecodeCompiler::new();\n\n  let bytecode = compiler.compile(\u0026js_code).expect(\"Failed to compile code\");\n  println!(\"Bytecode: {}\", bytecode);\n\n  let depedencies = compiler.decl_dependencies();\n  println!(\"Depedencies: {:?}\", depedencies);\n\n  let base64_bytecode = bytecode.encode_base64();\n  println!(\"Base64-encoded bytecode: {}\", base64_bytecode);\n}\n```\n\nIn your Cargo.Toml:\n```Toml\n[dependencies]\njsyc_compiler = \"~0.1\"\n```\n\n#### Run the virtual machine\n```JavaScript\n// include vm.js\n// ...\nvar vm = new VM();\nvm.init(Base64EncodedBytecode);\nrequestIdleCallback(() =\u003e vm.run());\n// ...\n```\nReplace ``Base64EncodedBytecode`` with the actual base64 encoded bytecode.\n\n#### Playground example\n\nAn example demonstrating both the compiler and the virtual machine can be found in ``playground/snake``. It features a small Snake game (snake.js).\nYou can compile this with:\n```Bash\ncargo run \"playground/snake/unobfuscated/snake.js\" \"vm/vm.js\" \"playground/snake/obfuscated\" \"playground/snake/unobfuscated/index.html\"\n```\nAfter compilation, open the index.html file in your browser.\n```\n/path/to/rusty-jsyc/playground/snake/obfuscated/index.html\n```\nThis was tested in Chrome 74 and Firefox 67. However, any ES6 capable browser should be compatible.\n\n## Virtualization Obfuscation\nVirtualization obfuscation is a state-of-the-art obfuscation scheme. It obfuscates the code by compiling it into bytecode which is then executed by a virtual machine (VM). Thus, the VM gets distributed along with the compiled bytecode. It is then called with this bytecode and executes it and is thereby executing the actual code.\n\nSince the bytecode is executed instruction by instruction, the original code is never restored anywhere. So, any potential attacker must first reverse engineer the VM, which may be heavily obfuscated. One must then understand the underlying architecture and instruction-set before being able to analyze the actual bytecode. Since any two virtualization obfuscations are potentially different, the use of automated tools is limited.[[1](1)][[2](2)]\n\n### Compatibility\n\n#### Interactions between the virtual and real JavaScript context\nIt is possible to provide the functions defined in the virtual JavaScript context to the real JavaScript context.\n```JavaScript\n// Compiled JavaScript\nfunction secret_function(a, b, c) { return a*b+c; }\nwindow.secret_function = secret_function;\n```\n\n```JavaScript\n// Non-Compiled JavaScript\nvar secret_function = window.secret_function;\nsecret_function(10, 20, 1337);\n```\n\nIt does not need to be ``window``, any object instance know to both contexts will work. When calling ``secret_function`` the virtual machine will start the execution of the corresponding bytecode chunk. Thus, calling a function this way does not reveal any more information on the implementation than just calling it inside the compiled JavaScript.\n\n#### Current unsound properties\nThese are the properties that are not reflected by the bytecode as they would be in real JavaScript.\n - the 'this' pointer for external non-member functions is simply 'void 0'\n - Assignment expressions do not return a value, and thus are not really expressions\n - If you declare a variable without assignment it's value will be unknown. Thus it might or might not be undefined (void 0). (It will be undefined but not JavaScript's undefined (void 0))\n - ``let`` and ``const`` declarations are treated as ``var`` declarations\n\n#### Unsupported JavaScript syntaxes\nThis compiler currently only supports a subset of JavaScript features. Currently missing are\n - Object related notations ({}, new, this, super, class)\n - for-of and for-in loops\n - async and await keywords\n - with, and switch keywords\n - ~~try and throw structures~~\n - ~~break, continue, labels~~\n - function expressions and arrow function (Regular functions are allowed)\n  - function expressions and arrow functions can be realized with:\n  ```JavaScript\n  var func_expr = eval(\"0, function(x) {return x*x;}\");\n  ```\n  However, they do not support references to variables defined in the compiled JavaScript.\n - tagged template expressions\n - spread, rest and sequence notations\n\n### How to run tests\nThere are several test sets in this project:\n 1. Cargo tests: ``cargo test``\n 2. Node (mocha) tests:``npm install \u0026\u0026 npm test``\n\n_____________________________________\n[1]: http://static.usenix.org/event/woot09/tech/full_papers/rolles.pdf\n*1*: Rolf Rolles. Unpacking virtualization obfuscators. USENIX Workshop on Offensive Technologies (WOOT), 2009.\n\n[2]: https://dslab.epfl.ch/pubs/staticVirtObf.pdf\n*2*: Johannes Kinder. Towards static analysis of virtualization-obfuscated binaries. Reverse Engineering (WCRE), 2012 19th Working Conference.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjwillbold%2Frusty-jsyc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjwillbold%2Frusty-jsyc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjwillbold%2Frusty-jsyc/lists"}