Skip to content

Add obfuscateBuiltins and obfuscateApiCalls options#1385

Open
thkim2015 wants to merge 2 commits intojavascript-obfuscator:masterfrom
thkim2015:5.3.1_di
Open

Add obfuscateBuiltins and obfuscateApiCalls options#1385
thkim2015 wants to merge 2 commits intojavascript-obfuscator:masterfrom
thkim2015:5.3.1_di

Conversation

@thkim2015
Copy link

@thkim2015 thkim2015 commented Mar 18, 2026

Summary

  • Add obfuscateBuiltins option: transforms built-in JavaScript identifiers (console, Math, JSON, Object, etc.) into globalThis['name'] computed access patterns
  • Add obfuscateApiCalls option: transforms API method calls (document.getElementById, fetch, etc.) into globalThis-based indirect access
  • Both options create string literals extractable by StringArrayTransformer for maximum obfuscation

Key Design Decisions

  • Stage: Converting (after scope analysis, before identifier renaming)
  • Technique: consoleglobalThis['console'] — creates string literals for StringArray extraction
  • Safety: Scope-aware (skips user-defined variables that shadow built-ins), target-aware (browser vs node), reservedNames-compatible
  • Defaults: Both false by default. obfuscateBuiltins: true in high-obfuscation preset

Changes

New Files (8)

  • src/constants/BuiltinIdentifierNames.ts — Categorized built-in lists (Core JS, Browser, Node.js)
  • src/node-transformers/converting-transformers/BuiltinsObfuscationTransformer.ts
  • src/node-transformers/converting-transformers/ApiCallsObfuscationTransformer.ts
  • Test specs and fixtures (5 files)

Modified Files (9)

  • Options: IOptions.ts, Options.ts, Default.ts, HighObfuscation.ts, NoCustomNodes.ts
  • Pipeline: NodeTransformer.ts, JavaScriptObfuscator.ts, ConvertingTransformersModule.ts
  • CLI: JavaScriptObfuscatorCLI.ts

Test plan

  • 12 BuiltinsObfuscationTransformer tests (basic builtins, shadowed vars, property access, reserved names, disabled option)
  • 5 ApiCallsObfuscationTransformer tests (DOM APIs, fetch, disabled option)
  • 202 existing converting transformer tests pass (no regression)
  • 19 issue regression tests pass
  • ESLint clean (pre-commit hook)

Examples

// obfuscateBuiltins: true
console.log('hello')  globalThis['console']['log']('hello')
Math.random()         globalThis['Math']['random']()

// obfuscateApiCalls: true
document.getElementById('x')  globalThis['document']['getElementById']('x')
fetch(url)                     globalThis['fetch'](url)

SPEC: SPEC-OBFUSCATION-001

🗿 MoAI [email protected]

@thkim2015
Add obfuscateBuiltins and obfuscateApiCalls options
05c14f4 
Introduce two new obfuscation options that transform references to built-in
JavaScript objects/functions and browser/Node.js API calls into indirect
access patterns via globalThis, making reverse engineering significantly harder.

- obfuscateBuiltins: transforms built-in identifiers (console, Math, JSON, etc.)
  into globalThis['name'] computed access patterns
- obfuscateApiCalls: transforms API method calls (document.getElementById,
  fetch, etc.) into globalThis-based indirect access

Both options are scope-aware (skip shadowed variables), target-aware
(browser vs node built-in lists), and compatible with reservedNames,
conditional comments, and stringArray extraction.

SPEC: SPEC-OBFUSCATION-001

🗿 MoAI <[email protected]>
@thkim2015
Add obfuscateApiCallsMode sub-option for non-call bracket access support
7bc8e6f 
Enhance ApiCallsObfuscationTransformer with a new obfuscateApiCallsMode option
that controls whether to transform only API function calls ('calls-only', default)
or all member expression access patterns ('all-access').

In 'all-access' mode, non-call bracket/dot access like `document.body`,
`document['getElementById']`, and `navigator.userAgent` are also transformed
to `globalThis['document']['body']` etc, creating string literals extractable
by StringArrayTransformer.

Includes normalizer rule to reset mode to 'calls-only' when obfuscateApiCalls
is disabled.

SPEC: SPEC-OBFUSCATION-002

🗿 MoAI <[email protected]>
patchixgit
patchixgit suggested changes Mar 21, 2026
View reviewed changes
Copy link

@patchixgit patchixgit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if an environment does not have globalThis? It is not available in older browsers or older versions of Node.js. In these cases, a polyfill is needed to emulate its behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@patchixgit patchixgit patchixgit requested changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thkim2015 @patchixgit @sanex3339