What types of protections do you apply on the asar files?

[burgil]

Hey there, Thank you so much for this awesome repository, I love using it and wish you good luck,

I saw everything is labeled as default patches but I'm a bit curious so I had to dig and found out this part:

asarmor/src/encryption/main.cpp

Line 173 in 397a192

arg.find("--remote-debugging-port") == 0) {

And that file:

https://github.com/sleeyax/asarmor/blob/master/src/encryption/includes.h

And the library it seem to reference: (Edit: Not being referenced)

https://www.npmjs.com/package/js2c

Any information on the above will feed my curiosity and probably of others too, But, My simple questions will be, please:

1. regarding the last two links, (js2c and includes.h) It seems like it's either trying to find out where to inject itself or it's injecting something to the electron binary, am I correct? which one will it be?

2. In main.cpp where includes.h is referenced - Why is it intercepting the --remote-debugging-port and the --inspect? and which function causes that? is it the trashify? or the bloat? or the encrypt? or none of the above? also, how do I trigger so called general patches from the command line? (reason was that I do want to enable remote debugging on my release app since it's gonna be a browser..)

3. I'm using the cli to build electron apps without electron builder so I generally use the CLI and not the beforePack or afterPack hooks, Most important question I have please: Do I need to run first the encrypt and then bloat and then trashify (ignore order), or can I do it all in one command? what is like the ultimate command and settings please lol?

example for that will be:

This "badly-need-a-fix" "one-liner":
$ asarmor -a app.asar -o asarmor.asar --bloat 43908573409750 --trashify something-that-makes-more-sense.exe not-foo.js and-not-bar.ts --backup --encrypt asarmor.asar --encrypt-key key.txt
DANGER DO NOT RUN << I JUST WROTE UP THIS NUMBER 43908573409750 TO CHECK IF YOU WILL SAY IT'S BAD LOL?

Or this: (Or what else lol, I don't care how many lines I need to run but how many?)

 $ asarmor -a app.asar -o asarmor.asar --bloat 1000
 $ asarmor -a app.asar -o asarmor.asar --trashify bee-movie.txt foo.js bar.ts
 $ asarmor -a app.asar -o asarmor.asar --trashify --backup
 $ asarmor -a app.asar -o asarmor.asar --encrypt asarmor.asar   << Is this correct or do I need to reference a folder? please help me craft the ultimate command all I have is an app.asar right now what now please? need the ultimate config and I'm not giving up until I got it lol?
 $ asarmor -a app.asar -o asarmor.asar --encrypt-key key.txt
 $ asarmor -a app.asar --restore

[sleeyax]

Thank you for starting a discussion. Few developers have taken the time thus far to contribute back to the repository so your input is much appreciated.

Please keep in mind that the encryption module and other recent changes related to it are are currently considered to be in beta.

Asarmor's encryption module is based on toyobayashi/electron-asar-encrypt-demo. That's a good place to start if you want to learn more about how it works in detail. Asarmor integrates the same encryption methods, but in an easier to use format.

---

Now, to answer your questions:

And the library it seem to reference:

npmjs.com/package/js2c

That library isn't used, actually. It's a local script scripts/js2c.js which is ran after the package is installed. Its purpose is to write bootstrap JS code to includes.h so it can later be referenced at runtime.

1. See my answer above. No modifications to electron binaries are made.

In main.cpp where includes.h is referenced - Why is it intercepting the --remote-debugging-port and the --inspect

Those are some very basic anti-debugging checks, unrelated to the encryption part. Good that you mention this though, we may want to either improve this or remove it because it's actually a bit out of scope for asarmor and there's better libraries/tools out there that already solve this problem.

and which function causes that? is it the trashify? or the bloat? or the encrypt

Only encrypt. The other patches you mention are decoupled form each other and don't have anything to do with encryption or these anti-debugging checks.

how do I trigger so called general patches from the command line?

I'm not sure what you mean by 'general patches'. Do you mean the default patches that are applied via asarmor.patch() without arguments? If so, that's currently not supported via CLI. The CLI is suposed to be more geared towards power users, I don't think having a default patch option there makes sense since you can get the same result by combining the different flags. If you really need it for some reason I'm willing to accept a PR though.

Do I need to run first the encrypt and then bloat and then trashify (ignore order), or can I do it all in one command?

Encrypt the source files to .asar first and then apply the bloat and trashify patches to the resulting asar. This is currently a limitation, see #42.

what is like the ultimate command and settings please lol?

Encryption + default patches. Custom patches are only useful if you want full control over what gets written, the protection itself is at the same level of security. Asarmor isn't comparable to a regular obfuscator where you have 'low', 'medium' or 'high' protection levels.

<< Is this correct or do I need to reference a folder?

Encryption currently only supports source/transpiled files -> .asar. So yes, you need to specify a folder for now.

I guess if you really want 'the ultimate conifg' to mess with a reverse engineer the most, this would be it:

$ asarmor -a ./release/app/dist -o app.asar --encrypt-key key.txt
$ asarmor -a app.asar -o asarmor.asar --trashify bee-movie.txt foo.js bar.ts --bloat 999999 

Don't try to asar extract the result if you don't fully understand what it does!

[sleeyax]

@burgil please open a separate issue regarding the issues you're facing with NPM.

[sleeyax]

So it's essentially an Asar alternative, I mean wow, maybe electron can integrate it directly with a PR or something,
But just to be clear I don't need asar to be installed right? currently I package it with asar, unpackage it with asar, and repackage it with asarmor lol, if you will write somewhere that this is a complete alternative solution to asar I'm sure a lot more people will get it and it will solve my type of confusions

Sorry, but you're missing the point completely. Asarmor is everything but an alternative to asar. It's in the name; by design its purpose is to 'harden' an existing asar file to protect it from extraction. That's all. It may look like it has packaging functionalities because of the way the encryption module is currently implemented but as said countless of times before, that's a limitation and not a feature.

[burgil]

well if it packs the app folder into an asar file, in my eyes it's considered an alternative since I no longer have to package my files using the official asar and now I have asarmor instead to package it for me:

(God forgive me for using batch please ignore the fact it's in batch lol)

so this ^^ can now transform into this:

I love it, sorry if I said something wrong I an not a native english speaker forgive me, anywho,

You know how they say, if it's a limit make it a feature (;

[sleeyax]

Ok but keep in mind that this is subject to change in a newer version of asarmor. Asarmor should by design only modify an existing .asar file.

[burgil]

Oh right the new integrity headers are missing now from the final asar file I get it now it's not an alternative its meant to patch it

[burgil]

also I finally got trashify! this is great! I've finally decided this project is worth it! thank you again!

…

On Thu, Jun 2, 2022, 5:26 PM Burgil ***@***.***> wrote: Well, I tried to install it using yarn 3 but it failed with an error both as a devdependency and just a dependency, I had to install it globally using npm and also I had to install a module called terser which wasnt installed for me? On Thu, Jun 2, 2022, 4:49 PM Sleeyax ***@***.***> wrote: > Encryption currently only supports source/transpiled files -> .asar > It looks like an error? I mean if it only supports source files why point > into .asar? > > What I meant to say is you have to specify a source folder to asarmor and > it will create a new .asar from its contents. > > And I am guessing 999999 is the maximum number, like will it literally > consume all hard disk space? how fast? is it reversible? > > Not at all, the maximum number would technically be Number.MAX_VALUE > (JavaScript's max number) i.e 1.7976931348623157e+308 though I haven't > tested if asar can parse values in that range. Technical possibilities > aside judging your use case you don't need to go this high unless you > really wanna have quite an insane asar file. As stated in the README, > output from asarmor --help and by taking ~5 minutes of your time to read > the code, you can see that the bloat protection writes the specified amount > of GBs of randomness to the disk (relative to where the .asar is located). > So if you specify --bloat 5 that will write +- 5GB of random files in > total to the location where your .asar file is located. It's safe to try > that out (use a VM if you're uncertain). It takes as much time as the > operating system needs to write stuff to disk. Once all files have been > written, they can be deleted so it is 'reversible' in a sense. Asarmor > doesn't do anything that could cause damage to a computer unless you > explicitly tell or write a custom patch to do so. > > if I were looking to do the same from the CLI how will that look like we > have that part right: --trashify bee-movie.txt foo.js bar.ts can we make it > a little better? what's the limit? > > There's no limits to it, you can specify whatever files you want. All the > random extension handler does is help to make it more random so > bee-movie.txt can become bee-movie.n9X7m5KXzNhduzXu6LnA.txt or > bee-mobie.ZnXraNwgKBndRHfEU2sT.js per build. CLI accepts static > parameters only, but you could write a shell script if you need to > randomize it... > > Or why don't you install asarmor as a local dependency, create a file > like build.js and put everything packaging related in there so you can > run it via node build.js instead of messing with cli params? > > — > Reply to this email directly, view it on GitHub > <#44 (reply in thread)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AJ5MJFLRN65KLOG7PBJGI6TVNC3XRANCNFSM5XTAHLKA> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >