const parser = require('@babel/parser'); const traverse = require('@babel/traverse').default; const generate = require('@babel/generator').default; const t = require('@babel/types'); function deobfuscateStringArray(code) const ast = parser.parse(code); let stringArray = null; let accessorName = null;
// Step 1: Find array declaration traverse(ast, VariableDeclarator(path) if (path.node.init && t.isArrayExpression(path.node.init)) stringArray = path.node.init.elements.map(el => el.value);
);
);
function deepUnpack(code, maxDepth=10) let depth = 0; let current = code; while (depth < maxDepth) const evalMatches = current.match(/eval\((['"])(.*?)\1\)/s); if (!evalMatches) break; let inner = evalMatches[2]; // Unescape common escapes inner = inner.replace(/\\x([0-9A-Fa-f]2)/g, (_, hex) => String.fromCharCode(parseInt(hex, 16))); current = inner; depth++; return current; javascript deobfuscator and unpacker
A is a tool or script that attempts to reverse this process. An Unpacker is a specific type of deobfuscator designed to handle multi-layered or "packed" code—code that generates more code, often dynamically.
if (path.node.init && t.isIdentifier(path.node.init) && path.node.id.name.startsWith('_0x')) // track accessor function name Impossible without type inference or runtime profiling
const vm = require('vm'); let lastEvalArg = null; const sandbox = { eval: (x) => lastEvalArg = x; return null; , Function: function(...args) { lastEvalArg = args[args.length-1]; return ()=>{}; }, console: console }; vm.runInNewContext(obfuscatedCode, sandbox); console.log(lastEvalArg); // unpacked code Rename _0xdead , _0xbeef to meaningful names? Impossible without type inference or runtime profiling. Most deobfuscators leave identifiers as-is but beautified. 4. Real-World Tools & Their Internals | Tool | Approach | Strength | Weakness | |------|----------|----------|----------| | de4js (online) | Mixed static + dynamic ( eval in sandbox) | Good for string array & simple packers | No CFG unflattening | | Obfuscator.io Detector | Pattern matching | Fast, accurate for one obfuscator | Not general | | JStillery | Hybrid: static + Chromium headless | Handles DOM-based obfuscation | Heavy, slow | | Box-JS (Python) | AST rewriting + sandbox | Pure static, no execution risk | Cannot handle dynamic eval | | CrackJS (commercial) | Symbolic execution + taint tracking | State-of-the-art for CFG flattening | Expensive, closed source |
// Step 2: Replace calls with actual strings traverse(ast, CallExpression(path) if (path.node.callee.name === accessorName) const index = path.node.arguments[0].value; const replacement = t.stringLiteral(stringArray[index]); path.replaceWith(replacement); Real-World Tools & Their Internals | Tool |
1. The Core Problem: Why Deobfuscate? In the world of JavaScript, "obfuscation" is the deliberate act of making source code extremely difficult for humans to understand while preserving its functional behavior for the JavaScript engine (V8, SpiderMonkey, JavaScriptCore). Developers use obfuscation for legitimate reasons (protecting intellectual property, reducing code size) and malicious reasons (evading antivirus, hiding malicious payloads).
return generate(ast).code;