loading
loading
Static Code Analysis
General purpose JavaScript deobfuscator.
overview
javascript-deobfuscator takes obfuscated JavaScript and rewrites it back toward readable source. It reverses the transforms that hide intent: string-array lookups, proxy-function indirection, arithmetic and string-concatenation obfuscation, and hex-renamed identifiers, so the output reads close to real code instead of a wall of encoded tokens. It targets the style of output that tools like obfuscator.io produce.
It runs over a folder of files, which fits the way crawlers and JS-collection tools dump bundles. Point it at a directory of scripts pulled from a target and it processes each one, leaving a tree of cleaned files ready to grep or feed into a static-analysis step.
On Trickest, the node takes a folder of JavaScript and writes a folder of readable files. Chain it after a step that harvests scripts from a target, then pass the clean output to an endpoint or secret extractor so the next stage works against legible code.
use cases
Run a folder of obfuscated scripts through the deobfuscator so the output reads like real source instead of encoded string arrays and proxy calls.
Deobfuscate first, then feed the readable files to LinkFinder or jsluice so the regex and parser stages see real URLs and paths, not hidden ones.
Unpack a script that hides its behavior behind obfuscation so you can read what it loads, calls, and exfiltrates at runtime.
Point the tool at a folder of bundles pulled by a crawler and let it process every file in one pass for a tree of legible output.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-folder | FOLDER | · | Folder of JavaScript files to deobfuscate. Every file in the folder is processed and a cleaned copy is written to the output folder. |
Showing key inputs. javascript-deobfuscator exposes 1 inputs in total.
example
# batch-deobfuscate a folder of harvested scriptsfor f in ./js-bundles/*.js; do js-deobfuscator -i "$f" -o "./deobfuscated/$(basename "$f")"done// deobfuscated/collect.js (string array and proxy calls resolved)const config = { endpoint: "https://api.example.com/v2", timeout: 3000};function sendBeacon(payload) { return fetch(config.endpoint + "/collect", { method: "POST", body: JSON.stringify(payload) });}document.addEventListener("DOMContentLoaded", () => sendBeacon({ ref: document.referrer }));guidance
Use javascript-deobfuscator when you have obfuscated JavaScript that resists reading and you need legible source before analyzing it. It cleans code, it does not extract endpoints or secrets, so pair it with jsluice or LinkFinder downstream.
Parses JavaScript for URLs and secrets. Run the deobfuscator first so jsluice sees readable code.
Regex endpoint discovery in JS. Deobfuscate before it so endpoints are not hidden behind encoding.
Recovers original sources from source maps when they exist. Use it when maps are available, this tool when they are not.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A folder of obfuscated JS bundles feeds javascript-deobfuscator, which rewrites them and writes a folder of readable files for analysis.
Facts on this page come from the live Trickest tool library.