Some useful tool additions for 'Code Review Tools -> JavaScript -> Static Analysis -> Deobfuscate/Unpack'
In the Code Review Tools -> JavaScript -> Static Analysis -> Deobfuscate/Unpack section:
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/code-review-tools#static-analysis
I've been maintaining my own more comprehensive list of tools/helpful resources in this gist:
- https://gist.github.com/0xdevalias/d8b743efb82c0e9406fc69da0d6c6581#deobfuscating--unminifying-obfuscated-web-app-code
I'm not sure if it would make sense to link to that from your page or not; but I did want to specifically highlight a few tools I came across recently that seem quite good, and would fit well in this section:
- https://github.com/pionxzh/wakaru (@pionxzh)
  - Javascript decompiler, unpacker and unminify toolkit
  - Wakaru is the Javascript decompiler for modern frontend. It brings back the original code from a bundled and transpiled source.
- https://github.com/j4k0xb/webcrack (@j4k0xb)
  - Deobfuscate obfuscator.io, unminify and unpack bundled javascript
- https://github.com/jehna/humanify (@jehna)
  - Un-minify Javascript code using ChatGPT
  - This tool uses large language models (like ChatGPT & llama2) and other tools to un-minify Javascript code. Note that LLMs don't perform any structural changes – they only provide hints to rename variables and functions. The heavy lifting is done by Babel on AST level to ensure code stays 1-1 equivalent.
- https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification.html
  - Using LLMs to reverse JavaScript variable name minification