Skip to content

refactor: Functional API, Advanced Transforms, and Secure Sandbox Evaluation#20

Merged
kuizuo merged 11 commits intomainfrom
webcrack-deobfuscate
Feb 1, 2026
Merged

refactor: Functional API, Advanced Transforms, and Secure Sandbox Evaluation#20
kuizuo merged 11 commits intomainfrom
webcrack-deobfuscate

Conversation

@kuizuo
Copy link
Copy Markdown
Owner

@kuizuo kuizuo commented Feb 1, 2026

No description provided.

@vercel
Copy link
Copy Markdown

vercel Bot commented Feb 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
js-de-obfuscator Ready Ready Preview, Comment Feb 1, 2026 0:37am

@kuizuo
Copy link
Copy Markdown
Owner Author

kuizuo commented Feb 1, 2026

/gemini summary

@gemini-code-assist
Copy link
Copy Markdown

Summary of Changes

Hello @kuizuo, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a significant refactoring of the deobfuscation library, transitioning to a more functional and simplified API. It introduces a suite of new code transformation capabilities, including advanced transpilation and unminification techniques, while also enhancing security through sandboxed code evaluation. The changes aim to improve the overall robustness, maintainability, and user-friendliness of the deobfuscator.

Highlights

  • API Refactoring: The primary deobfuscation logic has been refactored from a class-based Deob API to a more streamlined functional deob API, simplifying its usage across the library and examples.
  • Option Simplification: Several configuration options, including stringArraylength, inlineWrappersDepth, isStrongRemove, isRemoveDecoder, execCount, isDebug, and isMinifiedEnable, have been removed to simplify the API and configuration surface.
  • Enhanced Code Transformation: New transpilation transforms (e.g., default parameters, logical assignments, nullish coalescing, optional chaining, template literals) and unminification transforms (e.g., for-to-while, invert boolean logic, remove double not, split for loop vars, string literal in template, truncate number literal) have been integrated to improve code readability and structure.
  • Secure Code Evaluation: A sandbox environment using isolated-vm has been implemented for createNodeSandbox and evalCode, enhancing security when evaluating untrusted code snippets during deobfuscation.
  • Module Export Strategy Update: The packages/deob/package.json has been updated to include exports fields, improving CJS/ESM compatibility and module resolution.
  • Improved String Array and Decoder Handling: The logic for detecting and processing string arrays and decoders has been refined, including adding originalName to the Decoder class and enhancing matchers for better accuracy.
  • Website and Example Updates: All example files and website components have been updated to reflect the new API, removed options, and improved error handling, ensuring consistency and a better user experience.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request is a large and impressive refactoring that modernizes the API, introduces sandboxing for safer execution, and adds many new features and improvements. While the code quality is generally high, it introduces a critical security vulnerability: an insecure fallback to global.eval() in the deobfuscation engine's virtual machine component. This fallback, which occurs if the isolated-vm sandbox fails or is unavailable, allows an attacker to achieve Remote Code Execution (RCE) on the host system by providing a specially crafted malicious file. It is strongly recommended to remove these fallbacks and ensure untrusted code is only executed within a secure, non-bypassable sandbox. Additionally, I have a major concern about a potential bug in the control flow switch transform.

Comment on lines +70 to +85
try {
const result = await this.sandbox(code)
return result as unknown[]
}
catch (error) {
// ignore
}

try {
const result = await global.eval(code)
return result as unknown[]
}
catch (error) {
deobLogger('global.eval error:', error)
throw error
}
Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

The VMDecoder.decode function implements an insecure fallback to global.eval() if the sandbox execution fails. The code variable being evaluated contains parts of the untrusted input file being deobfuscated (specifically the string array, rotator, and decoder functions). An attacker can craft a malicious JavaScript file that, when processed by the deobfuscator, executes arbitrary code on the host system. This leads to Remote Code Execution (RCE) in Node.js environments.

Comment on lines +89 to 102
export async function evalCode(sandbox: Sandbox, code: string) {
try {
return await sandbox(code) as unknown
}
catch (sandboxError) {
try {
return global.eval(code) as unknown
}
catch (evalError) {
deobLogger('evalCode error:', evalError)
throw sandboxError
}
}
}
Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-critical critical

The evalCode function also implements an insecure fallback to global.eval() if the sandbox execution fails. Similar to VMDecoder.decode, this allows for arbitrary code execution if the input code is derived from untrusted sources. In the context of this application, evalCode is used to execute setup code and decoder calls which are extracted from the input file.

Comment on lines +77 to +78
path.node.body.splice(0, 3, ...newStatements);
this.changes += newStatements.length + 3;
Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The use of path.node.body.splice(0, 3, ...newStatements) assumes that the three statements of the control flow flattening mechanism (sequence declaration, iterator declaration, and the loop) are always the first three statements in the block. However, the @codemod/matchers anyList does not guarantee this; it will find a matching sequence of statements anywhere in the block's body. If there are other statements before the control flow mechanism, this will lead to incorrect code by removing the wrong statements.

A more robust approach would be to capture the matched statements and remove them specifically from the body, for example by finding their indices.

@kuizuo kuizuo changed the title refactor: remove stringArraylength option from various components and… refactor: Functional API, Advanced Transforms, and Secure Sandbox Evaluation Feb 1, 2026
@gemini-code-assist
Copy link
Copy Markdown

Summary of Changes

This pull request undertakes a significant refactoring of the deobfuscation library, moving towards a more functional and simplified API. It introduces a comprehensive suite of new code transformation capabilities, including advanced transpilation and unminification techniques, while also enhancing security through sandboxed code evaluation. The changes aim to improve the overall robustness, maintainability, and user-friendliness of the deobfuscator.

Highlights

  • API Refactoring: The core deobfuscation logic has been transitioned from a class-based Deob API to a more functional deob API, simplifying its usage across the library and examples.
  • Option Simplification: Several configuration options, including stringArraylength, inlineWrappersDepth, isStrongRemove, isRemoveDecoder, execCount, isDebug, and isMinifiedEnable, have been removed to streamline the API and configuration.
  • Enhanced Code Transformation: New transpilation transforms (e.g., default parameters, logical assignments, nullish coalescing, optional chaining, template literals) and unminification transforms (e.g., for-to-while, invert boolean logic, remove double not, split for loop vars, string literal in template, truncate number literal) have been integrated to improve code readability and structure.
  • Secure Code Evaluation: A sandbox environment using isolated-vm has been implemented for createNodeSandbox and evalCode, enhancing security when evaluating untrusted code snippets during deobfuscation. However, a fallback to global.eval() has been identified as a security concern.
  • Module Export Strategy Update: The packages/deob/package.json has been updated to include exports fields, improving CJS/ESM compatibility and module resolution.
  • Improved String Array and Decoder Handling: The logic for detecting and processing string arrays and decoders has been refined, including adding originalName to the Decoder class and enhancing matchers for better accuracy.
  • Website and Example Updates: All example files and website components have been updated to reflect the new API, removed options, and improved error handling, ensuring consistency and a better user experience.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog
  • .gitignore
    • Removed history_*.js from the ignore list.
  • README.md
    • Updated example code to reflect the new functional deob API and removed options like inlineWrappersDepth and defaultOptions spread.
  • example/cx/index.ts
    • Removed stringArraylength and isDebug options from options object.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/cx/output.js
    • Added // TOLOOK comment at the beginning of the file.
    • Refactored variable declarations within for loops to be inline, reducing verbosity.
  • example/cycgo/index.ts
    • Removed stringArraylength and isDebug options.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/gk/index.ts
    • Removed stringArraylength and isDebug options.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/jsonv6/index.ts
    • Removed isDebug option.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/lamz/index.ts
    • Removed execCount, isStrongRemove, and isRemoveDecoder options.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/maoyan/index.ts
    • Removed stringArraylength and isDebug options.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/maoyan/output.js
    • Refactored variable declarations within for loops to be inline, reducing verbosity.
    • Added // TOLOOK comment before setInterval call.
  • example/obfuscator/index.ts
    • Removed decoderLocationMethod, stringArraylength, and isDebug options.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/obfuscator/output.js
    • Added new _0x42856f object and conditional logic within _0x7fa39c function.
    • Refactored variable declarations within for loops to be inline, reducing verbosity.
    • Removed several unused functions (r, o, a, f, c, j, d, h, p, m, O, I, x, A, U) and related code from the output.
  • example/pdd/index.ts
    • Removed isDebug, execCount, and isStrongRemove options.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/wangyi/index.ts
    • Removed stringArraylength and isDebug options.
    • Updated import from Deob to deob and parseCode.
    • Refactored Deob class instantiation to direct deob function call.
    • Removed AST history logging loop.
  • example/wangyi/output.js
    • Refactored variable declarations within for loops to be inline, reducing verbosity.
    • Removed a large string array e from the (function () { ... })() block.
  • packages/deob/package.json
    • Added exports field for better CJS/ESM compatibility.
    • Changed main field from dist/index.js to dist/index.cjs.
  • packages/deob/src/ast-utils/ast.ts
    • Added semicolons at the end of import statements and return values for consistency.
  • packages/deob/src/ast-utils/generator.ts
    • Changed ellipsis from …… to in codePreview function.
  • packages/deob/src/ast-utils/index.ts
    • Removed export of ./scope.
  • packages/deob/src/ast-utils/inline.ts
    • Modified inlineVariable to accept a value matcher and unsafeAssignments flag, allowing for inlining of non-constant assignments.
    • Added t.cloneNode when replacing array elements to prevent unintended side effects.
    • Renamed inlineFunction to inlineFunctionCall and added handling for void 0 when arguments are missing.
    • Added a check in inlineVariableAliases to avoid infinite loops from alias = alias;.
    • Changed replacement logic for assignment expressions in inlineVariableAliases to replace with the target identifier directly.
  • packages/deob/src/ast-utils/matcher.ts
    • Renamed anyLiteral to safeLiteral and clarified its purpose.
    • Introduced anonymousFunction matcher for function and arrow function expressions.
    • Introduced iife matcher for immediately invoked function expressions.
    • Introduced undefinedMatcher for undefined and void 0.
    • Improved isReadonlyObject to handle more complex destructuring assignments.
    • Added isTemporaryVariable to identify compiler-generated temporary variables.
    • Introduced AnySubListMatcher and anySubList for greedy matching of sub-lists.
  • packages/deob/src/ast-utils/matchers.d.ts
    • Added toString() method to NodePath interface for convenience.
  • packages/deob/src/ast-utils/rename.ts
    • Added ref.isExportDefaultDeclaration() check to renameFast to prevent renaming default exports.
    • Added handling for delete unary expressions, array patterns in variable declarators, and function declarations in renameFast.
  • packages/deob/src/ast-utils/scope.ts
    • Modified generateUid to remove the leading underscore prefix and name filters, making it more similar to Babel's scope.generateUid.
  • packages/deob/src/ast-utils/test/inline.test.ts
    • New test file for inlineVariable, inlineArrayElements, inlineObjectProperties, and inlineFunctionCall.
  • packages/deob/src/ast-utils/test/matcher.test.ts
    • New test file for anySubList matcher.
  • packages/deob/src/ast-utils/test/rename.test.ts
    • Added a test case for duplicate function binding in renameFast.
    • Added test cases for a = 3; and delete a; in renameFast.
  • packages/deob/src/ast-utils/transform.ts
    • Added debug logging for transform start and end.
    • Modified applyTransforms to accept a name option for logging and improved logging for transform execution.
    • Introduced mergeTransforms function to combine multiple transforms into a single one.
  • packages/deob/src/cli.ts
    • Updated import from Deob to deob.
    • Refactored Deob class instantiation to direct deob function call.
  • packages/deob/src/deobfuscate/array-rotator.ts
    • Updated callMatcher to use the new iife matcher.
  • packages/deob/src/deobfuscate/control-flow-object.ts
    • Renamed transform name from controlFlowObject to control-flow-object.
    • Updated inlineFunction to inlineFunctionCall.
    • Added inlineMatcher and MemberExpression visitor to handle inline member access directly.
  • packages/deob/src/deobfuscate/control-flow-switch.ts
    • Renamed transform name from controlFlowSwitch to control-flow-switch.
    • Modified cases matcher to use anyList more accurately.
    • Changed path.node.body.splice(0, path.node.body.length, ...newStatements) to path.node.body.splice(0, 3, ...newStatements) to correctly replace the first three statements.
  • packages/deob/src/deobfuscate/dead-code.ts
    • Renamed transform name from deadCode to dead-code.
    • Refactored replace function to handle variable shadowing when replacing block statements.
  • packages/deob/src/deobfuscate/debug-protection.ts
    • Renamed transform name from debugProtection to debug-protection.
    • Updated findParent(ref, iife) to findParent(ref, iife()) to use the new iife matcher.
  • packages/deob/src/deobfuscate/decoder.ts
    • Added originalName property to Decoder class.
    • Modified inlineVariable call to use literalArgument and true for unsafeAssignments.
    • Added handling for ExpressionStatement where decoder calls might appear on their own.
    • Updated anyList to anySubList in findDecoders.
  • packages/deob/src/deobfuscate/evaluate-globals.ts
    • New transform to evaluate global functions like atob, unescape, decodeURI, decodeURIComponent.
  • packages/deob/src/deobfuscate/index.ts
    • Updated imports for AsyncTransform and Sandbox.
    • Removed stringArraylength option from findDecoderByArray call.
    • Updated logging for string array decoders to show original names.
    • Removed inlineWrappersDepth loop and isRemoveDecoder / isStrongRemove logic.
    • Removed execCount loop for control flow flattening.
    • Integrated new transpile and unminify transforms.
    • Added evaluateGlobals transform.
    • Removed Deob class and refactored to a functional deob API.
  • packages/deob/src/deobfuscate/inline-decoded-strings.ts
    • Renamed transform name from inlineDecodedStrings to inline-decoded-strings.
    • Modified decodeStrings to be an async function and accept a sandbox parameter.
  • packages/deob/src/deobfuscate/inline-decoder-wrappers.ts
    • Renamed transform name from inlineDecoderWrappers to inline-decoder-wrappers.
    • Removed logging from run function.
  • packages/deob/src/deobfuscate/inline-object-props.ts
    • Renamed transform name from inlineObjectProps to inline-object-props.
    • Added literalMemberAccess matcher and MemberExpression visitor to handle inline object property access.
  • packages/deob/src/deobfuscate/merge-object-assignments.ts
    • Improved inlineableObject matcher to use safeLiteral.
    • Added isRepeatedCallReference check to prevent inlining objects that are evaluated multiple times.
  • packages/deob/src/deobfuscate/my-string-array.ts
    • New file containing refactored findStringArray logic, including hasIIFEReference and hasMemberAccessInFunction.
  • packages/deob/src/deobfuscate/self-defending.ts
    • Renamed transform name from selfDefending to self-defending.
    • Updated matchIife to iife.
    • Removed recordRemoval function and related logging.
  • packages/deob/src/deobfuscate/string-array.ts
    • Added originalName to StringArray interface.
    • Modified findStringArray to remove count parameter and use undefinedMatcher in arrayExpression.
    • Added originalName to the StringArray result.
  • packages/deob/src/deobfuscate/var-functions.ts
    • Added semicolons at the end of import statements and matcher definitions.
  • packages/deob/src/deobfuscate/vm.ts
    • Implemented createNodeSandbox using isolated-vm.
    • Added evalCode function to safely evaluate code in a sandbox with a fallback to global.eval.
  • packages/deob/src/index.ts
    • Updated imports for ParseResult and t.
    • Removed parser export and added parseCode function.
    • Removed Deob class and refactored to a functional deob API.
    • Updated DeobResult interface to remove historys.
    • Integrated new transpile and unminify transforms.
    • Removed inlineWrappersDepth, isStrongRemove, isRemoveDecoder, execCount options from Options.
    • Added evalCode import and usage.
    • Removed reParse method.
  • packages/deob/src/options.ts
    • Removed isStrongRemove, inlineWrappersDepth, stringArraylength, isRemoveDecoder, execCount, isDebug, isMinifiedEnable from Options interface and defaultOptions.
    • Added sandbox option to Options and defaultOptions.
  • packages/deob/src/transforms/decode-strings.ts
    • Modified decodeStrings to be an async function and accept a sandbox parameter.
    • Updated global.eval(call) to await evalCode(sandbox, call).
  • packages/deob/src/transforms/design-decoder.ts
    • Modified designDecoder to pass name as originalName to the Decoder constructor.
  • packages/deob/src/transforms/find-decoder-by-array.ts
    • Removed count parameter from findDecoderByArray.
    • Added hasIIFEReference and hasMemberAccessInFunction helper functions.
    • Updated Decoder constructor calls to pass originalName.
  • packages/deob/src/transforms/find-decoder-by-call-count.ts
    • Modified findDecoderByCallCount to pass fnName as originalName to the Decoder constructor.
  • packages/deob/src/transforms/mangle.ts
    • Removed state.changes++ from BindingIdentifier visitor.
    • Updated import for generateUid to ../ast-utils/scope.
  • packages/deob/src/transforms/test/decoder.test.ts
    • Added sandbox parameter to decodeStrings calls.
    • Added createNodeSandbox import and usage.
  • packages/deob/src/transpile/index.ts
    • New file that merges all transpilation transforms.
  • packages/deob/src/transpile/test/default-parameters.test.ts
    • New test file for defaultParameters transform.
  • packages/deob/src/transpile/test/logical-assignments.test.ts
    • New test file for logicalAssignments transform.
  • packages/deob/src/transpile/test/nullish-coalescing-assignment.test.ts
    • New test file for nullishCoalescingAssignment transform.
  • packages/deob/src/transpile/test/nullish-coalescing.test.ts
    • New test file for nullishCoalescing transform.
  • packages/deob/src/transpile/test/optional-chaining.test.ts
    • New test file for optionalChaining transform.
  • packages/deob/src/transpile/test/template-literals.test.ts
    • New test file for templateLiterals transform.
  • packages/deob/src/transpile/transforms/default-parameters.ts
    • New transform to convert arguments based default parameter assignments to ES6 default parameters.
  • packages/deob/src/transpile/transforms/index.ts
    • New file exporting all transpilation transforms.
  • packages/deob/src/transpile/transforms/logical-assignments.ts
    • New transform to convert x || (x = y) to x ||= y.
  • packages/deob/src/transpile/transforms/nullish-coalescing-assignment.ts
    • New transform to convert x ?? (x = y) to x ??= y.
  • packages/deob/src/transpile/transforms/nullish-coalescing.ts
    • New transform to convert x !== null && x !== undefined ? x : y to x ?? y.
  • packages/deob/src/transpile/transforms/optional-chaining.ts
    • New transform to convert x === null || x === undefined ? undefined : x.y to x?.y.
  • packages/deob/src/transpile/transforms/template-literals.ts
    • New transform to convert string concatenations (.concat(), +) to template literals.
  • packages/deob/src/unminify/index.ts
    • Refactored unminify to use mergeTransforms.
  • packages/deob/src/unminify/test/block-statements.test.ts
    • Updated import path for blockStatements.
  • packages/deob/src/unminify/test/computed-properties.test.ts
    • Updated import path for computedProperties.
  • packages/deob/src/unminify/test/for-to-while.test.ts
    • New test file for forToWhile transform.
  • packages/deob/src/unminify/test/infinity.test.ts
    • Updated import path for infinity.
  • packages/deob/src/unminify/test/invert-boolean-logic.test.ts
    • New test file for invertBooleanLogic transform.
  • packages/deob/src/unminify/test/json-parse.test.ts
    • Updated import path for jsonParse.
  • packages/deob/src/unminify/test/logical-to-if.test.ts
    • Updated import path for logicalToIf.
  • packages/deob/src/unminify/test/merge-else-if.test.ts
    • Updated import path for mergeElseIf.
  • packages/deob/src/unminify/test/merge-strings.test.ts
    • Updated import path for mergeStrings.
  • packages/deob/src/unminify/test/number-expressions.test.ts
    • Updated import path for numberExpressions.
    • Added test case for string and number concatenation.
  • packages/deob/src/unminify/test/raw-literals.test.ts
    • Updated import path for rawLiterals.
  • packages/deob/src/unminify/test/remove-double-not.test.ts
    • New test file for removeDoubleNot transform.
  • packages/deob/src/unminify/test/sequence.test.ts
    • Updated import path for sequence.
    • Added test cases for for-of loops, if statements with for loops, and various assignment types.
    • Added test case for simplifying computed properties with literals.
  • packages/deob/src/unminify/test/split-for-loop-vars.test.ts
    • New test file for splitForLoopVars transform.
  • packages/deob/src/unminify/test/string-literal-in-template-literal.test.ts
    • New test file for stringLiteralInTemplate transform.
  • packages/deob/src/unminify/test/template-literals.test.ts
    • Removed test file.
  • packages/deob/src/unminify/test/ternary-to-if.test.ts
    • Updated import path for ternaryToIf.
  • packages/deob/src/unminify/test/truncate-number-literal.test.ts
    • New test file for truncateNumberLiteral transform.
  • packages/deob/src/unminify/test/typeof-undefined.test.ts
    • Updated import path for typeofUndefined.
  • packages/deob/src/unminify/test/unary-expressions.test.ts
    • Updated import path for unaryExpressions.
  • packages/deob/src/unminify/test/unminify-booleans.test.ts
    • Updated import path for unminifyBooleans.
  • packages/deob/src/unminify/test/unminify.test.ts
    • New test file for the main unminify transform.
  • packages/deob/src/unminify/test/void-to-undefined.test.ts
    • Updated import path for voidToUndefined.
  • packages/deob/src/unminify/test/yoda.test.ts
    • Updated import path for yoda.
    • Added test case for ignoring pure values in yoda comparisons.
  • packages/deob/src/unminify/transforms/computed-properties.ts
    • Simplified stringMatcher to directly use isIdentifierName.
  • packages/deob/src/unminify/transforms/for-to-while.ts
    • New transform to convert for loops without init or update to while loops.
  • packages/deob/src/unminify/transforms/index.ts
    • Added exports for new transforms: forToWhile, invertBooleanLogic, removeDoubleNot, splitForLoopVars, stringLiteralInTemplate, truncateNumberLiteral.
    • Removed export for templateLiterals.
  • packages/deob/src/unminify/transforms/invert-boolean-logic.ts
    • New transform to invert boolean logic in unary ! expressions.
  • packages/deob/src/unminify/transforms/json-parse.ts
    • Changed catch (error) to catch to ignore errors during JSON parsing.
  • packages/deob/src/unminify/transforms/logical-to-if.ts
    • Refactored andMatcher and orMatcher to directly check expression.operator.
  • packages/deob/src/unminify/transforms/merge-strings.ts
    • Refactored merge-strings transform to directly modify the left-hand side of binary expressions and remove the right-hand side.
  • packages/deob/src/unminify/transforms/number-expressions.ts
    • Refactored number-expressions transform to simplify the matcher and directly replace evaluated confident expressions.
  • packages/deob/src/unminify/transforms/remove-double-not.ts
    • New transform to remove double negation (!!) and simplify triple negation (!!!).
  • packages/deob/src/unminify/transforms/sequence.ts
    • Improved assignmentVariable matcher to include safeLiteral.
    • Added AssignmentExpression visitor to handle sequence expressions in assignments.
    • Added ForOfStatement visitor to handle sequence expressions in for-of loops.
    • Modified VariableDeclaration visitor to use path.getStatementParent()?.insertBefore for inserting statements.
  • packages/deob/src/unminify/transforms/split-for-loop-vars.ts
    • New transform to extract unused variable declarations from for loop initializers.
  • packages/deob/src/unminify/transforms/string-literal-in-template.ts
    • New transform to inline string literals directly into template literals.
  • packages/deob/src/unminify/transforms/template-literals.ts
    • Removed file.
  • packages/deob/src/unminify/transforms/truncate-number-literal.ts
    • New transform to truncate number literals in bitwise operations.
  • packages/deob/src/unminify/transforms/yoda.ts
    • Renamed flippedOperators to FLIPPED_OPERATORS.
    • Introduced pureValue matcher for better clarity.
    • Modified BinaryExpression visitor to use path.replaceWith with a new t.binaryExpression for consistency.
  • website/components/DeObfuscatorOutput.vue
    • Added error handling for worker messages, displaying error messages and timestamps.
    • Updated success message to include decoder location method.
    • Added disabled state and loading spinner to the 'Deobfuscate' button.
  • website/components/Options.vue
    • Updated labels for decoder location methods for clarity.
    • Removed stringArraylength input field.
    • Removed inlineWrappersDepth, execCount, isRemoveDecoder, isStrongRemove options from the UI.
    • Refactored keyword marking UI to be more user-friendly with a keywordsStr computed property and a tooltip.
  • website/components/SourceCodeEditor.vue
    • Removed beautify function and related button from the UI.
  • website/components/Tooltip.vue
    • New component for displaying tooltips.
  • website/composables/state.ts
    • Removed isStrongRemove, inlineWrappersDepth, stringArraylength, isRemoveDecoder, execCount, isDebug, isMinifiedEnable from defaultOptions.
  • website/utils/deobfuscate.worker.ts
    • Modified self.addEventListener to be async.
    • Wrapped deob call in a try-catch block to handle errors and post them back to the main thread.
Activity
  • Comment 1 from vercel[bot] indicates a failed deployment for js-de-obfuscator.
  • Comment 2 from kuizuo requests a summary from gemini-code-assist[bot].
  • Comment 3 from gemini-code-assist[bot] provides a summary of changes, highlighting API refactoring, option simplification, enhanced code transformation, secure code evaluation, module export strategy update, improved string array and decoder handling, and website/example updates.
  • Review comment thread 1 from gemini-code-assist[bot] raises a security-critical concern regarding the VMDecoder.decode function's insecure fallback to global.eval().
  • Review comment thread 2 from gemini-code-assist[bot] raises a security-critical concern regarding the evalCode function's insecure fallback to global.eval().
  • Review comment thread 3 from gemini-code-assist[bot] raises a high-priority concern about the control-flow-switch transform, specifically the assumption that control flow statements are always the first three in a block, which could lead to incorrect code removal.

@kuizuo kuizuo merged commit 77d8dd9 into main Feb 1, 2026
4 of 5 checks passed
@kuizuo kuizuo deleted the webcrack-deobfuscate branch February 3, 2026 06:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant