From Obfuscated to Obvious: A Comprehensive JavaScript Deobfuscation Tool for Security Analysis
Dongchao Zhou, Lingyun Ying, Huajun Chai, Dongbin Wang

TL;DR
This paper introduces JSIMPLIFIER, a comprehensive JavaScript deobfuscation tool that effectively handles diverse obfuscation techniques, improves code readability, and outperforms existing tools, thereby enhancing security analysis capabilities.
Contribution
The paper presents JSIMPLIFIER, a multi-stage deobfuscation pipeline incorporating static analysis, dynamic tracing, and LLM-based renaming, along with a large real-world dataset for evaluation.
Findings
Achieves 100% processing capability across 20 obfuscation techniques.
Reduces code complexity by 88.2%.
Improves readability over 4-fold, as validated by LLMs.
Abstract
JavaScript's widespread adoption has made it an attractive target for malicious attackers who employ sophisticated obfuscation techniques to conceal harmful code. Current deobfuscation tools suffer from critical limitations that severely restrict their practical effectiveness. Existing tools struggle with diverse input formats, address only specific obfuscation types, and produce cryptic output that impedes human analysis. To address these challenges, we present JSIMPLIFIER, a comprehensive deobfuscation tool using a multi-stage pipeline with preprocessing, abstract syntax tree-based static analysis, dynamic execution tracing, and Large Language Model (LLM)-enhanced identifier renaming. We also introduce multi-dimensional evaluation metrics that integrate control/data flow analysis, code simplification assessment, entropy measures and LLM-based readability assessments. We construct…
Taxonomy
Topics: Advanced Malware Detection Techniques · Web Application Security Vulnerabilities · Security and Verification in Computing
