Search Icon
Register

From Obfuscated to Obvious: A Comprehensive JavaScript Deobfuscation Tool for Security Analysis

Dongchao Zhou (Beijing University of Post and Telecommunications, QI-ANXIN Technology Research Institute), Lingyun Ying (QI-ANXIN Technology Research Institute), Huajun Chai (QI-ANXIN Technology Research Institute), Dongbin Wang (Beijing University of Post and Telecommunications)

JavaScript's widespread adoption has made it an attractive target for malicious attackers who employ sophisticated obfuscation techniques to conceal harmful code. Current deobfuscation tools suffer from critical limitations that severely restrict their practical effectiveness. Existing tools struggle with diverse input formats, address only specific obfuscation types, and produce cryptic output that impedes human analysis.

To address these challenges, we present JSIMPLIFIER, a comprehensive deobfuscation tool using a multi-stage pipeline with preprocessing, abstract syntax tree-based static analysis, dynamic execution tracing, and Large Language Model (LLM)-enhanced identifier renaming. We also introduce multi-dimensional evaluation metrics that integrate control/data flow analysis, code simplification assessment, entropy measures and LLM-based readability assessments.

We construct and release the largest real-world obfuscated JavaScript dataset with 44,421 samples (23,212 wild malicious + 21,209 benign samples). Evaluation shows JSIMPLIFIER outperforms existing tools with 100% processing capability across 20 obfuscation techniques, 100% correctness on evaluation subsets, 88.2% code complexity reduction, and over 4-fold readability improvement validated by multiple LLMs. Our results advance benchmarks for JavaScript deobfuscation research and practical security applications.

Paper

View More Papers

Know Me by My Pulse: Toward Practical Continuous Authentication...

Wei Shao (University of California, Davis), Zequan Liang (University of California Davis), Ruoyu Zhang (University of California, Davis), Ruijie Fang (University of California, Davis), Ning Miao (University of California, Davis), Ehsan Kourkchi (University of California - Davis), Setareh Rafatirad (University of California, Davis), Houman Homayoun (University of California Davis), Chongzhou Fang (Rochester Institute of Technology)

Read More

Identifying Logical Vulnerabilities in QUIC Implementations

Kaihua Wang (Tsinghua University), Jianjun Chen (Tsinghua University), Pinji Chen (Tsinghua University), Jianwei Zhuge (Tsinghua University), Jiaju Bai (Beihang University), Haixin Duan (Tsinghua University)

Read More

Replication: A Study on How Users (Don’t) Use Password...

Pithayuth Charnsethikul (University of Southern California), Anushka Fattepurkar (University of Southern California), Dipsy Desai (University of Southern California), Gale Lucas (University of Southern California), Jelena Mirkovic (University of Southern California)

Read More