@jshookmcp/jshook 0.1.7 → 0.1.8

package/dist/modules/deobfuscator/AdvancedDeobfuscator.js

@@ -1,252 +1,84 @@
 import { logger } from '../../utils/logger.js';
-import { ADV_DEOBF_LLM_MAX_TOKENS } from '../../constants.js';
-import { generateCodeCleanupMessages, generateControlFlowUnflatteningMessages, } from '../../services/prompts/deobfuscation.js';
-import { VMDeobfuscator } from '../deobfuscator/VMDeobfuscator.js';
-import { applyASTOptimizations as applyASTOptimizationsUtil, decodeStrings as decodeStringsUtil, derotateStringArray as derotateStringArrayUtil, estimateCodeComplexity as estimateCodeComplexityUtil, removeDeadCode as removeDeadCodeUtil, removeOpaquePredicates as removeOpaquePredicatesUtil, } from '../deobfuscator/AdvancedDeobfuscator.ast.js';
+import { runWebcrack } from '../deobfuscator/webcrack.js';
+import { detectObfuscationType as detectObfuscationTypeUtil } from '../deobfuscator/Deobfuscator.utils.js';
 export class AdvancedDeobfuscator {
-    llm;
-    vmDeobfuscator;
-    constructor(llm) {
-        this.llm = llm;
-        this.vmDeobfuscator = new VMDeobfuscator(llm);
-    }
     async deobfuscate(options) {
-        logger.info('Starting advanced deobfuscation...');
-        const startTime = Date.now();
-        let code = options.code;
-        const detectedTechniques = [];
+        logger.info('Starting advanced webcrack deobfuscation...');
+        const detectedTechniques = detectObfuscationTypeUtil(options.code);
         const warnings = [];
-        let vmDetected;
-        let astOptimized = false;
-        try {
-            code = this.normalizeCode(code);
-            if (this.detectInvisibleUnicode(code)) {
-                detectedTechniques.push('invisible-unicode');
-                logger.info('Detected: Invisible Unicode Obfuscation');
-                code = this.decodeInvisibleUnicode(code);
-            }
-            if (this.detectStringEncoding(code)) {
-                detectedTechniques.push('string-encoding');
-                logger.info('Detected: String Encoding');
-                code = this.decodeStrings(code);
-            }
-            const vmInfo = this.vmDeobfuscator.detectVMProtection(code);
-            if (vmInfo.detected) {
-                detectedTechniques.push('vm-protection');
-                logger.info(`Detected: VM Protection (${vmInfo.type})`);
-                vmDetected = {
-                    type: vmInfo.type,
-                    instructions: vmInfo.instructionCount,
-                    deobfuscated: false,
-                };
-                if (options.aggressiveVM) {
-                    const vmResult = await this.vmDeobfuscator.deobfuscateVM(code, vmInfo);
-                    if (vmResult.success) {
-                        code = vmResult.code;
-                        vmDetected.deobfuscated = true;
-                    }
-                    else {
-                        warnings.push('VM deobfuscation failed, code may be incomplete');
-                    }
-                }
-            }
-            if (this.detectControlFlowFlattening(code)) {
-                detectedTechniques.push('control-flow-flattening');
-                logger.info('Detected: Control Flow Flattening');
-                code = await this.unflattenControlFlow(code);
-            }
-            if (this.detectStringArrayRotation(code)) {
-                detectedTechniques.push('string-array-rotation');
-                logger.info('Detected: String Array Rotation');
-                code = this.derotateStringArray(code);
-            }
-            if (this.detectDeadCodeInjection(code)) {
-                detectedTechniques.push('dead-code-injection');
-                logger.info('Detected: Dead Code Injection');
-                code = this.removeDeadCode(code);
-            }
-            if (this.detectOpaquePredicates(code)) {
-                detectedTechniques.push('opaque-predicates');
-                logger.info('Detected: Opaque Predicates');
-                code = this.removeOpaquePredicates(code);
-            }
-            if (options.useASTOptimization !== false) {
-                logger.info('Applying AST optimizations...');
-                const optimized = this.applyASTOptimizations(code);
-                if (optimized !== code) {
-                    code = optimized;
-                    astOptimized = true;
-                    detectedTechniques.push('ast-optimized');
-                }
-            }
-            if (this.llm && detectedTechniques.length > 0) {
-                logger.info('Using LLM for final cleanup...');
-                const llmResult = await this.llmCleanup(code, detectedTechniques);
-                if (llmResult) {
-                    code = llmResult;
-                }
-            }
-            const duration = Date.now() - startTime;
-            const confidence = this.calculateConfidence(detectedTechniques, warnings, code);
-            logger.success(`Advanced deobfuscation completed in ${duration}ms`);
+        if (options.aggressiveVM !== undefined) {
+            warnings.push('aggressiveVM is deprecated and ignored; VM-specific legacy logic has been removed.');
+        }
+        if (options.useASTOptimization !== undefined) {
+            warnings.push('useASTOptimization is deprecated and ignored; legacy AST post-processing has been removed.');
+        }
+        if (options.timeout !== undefined) {
+            warnings.push('timeout is currently ignored; webcrack controls its own execution flow.');
+        }
+        if (options.detectOnly) {
             return {
-                code,
+                code: options.code,
                 detectedTechniques,
-                confidence,
-                warnings,
-                vmDetected,
-                astOptimized,
+                confidence: Math.min(0.6 + detectedTechniques.length * 0.05, 0.9),
+                warnings: [
+                    ...warnings,
+                    'detectOnly does not invoke a separate legacy detector anymore; techniques are inferred from the current static signature pass.',
+                ],
+                astOptimized: false,
+                engine: 'webcrack',
+                webcrackApplied: false,
             };
         }
-        catch (error) {
-            logger.error('Advanced deobfuscation failed', error);
-            throw error;
+        const webcrackResult = await runWebcrack(options.code, {
+            unpack: options.unpack,
+            unminify: options.unminify,
+            jsx: options.jsx,
+            mangle: options.mangle,
+            mappings: options.mappings,
+            includeModuleCode: options.includeModuleCode,
+            maxBundleModules: options.maxBundleModules,
+            outputDir: options.outputDir,
+            forceOutput: options.forceOutput,
+        });
+        if (!webcrackResult.applied) {
+            const reason = webcrackResult.reason ?? 'webcrack did not return a result';
+            logger.error(`advanced webcrack deobfuscation failed: ${reason}`);
+            throw new Error(reason);
         }
-    }
-    detectInvisibleUnicode(code) {
-        const invisibleChars = ['\u200B', '\u200C', '\u200D', '\u2060', '\uFEFF'];
-        return invisibleChars.some((char) => code.includes(char));
-    }
-    decodeInvisibleUnicode(code) {
-        logger.info('Decoding invisible unicode...');
-        const charToBit = {
-            '\u200B': '0',
-            '\u200C': '1',
-            '\u200D': '00',
-            '\u2060': '01',
-            '\uFEFF': '10',
-        };
-        let decoded = code;
-        const invisiblePattern = /[\u200B\u200C\u200D\u2060\uFEFF]+/g;
-        const matches = code.match(invisiblePattern);
-        if (matches) {
-            matches.forEach((match) => {
-                let binary = '';
-                for (const char of match) {
-                    binary += charToBit[char] || '';
-                }
-                if (binary.length % 8 === 0) {
-                    let text = '';
-                    for (let i = 0; i < binary.length; i += 8) {
-                        const byte = binary.substring(i, i + 8);
-                        text += String.fromCharCode(parseInt(byte, 2));
-                    }
-                    decoded = decoded.replace(match, text);
-                }
-            });
+        if (webcrackResult.bundle) {
+            detectedTechniques.push('bundle-unpack');
         }
-        return decoded;
-    }
-    detectControlFlowFlattening(code) {
-        const pattern = /while\s*\(\s*!!\s*\[\s*\]\s*\)\s*\{[\s\S]*?switch\s*\(/i;
-        return pattern.test(code);
-    }
-    async unflattenControlFlow(code) {
-        logger.info('Unflattening control flow...');
-        if (this.llm) {
-            try {
-                const codeSnippet = code.length > 2000 ? code.slice(0, 2000) + '\n...(truncated)' : code;
-                const response = await this.llm.chat(generateControlFlowUnflatteningMessages(codeSnippet), {
-                    temperature: 0.1,
-                    maxTokens: ADV_DEOBF_LLM_MAX_TOKENS,
-                });
-                return this.vmDeobfuscator.extractCodeFromLLMResponse(response.content);
-            }
-            catch (error) {
-                logger.warn('LLM control flow unflattening failed', error);
-            }
+        if (webcrackResult.optionsUsed.unminify) {
+            detectedTechniques.push('unminify');
         }
-        return code;
-    }
-    detectStringArrayRotation(code) {
-        return /\w+\s*=\s*\w+\s*\+\s*0x[0-9a-f]+/.test(code);
-    }
-    derotateStringArray(code) {
-        return derotateStringArrayUtil(code);
-    }
-    detectDeadCodeInjection(code) {
-        return /if\s*\(\s*false\s*\)|if\s*\(\s*!!\s*\[\s*\]\s*\)/.test(code);
-    }
-    removeDeadCode(code) {
-        return removeDeadCodeUtil(code);
-    }
-    detectOpaquePredicates(code) {
-        return /if\s*\(\s*\d+\s*[<>!=]+\s*\d+\s*\)/.test(code);
-    }
-    removeOpaquePredicates(code) {
-        return removeOpaquePredicatesUtil(code);
-    }
-    async llmCleanup(code, techniques) {
-        if (!this.llm)
-            return null;
-        try {
-            const response = await this.llm.chat(generateCodeCleanupMessages(code, techniques), {
-                temperature: 0.15,
-                maxTokens: 3000,
-            });
-            const cleanedCode = this.vmDeobfuscator.extractCodeFromLLMResponse(response.content);
-            if (this.vmDeobfuscator.isValidJavaScript(cleanedCode)) {
-                logger.success('LLM cleanup succeeded');
-                return cleanedCode;
-            }
-            else {
-                logger.warn('LLM cleanup produced invalid JavaScript');
-                return null;
-            }
+        if (webcrackResult.optionsUsed.jsx) {
+            detectedTechniques.push('jsx-decompile');
         }
-        catch (error) {
-            logger.warn('LLM cleanup failed', error);
-            return null;
+        if (webcrackResult.optionsUsed.mangle) {
+            detectedTechniques.push('mangle');
         }
+        detectedTechniques.push('webcrack');
+        return {
+            code: webcrackResult.code,
+            detectedTechniques: Array.from(new Set(detectedTechniques)),
+            confidence: this.calculateConfidence(webcrackResult, detectedTechniques),
+            warnings,
+            astOptimized: false,
+            bundle: webcrackResult.bundle,
+            savedTo: webcrackResult.savedTo,
+            savedArtifacts: webcrackResult.savedArtifacts,
+            engine: 'webcrack',
+            webcrackApplied: true,
+        };
     }
-    normalizeCode(code) {
-        code = code.replace(/\s+/g, ' ');
-        code = code.replace(/\/\*[\s\S]*?\*\//g, '');
-        code = code.replace(/\/\/.*/g, '');
-        return code.trim();
-    }
-    detectStringEncoding(code) {
-        const patterns = [/\\x[0-9a-f]{2}/i, /\\u[0-9a-f]{4}/i, /String\.fromCharCode/i, /atob\(/i];
-        return patterns.some((p) => p.test(code));
-    }
-    decodeStrings(code) {
-        return decodeStringsUtil(code);
-    }
-    applyASTOptimizations(code) {
-        return applyASTOptimizationsUtil(code);
-    }
-    calculateConfidence(techniques, warnings, code) {
-        let confidence = 0.3;
-        const techniqueBonus = Math.min(techniques.length * 0.12, 0.5);
-        confidence += techniqueBonus;
-        const warningPenalty = warnings.length * 0.08;
-        confidence -= warningPenalty;
-        const highConfidenceTechniques = [
-            'invisible-unicode',
-            'string-array-rotation',
-            'dead-code-injection',
-            'opaque-predicates',
-            'string-encoding',
-            'ast-optimized',
-        ];
-        const highConfidenceCount = techniques.filter((t) => highConfidenceTechniques.some((ht) => t.includes(ht))).length;
-        confidence += highConfidenceCount * 0.05;
-        if (techniques.some((t) => t.includes('vm-protection'))) {
-            confidence -= 0.15;
+    calculateConfidence(webcrackResult, detectedTechniques) {
+        let confidence = 0.72 + detectedTechniques.length * 0.03;
+        if (webcrackResult.bundle) {
+            confidence += 0.08;
         }
-        if (techniques.some((t) => t.includes('control-flow-flattening'))) {
-            confidence -= 0.05;
+        if (webcrackResult.savedTo) {
+            confidence += 0.04;
         }
-        const complexity = this.estimateCodeComplexity(code);
-        if (complexity < 10) {
-            confidence += 0.1;
-        }
-        else if (complexity > 100) {
-            confidence -= 0.1;
-        }
-        return Math.max(0.1, Math.min(0.95, confidence));
-    }
-    estimateCodeComplexity(code) {
-        return estimateCodeComplexityUtil(code);
+        return Math.min(confidence, 0.99);
     }
 }

package/dist/modules/deobfuscator/Deobfuscator.d.ts

@@ -2,21 +2,14 @@ import type { DeobfuscateOptions, DeobfuscateResult } from '../../types/index.js
 import { LLMService } from '../../services/LLMService.js';
 export declare class Deobfuscator {
     private llm?;
-    private stringArrays;
     private resultCache;
     private maxCacheSize;
     constructor(llm?: LLMService);
     private generateCacheKey;
     deobfuscate(options: DeobfuscateOptions): Promise<DeobfuscateResult>;
     private detectObfuscationType;
-    private basicTransform;
-    private decodeStrings;
-    private llmAnalysis;
-    private calculateConfidence;
-    private extractStringArrays;
-    private decryptArrays;
-    private unflattenControlFlow;
-    private simplifyExpressions;
-    private renameVariables;
     private calculateReadabilityScore;
+    private calculateConfidence;
+    private buildAnalysis;
+    private llmAnalysis;
 }