npm - expose-kit - Versions diffs - 0.2.5 → 0.2.7 - Mend

expose-kit 0.2.5 → 0.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,99 +1,167 @@
 # Expose Kit
 ![release workflow](https://github.com/evex-dev/linejs/actions/workflows/release.yml/badge.svg)
-[![](https://dcbadge.limes.pink/api/server/evex)](https://discord.gg/evex)
+[![](https://dcbadge.limes.pink/api/server/evex)](https://discord.gg/evex)
-> A universal toolkit for deobfuscating JavaScript
----
+> A universal toolkit for JavaScript deobfuscation
-##### <center>❓ Question: Join our [Discord community](https://evex.land)</center>
 ---
-## Concept
-JavaScript deobfuscation tools are *everywhere*.
-<img width="145.2" height="113.5" alt="image" src="https://github.com/relative/synchrony/blob/master/.github/hm.png?raw=true" />
-But many of them are **too aggressive**, rewriting code until it breaks.
-<img width="654" height="24" alt="image" src="https://github.com/user-attachments/assets/fd11d250-0163-4cd2-b36c-5514137fe087" />
+## What is this?
-Expose Kit takes *a different path*.
+JavaScript deobfuscation tools are everywhere.
+But many of them are **too aggressive**, rewriting code until it breaks.
-Instead of brute force, it works **step by step**.
+Expose Kit takes a **different approach**.
-Alongside deobfuscation, Expose Kit includes a collection of practical utilities.
+- No brute force
+- Step-by-step, verifiable transforms
+- Designed to *not* break your code silently
-Everything you need is documented right here in this [README](README.md).
+Each transformation is meant to be **checked and validated**, so you always know *when* something goes wrong.
----
+Alongside deobfuscation, Expose Kit also provides a set of **practical utilities** for working with obfuscated JavaScript.
-##### If the feature you’re looking for doesn’t exist, please create an [issue](https://github.com/EdamAme-x/expose-kit/issues).
-##### If you know what you want to do but aren’t sure which feature to use, join our [Discord community](https://evex.land) and ask for help.
 ---
 ## Installation
-*Just one step*
-<!-- For Highlight -->
-```regex
+Just one step:
+```bash
 npm i -g expose-kit
 # or
 bun i -g expose-kit
 ```
-<!-- For Highlight -->
-```regex
+```bash
 expose --help
 expose parsable sample.js
 ```
-## Docs
-By default, the first argument should be the file name (alternatively, `--file` or `--input` can be used).
+---
+## Usage Notes
+### Default arguments
+- The first argument is the input file
+  (`--file` / `--input` can also be used)
+- If required options are missing, Expose Kit will **prompt you**
+- A timeout is enabled by default to avoid hangs
+  Use `--unlimited` for long-running execution
+---
+## Recommended Workflow
+First, an important premise:
+> It is **impossible** to create a static deobfuscation tool that *never* breaks.
+Reasons include:
+- Unpredictable execution (`eval`, dynamic code)
+- Bugs or edge cases in AST manipulation
-If no options are provided, this tool will prompt you for the required values.
+Because of this, you should **verify the code at every step**.
-To avoid memory leaks and hung processes, a reasonable timeout is set by default.
-When long-running execution is expected, the timeout can be disabled with `--unlimited`.
+### 1. Always verify with `parsable`
+After each transformation, run:
+```bash
+expose parsable file.js
+```
+This ensures the syntax is still valid.
-### Commands
 ---
-#### `expose parsable`
+### 2. Make scopes safe first
+One of the most common causes of breakage is **variable name confusion**.
+If you try to write your own deobfuscation logic (e.g. in Python), you’ll quickly realize how painful it is to track scopes correctly.
+That’s why you should **always start with**:
+```bash
+expose scope-safe input.js
+```
+This renames bindings per scope, producing code like:
+```js
+Before: var x = 810;((x) => console.log(x))(114514);
+After:  var x = 810;((_x) => console.log(_x))(114514);
+```
+With this alone:
+- The code becomes far more resistant to breakage
+- Writing custom deobfuscation logic becomes much easier
+- You no longer need to worry about scope collisions
+---
+### 3. Apply transforms step by step
+After `scope-safe`, combine common techniques like:
+- `expand-array` and more
+- legacy obfuscator-specific commands
+After **each step**, run `parsable` again.
+Expose Kit will also clearly indicate whether a **diff** exists, making inspection easy.
+Repeat this process, and the original code will gradually reveal itself.
+---
+## Commands
+### `expose parsable`
+Check whether a file is syntactically valid.
-Check if the file is parsable
 ```js
 parsable:     const x = 810;
 not parsable: cons x; = 810;
 ```
-##### Example
 ```bash
 expose parsable path/to/file.js
 ```
-##### Args
-- *Only default args*
+Args:
+- Default args only
 ---
-#### `expose scope-safe`
-Rename bindings per scope for safer transforms
-```js
-Before: var x = 810;((x) => console.log(x))(114514);
-After: var x = 810;((_x) => console.log(_x))(114514);
-```
+### `expose scope-safe`
+Rename bindings per scope for safer transformations.
-##### Example
 ```bash
 expose scope-safe path/to/file.js --output path/to/file.scope-safe.js
 ```
-##### Args
-- `--o, --output <file>`: Output file path
-  If the input has no extension, `path/to/file.scope-safe.js` is used.
-  Otherwise, `path/to/file.scope-safe.<ext>` is used (same directory).
+Args:
+- `--o, --output <file>`
+  Output file path
+  - No extension → `file.scope-safe.js`
+  - With extension → `file.scope-safe.<ext>`
+---
+## Community & Support
+- Missing a feature? → [Create an issue](https://github.com/EdamAme-x/expose-kit/issues)
+- Not sure which command to use? → Join our [Discord](https://evex.land)
+---
+## Author
-## Authors
 - [EdamAme-x](https://github.com/EdamAme-x)
 Built for research, not abuse.
-Want stronger obfuscation? Then make something this tool can’t reverse.
+Want stronger obfuscation? Then build something this tool can’t reverse.

package/dist/index.js CHANGED Viewed

@@ -132,12 +132,25 @@ import traverse from "@babel/traverse";
 import generate from "@babel/generator";
 import loading2 from "loading-cli";
-// utils/babel/patchTraverse.ts
-import "@babel/traverse";
-var patchTraverse = (traverse2) => {
-  return traverse2.default;
+// utils/babel/patchDefault.ts
+var patchDefault = (babelFn) => {
+  return babelFn.default;
 };
+// utils/common/diff.ts
+function diff(before, after) {
+  const beforeLines = before.split(/\r?\n/);
+  const afterLines = after.split(/\r?\n/);
+  const changed = [];
+  const max = Math.max(beforeLines.length, afterLines.length);
+  for (let i = 0; i < max; i++) {
+    if (beforeLines[i] !== afterLines[i]) {
+      changed.push(i + 1);
+    }
+  }
+  return changed;
+}
 // commands/scope-safe/index.ts
 var createDefaultOutputPath = (inputPath) => {
   const ext = extname(inputPath);
@@ -150,7 +163,7 @@ var createDefaultOutputPath = (inputPath) => {
 var renameBindingsByScope = (code, filename) => {
   const ast = parse2(code, createParseOptions(filename));
   const renamedBindings = /* @__PURE__ */ new Set();
-  patchTraverse(traverse)(ast, {
+  patchDefault(traverse)(ast, {
     Scopable(path) {
       for (const [name, binding] of Object.entries(path.scope.bindings)) {
         if (renamedBindings.has(binding)) {
@@ -169,7 +182,7 @@ var renameBindingsByScope = (code, filename) => {
       }
     }
   });
-  return generate(ast).code;
+  return patchDefault(generate)(ast).code;
 };
 var scope_safe_default = createCommand((program2) => {
   program2.command("scope-safe").description("Rename bindings per scope for safer transforms").argument("[file]", "The file to transform").option("--input, --file <file>", "The file to transform").option("--o, --output <file>", "Output file path").option("--unlimited", "Unlimited timeout").action(
@@ -189,7 +202,7 @@ var scope_safe_default = createCommand((program2) => {
             try {
               const output = renameBindingsByScope(fileContent, filename);
               writeFileSync(outputPath, output, "utf8");
-              loader.succeed(`Saved scope-safe file to: ${outputPath}`);
+              loader.succeed(`Saved scope-safe file to: ${outputPath} (${diff(fileContent, output).length} lines changed)`);
               return finish();
             } catch (error) {
               loader.fail("Failed to apply scope-safe transform");

package/dist/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "expose-kit",
-	"version": "0.2.5",
+	"version": "0.2.7",
 	"type": "module",
 	"private": false,
 	"author": "EdamAmex <edame8080@gmail.com> (https://github.com/EdamAme-x)",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "expose-kit",
-	"version": "0.2.5",
+	"version": "0.2.7",
 	"type": "module",
 	"private": false,
 	"author": "EdamAmex <edame8080@gmail.com> (https://github.com/EdamAme-x)",