CONSTRAINT (dual-use): This skill contains dual-use security techniques. Before proceeding, confirm authorization and legal compliance. For authorized security research, malware analysis, and educational purposes only.
Master Anti-Reversing & JavaScript Deobfuscation
Overview
This is the master knowledge base for anti-reversing techniques and JavaScript deobfuscation. It provides:
- Comprehensive reference for all protection/obfuscation techniques
- Intelligent routing to specialized tools based on analysis needs
- Structured workflows for different analysis scenarios
- Production-ready tools for automated deobfuscation
Quick Decision Guide
| Your Situation | Navigate To |
|---|---|
| Don't know where to start | Workflow Guide |
| See obfuscated code, don't recognize patterns | Pattern Catalog |
| Need static analysis (safe, offline) | Static Workflow |
| Need dynamic analysis (unpacking) | Dynamic Workflow |
| Analyzing Webpack/Rollup bundles | Bundle Workflow |
| Quick IOC extraction for malware triage | IOC Workflow |
| Binary reversing (anti-debug, packing) | Binary Techniques |
| Need production-ready scripts | Tools Library |
Core Capabilities
1. Pattern Recognition
Identify obfuscation techniques and select appropriate analysis strategies.
- 8 major obfuscation families documented
- Confidence levels and AST signatures
- Decision trees for automated routing
2. Static Analysis (Safe/Offline)
Safe deobfuscation using AST transforms without code execution.
- Constant folding and binary expression simplification
- String array resolution
- Variable inlining (const-only)
- Unicode/hex escape decoding
3. Dynamic Analysis (Sandboxed)
Controlled unpacking for multi-stage and eval-staged code.
- isolated-vm for secure execution
- Instrumented evaluation hooks
- Artifact extraction with timestamps
- Multiple environment support (Node.js, Browser)
4. Bundle Reversal
Modern JavaScript bundle analysis (Webpack/Rollup/Vite).
- Module boundary recovery
- Source map leveraging
- Developer intent reconstruction
- Security-critical module identification
5. IOC Extraction
Rapid malware triage without full deobfuscation.
- Network indicators (domains, URLs, IPs)
- Suspicious API detection
- Behavioral classification
- STIX 2.1 formatted output
6. Binary Techniques
Traditional reverse engineering approaches.
- Anti-debugging bypass strategies
- Anti-VM detection evasion
- Code obfuscation analysis
- Packing/unpacking methodologies
Workflow Selection
Primary Analysis Paths
Path 1: Safe Static First (Recommended)
1. Pattern Recognition → Identify obfuscation type
2. Static Deobfuscation → Apply AST transforms
3. IOC Extraction → Extract indicators
4. Complete
Path 2: Dynamic Unpacking
1. Pattern Recognition → Detect eval staging
2. Dynamic Sandbox → Extract stages
3. Static Deobfuscation → Analyze each stage
4. IOC Extraction → Final triage
5. Complete
Path 3: Bundle Analysis
1. Identify bundler → Webpack/Rollup/Vite
2. Extract module index → Parse structure
3. Source map recovery → Original sources
4. Security analysis → Critical modules
5. Complete
Path 4: Quick Triage
1. IOC Extraction → Network indicators
2. Behavioral assessment → Threat classification
3. Blocking rules → Immediate action
4. Complete
Specialized Skills Available
This master skill orchestrates access to:
JavaScript Deobfuscation
- js-deobfuscation-static-ast: Safe offline AST transforms
- js-deobfuscation-dynamic-sandbox: Controlled unpacking
- js-obfuscator-patterns-catalog: Pattern recognition & routing
- js-malware-triage-iocs: Rapid IOC extraction
Bundle Analysis
- webpack-bundle-reversal: Modern bundle reversal
Binary Analysis
- anti-reversing-techniques: Traditional RE techniques
Tool Ecosystem
Production Scripts
Ready-to-use tools in tools library:
deobf.mjs- AST deobfuscation scriptextract_iocs.mjs- IOC extraction toolunpack_dynamic.mjs- Dynamic unpacking harness
Detection Tools
- obfuscation-detector - Pattern classification
- Babel toolchain - AST manipulation
- webpack-bundle-analyzer - Bundle visualization
Security & Ethics
Authorization Requirements
Before analysis, confirm:
- Ownership/permission to analyze the code
- Legal jurisdiction compliance (CFAA, DMCA)
- Scope definition (what's in/out of bounds)
- Purpose clarity (security research, malware analysis, authorized auditing)
Dual-Use Awareness
This knowledge applies to:
- Legitimate: Malware analysis, security research, CTFs, authorized auditing
- Prohibited: Software piracy, unauthorized access, malicious use
Safety Protocols
- Always use isolated-vm for dynamic analysis
- Set timeouts on all execution
- Use containerization when possible
- Log all artifacts for forensic value
Progressive Disclosure Structure
Immediate Access (This File)
- Quick decision guide
- Core capabilities overview
- Workflow selection paths
Deep Knowledge
- Workflows: Step-by-step analysis procedures
- References: Comprehensive technique documentation
- Examples: Working code and tool implementations
Usage Examples
Example 1: Unknown Obfuscated JavaScript
# Step 1: Identify patterns
node detect_patterns.mjs sample.js
# Output: ['string-array', 'variable-rename']
# Step 2: Apply static deobfuscation
node deobf.mjs sample.js deobf.js
# Output: readable code
# Step 3: Extract IOCs
node extract_iocs.mjs deobf.js
# Output: iocs.json with domains/URLs
Example 2: Multi-Stage Malware
# Step 1: Detect staging
grep -E "eval\(|Function\(" sample.js
# Found: eval() calls present
# Step 2: Dynamic extraction
node unpack_dynamic.mjs sample.js
# Output: stage_0.js, stage_1.js, ...
# Step 3: Deobfuscate each stage
for stage in stage_*.js; do
node deobf.mjs $stage deobf_$stage
done
Example 3: Webpack Bundle Analysis
# Step 1: Visualize bundle
webpack-bundle-analyzer bundle.js
# Step 2: Extract modules
node parse_webpack.mjs bundle.js
# Output: module_index.json
# Step 3: Find security-critical code
node find_critical.mjs module_index.json
# Output: SECURITY_FINDINGS.md
Getting Started
- Identify your use case using the Quick Decision Guide above
- Follow the appropriate workflow in the workflows/ directory
- Reference technique details in the references/ directory
- Use production tools from the examples/ directory
- Report findings using standard formats (STIX 2.1, YARA, etc.)
Additional Resources
- MITRE ATT&CK - Tactics, techniques for malware analysis
- Babel Plugin Guide - AST manipulation reference
- OWASP Code Injection - Security context
- STIX 2.1 - Threat intelligence sharing
Next Steps: Navigate to workflows/quick-start.md to begin your analysis, or jump directly to references/pattern-catalog.md if you already know what you're looking at.