Deobfuscate Javascript code using LLMs ("AI")
This tool uses large language models (like ChatGPT & llama) and other tools to deobfuscate, unminify, transpile, decompile and unpack Javascript code. Note that LLMs don't perform any structural changes – they only provide hints to rename variables and functions. The heavy lifting is done by Babel at the AST level to ensure the code stays 1-1 equivalent.
v2 highlights compared to v1:
- Python not required anymore!
- A lot of tests, the codebase is actually maintainable now
- Renewed CLI tool humanify installable via npm

➡️ Check out the introduction blog post for an in-depth explanation!
Given the following minified code:
```javascript
function a(e,t){var n=[];var r=e.length;var i=0;for(;i<r;i+=t){if(i+t<r){n.push(e.substring(i,i+t))}else{n.push(e.substring(i,r))}}return n}
```

The tool will output a human-readable version:

```javascript
function splitString(inputString, chunkSize) {
  var chunks = [];
  var stringLength = inputString.length;
  var startIndex = 0;
  for (; startIndex < stringLength; startIndex += chunkSize) {
    if (startIndex + chunkSize < stringLength) {
      chunks.push(inputString.substring(startIndex, startIndex + chunkSize));
    } else {
      chunks.push(inputString.substring(startIndex, stringLength));
    }
  }
  return chunks;
}
```

🚨 NOTE: 🚨
Large files may take some time to process and use a lot of tokens if you use ChatGPT. For a rough estimate, the tool takes about 2 tokens per character to process a file:
```shell
echo "$((2 * $(wc -c < yourscript.min.js)))"
```

So for reference: a minified bootstrap.min.js would take about $0.5 to un-minify using ChatGPT.

Using humanify local is of course free, but may take more time, be less accurate, and may not be possible with your existing hardware.
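The claim that renaming leaves the code 1-1 equivalent can be spot-checked on the sample pair above. The following is an added example, not part of humanify or its documentation: a token-level heuristic (the names `tokenize` and `checkRenameOnly` are hypothetical) that confirms the output differs from the input only in identifier names and reports the rename map. `TAMPERED` is a constructed variant in which one constant was altered.

```javascript
// Added example (not humanify's code): token-level check that a rename pass
// changed identifier names only. Heuristic, not a parser: regex and template
// literals are not handled, and property names are recognised only after ".".
const KEYWORDS = new Set(("break case catch class const continue default delete do else finally " +
  "for function if in instanceof let new return switch this throw try typeof var void while " +
  "true false null").split(" "));
const TOKEN = /\s+|\/\/[^\n]*|\/\*[\s\S]*?\*\/|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|([A-Za-z_$][\w$]*)|(\d[\w.]*)|([^\sA-Za-z_$\d])/g;

function tokenize(src) {
  const toks = [];
  for (const m of src.matchAll(TOKEN)) {
    const literal = m[1] ?? m[3] ?? m[4]; // string, number or punctuation
    if (literal !== undefined) toks.push({ kind: "fixed", text: literal });
    else if (m[2] !== undefined) {
      // Keywords and ".property" names must survive unchanged; other names may be renamed.
      const prev = toks[toks.length - 1];
      const fixed = KEYWORDS.has(m[2]) || (prev !== undefined && prev.text === ".");
      toks.push({ kind: fixed ? "fixed" : "name", text: m[2] });
    }
  }
  // Drop semicolons that are optional under ASI: directly before "}" or at the end.
  return toks.filter((t, i) => t.text !== ";" || (i + 1 < toks.length && toks[i + 1].text !== "}"));
}

function checkRenameOnly(original, renamed) {
  const a = tokenize(original), b = tokenize(renamed);
  const renames = new Map(); // original name -> Set of new names (scopes may differ)
  if (a.length !== b.length) return { ok: false, reason: `token count ${a.length} vs ${b.length}`, renames };
  for (let i = 0; i < a.length; i++) {
    if (a[i].kind !== b[i].kind || (a[i].kind === "fixed" && a[i].text !== b[i].text))
      return { ok: false, reason: `token ${i}: ${a[i].text} -> ${b[i].text}`, renames };
    if (a[i].kind === "name" && a[i].text !== b[i].text) {
      if (!renames.has(a[i].text)) renames.set(a[i].text, new Set());
      renames.get(a[i].text).add(b[i].text);
    }
  }
  return { ok: true, reason: "", renames };
}

// The page's sample pair, plus a constructed tampered output (initial index 0 changed to 1).
const MINIFIED = "function a(e,t){var n=[];var r=e.length;var i=0;for(;i<r;i+=t){if(i+t<r)" +
  "{n.push(e.substring(i,i+t))}else{n.push(e.substring(i,r))}}return n}";
const HUMANIFIED = "function splitString(inputString, chunkSize) { var chunks = []; " +
  "var stringLength = inputString.length; var startIndex = 0; " +
  "for (; startIndex < stringLength; startIndex += chunkSize) { if (startIndex + chunkSize < stringLength) " +
  "{ chunks.push(inputString.substring(startIndex, startIndex + chunkSize)); } " +
  "else { chunks.push(inputString.substring(startIndex, stringLength)); } } return chunks; }";
const TAMPERED = HUMANIFIED.replace("startIndex = 0", "startIndex = 1");
console.log(checkRenameOnly(MINIFIED, HUMANIFIED).ok, checkRenameOnly(MINIFIED, TAMPERED).reason);
```

The tool's Babel and Webcrack passes also restructure code, so on real output a mismatch marks a place to review by hand rather than proof that the model altered behaviour.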
Prerequisites:
- Node.js >=20
The preferred way to install the tool is via npm:

```shell
npm install -g humanifyjs
```

This installs the tool to your machine globally. After the installation is done, you should be able to run the tool via:

```shell
humanify
```

If you want to try it out before installing, you can run it using npx:

```shell
npx humanifyjs
```

This will download the tool and run it locally. Note that all examples here
expect the tool to be installed globally, but they should work by replacing
humanify with npx humanifyjs as well.
Next you'll need to decide whether to use openai, gemini or local mode. In a
nutshell:
- openai or gemini mode
  - Runs on someone else's computer that's specifically optimized for this kind of thing
  - Costs money depending on the length of your code
  - Is more accurate
- local mode
  - Runs locally
  - Is free
  - Is less accurate
  - Runs as fast as your GPU does (it also runs on CPU, but may be very slow)

See instructions below for each option:
You'll need a ChatGPT API key. You can get one by signing up at https://openai.com/.
There are several ways to provide the API key to the tool:
```shell
humanify openai --apiKey="your-token" obfuscated-file.js
```

Alternatively you can also use an environment variable OPENAI_API_KEY. Use humanify --help to see all available options.

The OpenAI mode now supports checkpointing to resume processing if the request is interrupted:
```shell
# Enable checkpoint saving
humanify openai --checkpoint obfuscated-file.js
# Resume from last checkpoint
humanify openai --resume obfuscated-file.js
```

When checkpointing is enabled:
- Progress is saved every 5 renamed identifiers
- If the process is interrupted, you can resume from where it left off
- Partial results are saved and merged at the end
- Checkpoint data is stored in the .checkpoints folder in the output directory

You'll need a Google AI Studio key. You can get one by signing up at https://aistudio.google.com/.
You need to provide the API key to the tool:

```shell
humanify gemini --apiKey="your-token" obfuscated-file.js
```

Alternatively you can also use an environment variable GEMINI_API_KEY. Use humanify --help to see all available options.

The Gemini mode also supports checkpointing:
```shell
# Enable checkpoint saving
humanify gemini --checkpoint obfuscated-file.js
# Resume from last checkpoint
humanify gemini --resume obfuscated-file.js
```

The local mode uses a pre-trained language model to deobfuscate the code. The model is not included in the repository due to its size, but you can download it using the following command:

```shell
humanify download 2b
```

This downloads the 2b model to your local machine. This only needs to be done once. You can also choose to download other models depending on your local resources. List the available models using humanify download.

After downloading the model, you can run the tool with:
```shell
humanify local obfuscated-file.js
```

This uses your local GPU to deobfuscate the code. If you don't have a GPU, the tool will automatically fall back to CPU mode. Note that using a GPU speeds up the process significantly.

Humanify has native support for Apple's M-series chips, and can fully utilize the GPU capabilities of your Mac.
The Local mode also supports checkpointing:
```shell
# Enable checkpoint saving
humanify local --checkpoint obfuscated-file.js
# Resume from last checkpoint
humanify local --resume obfuscated-file.js
```

Note: Local mode saves checkpoints every 10 identifiers (compared to 5 for API-based modes) to balance between checkpoint frequency and performance.

The main features of the tool are:
- Uses ChatGPT functions/local models to get smart suggestions for renaming variables and functions
- Uses custom and off-the-shelf Babel plugins to perform AST-level unmangling
- Uses Webcrack to unbundle Webpack bundles
If you'd like to contribute, please fork the repository and use a feature branch. Pull requests are warmly welcome.
The code in this project is licensed under MIT license.