Pure Python JavaScript deobfuscator for malware analysis and security automation.
pip install pyjsclearFor development:
git clone https://github.com/intezer/PyJSClear.git
cd PyJSClear
pip install -e .
pip install pytestfrom pyjsclear import deobfuscate, deobfuscate_file
# From a string
cleaned = deobfuscate(obfuscated_code)
# From a file
deobfuscate_file("input.js", "output.js")
# Or get the result as a string
cleaned = deobfuscate_file("input.js")# File to stdout
pyjsclear input.js
# File to file
pyjsclear input.js -o output.js
# Stdin to stdout
cat input.js | pyjsclear -
# With custom iteration limit
pyjsclear input.js --max-iterations 20PyJSClear applies transforms in a multi-pass loop until the code stabilizes (default limit: 50 iterations). A final one-shot pass renames variables and converts var/let to const.
Capabilities:
- Whole-file encoding detection: JSFuck, JJEncode, AAEncode, eval-packing
- String array decoding (obfuscator.io basic/base64/RC4, XOR, class-based)
- Constant propagation & reassignment elimination
- Dead code / dead branch / unreachable code removal
- Control-flow unflattening (switch-dispatch recovery)
- Proxy function & proxy object inlining
- Expression simplification & modern syntax recovery (?., ??)
- Anti-tamper / anti-debug removal
- Variable renaming (_0x… → readable names)
Large files (>500 KB / >50K AST nodes) automatically use a lite mode that skips expensive transforms.
- Best results on obfuscator.io output. JSFuck, JJEncode, AAEncode, and eval-packed code are fully decoded; other obfuscation tools may only partially deobfuscate.
- Large files get reduced treatment. Files >500 KB or ASTs >50 K nodes skip expensive transforms; files >2 MB use a minimal lite mode.
- Very deep AST nesting — traversal automatically falls back from recursion to an iterative strategy at depth thresholds, but pathologically deep inputs may still produce partial results.
Apache License 2.0 — see LICENSE.
This project is a derivative work based on obfuscator-io-deobfuscator (Apache 2.0), javascript-deobfuscator (Apache 2.0), and webcrack (MIT). See THIRD_PARTY_LICENSES.md and NOTICE for full attribution.
Test samples include obfuscated JavaScript from the JSIMPLIFIER dataset (GPL-3.0) and the Obfuscated JavaScript Dataset, used solely for evaluation purposes.