PSEEDR

HumanifyJS: Bridging Abstract Syntax Trees and LLMs for Semantic De-obfuscation

How hybrid static analysis and large language models are reshaping JavaScript reverse engineering.

· Editorial Team

For security researchers and developers tasked with auditing third-party code, JavaScript obfuscation remains a persistent barrier. Traditional de-obfuscators have historically relied on static analysis and statistical renaming—tools like JSNice leverage conditional random fields to predict variable names based on large codebases. However, these methods often fail to capture the specific context of unique business logic. HumanifyJS represents a shift in this domain by integrating Large Language Models (LLMs) directly into the de-obfuscation pipeline, moving from syntactic formatting to semantic interpretation.

The Hybrid Architecture: AST Meets LLM

The core innovation of HumanifyJS lies in its separation of concerns. Pure LLM approaches to code generation often suffer from hallucinations or subtle syntax errors that render the output non-executable. HumanifyJS addresses this by utilizing a hybrid architecture. It employs Babel, a widely used JavaScript compiler, to handle the Abstract Syntax Tree (AST) operations. This ensures that the structural integrity of the code—its logic flow and execution path—remains untouched and functionally equivalent to the original obfuscated source.

Simultaneously, the tool queries LLMs (such as ChatGPT or Llama) to analyze the code's behavior and suggest context-aware names for variables and functions. For example, where a traditional tool might rename a variable named "a" to "var1", HumanifyJS analyzes the variable's usage in an authentication flow and renames it "isUserLoggedIn". This semantic layer transforms the output from merely readable to logically comprehensible.
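The division of labour described above, sketched as an added example (this is not HumanifyJS code): the model's reply is treated as untrusted input, and the only thing it can change is the name field of identifier nodes, so the tree shape stays the same. It assumes a hand-built ESTree-shaped AST in place of Babel, a single flat scope, and property handling for member access only; safeName, collectIdentifiers, applyRenames and sampleAst are hypothetical helper names.

```javascript
// Added example. Model replies are untrusted: only Identifier.name is ever written.
const RESERVED = new Set(("break case catch class const continue delete do else export " +
  "for function if import in new null return switch this throw true false try typeof " +
  "var void while with yield let await").split(" "));

// Reduce an arbitrary reply to a legal, unused ASCII identifier.
function safeName(reply, taken) {
  let name = String(reply).trim().replace(/[^A-Za-z0-9_$]/g, "_");
  if (name === "" || /^[0-9]/.test(name) || RESERVED.has(name)) name = "_" + name;
  while (taken.has(name)) name = "_" + name; // never capture an existing binding
  taken.add(name);
  return name;
}

// Collect Identifier nodes that are variable references, not property keys.
function collectIdentifiers(node, out = []) {
  if (Array.isArray(node)) { node.forEach(n => collectIdentifiers(n, out)); return out; }
  if (!node || typeof node !== "object") return out;
  if (node.type === "Identifier") { out.push(node); return out; }
  for (const [key, child] of Object.entries(node)) {
    // In `obj.prop`, renaming `prop` would change behaviour, so skip it.
    if (node.type === "MemberExpression" && key === "property" && !node.computed) continue;
    collectIdentifiers(child, out);
  }
  return out;
}

// Apply {oldName: modelReply} in place; returns Map(oldName -> name actually used).
function applyRenames(ast, suggestions) {
  const ids = collectIdentifiers(ast);
  const bound = new Set(ids.map(id => id.name)); // names present before renaming
  const taken = new Set(bound);                  // grows as new names are issued
  const mapping = new Map();
  for (const [oldName, reply] of Object.entries(suggestions)) {
    if (bound.has(oldName)) mapping.set(oldName, safeName(reply, taken));
  }
  for (const id of ids) if (mapping.has(id.name)) id.name = mapping.get(id.name);
  return mapping;
}

// Constructed sample AST for: function a(b) { return b.c !== null; }
function sampleAst() {
  const id = name => ({ type: "Identifier", name });
  return { type: "FunctionDeclaration", id: id("a"), params: [id("b")],
    body: { type: "BlockStatement", body: [{ type: "ReturnStatement",
      argument: { type: "BinaryExpression", operator: "!==",
        left: { type: "MemberExpression", computed: false, object: id("b"), property: id("c") },
        right: { type: "Literal", value: null } } }] } };
}
```

A real pipeline would take bindings from the parser's scope analysis rather than the flat name set used here.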

Dual Inference Modes and Hardware Acceleration

The tool acknowledges the trade-off between precision and data privacy through its dual inference modes. Users can opt for cloud-based APIs, such as OpenAI or Gemini, which offer the highest fidelity in renaming suggestions but incur usage costs and require data transmission.

Alternatively, HumanifyJS supports local execution using open-source models like Llama. While the documentation notes that local mode may be "limited in speed and accuracy" compared to cloud counterparts, it provides a critical pathway for analyzing sensitive or proprietary code that cannot leave the local environment. To mitigate the performance overhead of local inference, the tool supports GPU acceleration on Mac M-series chips, indicating a focus on modern developer hardware.

Economic and Operational Considerations

The integration of commercial LLM APIs introduces a variable cost structure to reverse engineering. The project documentation provides a benchmark for cost estimation: de-obfuscating a compressed library the size of Bootstrap costs approximately $0.50 via cloud APIs. While negligible for single-file analysis, this cost model suggests that large-scale audits of extensive codebases could become financially significant, necessitating a strategic choice between the high-cost cloud mode and the free, albeit less capable, local mode.

Workflow Integration

Beyond renaming, HumanifyJS attempts to streamline the pre-processing phase of reverse engineering. It integrates webcrack, a tool designed to automatically unpack Webpack bundles. This allows the tool to ingest complex, bundled applications directly, separating them into constituent modules before applying the LLM-based de-obfuscation. This integration targets the common friction point where analysts must manually debundle code using tools like CyberChef or Debundle before analysis can begin.

Limitations and Future Outlook

Despite the advancement in semantic analysis, the tool faces inherent limitations. The reliance on LLM context windows restricts the volume of code that can be analyzed simultaneously, potentially fragmenting the context for larger files. Furthermore, while the hybrid model protects code structure, the accuracy of the semantic renaming is entirely dependent on the underlying model's inference capabilities, which may vary significantly between GPT-4 and a quantized local Llama model. As LLM context windows expand and local model performance improves, tools like HumanifyJS are likely to replace statistical de-obfuscators as the standard for static analysis.
