Hey everyone! I just released Noctyra, a tool I built to handle Python deobfuscation using AST transformers. It's been a fun side project and I figured it was time to share it.
Why AST and not regex?
Most quick deobfuscation scripts you'll find online rely on regex replacements or target specific obfuscators. That works for simple cases, but it falls apart easily when the obfuscation is layered or unknown.
Noctyra works directly on the Abstract Syntax Tree (AST). Instead of treating the code as text, it:
- Parses the source into an AST
- Applies a sequence of transformers on the nodes
- Unparses the result back into clean, readable and formatted Python
This means it can handle things like constant folding, resolving encoded strings, and junk code without ever caring about formatting or how unreadable the code is.
How the pipeline works
The pipeline runs transformers in iterations until the AST stops changing between passes. This is what makes it effective against layered obfuscation.
For example, something like:
exec(base64.b64decode(bytes([x ^ 0x42 for x in rot13_encoded])))
gets unwrapped step by step: ROT13 first, then XOR, then base64, until you're left with the original code.
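To make the fixed-point idea concrete, here is an added sketch that is not Noctyra's own code: two hypothetical transformers (`FoldConstants`, `ResolveB64`) run in a loop until `ast.dump` stops changing. It only covers constant folding and `base64.b64decode` on literals, and the sample input is constructed; the payload is resolved statically and never executed.

```python
import ast
import base64
import operator

# Operators that are cheap and side-effect free to evaluate on literals.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.BitXor: operator.xor}

class FoldConstants(ast.NodeTransformer):
    """Hypothetical transformer: fold <const> op <const> into one constant."""
    def visit_BinOp(self, node):
        self.generic_visit(node)  # fold the operands first
        op = _OPS.get(type(node.op))
        if op and isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant):
            try:
                value = op(node.left.value, node.right.value)
            except TypeError:  # e.g. str + bytes: leave the node alone
                return node
            return ast.copy_location(ast.Constant(value=value), node)
        return node

class ResolveB64(ast.NodeTransformer):
    """Hypothetical transformer: replace base64.b64decode(<literal>) with its bytes."""
    def visit_Call(self, node):
        self.generic_visit(node)
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr == "b64decode"
                and isinstance(f.value, ast.Name) and f.value.id == "base64"
                and len(node.args) == 1 and not node.keywords
                and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, (str, bytes))):
            try:
                raw = base64.b64decode(node.args[0].value, validate=True)
            except ValueError:  # not valid base64: keep the original call
                return node
            return ast.copy_location(ast.Constant(value=raw), node)
        return node

def deobfuscate(source, transformers=(ResolveB64, FoldConstants), max_passes=20):
    """Apply all transformers repeatedly until one full pass changes nothing."""
    tree = ast.parse(source)
    for passes in range(1, max_passes + 1):
        before = ast.dump(tree)
        for cls in transformers:
            tree = ast.fix_missing_locations(cls().visit(tree))
        if ast.dump(tree) == before:  # fixed point reached
            break
    return ast.unparse(tree), passes

# Constructed sample: two base64 layers with the literals split apart.
SAMPLE = 'exec(base64.b64decode(base64.b64decode("YUdW" + "c2JH") + b"8="))'
```

Each pass only unlocks what the previous one exposed: the inner string is folded, then decoded, then the bytes are joined, then the outer layer is decoded. A final pass confirms nothing changed.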
Current state
It's still early and there are plenty of obfuscation patterns I haven't covered yet, but it handles a decent chunk of what you'd encounter in the wild. The architecture is modular, so adding new transformers is straightforward.