The latest articles on DEV Community by 0p4n1k (@0p4n1k). https://dev.to/0p4n1k https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3854040%2Fd462102c-457f-4bda-85af-4f84547aaa69.gif https://dev.to/0p4n1k en 0p4n1k Tue, 31 Mar 2026 18:47:23 +0000 https://dev.to/0p4n1k/i-built-a-python-deobfuscator-using-ast-transformers-noctyra-24g3 https://dev.to/0p4n1k/i-built-a-python-deobfuscator-using-ast-transformers-noctyra-24g3 <p>Hey everyone! I just released <strong>Noctyra</strong>, a tool i built to handle Python deobfuscation using AST transformers. It's been a fun side project and I figured it was time to share it.</p> <h2> Why AST and not regex? </h2> <p>Most quick deobfuscation scripts you'll find online rely on regex replacements or target specific obfuscators. That works for simple cases, but fall apart easily when the obfuscation is layered or unknown.</p> <p>Noctyra works directly on the <strong>Abstract Syntax Tree</strong> (AST). Instead of treating the code as text, it:</p> <ol> <li>Parses the source into an AST</li> <li>Applies a sequence of transformers on the nodes</li> <li>Unparses the result back into clean, readable and formated Python</li> </ol> <p>This means it can handle things like constant folding, resolving encoded strings, junk code without ever caring about formatting or unreadable code.</p> <h2> How the pipeline works </h2> <p>The pipeline runs transformers in <strong>iterations</strong> until the AST stops changing between passes. This is what makes it effective against layered obfuscation.</p> <p>For example, something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nf">exec</span><span class="p">(</span><span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="nf">bytes</span><span class="p">([</span><span class="n">x</span> <span class="o">^</span> <span class="mh">0x42</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">rot13_encoded</span><span class="p">])))</span> </code></pre> </div> <p>gets unwrapped step by step: ROT13 first, then XOR, then base64 until you're left with the original code.</p> <h2> Current state </h2> <p>It's still early and there are plenty of obfuscation patterns i haven't covered yet, but it handles a decent chunk of what you'd encounter in the wild. The architecture is modular, so adding new transformers is straightforward.</p> <p><strong>Repo:</strong> <a href="https://github.com/0p4n1k/Noctyra" rel="noopener noreferrer">https://github.com/0p4n1k/Noctyra</a></p> python security reverseengineering opensource