de4py by Fadi002

AI-powered toolkit for Python reverse engineering

Created 2 years ago
973 stars

Top 37.7% on SourcePulse
Project Summary

de4py is an AI-powered Python deobfuscator and reverse engineering toolkit for malware analysts and reverse engineers. It automates deobfuscation using local LLMs and traditional methods, offers robust analysis tools, and features a modern GUI. Its benefit lies in streamlining complex reverse engineering tasks with intelligent automation and manual analysis support.

How It Works

de4py employs a hybrid approach, combining a novel AI-driven "Onyx Engine" with established deobfuscation techniques. The Onyx Engine leverages local LLMs (via Ollama) alongside AST cleaning, control-flow flattening recovery, and pattern matching for sophisticated deobfuscation. This is complemented by direct support for numerous legacy obfuscators (e.g., Jawbreaker, Hyperion) and a file analyzer for packer detection and metadata extraction. A Pyshell GUI facilitates dynamic analysis within target processes.

Quick Start & Requirements

Install by running git clone https://github.com/Fadi002/de4py.git, then cd de4py, then pip install . (note the trailing dot, which installs the current directory). Launch the GUI with python -m de4py or the CLI with python -m de4py --cli. Prerequisites include Python 3.8+; Windows is recommended. For the AI Onyx Engine, install Ollama and pull a model (e.g., ollama run qwen2.5-coder:1.5b).

Highlighted Details

  • Onyx Engine (AI): Advanced deobfuscation using local LLMs, AST cleaning, control-flow recovery, and pattern matching.
  • Legacy Deobfuscation: Supports Jawbreaker, BlankOBF, PlusOBF, Wodx, Hyperion, pyobfuscate.
  • File Analyzer: Packer detection, hash calculation, string lookup, metadata extraction.
  • Pyshell GUI: Enables Python code execution within external target processes for dynamic analysis.
  • Modern UI: PySide6 with dark theme; CLI mode available.
  • Global Localization: 18+ languages via community engine.
  • Plugin Architecture & API: Extensible system for custom analyzers and library usage.
  • Behavior Monitor & DevTools: Monitors process handles, memory, sockets; includes real-time inspection.

Maintenance & Community

Maintained by Fadi002 and AdvDebug. Community channels include Matrix (recommended), Signal, and Discord. Translations are managed via Crowdin.

Licensing & Compatibility

Licensed under CC BY-NC 4.0 (Creative Commons Attribution-NonCommercial 4.0 International). This license strictly prohibits commercial use; any paid versions sold elsewhere are unauthorized.

Limitations & Caveats

Commercial use is explicitly forbidden. Windows is the recommended platform for full feature support. Advanced AI deobfuscation requires a correctly configured Ollama environment and LLM model.

Health Check

  • Last Commit: 2 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 4
  • Issues (30d): 0
  • Star History: 12 stars in the last 30 days
