bongtrop / hbctool
Hermes Bytecode Reverse Engineering Tool (Assemble/Disassemble Hermes Bytecode)
License: MIT License
The example index.android.bundle file is version 74 and not 76
00000000: c61f bc03 c103 191f 4a00 0000 d031 0a88 ........J....1..
byte 0x9 should be 4c and not 4a
I tried to decompile hermes bytecode and failed.
hbctool disasm assets/index.android.bundle ../hermes_out
[*] Disassemble 'assets/index.android.bundle' to '../hermes_out' path
Traceback (most recent call last):
File "/usr/local/bin/hbctool", line 8, in <module>
sys.exit(main())
^^^^^^
File "/usr/local/lib/python3.11/site-packages/hbctool/__init__.py", line 61, in main
disasm(args['<HBC_FILE>'], args['<HASM_PATH>'])
File "/usr/local/lib/python3.11/site-packages/hbctool/__init__.py", line 33, in disasm
hbco = hbc.load(f)
^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/hbctool/hbc/__init__.py", line 29, in load
assert version in HBC, f"The HBC version ({version}) is not supported."
^^^^^^^^^^^^^^
AssertionError: The HBC version (90) is not supported.
please!
I think it is hard to write patch code to hbc. When I added some patch code to hbc at some offset of the instruction segment, the offset will be reused afterwards, which causes the earlier code to be modified and the code to be disassembled incorrectly, because the added bytecode changes the offset of some functions.
I can't understand the decompiled file; can I restore it to JavaScript in the future? This is very helpful to me, thanks!
How to decode and change utf16 values in strings.json?
example:
{ "id": 27774, "isUTF16": true, "value": "3906270645062000480627062d062f06" }
When I run "hbctool asm edited index.android.bundle":
hbc.setString(string["id"], string["value"])
\appdata\local\programs\python\python39-32\lib\site-packages\hbctool\hbc\hbc59\__init__.py", line 142, in setString
assert l <= length, "Overflowed string length is not supported yet."
AssertionError: Overflowed string length is not supported yet.
I'm using Python 3.9.6, what should I fix?
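As an added example (not hbctool's code, and not from the issue author), this Python decodes and re-encodes the strings.json value quoted above and applies the same no-overflow rule that setString asserts. It assumes that UTF-16 values are stored as hex of UTF-16LE code units, which is consistent with the sample value, and that the length limit is measured in the same encoding as the original slot.

```python
# Constructed sample: the strings.json entry quoted in the issue above.
ENTRY = {"id": 27774, "isUTF16": True, "value": "3906270645062000480627062d062f06"}


def decode_value(entry: dict) -> str:
    """Turn a strings.json 'value' back into text.
    Assumption: UTF-16 entries hold the hex of UTF-16LE code units (the sample
    decodes to a coherent Arabic phrase this way); other entries are plain text."""
    if entry["isUTF16"]:
        return bytes.fromhex(entry["value"]).decode("utf-16-le")
    return entry["value"]


def encode_value(text: str, utf16: bool) -> str:
    """Inverse of decode_value, in the same encoding as the original slot."""
    return text.encode("utf-16-le").hex() if utf16 else text


def slot_units(entry: dict) -> int:
    """Number of code units the existing string occupies."""
    if entry["isUTF16"]:
        return len(bytes.fromhex(entry["value"])) // 2
    return len(entry["value"])


def replace_value(entry: dict, new_text: str) -> dict:
    """Return an edited copy of the entry, refusing edits that would overflow
    the original slot: hbctool's setString asserts new length <= old length,
    which is exactly the assertion shown in the issue above."""
    new_units = len(new_text.encode("utf-16-le")) // 2 if entry["isUTF16"] else len(new_text)
    if new_units > slot_units(entry):
        raise ValueError(f"new string has {new_units} code units, slot holds {slot_units(entry)}")
    return {**entry, "value": encode_value(new_text, entry["isUTF16"])}


if __name__ == "__main__":
    text = decode_value(ENTRY)
    print("decoded:", text, "| code units:", slot_units(ENTRY))
    # Shorter replacement (first word only) fits; a longer one raises ValueError.
    print("edited:", replace_value(ENTRY, text.split(" ")[0]))
```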
I've listed the commit tree URL for every Hermes bytecode version, so it is easy to search them when building the opcodes:
More to be added. In progress.
Sorry if this is a dumb question, but to use this, what is <HASM_PATH>? I assume the path to some assembler binaries or something? Could you tell me what this is and/or where to get it? Thanks
Never mind, that is the output disassembled file, I am a dumb-dumb...
Hi, I got an error with the command "hbctool disasm index.android.bundle test_hasm". Please help:
[*] Disassemble 'index.android.bundle' to 'test_hasm' path
Traceback (most recent call last):
File "C:\Program Files\Python310\lib\runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "C:\Program Files\Python310\lib\runpy.py", line 86, in _run_code
exec(code, run_globals)
File "C:\Program Files\Python310\Scripts\hbctool.exe\__main__.py", line 7, in <module>
File "C:\Program Files\Python310\lib\site-packages\hbctool\__init__.py", line 61, in main
disasm(args['<HBC_FILE>'], args['<HASM_PATH>'])
File "C:\Program Files\Python310\lib\site-packages\hbctool\__init__.py", line 33, in disasm
hbco = hbc.load(f)
File "C:\Program Files\Python310\lib\site-packages\hbctool\hbc\__init__.py", line 28, in load
assert magic == MAGIC, f"The magic ({hex(magic)}) is invalid. (must be {hex(MAGIC)})"
AssertionError: The magic (0x55425f5f20726176) is invalid. (must be 0x1f1903c103bc1fc6)
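Two of the reports above come down to the first 12 bytes of the file: the version-field issue (offset 8 reading 74 rather than 76) and the magic-mismatch assertion just shown. As an added example, not hbctool's code and not from any issue author, the following Python reads those two fields; the sample inputs are constructed from the hexdump and the assertion message quoted above.

```python
import struct

# The value hbctool asserts on, taken from the assertion message above.
HERMES_MAGIC = 0x1F1903C103BC1FC6

# Constructed sample: the first 16 bytes shown in the hexdump above.
HERMES_HEADER = bytes.fromhex("c61fbc03c103191f4a000000d0310a88")
# Constructed sample: a bundle that was never compiled to Hermes bytecode and
# therefore starts with JavaScript source text instead of the magic.
PLAIN_JS_BUNDLE = b"var __BUNDLE_START_TIME__=Date.now();"


def inspect_hbc_header(data: bytes) -> dict:
    """Read the 8-byte magic and the 4-byte version at the start of a bundle.
    Both fields are little-endian, which is why the hexdump bytes appear reversed
    relative to the hex constant that hbctool prints in its assertion."""
    if len(data) < 12:
        raise ValueError("file too short to contain a Hermes header")
    magic, version = struct.unpack_from("<QI", data, 0)
    is_hermes = magic == HERMES_MAGIC
    return {
        "magic": magic,
        "is_hermes": is_hermes,
        # Only meaningful when the magic matched; otherwise the bytes at offset 8
        # are just more source text.
        "version": version if is_hermes else None,
        # When the magic is wrong, show the leading bytes as text: a readable
        # prefix such as 'var __BU' is the 0x55425f5f20726176 from the issue
        # above, i.e. a plain JS bundle rather than a corrupt HBC file.
        "leading_text": data[:8].decode("ascii", errors="replace"),
    }


if __name__ == "__main__":
    for name, blob in (("hexdump sample", HERMES_HEADER), ("plain JS", PLAIN_JS_BUNDLE)):
        info = inspect_hbc_header(blob)
        print(f"{name}: magic={info['magic']:#x} hermes={info['is_hermes']} "
              f"version={info['version']} leading={info['leading_text']!r}")
```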
Hi, thanks for making this tool, I thought I wouldn't be able to analyze React Native apps anymore!
Anyway, I don't know if I should create another issue, but could you also add support for version 62 please?
Used by: com.canaltp.ametis
Thank you
[*] Disassemble 'index.android.bundle' to 'hbctool' path
Traceback (most recent call last):
File "/usr/local/bin/hbctool", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.9/site-packages/hbctool/__init__.py", line 61, in main
disasm(args['<HBC_FILE>'], args['<HASM_PATH>'])
File "/usr/local/lib/python3.9/site-packages/hbctool/__init__.py", line 33, in disasm
hbco = hbc.load(f)
File "/usr/local/lib/python3.9/site-packages/hbctool/hbc/__init__.py", line 29, in load
assert version in HBC, f"The HBC version ({version}) is not supported."
AssertionError: The HBC version (84) is not supported.
hbctool
Traceback (most recent call last):
File "/usr/local/bin/hbctool", line 11, in <module>
load_entry_point('hbctool==0.1.5', 'console_scripts', 'hbctool')()
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 489, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2793, in load_entry_point
return ep.load()
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2411, in load
return self.resolve()
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2417, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/local/lib/python2.7/dist-packages/hbctool-0.1.5-py2.7.egg/hbctool/__init__.py", line 31
print(f"[*] Disassemble '{hbcfile}' to '{hasmpath}' path")
^
SyntaxError: invalid syntax
AssertionError: The HBC version (90) is not supported.
Hey, on version 90, provided by a pull request, upon compiling (without changing anything, just simply disasm and re-asm), replacing the file and looking at the logs, the app instantly crashes and gives me this error:
The actual size of the file is smaller than what it says in the headers. If anyone could help me out with this it would be much appreciated!
https://github.com/P1sec/hermes-dec
I disassembled index.android.bundle to instructions.hasm via P1sec
(There's no option to reassemble hasm) so I tried to reassemble it via bongtrop hbctool
Error:
assert os.path.exists(f"{path}/metadata.json"), f"metadata.json not found."
AssertionError: metadata.json not found
Add support for the latest Hermes.
C:\Users\Max\feeld\co.feeld\assets>hbctool disasm index.android.bundle test_hasm
[*] Disassemble 'index.android.bundle' to 'test_hasm' path
Traceback (most recent call last):
File "C:\Users\Max\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "C:\Users\Max\AppData\Local\Programs\Python\Python310\lib\runpy.py", line 86, in _run_code
exec(code, run_globals)
File "C:\Users\Max\AppData\Local\Programs\Python\Python310\Scripts\hbctool.exe\__main__.py", line 7, in <module>
File "C:\Users\Max\AppData\Local\Programs\Python\Python310\lib\site-packages\hbctool\__init__.py", line 61, in main
disasm(args['<HBC_FILE>'], args['<HASM_PATH>'])
File "C:\Users\Max\AppData\Local\Programs\Python\Python310\lib\site-packages\hbctool\__init__.py", line 33, in disasm
hbco = hbc.load(f)
File "C:\Users\Max\AppData\Local\Programs\Python\Python310\lib\site-packages\hbctool\hbc\__init__.py", line 29, in load
assert version in HBC, f"The HBC version ({version}) is not supported."
AssertionError: The HBC version (84) is not supported.
hbctool
# error
(hbctool) dnoscp@arupadaiveedu:~/Desktop/data/PATCH2$ hbctool disasm apktool/assets/index.android.bundle decompiled
[*] Disassemble 'apktool/assets/index.android.bundle' to 'decompiled' path
Traceback (most recent call last):
File "/opt/tools/hbctool/bin/hbctool", line 8, in <module>
sys.exit(main())
File "/opt/tools/hbctool/lib/python3.10/site-packages/hbctool/__init__.py", line 61, in main
disasm(args['<HBC_FILE>'], args['<HASM_PATH>'])
File "/opt/tools/hbctool/lib/python3.10/site-packages/hbctool/__init__.py", line 33, in disasm
hbco = hbc.load(f)
File "/opt/tools/hbctool/lib/python3.10/site-packages/hbctool/hbc/__init__.py", line 29, in load
assert version in HBC, f"The HBC version ({version}) is not supported."
AssertionError: The HBC version (84) is not supported.
# file info
(hbctool) dnoscp@arupadaiveedu:~/Desktop/data/PATCH2$ file apktool/assets/index.android.bundle
apktool/assets/index.android.bundle: Hermes JavaScript bytecode, version 84
When I execute the command poetry install, the terminal says "Installing the current project: hbctool (0.1.3)", but where is the output, or where did it install?
Thank you for this great tool. I wonder if support for HBC version 59 can be added. I will try it myself, but I am not sure I will succeed.
[*] Disassemble '.\index.android.bundle' to '.\output' path
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "C:\Python311\Scripts\hbctool.exe\__main__.py", line 7, in <module>
File "C:\Python311\Lib\site-packages\hbctool\__init__.py", line 61, in main
disasm(args['<HBC_FILE>'], args['<HASM_PATH>'])
File "C:\Python311\Lib\site-packages\hbctool\__init__.py", line 33, in disasm
hbco = hbc.load(f)
^^^^^^^^^^^
File "C:\Python311\Lib\site-packages\hbctool\hbc\__init__.py", line 29, in load
assert version in HBC, f"The HBC version ({version}) is not supported."
^^^^^^^^^^^^^^
AssertionError: The HBC version (85) is not supported.
Any solution for this?
Add support for latest hermes
======================================================================
FAIL: test_get_function (hbctool.hbc.hbc76.test.TestHBC76)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/media/x/all/hack_tools/android_pentest/hbctool/hbctool/hbc/hbc76/test.py", line 22, in test_get_function
self.assertEqual(functionCount, len(target_offsets))
AssertionError: 31666 != 3946
======================================================================
FAIL: test_get_string (hbctool.hbc.hbc76.test.TestHBC76)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/media/x/all/hack_tools/android_pentest/hbctool/hbctool/hbc/hbc76/test.py", line 43, in test_get_string
self.assertEqual(stringCount, len(target_strings))
AssertionError: 57366 != 4656
----------------------------------------------------------------------
Ran 23 tests in 43.542s
I received an error when trying to disasm hermes 76.
Please! Help me :(
Hi @bongtrop Thanks for the nice tool.
I have been working on updating a few things here: https://github.com/cyfinoid/hbctool
I see 84, 85 support got merged recently, hence I can't open a clear pull request. The following changes are available in my branch if you want to cherry-pick:
Feel free to pick and choose.
I get the following error when trying to disassemble an android bundle using hermes bytecode version 84:
[*] Disassemble 'index.android.bundle' to 'out' path
[*] Hermes Bytecode [ Source Hash: d47dd92ea0ad2ab0ad46438a7f6f4a2ee383dbf5, HBC Version: 84 ]
Traceback (most recent call last):
File "hbctool\.venv\Scripts\\hbctool", line 6, in <module>
sys.exit(main())
^^^^^^
File "hbctool\hbctool\__init__.py", line 61, in main
disasm(args['<HBC_FILE>'], args['<HASM_PATH>'])
File "hbctool\hbctool\__init__.py", line 41, in disasm
hasm.dump(hbco, hasmpath)
File "hbctool\hbctool\hasm.py", line 67, in dump
write_func(f, hbc.getFunction(i), i, hbc)
^^^^^^^^^^^^^^^^^^
File "hbctool\hbctool\hbc\hbc84\__init__.py", line 59, in getFunction
insts = disassemble(bc)
^^^^^^^^^^^^^^^
File "hbctool\hbctool\hbc\hbc84\translator.py", line 33, in disassemble
opcode = opcode_mapper[bc[i]]
~~~~~~~~~~~~~^^^^^^^
IndexError: list index out of range
If not, can it be supported?
As it stands, it's difficult to (a) determine the object keys/values used in New*WithBuffer instructions, and (b) determine the exact location of a jump.
It would be great if this information could be displayed in the disassembly output (see below for examples).
I've done a proof-of-concept here, but it's very dodgy.
Function offsets:
0000: Function<Ie>9746(3 params, 16 registers, 2 symbols):
0000: CreateEnvironment Reg8:0
0002: LoadParam Reg8:3, UInt8:1
0005: LoadConstUInt8 Reg8:7, UInt8:1
0008: LoadConstUndefined Reg8:6
0010: LoadConstUndefined Reg8:4
0012: GetArgumentsLength Reg8:5, Reg8:4
0015: LoadConstUInt8 Reg8:2, UInt8:2
0018: Mov Reg8:1, Reg8:7
0021: JNotGreater Addr8:19, Reg8:5, Reg8:2
0021: ; Oper[1]; Offset(40)
0025: GetArgumentsPropByVal Reg8:5, Reg8:2, Reg8:4
0029: Mov Reg8:1, Reg8:7
0032: JStrictEqual Addr8:8, Reg8:6, Reg8:5
0032: ; Oper[1]; Offset(40)
0036: GetArgumentsPropByVal Reg8:1, Reg8:2, Reg8:4
0040: LoadParam Reg8:2, UInt8:2
0043: StoreToEnvironment Reg8:0, UInt8:1, Reg8:2
...
Object keys & values:
...
0085: Call4 Reg8:9, Reg8:14, Reg8:15, Reg8:5, Reg8:9, Reg8:13
0092: NewObjectWithBuffer Reg8:9, UInt16:11, UInt16:11, UInt16:33863, UInt16:288
0092: ; Oper[3]: ObjectKey(33863, String(12426)) 'updateId'
0092: ; Oper[3]: ObjectKey(33863, String(25017)) 'releaseChannel'
0092: ; Oper[4]: ObjectVal(288, Boolean(True))
0092: ; Oper[4]: ObjectVal(288, Boolean(True))
...
Hi,
First thank you for the support of Version 59. It works well for me.
I am trying to understand the bytecode in the instruction file and have a hard time knowing the offset of the jump.
I looked at the source code of Hermes, they mentioned clearly that : "The address is relative to the offset of the instruction."
In the instruction file, I don't see the addresses of instructions.
Here is my question let's say the code says:
Line 100 JmpFalse Addr8:18, Reg8:0
my understanding is if Reg8:0 is false, then the instruction will jump to a relative address to the JumpFalse instruction by 18.
Does that mean it will jump to line 118?
The number 18 in Addr8:18 is what I don't understand. How will I know where the code will jump if Reg8:0 is false? If it is true, I imagine the next instruction will be executed, but if it is false, I can't see the addresses to know what the next executed instruction will be.
I know it is Hermes question, but I hope you can make it clear for me.
Thank you.
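Both the annotated listing proposed above and the Addr8 question come down to the rule quoted from the Hermes source: the operand is a signed displacement from the byte offset of the jump instruction itself, so target = offset of the jump + displacement (the excerpt above shows 0021 + 19 and 0032 + 8 both landing on 0040). The following Python is an added example, not hbctool's output or code; it assumes a listing that already carries byte offsets in the left column, as in the excerpt above rather than the stock hasm file, and its sample lines are constructed from that excerpt.

```python
import re

# Constructed sample in the offset-annotated format used in the proposal above.
LISTING = """\
0018: Mov Reg8:1, Reg8:7
0021: JNotGreater Addr8:19, Reg8:5, Reg8:2
0025: GetArgumentsPropByVal Reg8:5, Reg8:2, Reg8:4
0029: Mov Reg8:1, Reg8:7
0032: JStrictEqual Addr8:8, Reg8:6, Reg8:5
0036: GetArgumentsPropByVal Reg8:1, Reg8:2, Reg8:4
0040: LoadParam Reg8:2, UInt8:2
"""

# "<offset>: <mnemonic> <operands>"; offsets are decimal byte positions.
LINE_RE = re.compile(r"^(\d+):\s+(\w+)\s*(.*)$")
# Addr8 / Addr32 operands are signed, so a backward jump shows up as a negative value.
ADDR_RE = re.compile(r"\bAddr(8|32):(-?\d+)")


def resolve_jumps(listing: str) -> dict:
    """Map the byte offset of every jump to its absolute target offset.
    The displacement is relative to the start of the jump instruction itself,
    not to the next instruction and not to a line number."""
    targets = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        offset, operands = int(m.group(1)), m.group(3)
        a = ADDR_RE.search(operands)
        if a:
            targets[offset] = offset + int(a.group(2))
    return targets


def annotate(listing: str) -> str:
    """Append '; -> <target>' to each jump line, like the ';' comments proposed above."""
    targets = resolve_jumps(listing)
    out = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(1)) in targets:
            line = f"{line}    ; -> {targets[int(m.group(1))]:04d}"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(annotate(LISTING))
```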