Mobile operators are distributing more and more Android and iOS applications in order to interface with their APIs and provide enhanced services to their subscribers. The need for P1 Security to reverse engineer mobile platform-targeted applications in the context of black-box security audits, as well as the global lack of effective tools regarding reverse engineering React Native-based applications, led us to develop hermes-dec.
P1 Security is publishing the initial release of hermes-dec, a new tool for reverse engineering React Native mobile applications for Android and iOS whose JS bundle has been compiled to the bytecode of the Hermes virtual machine.
Hermes bytecode files are recognized by the libmagic library on Linux, so their type can be identified with the “file” command-line utility.
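When auditing an app, the first question is whether the bundle shipped in the package is plain JavaScript or Hermes bytecode. The following added example (not code from the post or from hermes-dec) does the same check as libmagic in Python: it reads the header prefix and reports the bytecode version. The header layout it relies on (a little-endian 64-bit magic followed by a 32-bit version number) is the example author's recollection of Hermes's bytecode file format and is an assumption of this example, not something the post states.

```python
import struct
import sys

# Assumed Hermes bytecode header prefix (from the example author's reading of
# Hermes's BytecodeFileFormat.h, not from the post):
#   offset 0: uint64 little-endian magic 0x1F1903C103BC1FC6
#   offset 8: uint32 little-endian bytecode version
HERMES_MAGIC = 0x1F1903C103BC1FC6
HEADER_PREFIX = struct.Struct("<QI")  # magic + version, 12 bytes


def identify_hermes(data: bytes):
    """Return the bytecode version if `data` starts with a Hermes header, else None."""
    if len(data) < HEADER_PREFIX.size:
        return None
    magic, version = HEADER_PREFIX.unpack_from(data, 0)
    if magic != HERMES_MAGIC:
        return None
    return version


def classify_bundle(data: bytes) -> str:
    """Describe what a React Native bundle blob looks like: Hermes bytecode, plain JS, or unknown."""
    version = identify_hermes(data)
    if version is not None:
        return f"Hermes bytecode, version {version}"
    # A non-Hermes bundle is JavaScript source, so its first bytes are printable ASCII.
    head = data[:64]
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "plain JavaScript source (not Hermes bytecode)"
    return "unrecognized"


# Constructed sample inputs for this example (not real app bundles): a minimal
# header claiming bytecode version 89, and a short JavaScript prologue.
SAMPLE_HERMES = struct.pack("<QI", HERMES_MAGIC, 89) + b"\x00" * 116
SAMPLE_JS = b"(function(){var bundle=1;})();"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python identify_hermes.py path/to/index.android.bundle
        with open(sys.argv[1], "rb") as fh:
            print(classify_bundle(fh.read(128)))
    else:
        print(classify_bundle(SAMPLE_HERMES))
        print(classify_bundle(SAMPLE_JS))
```

The version number is what decides which tool can handle the file: a disassembler that only knows a narrower range of bytecode versions will refuse or misdecode a bundle it does not support, so reading it first avoids chasing a tooling problem as if it were an obfuscation.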
The hermes-dec tool released by P1 Security can disassemble Hermes bytecode, with the intent of being compatible with all public versions of the Hermes virtual machine (from 0.1.0 to the current 0.12.0, or bytecode version 89, at the time of writing, end of 2022). Other tools such as the hbctool utility support a more restricted set of Hermes bytecode versions, and the hbcdump tool present in the Hermes source tree supports only the exact version of the Hermes virtual machine it was built for.
Currently, hermes-dec should be able to decode the whole Hermes VM instruction set and to produce a single decompiled bundle file with nested closures (as the source code was before compilation to bytecode). Its current limitations are:
- It outputs jump instructions and labels instead of structured conditions and loops (we hope to reconstruct conditions and loops in the future, but this will require some graph-based processing of the basic blocks present within the decompiled code in order to undo certain LLVM optimizations, as the Hermes VM compiler relies on LLVM).
- It uses registers rather than local variables.
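To make the first limitation concrete, the following added example (this example's own code, not part of hermes-dec or the post) shows the first step of the graph-based processing mentioned above: it splits a label-and-jump listing into basic blocks, builds the control-flow graph, computes dominators and reports the natural loops found via back edges. The input listing and its syntax (labels ending in a colon, `goto`, `if … goto`, `return`, register assignments) are constructed for this example and are not hermes-dec output.

```python
import re
from dataclasses import dataclass, field

# Constructed pseudo-listing in the spirit of a jump/label decompiler output.
# It is this example's own syntax, not hermes-dec output: a counted loop that
# increments r0 until it reaches r1.
SAMPLE = """
label_0:
  r0 = 0
  r1 = 10
label_1:
  if not (r0 < r1) goto label_3
label_2:
  r0 = r0 + 1
  goto label_1
label_3:
  return r0
"""

JUMP_RE = re.compile(r"goto (\w+)$")


@dataclass
class Block:
    label: str
    instrs: list = field(default_factory=list)
    succs: list = field(default_factory=list)


def is_terminator(instr: str) -> bool:
    """Jumps (conditional or not) and returns end a basic block."""
    return JUMP_RE.search(instr) is not None or instr.startswith("return")


def parse_blocks(text: str):
    """Split the listing into basic blocks; instructions after a terminator without a label get an implicit block."""
    blocks, cur, implicit = [], None, 0
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            cur = Block(line[:-1])
            blocks.append(cur)
            continue
        if cur is None or (cur.instrs and is_terminator(cur.instrs[-1])):
            implicit += 1
            cur = Block(f"implicit_{implicit}")
            blocks.append(cur)
        cur.instrs.append(line)
    # Wire successor edges: jump target, plus fall-through for conditionals and plain blocks.
    for i, b in enumerate(blocks):
        nxt = blocks[i + 1].label if i + 1 < len(blocks) else None
        last = b.instrs[-1] if b.instrs else ""
        m = JUMP_RE.search(last)
        if m:
            b.succs.append(m.group(1))
            if last.startswith("if ") and nxt:
                b.succs.append(nxt)
        elif not last.startswith("return") and nxt:
            b.succs.append(nxt)
    return blocks


def predecessors(blocks):
    preds = {b.label: [] for b in blocks}
    for b in blocks:
        for s in b.succs:
            preds[s].append(b.label)
    return preds


def dominators(blocks):
    """Iterative dominator sets; the first block is the entry."""
    names = [b.label for b in blocks]
    preds = predecessors(blocks)
    dom = {n: set(names) for n in names}
    dom[names[0]] = {names[0]}
    changed = True
    while changed:
        changed = False
        for n in names[1:]:
            sets = [dom[p] for p in preds[n]]
            new = (set.intersection(*sets) if sets else set()) | {n}
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def find_loops(blocks):
    """Return (header, sorted body labels) for every natural loop, found via back edges."""
    dom, preds, loops = dominators(blocks), predecessors(blocks), []
    for b in blocks:
        for s in b.succs:
            if s in dom[b.label]:  # back edge b -> s: s dominates b
                body, stack = {s}, [b.label]
                while stack:
                    n = stack.pop()
                    if n not in body:
                        body.add(n)
                        stack.extend(preds[n])
                loops.append((s, sorted(body)))
    return loops


if __name__ == "__main__":
    for header, body in find_loops(parse_blocks(SAMPLE)):
        print(f"loop headed at {header} covering {body}")
```

Once a loop header and body are known, the conditional jump leaving the header becomes the `while` condition and the body becomes its block; the remaining work the post alludes to is handling the shapes that compiler optimizations produce, which this example does not attempt.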
Here is a sample of what the pseudo-code produced by the decompiler (using the "hbc-decompiler" command) currently looks like:
Here is a sample of what the disassembled code (produced by the "hbc-disassembler" script) looks like:
This is open-source software; feel free to give it a try and provide feedback or contributions. Please also note that this tool was initially made by P1 Security for its internal use and that its stability for other uses is not guaranteed.
Check the code and usage instructions on GitHub.