SymbioticSec/hermes-decomp
GitHub: SymbioticSec/hermes-decomp
A Rust-based Hermes bytecode decompiler that turns the compiled bundles of React Native apps back into readable JavaScript, to support reverse engineering and security analysis.
Stars: 63 | Forks: 8
# Hermes Bytecode Decompiler
A Rust-based decompiler for Hermes bytecode files (`.hbc`); Hermes is the JavaScript engine used by React Native applications.
## Installation
### Prerequisites
- Rust 1.70 or later
- Cargo (installed together with Rust)
### Building from source
```
git clone https://github.com/SymbioticSec/hermes-decomp.git
cd hermes-decomp
cargo build --release
```
The built binary will be at `target/release/hermes-decomp`.
## Usage
### Commands
**1. Info**
Shows metadata for an HBC file (version, header fields, counts).
```
hermes-decomp info app.hbc
```
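The counts that `info` prints come from the fixed-size header at the start of every `.hbc` file. As an added illustration (not code from the hermes-decomp project), the Python below decodes that header from a constructed sample blob. The magic value and the order of the leading fields are taken from the Hermes engine's `BytecodeFileHeader` as recalled here and should be treated as an assumption to verify against the engine source for your bytecode version; the fields after `stringStorageSize` change between versions and are deliberately not decoded. The `fileLength` check is the kind of consistency test worth running before feeding an untrusted bundle to any parser.

```python
import hashlib
import struct

# Magic value at offset 0 of every Hermes bytecode file (little-endian u64),
# as in the engine's BytecodeFileFormat header. Assumed here from memory.
HBC_MAGIC = 0x1F1903C103BC1FC6

# Leading header fields: u64 magic, u32 version, 20-byte SHA-1 of the source,
# then eight u32 counts. Later fields vary between bytecode versions and are
# deliberately not decoded (assumption: the leading layout is stable).
_HEADER_FMT = "<QI20sIIIIIIII"
_HEADER_SIZE = struct.calcsize(_HEADER_FMT)  # 64 bytes
_FIELDS = (
    "version", "source_hash", "file_length", "global_code_index",
    "function_count", "string_kind_count", "identifier_count",
    "string_count", "overflow_string_count", "string_storage_size",
)


def parse_hbc_header(data: bytes) -> dict:
    """Decode the leading HBC header fields and flag inconsistencies."""
    if len(data) < _HEADER_SIZE:
        raise ValueError(f"only {len(data)} bytes: too short for an HBC header")
    magic, *rest = struct.unpack_from(_HEADER_FMT, data, 0)
    if magic != HBC_MAGIC:
        raise ValueError(f"bad magic 0x{magic:016X}: not a Hermes bytecode file")
    hdr = dict(zip(_FIELDS, rest))
    hdr["source_hash"] = hdr["source_hash"].hex()
    # A truncated or padded bundle shows up as a fileLength mismatch, which is
    # worth checking before handing the file to any parser.
    hdr["length_matches"] = hdr["file_length"] == len(data)
    return hdr


def build_sample_hbc(version: int = 96, function_count: int = 3,
                     string_count: int = 7) -> bytes:
    """Constructed sample: a valid header followed by a zeroed tail.

    This is not a real app bundle; the body carries no functions or strings,
    it only lets the parser run offline.
    """
    total_len = _HEADER_SIZE + 64
    source_hash = hashlib.sha1(b"constructed sample").digest()
    header = struct.pack(
        _HEADER_FMT, HBC_MAGIC, version, source_hash, total_len,
        0,                # global_code_index
        function_count,
        1,                # string_kind_count
        2,                # identifier_count
        string_count,
        0,                # overflow_string_count
        128,              # string_storage_size
    )
    return header + b"\x00" * (total_len - _HEADER_SIZE)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_hbc()
    for key, value in parse_hbc_header(blob).items():
        print(f"{key:>22}: {value}")
```

Run it with a real bundle path as the first argument to compare its output against `hermes-decomp info`; without an argument it decodes the constructed sample.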
**2. Disasm**
Disassembles bytecode instructions into readable mnemonics.
```
hermes-decomp disasm app.hbc --function 5 --output disasm.txt

Options:
  --show-offsets    Show bytecode offsets
  --no-labels       Hide jump labels
```

**3. Decompile**
Two decompile commands are provided: `decompile` (legacy) and `decompile` (advanced, recommended).
Both share the same options.
```
hermes-decomp decompile app.hbc --output decompiled.js
hermes-decomp decompile app.hbc --function 5

Options:
  --resolve-closures    Closure resolution across functions (auto-enabled when decompiling all)
  --expand              Inline referenced functions
  --expand-depth N      Expansion depth (default: 2)
  --show-offsets        Include bytecode offsets as comments
  --json                Export IR as JSON instead of JS
```

**4. BinDiff**
Compares two HBC files to find added, removed, or modified functions.
```
hermes-decomp bin-diff v1.hbc v2.hbc
```
**5. TUI**
Interactive terminal interface for browsing functions and switching between the disassembly and decompiled views.
```
hermes-decomp tui app.hbc
hermes-decomp tui app.hbc --input2 app_v2.hbc
```
**6. Xref**
Finds cross-references to a string or function.
```
hermes-decomp xref app.hbc --query "loginWithToken"
hermes-decomp xref app.hbc --query 42 --kind function
```
**7. Graphviz**
Generates a control-flow graph (DOT format).
```
hermes-decomp graphviz app.hbc --function 5 --open
hermes-decomp graphviz app.hbc --function 5 --output cfg.dot
```
**8. Extract**
Extracts every Metro module into a separate file.
```
hermes-decomp extract app.hbc --output modules/
```
**9. Modules / Deps**
Inspects the Metro module registry and dependencies.
```
hermes-decomp modules app.hbc
hermes-decomp modules app.hbc --limit 50
hermes-decomp deps app.hbc --module 0 --depth 3
```
**10. Dump**
Extracts raw data from the bytecode file.
```
hermes-decomp dump app.hbc --kind strings
hermes-decomp dump app.hbc --kind functions
```
**11. Closures**
Shows a function's closure slot mapping.
```
hermes-decomp closures app.hbc --function 5
```
**12. Debug**
Shows debug information (variable names, scopes, callees).
```
hermes-decomp debug app.hbc --vars
hermes-decomp debug app.hbc --scopes
hermes-decomp debug app.hbc --callees
```
**13. Versions**
Lists all supported Hermes bytecode versions.
```
hermes-decomp versions
```
**14. JSON Export**
Exports the intermediate representation (IR) as JSON for use by external tools.
```
hermes-decomp decompile app.hbc --function 5 --json
hermes-decomp decompile app.hbc --json
```
## MCP Server (AI integration)
The project includes an MCP (Model Context Protocol) server that exposes all of the decompiler's functionality as tools to AI assistants (Claude, GPT, and so on).
### Build
```
cargo build --release -p hbc-decomp-mcp
```
### Configuration
Add it to your AI assistant's MCP configuration file (for example `claude_desktop_config.json`, Cursor, etc.):
```
{
  "mcpServers": {
    "hermes-decompiler": {
      "command": "/path/to/target/release/hermes-mcp"
    }
  }
}
```
### Available tools
| Tool | Description |
|------|-------------|
| `load_file` | Load an `.hbc` file (must be called first) |
| `file_info` | File header information (version, counts) |
| `decompile_function` | Decompile a single function to JS |
| `decompile_all` | Decompile all functions |
| `get_ir_json` | Structured JSON IR for analysis |
| `disassemble` | Raw bytecode disassembly |
| `xref_search` | Cross-references for a string or function |
| `list_modules` | List Metro modules |
| `module_deps` | Module dependency tree |
| `dump` | Dump strings or function headers |
| `list_versions` | Supported bytecode versions |
## Library usage (core API)
The core library `hbc-decomp` can be used from other Rust projects.
### Add to Cargo.toml
```
[dependencies]
hbc-decomp = { git = "https://github.com/SymbioticSec/hermes-decomp" }
```
### Example
```
use hbc_decomp::{Decompiler, DecompileOptionsV2};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let bytes = std::fs::read("app.hbc")?;
    let mut decompiler = Decompiler::new(&bytes)?;
    // Optional: build closure context for cross-function analysis
    decompiler.build_closure_context()?;
    let options = DecompileOptionsV2::optimized();
    // Decompile everything
    let code = decompiler.decompile_all(&options)?;
    println!("{}", code);
    // Or export the IR of one function (index 0 here) for programmatic analysis
    let _ir = decompiler.decompile_to_ir(0, &options)?;
    Ok(())
}
```
### Configuration options
| Option | Default | Description |
|--------|---------|-------------|
| `resolve_strings` | `true` | Replace string IDs with the actual text. |
| `include_offsets` | `false` | Add bytecode offset comments. |
| `propagate` | `true` | Constant propagation and copy propagation. |
| `simplify` | `true` | Clean up intermediate temporaries. |
| `recover_structures` | `true` | Rebuild `if`, `while`, `for` structures from jump instructions. |
## Technical overview
### What is Hermes?
Hermes is a JavaScript engine optimized for React Native. Unlike V8 or JSC, which parse JS source at runtime, Hermes precompiles JavaScript to **bytecode** (`.hbc`) during the build. This improves startup time but also makes reverse engineering harder.
### Decompilation process
1. **Parsing**: parse the binary HBC file to extract the header, string table and raw bytecode instructions.
2. **Disassembly**: turn raw bytes into readable opcodes (e.g. `Mov`, `Call`, `Add`).
3. **IR generation**: lift the bytecode into a higher-level **intermediate representation (IR)**.
   * Registers (`r0`, `r1`) are mapped to variables.
   * Control flow (jumps) is analysed to build a control-flow graph (CFG).
4. **Analysis and transformation**:
   * **Data-flow analysis**: constant propagation, copy propagation.
   * **Structure recovery**: rebuild `if`, `while`, `for` loops from graph edges.
   * **Pattern matching**: detect `class`, `async`, `generator` state machines.
5. **Code generation**: the optimized IR is converted back into valid JavaScript syntax.
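Steps 4 and 5 above, and the `propagate` / `simplify` options in the configuration table, are easiest to see on a small piece of straight-line code. The Python below is an added example, not the project's Rust IR or its passes: it runs constant and copy propagation, dead-temporary elimination by backward liveness, and a minimal JS emitter over a constructed toy register IR. The instruction shapes, the `sendAuth` call and the placeholder token string are all invented for the example; control-flow structure recovery (the second bullet of step 4) is out of scope here. The point for an analyst is visible in the output: a credential assembled piecewise from string constants collapses into one readable literal once the passes run.

```python
import json
import re

# Toy straight-line register IR, constructed for this example. It borrows the
# README's mnemonic names (Mov, Add, Call) but is not the project's real IR.
# Instruction shape: (op, dst, *operands). A register is "r<N>"; anything else
# is a literal standing for the result of a LoadConst-style instruction.
PURE_OPS = {"const", "mov", "add"}   # no side effects, safe to drop when unused

_REG = re.compile(r"r\d+")


def is_reg(x) -> bool:
    return isinstance(x, str) and _REG.fullmatch(x) is not None


def propagate(ir):
    """Constant and copy propagation (the `propagate` option) over straight-line code."""
    env = {}   # register -> literal or register it is currently known to equal
    out = []
    for op, dst, *args in ir:
        if op != "const":
            args = [env.get(a, a) if is_reg(a) else a for a in args]
        # A copy of a known literal is just that literal.
        if op == "mov" and not is_reg(args[0]):
            op = "const"
        # Fold Add only for same-typed literals; mixed int/str would need JS
        # coercion rules, which this toy deliberately does not model.
        if op == "add" and not is_reg(args[0]) and not is_reg(args[1]) \
                and type(args[0]) is type(args[1]):
            op, args = "const", [args[0] + args[1]]
        # Redefining dst invalidates every fact about dst or copied from it.
        env = {r: v for r, v in env.items() if r != dst and v != dst}
        if op in ("const", "mov"):
            env[dst] = args[0]
        out.append((op, dst, *args))
    return out


def simplify(ir):
    """Dead-temporary elimination (the `simplify` option) via backward liveness."""
    live = set()
    kept = []
    for op, dst, *args in reversed(ir):
        if op in PURE_OPS and dst not in live:
            continue                      # result never read: drop the temp
        if dst is not None:
            live.discard(dst)
        live.update(a for a in args if is_reg(a))
        kept.append((op, dst, *args))
    return kept[::-1]


def emit_js(ir) -> str:
    """Code generation: registers become `let` variables, literals are re-quoted."""
    fmt = lambda a: a if is_reg(a) else json.dumps(a)
    lines = []
    for op, dst, *args in ir:
        if op == "ret":
            lines.append(f"return {fmt(args[0])};")
        elif op == "call":
            lines.append(f"let {dst} = {args[0]}({', '.join(map(fmt, args[1:]))});")
        elif op == "add":
            lines.append(f"let {dst} = {fmt(args[0])} + {fmt(args[1])};")
        else:  # const / mov
            lines.append(f"let {dst} = {fmt(args[0])};")
    return "\n".join(lines)


def decompile(ir, propagate_consts=True, simplify_temps=True) -> str:
    """Mirror the two table options so their effect on the output is visible."""
    if propagate_consts:
        ir = propagate(ir)
    if simplify_temps:
        ir = simplify(ir)
    return emit_js(ir)


# Constructed sample: a credential assembled piecewise from string constants,
# the kind of thing an analyst wants folded into one readable literal.
SAMPLE_IR = [
    ("const", "r0", "Bearer "),
    ("const", "r1", "placeholder-token"),   # constructed value, not a real secret
    ("add", "r2", "r0", "r1"),              # string concatenation via Add
    ("mov", "r3", "r2"),
    ("const", "r4", 2),
    ("const", "r5", 3),
    ("add", "r6", "r4", "r5"),
    ("call", "r7", "sendAuth", "r3", "r6"),
    ("ret", None, "r7"),
]

if __name__ == "__main__":
    print("--- raw ---")
    print(decompile(SAMPLE_IR, propagate_consts=False, simplify_temps=False))
    print("--- propagate + simplify ---")
    print(decompile(SAMPLE_IR))
```

With both passes off, the emitter reproduces nine `let`/`return` lines that mirror the registers one to one; with them on, the same input becomes `let r7 = sendAuth("Bearer placeholder-token", 5);` followed by `return r7;`. The liveness pass keeps `call` unconditionally because it may have side effects, which is why the result variable survives even though only the literal arguments were of interest.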
## Resources
- [Hermes engine](https://hermesengine.dev/)
- [React Native](https://reactnative.dev/)
## License
MIT License - see [LICENSE](LICENSE).