Hermes

Hermes - JS engine. It compiles JS to bytecode, which makes everything run faster.

Docs: https://facebook.github.io/react-native/docs/hermes; release binaries: https://github.com/facebook/hermes/releases

On enabling it in a React Native project: https://facebook.github.io/react-native/docs/hermes

The difference from a plain React Native build is that index.android.bundle is serialized (a binary blob) rather than shipped as JS source.

$ hermes -b --dump-bytecode index.android.bundle
Error deserializing bytecode: Wrong bytecode version. Expected 74 but got 62%
$ hermes -version
74

Π•ΡΡ‚ΡŒ нСсколько Ρ€Π΅Π»ΠΈΠ·ΠΎΠ² hermes:
v0.8.0 - 83
v0.5.0 - 74
v0.3.* - 72
v0.2.1 - 62
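The version mismatch above is easy to hit, so here is a small header check (an added example, not part of these notes) that reads the bytecode version from a bundle and maps it to the release table above before you run hbcdump. It relies on the HBC file header layout from Hermes's BytecodeFileFormat.h (8-byte little-endian magic 0x1F1903C103BC1FC6, 4-byte version, 20-byte SHA-1 source hash); the sample bundle bytes are constructed.

```python
import struct

# HBC header prefix: 8-byte magic, 4-byte bytecode version, 20-byte SHA-1 of
# the JS source the bundle was compiled from (all little-endian).
HBC_MAGIC = 0x1F1903C103BC1FC6
HEADER = struct.Struct("<QI20s")

# Bytecode version -> hermes release that handles it (table from the notes above).
RELEASE_FOR_VERSION = {62: "v0.2.1", 72: "v0.3.*", 74: "v0.5.0", 83: "v0.8.0"}


def is_hermes_bytecode(data: bytes) -> bool:
    """True if the data starts with the Hermes bytecode magic."""
    return len(data) >= 8 and struct.unpack_from("<Q", data)[0] == HBC_MAGIC


def parse_hbc_header(data: bytes) -> dict:
    """Return bytecode version, source hash and the matching hermes release.

    Raises ValueError for a plain-JS bundle (no magic) or a truncated file,
    which is what a non-Hermes React Native build looks like.
    """
    if len(data) < HEADER.size:
        raise ValueError("file too short to hold an HBC header")
    magic, version, source_hash = HEADER.unpack_from(data)
    if magic != HBC_MAGIC:
        raise ValueError(f"not Hermes bytecode (magic 0x{magic:016x})")
    return {
        "version": version,
        "source_hash": source_hash.hex(),
        "release": RELEASE_FOR_VERSION.get(version, "unknown (newer hermes)"),
    }


def build_sample_bundle(version: int, source_hash: bytes) -> bytes:
    """Constructed header-only HBC blob for demonstration; not a real bundle."""
    return HEADER.pack(HBC_MAGIC, version, source_hash)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python hbc_version.py index.android.bundle
        with open(sys.argv[1], "rb") as f:
            data = f.read(HEADER.size)
    else:  # constructed sample: an HBC-62 bundle like the one hermes 0.5.0 rejected
        data = build_sample_bundle(62, b"\x11" * 20)
    info = parse_hbc_header(data)
    print(f"HBC version {info['version']} -> use hermes {info['release']}; "
          f"source hash {info['source_hash']}")
```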

Tools

Official binaries can be found at: https://github.com/facebook/hermes/releases

They include:

  • hbcdump
  • hdb
  • hermes
  • hermesc
  • hvm

hermes

Running JS code:
$ hermes test.js

Compiling and Executing JavaScript with Bytecode:
$ hermes -emit-binary -out test.hbc test.js
$ hermes test.hbc

hbcdump

hbcdump - Hermes bytecode disassembler

$ ./hbcdump -objdump-disassemble index.android.bundle
hbcdump> dis 234

d0310a88a868dfb1ee21d12e9011725b1f716875:     file format HBC-74

Disassembly of section .text:

000000000002ca48 <_0>:
0002ca48:       30 44 08 00 00        DeclareGlobalVar        $0x000844
0002ca4d:       30 48 08 00 00        DeclareGlobalVar        $0x000848
[...]
hbcdump> quit

Knowing the IDs of strings, instructions and functions (via hbctool, for example), we can study how the application works.

./hbcdump -human -mode=function -pretty-disassemble index.android.bundle

hbcdump> help
These commands are defined internally. Type `help' to see this list.
Type `help name' to find out more about the function `name'.

epilogue
filename
at-virtual
block
summary
function
instruction
io
function-info
help
disassemble
string

hbcdump>

hbcdump> help string
Display string for ID

USAGE: string <STRING_ID>

hbcdump> help filename
Display file name for ID

USAGE: filename <FILENAME_ID>

hbcdump> help at-virtual
Display information about the function at a given virtual offset.

USAGE: at-virtual <OFFSET>

hdb

JavaScript command line debugger

hermesc

Standalone Hermes compiler. This can compile JavaScript to Hermes bytecode, but does not support executing it.

hvm

Standalone Hermes VM. This can execute Hermes bytecode, but does not support compiling it.

hbctool

hbctool Π˜Π½ΡΡ‚Ρ€ΡƒΠΌΠ΅Π½Ρ‚ для Π±ΠΎΠ»Π΅Π΅ ΡƒΠ΄ΠΎΠ±Π½ΠΎΠ³ΠΎ дизассСмблинга (Π² сравнСнии с hbcdump) ΠΈ возмоТности ΠΏΠ°Ρ‚Ρ‡ΠΈΠ½Π³Π°.

After unpacking there will be three files: instruction.hasm (the disassembled code as a listing of functions), metadata.json (contains information about where each function is located, etc.), string.json (strings and their IDs).

pip install hbctool

(hack) bongtrop@bongtrop-pc:lab/ $ hbctool disasm HermesReversingLab/assets/index.android.bundle HermesReversingLabHASM
[*] Disassemble 'HermesReversingLab/assets/index.android.bundle' to 'HermesReversingLabHASM' path
[*] Hermes Bytecode [ Source Hash: d0310a88a868dfb1ee21d12e9011725b1f716875, HBC Version: 74 ]
[*] Done

After disassembling HBC (Hermes Bytecode) to HASM (I named it; it stands for Hermes Assembly), the HermesReversingLabHASM directory contains 3 files as follows:

    metadata.json: stores the important information of the Hermes bytecode file
    instruction.hasm: stores the application instructions or logic in HASM format (edit application logic in this file)
    string.json: stores the application strings or texts (edit strings in this file)

Edit the application’s instruction in HermesReversingLabHASM/instruction.hasm.

Save the file and assemble HASM to the HBC by using hbctool.

(hack) bongtrop@bongtrop-pc:lab/ $ hbctool asm HermesReversingLabHASM HermesReversingLab/assets/index.android.bundle 
[*] Assemble 'HermesReversingLabHASM' to 'HermesReversingLab/assets/index.android.bundle' path
[*] Hermes Bytecode [ Source Hash: d0310a88a868dfb1ee21d12e9011725b1f716875, HBC Version: 74 ]
[*] Done

and then sign the apk.

hermes-dec

Π˜Π½ΡΡ‚Ρ€ΡƒΠΌΠ΅Π½Ρ‚ ΠΎΡ‚ P1sec: https://github.com/P1sec/hermes-dec/

[Frida] Android

Attaching to the core; I have not managed to execute code yet.


console.log("[+] Start");
Java.perform(function() {
    try {
        // Jitsi Meet SDK class that holds the app's ReactInstanceManager
        var ReactInstanceManagerHolder = Java.use('org.jitsi.meet.sdk.ReactInstanceManagerHolder');
        console.log("[+] ReactInstanceManagerHolder Found");
        var reactInstanceManager = ReactInstanceManagerHolder.getReactInstanceManager();  // com.facebook.react.h
        var reactContext = reactInstanceManager.i(); // com.facebook.react.bridge.ReactContext (obfuscated getter name)
        console.log("[+] Get reactContext");
        console.log("[+] test: " + reactContext.hasCurrentActivity());
    } catch (err) {
        // Class lookup or call failed (wrong class/method name for this build)
        console.log("[-] ReactInstanceManagerHolder Not Found: " + err);
    }
});

Π‘ΠΎΠΎΡ‚Π²Π΅Ρ‚ΡΡ‚Π²ΡƒΡŽΡ‰ΠΈΠΉ ΠΊΠΎΠ΄ Π² ΠΏΡ€ΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΠΈ

import com.facebook.hermes.reactexecutor.HermesExecutorFactory;
import com.facebook.react.ReactInstanceManager;

// Use the Hermes JavaScript engine.
HermesExecutorFactory jsFactory = new HermesExecutorFactory();

reactInstanceManager
    = ReactInstanceManager.builder()
        .setApplication(activity.getApplication())
        .setCurrentActivity(activity)
        .setBundleAssetName("index.android.bundle")
        .setJSMainModulePath("index.android")
        .setJavaScriptExecutorFactory(jsFactory)
        .addPackages(packages)
        .setUseDeveloperSupport(BuildConfig.DEBUG)
        .setInitialLifecycleState(LifecycleState.RESUMED)
        .build();

This was an attempt to reach jsFactory, but I still could not find methods to execute anything in this context. The next option is to figure out how React Debug works and try to do something like that from frida.
