V8 字节码反编译与还原bytenode保护的JS代码<\/h1>

前言<\/h2>
本文详细讲解如何分析和反编译由bytenode保护的Electron应用中的V8字节码，还原原始JavaScript代码。通过逆向分析一个实际案例，展示从字节码提取到最终反编译的完整流程。<\/p>

1. 识别Electron应用的保护机制<\/h2>

1.1 寻找可疑文件<\/h3>

在分析Electron应用时，通常会寻找app.asar<\/code>文件，但在这个案例中：<\/p>


安装目录下没有找到任何ASAR文件<\/li>
发现两个可疑的.node<\/code>文件：wrapper.node<\/code>和major.node<\/code><\/li>
这些文件是PE格式，大小数十MB<\/li>
文件内包含少量明文JS代码和有规律的JS文件名结构<\/li>
<\/ul>
1.2 识别bytenode保护<\/h3>
通过分析发现：<\/p>

文件内组装了数百个ByteCodeInfo<\/code>结构体<\/li>
结构体数组[]ByteCodeInfo<\/code>储存了V8字节码和JS文件\/函数名的映射关系<\/li>
文件头包含V8字节码魔数?? ?? DE C0<\/code><\/li>
这与开源的bytenode保护机制相同：直接加载V8字节码缓存而非原始JS代码<\/li>
<\/ul>
2. V8字节码结构分析<\/h2>
2.1 V8字节码生成过程<\/h3>
字节码在SerializedCodeData::SerializedCodeData<\/code>中生成，主要步骤：<\/p>

计算大小并分配内存<\/li>
设置头部信息：

魔数(MagicNumber)<\/li>
版本哈希(VersionHash)<\/li>
源文件哈希(SourceHash)<\/li>
标志哈希(FlagHash)<\/li>
只读快照校验和<\/li>
有效载荷长度<\/li>
<\/ul>
<\/li>
复制序列化数据<\/li>
计算并设置校验和<\/li>
<\/ol>
2.2 V8字节码头部结构<\/h3>
V8字节码头部包含以下关键字段：<\/p>



偏移量<\/th>
字段名<\/th>
描述<\/th>
<\/tr>
<\/thead>


0x00<\/td>
MagicNumber<\/td>
魔数标识<\/td>
<\/tr>

0x04<\/td>
VersionHash<\/td>
版本哈希值<\/td>
<\/tr>

0x08<\/td>
SourceHash<\/td>
源文件哈希<\/td>
<\/tr>

0x0C<\/td>
FlagHash<\/td>
标志哈希<\/td>
<\/tr>

0x10<\/td>
ReadOnlySnapshotChecksum<\/td>
只读快照校验和<\/td>
<\/tr>

0x14<\/td>
PayloadLength<\/td>
有效载荷长度<\/td>
<\/tr>

0x18<\/td>
Checksum<\/td>
校验和<\/td>
<\/tr>
<\/tbody>
<\/table>
2.3 魔数分析<\/h3>
魔数计算公式：<\/p>
static<\/span> constexpr<\/span> uint32_t<\/span> kMagicNumber =<\/span> 0xC0DE0000<\/span> ^<\/span> ExternalReferenceTable::<\/span>kSize;
<\/span><\/span><\/code><\/pre>魔数间接编码了ExternalReferenceTable::kSize<\/code>信息，用于快速验证数据合法性。<\/p>
2.4 版本哈希计算<\/h3>
版本哈希通过MurmurHash算法计算：<\/p>
static<\/span> uint32_t<\/span> Hash<\/span>() {
<\/span><\/span>    return<\/span> static_cast<\/span><<\/span>uint32_t<\/span>><\/span>(base::<\/span>hash_combine(major_, minor_, build_, patch_));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>哈希计算函数实现：<\/p>
func<\/span> hashCombine<\/span>(seed<\/span>, value<\/span> int64<\/span>) int64<\/span> {
<\/span><\/span>    value<\/span> = (value<\/span> *<\/span> 0xCC9E2D51<\/span>) &<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span>    value<\/span> = ((value<\/span> >><\/span> 15<\/span>) | (value<\/span> <<<\/span> (32<\/span> -<\/span> 15<\/span>))) &<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span>    value<\/span> = (value<\/span> *<\/span> 0x1b873593<\/span>) &<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span>    seed<\/span> ^= value<\/span>
<\/span><\/span>    seed<\/span> = ((seed<\/span> >><\/span> 13<\/span>) | (seed<\/span> <<<\/span> (32<\/span> -<\/span> 13<\/span>))) &<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span>    seed<\/span> = (seed<\/span> *<\/span> 5<\/span> +<\/span> 0xE6546B64<\/span>) &<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span>    return<\/span> seed<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5 版本号爆破<\/h3>
通过暴力搜索匹配版本哈希：<\/p>
for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < 20<\/span>; i<\/span>++<\/span> {
<\/span><\/span>    for<\/span> j<\/span> :=<\/span> 0<\/span>; j<\/span> < 20<\/span>; j<\/span>++<\/span> {
<\/span><\/span>        for<\/span> k<\/span> :=<\/span> 0<\/span>; k<\/span> < 500<\/span>; k<\/span>++<\/span> {
<\/span><\/span>            for<\/span> l<\/span> :=<\/span> 0<\/span>; l<\/span> < 100<\/span>; l<\/span>++<\/span> {
<\/span><\/span>                result<\/span> :=<\/span> versionHash64<\/span>(i<\/span>, j<\/span>, k<\/span>, l<\/span>)
<\/span><\/span>                if<\/span> result<\/span> ==<\/span> myUint32<\/span> {
<\/span><\/span>                    fmt<\/span>.Println<\/span>(i<\/span>, j<\/span>, k<\/span>, l<\/span>)
<\/span><\/span>                    return<\/span>
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 构建V8反编译环境<\/h2>
3.1 获取V8源代码<\/h3>

安装依赖：<\/li>
<\/ol>
apt-get install ninja-build clang pkg-config
<\/span><\/span><\/code><\/pre>
安装depot_tools：<\/li>
<\/ol>
mkdir ~\/v8tools\/
<\/span><\/span>cd ~\/v8tools\/
<\/span><\/span>git clone https:\/\/chromium.googlesource.com\/chromium\/tools\/depot_tools.git
<\/span><\/span>export PATH=<\/span>~\/v8tools\/depot_tools\/:$PATH
<\/span><\/span><\/code><\/pre>
拉取V8代码：<\/li>
<\/ol>
mkdir ~\/v8
<\/span><\/span>cd ~\/v8
<\/span><\/span>fetch v8
<\/span><\/span>cd v8
<\/span><\/span><\/code><\/pre>
切换到目标版本：<\/li>
<\/ol>
git checkout refs\/tags\/10.4.132.24
<\/span><\/span><\/code><\/pre>
同步依赖：<\/li>
<\/ol>
gclient sync -D
<\/span><\/span><\/code><\/pre>3.2 修改V8引擎代码<\/h3>
关键修改点：<\/p>


修改src\/snapshot\/code-serializer.cc<\/code>：<\/p>

在CodeSerializer::Deserialize<\/code>中插入打印代码<\/li>
修改SerializedCodeData::SanityCheck<\/code>直接返回成功<\/li>
<\/ul>
<\/li>

修改src\/diagnostics\/objects-printer.cc<\/code>：<\/p>

在SharedFunctionInfo::SharedFunctionInfoPrint<\/code>中插入字节码反汇编调用<\/li>
<\/ul>
<\/li>

修改src\/objects\/objects.cc<\/code>：<\/p>

在HeapObject::HeapObjectShortPrint<\/code>中添加各种类型的打印支持<\/li>
<\/ul>
<\/li>

修改src\/objects\/string.cc<\/code>：<\/p>

移除字符串打印长度限制<\/li>
<\/ul>
<\/li>

(可选)修改src\/snapshot\/deserializer.cc<\/code>：<\/p>

注释掉魔数检查CHECK_EQ(magic_number_, SerializedData::kMagicNumber)<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
3.3 编译V8引擎<\/h3>

生成编译脚本：<\/li>
<\/ol>
.\/tools\/dev\/v8gen.py x64.release
<\/span><\/span><\/code><\/pre>
修改编译参数(out.gn\/x64.release\/args.gn<\/code>)：<\/li>
<\/ol>
dcheck_always_on = false
is_component_build = false
is_debug = false
target_cpu = "x64"
use_custom_libcxx = false
v8_monolithic = true
v8_use_external_startup_data = false
v8_static_library = true
v8_enable_disassembler = true
v8_enable_object_print = true
# 对于Node应用可能需要添加
v8_enable_pointer_compression = false
<\/code><\/pre>

编译共享库：<\/li>
<\/ol>
ninja -C out.gn\/x64.release v8_monolith
<\/span><\/span><\/code><\/pre>3.4 编译反汇编工具<\/h3>
使用修改后的V8引擎编译反汇编工具：<\/p>
对于Electron应用：<\/p>
clang++ v8dasm.cpp -g -std=<\/span>c++17 -Iinclude -Lout.gn\/x64.release\/obj -lv8_libbase -lv8_libplatform -lv8_monolith -o v8dasm -DV8_COMPRESS_POINTERS -ldl -pthread
<\/span><\/span><\/code><\/pre>对于Node应用(不使用压缩指针)：<\/p>
clang++ v8dasm.cpp -g -std=<\/span>c++17 -Iinclude -Lout.gn\/x64.release\/obj -lv8_libbase -lv8_libplatform -lv8_monolith -o v8dasm
<\/span><\/span><\/code><\/pre>4. 使用View8工具反编译<\/h2>

安装View8：<\/li>
<\/ol>
git clone https:\/\/github.com\/j4k0xb\/View8
<\/span><\/span>cd View8
<\/span><\/span>pip install -r requirements.txt
<\/span><\/span><\/code><\/pre>
执行反编译：<\/li>
<\/ol>
python view8.py input_file output_file --path \/path\/to\/disassembler
<\/span><\/span><\/code><\/pre>5. 完整流程总结<\/h2>

识别Electron应用的保护机制<\/li>
提取V8字节码文件<\/li>
分析字节码头部信息，确定V8版本<\/li>
获取对应版本的V8源代码<\/li>
修改V8引擎代码以支持反编译<\/li>
编译修改后的V8引擎<\/li>
编译反汇编工具<\/li>
使用View8工具进行最终反编译<\/li>
<\/ol>
6. 注意事项<\/h2>

确保V8版本与目标字节码版本完全匹配<\/li>
编译环境要求较高(建议16GB内存，SSD)<\/li>
对于不同Electron\/Node版本可能需要调整编译参数<\/li>
反编译结果不是原始JS代码，而是字节码的伪代码表示<\/li>
新版本V8(如12.x)可能需要额外修改代码位置和参数<\/li>
<\/ol>
通过以上步骤，可以有效地分析和还原由bytenode保护的Electron应用中的JavaScript代码。<\/p>

偏移量<\/th>	字段名<\/th>	描述<\/th> <\/tr> <\/thead>
0x00<\/td>	MagicNumber<\/td>	魔数标识<\/td> <\/tr>
0x04<\/td>	VersionHash<\/td>	版本哈希值<\/td> <\/tr>
0x08<\/td>	SourceHash<\/td>	源文件哈希<\/td> <\/tr>
0x0C<\/td>	FlagHash<\/td>	标志哈希<\/td> <\/tr>
0x10<\/td>	ReadOnlySnapshotChecksum<\/td>	只读快照校验和<\/td> <\/tr>
0x14<\/td>	PayloadLength<\/td>	有效载荷长度<\/td> <\/tr>
0x18<\/td>	Checksum<\/td>	校验和<\/td> <\/tr> <\/tbody> <\/table> 2.3 魔数分析<\/h3> 魔数计算公式：<\/p> static<\/span> constexpr<\/span> uint32_t<\/span> kMagicNumber =<\/span> 0xC0DE0000<\/span> ^<\/span> ExternalReferenceTable::<\/span>kSize; <\/span><\/span><\/code><\/pre>魔数间接编码了ExternalReferenceTable::kSize<\/code>信息，用于快速验证数据合法性。<\/p> 2.4 版本哈希计算<\/h3> 版本哈希通过MurmurHash算法计算：<\/p> static<\/span> uint32_t<\/span> Hash<\/span>() { <\/span><\/span> return<\/span> static_cast<\/span><<\/span>uint32_t<\/span>><\/span>(base::<\/span>hash_combine(major_, minor_, build_, patch_)); <\/span><\/span>} <\/span><\/span><\/code><\/pre>哈希计算函数实现：<\/p> func<\/span> hashCombine<\/span>(seed<\/span>, value<\/span> int64<\/span>) int64<\/span> { <\/span><\/span> value<\/span> = (value<\/span> <\/span> 0xCC9E2D51<\/span>) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> value<\/span> = ((value<\/span> >><\/span> 15<\/span>) \| (value<\/span> <<<\/span> (32<\/span> -<\/span> 15<\/span>))) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> value<\/span> = (value<\/span> <\/span> 0x1b873593<\/span>) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> seed<\/span> ^= value<\/span> <\/span><\/span> seed<\/span> = ((seed<\/span> >><\/span> 13<\/span>) \| (seed<\/span> <<<\/span> (32<\/span> -<\/span> 13<\/span>))) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> seed<\/span> = (seed<\/span> *<\/span> 5<\/span> +<\/span> 0xE6546B64<\/span>) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> return<\/span> seed<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>2.5 版本号爆破<\/h3> 通过暴力搜索匹配版本哈希：<\/p> for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < 20<\/span>; i<\/span>++<\/span> { <\/span><\/span> for<\/span> j<\/span> :=<\/span> 0<\/span>; j<\/span> < 20<\/span>; j<\/span>++<\/span> { <\/span><\/span> for<\/span> k<\/span> :=<\/span> 0<\/span>; k<\/span> < 500<\/span>; k<\/span>++<\/span> { <\/span><\/span> for<\/span> l<\/span> :=<\/span> 0<\/span>; l<\/span> < 100<\/span>; l<\/span>++<\/span> { <\/span><\/span> result<\/span> :=<\/span> versionHash64<\/span>(i<\/span>, j<\/span>, k<\/span>, l<\/span>) <\/span><\/span> if<\/span> result<\/span> ==<\/span> myUint32<\/span> { <\/span><\/span> fmt<\/span>.Println<\/span>(i<\/span>, j<\/span>, k<\/span>, l<\/span>) <\/span><\/span> return<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 构建V8反编译环境<\/h2> 3.1 获取V8源代码<\/h3> 安装依赖：<\/li> <\/ol> apt-get install ninja-build clang pkg-config <\/span><\/span><\/code><\/pre> 安装depot_tools：<\/li> <\/ol> mkdir ~\/v8tools\/ <\/span><\/span>cd ~\/v8tools\/ <\/span><\/span>git clone https:\/\/chromium.googlesource.com\/chromium\/tools\/depot_tools.git <\/span><\/span>export PATH=<\/span>~\/v8tools\/depot_tools\/:$PATH <\/span><\/span><\/code><\/pre> 拉取V8代码：<\/li> <\/ol> mkdir ~\/v8 <\/span><\/span>cd ~\/v8 <\/span><\/span>fetch v8 <\/span><\/span>cd v8 <\/span><\/span><\/code><\/pre> 切换到目标版本：<\/li> <\/ol> git checkout refs\/tags\/10.4.132.24 <\/span><\/span><\/code><\/pre> 同步依赖：<\/li> <\/ol> gclient sync -D <\/span><\/span><\/code><\/pre>3.2 修改V8引擎代码<\/h3> 关键修改点：<\/p> 修改src\/snapshot\/code-serializer.cc<\/code>：<\/p> 在CodeSerializer::Deserialize<\/code>中插入打印代码<\/li> 修改SerializedCodeData::SanityCheck<\/code>直接返回成功<\/li> <\/ul> <\/li> 修改src\/diagnostics\/objects-printer.cc<\/code>：<\/p> 在SharedFunctionInfo::SharedFunctionInfoPrint<\/code>中插入字节码反汇编调用<\/li> <\/ul> <\/li> 修改src\/objects\/objects.cc<\/code>：<\/p> 在HeapObject::HeapObjectShortPrint<\/code>中添加各种类型的打印支持<\/li> <\/ul> <\/li> 修改src\/objects\/string.cc<\/code>：<\/p> 移除字符串打印长度限制<\/li> <\/ul> <\/li> (可选)修改src\/snapshot\/deserializer.cc<\/code>：<\/p> 注释掉魔数检查CHECK_EQ(magic_number_, SerializedData::kMagicNumber)<\/code><\/li> <\/ul> <\/li> <\/ol> 3.3 编译V8引擎<\/h3> 生成编译脚本：<\/li> <\/ol> .\/tools\/dev\/v8gen.py x64.release <\/span><\/span><\/code><\/pre> 修改编译参数(out.gn\/x64.release\/args.gn<\/code>)：<\/li> <\/ol> dcheck_always_on = false is_component_build = false is_debug = false target_cpu = "x64" use_custom_libcxx = false v8_monolithic = true v8_use_external_startup_data = false v8_static_library = true v8_enable_disassembler = true v8_enable_object_print = true # 对于Node应用可能需要添加 v8_enable_pointer_compression = false <\/code><\/pre> 编译共享库：<\/li> <\/ol> ninja -C out.gn\/x64.release v8_monolith <\/span><\/span><\/code><\/pre>3.4 编译反汇编工具<\/h3> 使用修改后的V8引擎编译反汇编工具：<\/p> 对于Electron应用：<\/p> clang++ v8dasm.cpp -g -std=<\/span>c++17 -Iinclude -Lout.gn\/x64.release\/obj -lv8_libbase -lv8_libplatform -lv8_monolith -o v8dasm -DV8_COMPRESS_POINTERS -ldl -pthread <\/span><\/span><\/code><\/pre>对于Node应用(不使用压缩指针)：<\/p> clang++ v8dasm.cpp -g -std=<\/span>c++17 -Iinclude -Lout.gn\/x64.release\/obj -lv8_libbase -lv8_libplatform -lv8_monolith -o v8dasm <\/span><\/span><\/code><\/pre>4. 使用View8工具反编译<\/h2> 安装View8：<\/li> <\/ol> git clone https:\/\/github.com\/j4k0xb\/View8 <\/span><\/span>cd View8 <\/span><\/span>pip install -r requirements.txt <\/span><\/span><\/code><\/pre> 执行反编译：<\/li> <\/ol> python view8.py input_file output_file --path \/path\/to\/disassembler <\/span><\/span><\/code><\/pre>5. 完整流程总结<\/h2> 识别Electron应用的保护机制<\/li> 提取V8字节码文件<\/li> 分析字节码头部信息，确定V8版本<\/li> 获取对应版本的V8源代码<\/li> 修改V8引擎代码以支持反编译<\/li> 编译修改后的V8引擎<\/li> 编译反汇编工具<\/li> 使用View8工具进行最终反编译<\/li> <\/ol> 6. 注意事项<\/h2> 确保V8版本与目标字节码版本完全匹配<\/li> 编译环境要求较高(建议16GB内存，SSD)<\/li> 对于不同Electron\/Node版本可能需要调整编译参数<\/li> 反编译结果不是原始JS代码，而是字节码的伪代码表示<\/li> 新版本V8(如12.x)可能需要额外修改代码位置和参数<\/li> <\/ol> 通过以上步骤，可以有效地分析和还原由bytenode保护的Electron应用中的JavaScript代码。<\/p>

V8 字节码反编译与还原bytenode保护的JS代码<\/h1>

前言<\/h2> 本文详细讲解如何分析和反编译由bytenode保护的Electron应用中的V8字节码，还原原始JavaScript代码。通过逆向分析一个实际案例，展示从字节码提取到最终反编译的完整流程。<\/p>

1. 识别Electron应用的保护机制<\/h2>

2. V8字节码结构分析<\/h2>

3. 构建V8反编译环境<\/h2>

前言<\/h2>
本文详细讲解如何分析和反编译由bytenode保护的Electron应用中的V8字节码，还原原始JavaScript代码。通过逆向分析一个实际案例，展示从字节码提取到最终反编译的完整流程。<\/p>