React Native

Identification

  • Look for the strings react or Facebook in the decompiled APK.

Special Bugs to look for

  • MFA bypass due to caching the OAuth login session for a long time.

Decompile the Hermes byte code

  • Unzip the APK.
  • Navigate to .\assets\index.android.bundle.
  • Check whether the bundle is Hermes bytecode with the `file` utility: file index.android.bundle
  • If the file is a Hermes JavaScript bytecode file, you can decode most of its file headers with the following utility (its output format may change over time):

    # https://github.com/P1sec/hermes-dec
    hbc-file-parser assets/index.android.bundle
    
  • You may then disassemble the contents of the React Native bytecode file to an output file such as /tmp/my_output_file.hasm using the following command (leave out the second parameter to send the disassembled content to standard output):

    # https://github.com/P1sec/hermes-dec
    hbc-disassembler index.android.bundle disassembly.hasm
    
  • Then decompile to pseudo-code (not valid JavaScript yet, since it does not reproduce loop and conditional structures) using the following command:

    # https://github.com/P1sec/hermes-dec
    hbc-decompiler index.android.bundle decompiled.js
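The identification and Hermes-detection steps above, as an added Python example that is not part of the original notes and not hermes-dec code: it opens an APK (a zip), looks for assets/index.android.bundle, and checks the Hermes magic plus the leading header fields, which is also a quick way to confirm that a release build ships Hermes bytecode rather than a plain JavaScript bundle. The header layout is assumed from Hermes' BytecodeFileFormat.h (magic, version, SHA-1 source hash, fileLength, globalCodeIndex, functionCount, little-endian); the sample APK and bundles are constructed here.

```python
"""Detect a React Native bundle in an APK and read the Hermes bytecode header.

Assumed layout (from Hermes' BytecodeFileFormat.h, not from the page): u64 magic
0x1F1903C103BC1FC6, u32 version, 20-byte SHA-1 source hash, u32 fileLength,
u32 globalCodeIndex, u32 functionCount; all fields little-endian.
"""
import io
import struct
import zipfile

HERMES_MAGIC = 0x1F1903C103BC1FC6
BUNDLE_PATH = "assets/index.android.bundle"
HEADER_FMT = "<QI20sIII"   # magic, version, sourceHash, fileLength, globalCodeIndex, functionCount
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 44 bytes


def parse_hermes_header(data):
    """Return the leading header fields as a dict, or None if data is not Hermes bytecode."""
    if len(data) < HEADER_SIZE:
        return None
    magic, version, src_hash, file_len, global_idx, fn_count = struct.unpack_from(HEADER_FMT, data)
    if magic != HERMES_MAGIC:
        return None
    return {"version": version, "source_hash": src_hash.hex(), "file_length": file_len,
            "global_code_index": global_idx, "function_count": fn_count}


def classify_apk(apk_bytes):
    """Return ('none' | 'plain-js' | 'hermes', header) for the APK's index.android.bundle."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        if BUNDLE_PATH not in apk.namelist():
            return "none", None          # no React Native bundle at the usual path
        data = apk.read(BUNDLE_PATH)
    header = parse_hermes_header(data)
    # A bundle without the Hermes magic is most likely an unbundled plain JavaScript bundle.
    return ("hermes", header) if header else ("plain-js", None)


def make_test_apk(bundle):
    """Build a constructed in-memory zip standing in for an APK (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        if bundle is not None:
            z.writestr(BUNDLE_PATH, bundle)
    return buf.getvalue()


# Constructed samples: a Hermes header (version 96, 3 functions) padded to its fileLength, and plain JS.
SAMPLE_HERMES = struct.pack(HEADER_FMT, HERMES_MAGIC, 96, b"\x11" * 20, 128, 0, 3).ljust(128, b"\0")
SAMPLE_PLAIN_JS = b"(function(){console.log('constructed plain JS bundle');})();"

if __name__ == "__main__":
    for name, sample in (("hermes", SAMPLE_HERMES), ("plain", SAMPLE_PLAIN_JS), ("none", None)):
        print(name, classify_apk(make_test_apk(sample)))
```

On a real APK, pass the file's bytes to classify_apk; when the result is "hermes", the version field tells you which Hermes release the hbc-* tools need to understand.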