ByteSpy is a multi-purpose JVM reverse engineering tool featuring a decompiler GUI, disassembler, debugger and more.
Config and projects are stored in ~/.ByteSpy. When jars are opened, they are loaded into memory.
When saving (Ctrl+S), all loaded jars in the current project are saved to their jar files.
You can also export a jar to another file.
When opening ByteSpy a temp workspace will be loaded (
Jars can be opened by using Ctrl+O or by navigating in the menu.
You can also open recent files from the menu.
Opening a file is as simple as double-clicking it.
To export a jar/file, right-click it, click "Export", then select the destination.
To switch decompiler in the decompiler view, select Config > Decompiler then select your preferred decompiler/disassembler.
I would personally recommend CFR for heavily obfuscated jars.
To view more info on a method, field or class, hold Ctrl and hover over the symbol. To navigate to it, left-click it while the text is orange.
To edit a class, method, field or instruction, double-click it and a properties editor will show up.
To save changes, press [ENTER] and to discard the changes press
The decompiler view will reload automatically after making changes to the node.
To delete the instruction, press [DEL] or click Delete on the menu.
To copy a class, method or field's property, right-click it then click on
The property will be copied into the clipboard.
To insert instructions, select an instruction node then select Insert Before or
A dialog will pop up asking for the instruction type, then hit [ENTER], to cancel press
To assemble instructions, select Assemble Before or
A dialog will pop up with premade instruction for
The bytecode will be assembled using Koffee.
To assemble the code click Assemble or press [ESC] to discard.
The deobfuscation GUI can be accessed by right-clicking on a jar. The replace option replaces the jar after deobfuscation.
You need to select the libraries and transformers needed. The backend for this tool is Cubxity's java-deobfuscator fork. After hitting deobfuscate, the deobfuscator will do the work, then the output jar will be opened (or the same jar if replace was selected).
To compare jars, navigate to File > Compare. Then select the two jars that you would like to compare and select Compare.
After that a dialog will show up with the jar comparison. Files are compared using SHA-256 and methods are compared using instruction types and instruction length.
+ Indicates that the opposite jar does not have the file.
- Indicates that the opposite jar has the file and not the current jar.
+- Indicates changes
You're able to navigate to the file, field or method by holding [CTRL] and clicking the label.
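The file-level part of this comparison, as an added example that is not ByteSpy's own code: it hashes each jar entry with SHA-256 and reports the same +, - and +- markers from the current jar's point of view. Hashing the uncompressed entry bytes, the function names and the sample jars are assumptions; the method-level comparison by instruction type is not covered.

```python
import hashlib
import io
import zipfile


def entry_hashes(jar_bytes):
    """Map each file entry in a jar (zip) to the SHA-256 of its uncompressed bytes."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return hashes


def compare_jars(current, opposite):
    """Return {entry: marker} from the point of view of `current`.

    "+"  entry exists only in the current jar
    "-"  entry exists only in the opposite jar
    "+-" entry exists in both but the SHA-256 differs
    Entries that are identical in both jars are omitted.
    """
    cur, opp = entry_hashes(current), entry_hashes(opposite)
    result = {}
    for name in sorted(cur.keys() | opp.keys()):
        if name not in opp:
            result[name] = "+"
        elif name not in cur:
            result[name] = "-"
        elif cur[name] != opp[name]:
            result[name] = "+-"
    return result


def build_jar(entries):
    """Build an in-memory jar from {name: bytes}; used for sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars (placeholder bytes, not real class files).
JAR_A = build_jar({"a/Main.class": b"v1", "a/Util.class": b"same", "a/Old.class": b"x"})
JAR_B = build_jar({"a/Main.class": b"v2", "a/Util.class": b"same", "a/New.class": b"y"})

if __name__ == "__main__":
    for name, marker in compare_jars(JAR_A, JAR_B).items():
        print(f"{marker:2} {name}")
```

Because the hash covers the uncompressed content, two jars that were repacked with different compression settings still compare as equal.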
There are two options for dumping a process.
- Dumping by local PID
- Dumping from local debugger dialog
To dump by local PID, navigate to Tools > Dump (or open) then enter the PID.
NOTE: The process will crash if you enter an invalid PID.