ByteSpy Documentation

ByteSpy is a multi-purpose JVM reverse engineering tool featuring a decompiler GUI, a disassembler, a debugger and more.

Project structure

Config and projects are stored in ~/.ByteSpy. When jars are opened, they are loaded into memory. Saving (Ctrl+S) writes all loaded jars in the current project back to their jar files. You can also export a jar to another file. When ByteSpy starts, a temporary workspace (tmp) is loaded.

Basic operations

Jars can be opened with Ctrl+O or through the menu. You can also open recent files from the menu.


Opening a file is as simple as double-clicking on it. To export a jar/file, right-click on the jar/file, click "Export", then select the destination.


To switch decompilers in the decompiler view, select Config > Decompiler, then select your preferred decompiler/disassembler. I would personally recommend CFR for heavily obfuscated jars.


Bytecode editing

To view more info on a method, field or class, hold [CTRL] and hover over the symbol. To navigate to it, left-click it while the text is orange.


To edit a class, method, field or instruction, double-click it and a properties editor will show up. To save changes, press [ENTER]; to discard them, press [ESC]. The decompiler view will reload automatically after changes are made to the node. To delete an instruction, press [DEL] or click Delete in the menu.


To copy a property of a class, method or field, right-click on it, then click Copy .... The property will be copied to the clipboard.


To insert instructions, select an instruction node, then select Insert Before or Insert After. A dialog will pop up asking for the instruction type. Hit [ENTER] to confirm, or press [ESC] to cancel.


To assemble instructions, select Assemble Before or Assemble After. A dialog will pop up with a premade instruction sequence for System.out.println("Hello, world!"). The bytecode will be assembled using Koffee. To assemble the code, click Assemble; to discard it, press [ESC].


Tools

The deobfuscation GUI can be accessed by right-clicking on a jar. The replace option replaces the jar after deobfuscation.


You need to select the libraries and transformers that are needed. The backend for this tool is Cubxity's java-deobfuscator fork. After you hit deobfuscate, the deobfuscator will do the work and the output jar will be opened (or the same jar if replace was selected).


To compare jars, navigate to File > Compare, select the two jars that you would like to compare, then select compare.


After that, a dialog will show up with the jar comparison. Files are compared using SHA-256, and methods are compared using instruction types and instruction length.

+ Indicates that the opposite jar does not have the file.

- Indicates that the opposite jar has the file and not the current jar.

+- Indicates changes.

You can navigate to the file, field or method by holding [CTRL] and clicking the label.


Debugging

There are two options for dumping a process:

  • Dumping by local PID
  • Dumping from local debugger dialog

To dump by local PID, navigate to Tools > Dump (or open), then enter the PID.

NOTE: The process will crash if you enter an invalid PID.
