View8 is a static analysis tool designed to decompile serialized V8 bytecode objects (JSC files) into high-level readable code. To parse and disassemble these serialized objects, View8 utilizes a patched compiled V8 binary. As a result, View8 produces a textual output similar to JavaScript.
- Python 3.x
- Disassembler binary. Available versions:
  - V8 Version 9.4.146.24 (Used in Node V16.x)
  - V8 Version 10.2.154.26 (Used in Node V18.x)
  - V8 Version 11.3.244.8 (Used in Node V20.x)
For compiled versions, visit the releases page.
- --inp, -i: The input file name.
- --out, -o: Path to the output (depending on the type of the output, a single file or a directory tree may be generated).
- --input_format, -f: Indicate the format of the input. Options are:
  - raw: the input is a raw JSC file;
  - disassembled: the input file is already disassembled;
  - serialized: the input is already decompiled, and stored in a serialized format (pickle; trusted input only).
- --export_format, -e: Specify the export format(s). Options are v8_opcode, translated, decompiled, and serialized. Multiple options can be combined (optional, default: decompiled).
- --path, -p: Path to the disassembler binary. Required if the input is in the raw format.
- --tree, -t: Split the output into a tree structure (rather than storing all functions in one file). Specify the function that will be used as the top node of the tree. To start from the default main function, use 'start' (optional).
- --mainlimit, -l: In tree mode: a tree with depth above this limit will be treated as a different module than main (optional).
- --include, -n: Functions tree to include in the output (optional).
- --exclude, -x: Functions tree to exclude from the output (optional).
To decompile a V8 bytecode file and export the decompiled code:
```
python view8.py -i input_file -o output_file
```
By default, view8 detects the V8 bytecode version of the input file (using VersionDetector.exe) and automatically searches for a compatible disassembler binary in the Bin folder. To use a different disassembler binary, specify it with the --path (or -p) option:
```
python view8.py -i input_file -o output_file --path /path/to/disassembler
```
To skip the disassembling process and provide an already disassembled file as the input, use the --input_format disassembled (or -f disassembled) option:
```
python view8.py -i input_file -o output_file -f disassembled
```
Sometimes we may want to decompile the file into a serialized format (preserving all the objects and structures). This type of output may be easier to post-process than a text format, and is useful e.g. for further deobfuscation. To create a serialized output, we use a specific export format: --export_format serialized (or -e serialized).
Security warning: the current serialized format is a Python pickle file (.pkl). Unpickling data from untrusted sources can execute arbitrary code. Only load serialized files that you generated yourself.
```
python view8.py -i input_file -o output_file -e serialized
```
If we ever want to load the serialized output back and decompile it into a different type of output, we can do so using the --input_format serialized (or -f serialized) option:
```
python view8.py -i input_file -o output_file -f serialized
```
Specify the export format(s) using the --export_format (or -e) option. You can combine multiple formats:
- v8_opcode
- translated
- decompiled
- serialized
For example, to export both V8 opcodes and decompiled code side by side:
```
python view8.py -i input_file -o output_file -e v8_opcode decompiled
```
By default, the format used is decompiled.
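One way to vet a serialized (.pkl) file before passing it to -f serialized, following the pickle warning above: list every module and name the pickle would import, without unpickling it. This is an added example, not part of View8; ALLOWED_MODULES and the sample byte strings are constructed placeholders, and a real allowlist would name the modules that define View8's own classes.

```python
import pickle
import pickletools
from collections import OrderedDict

STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
MEMO_WRITES = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def pickle_imports(data):
    """Return the (module, name) pairs a pickle would import.

    Walks the opcode stream with pickletools.genops; nothing is unpickled.
    """
    imports, recent = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # Protocols 0-3: the argument is "module name" in one string.
            imports.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two strings pushed just before.
            pair = recent[-2:]
            if len(pair) == 2 and None not in pair:
                imports.add(tuple(pair))
            else:
                imports.add(("<unresolved>", "<unresolved>"))  # treat as suspect
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name not in MEMO_WRITES:
            recent.append(None)  # any other opcode makes the operands uncertain

    return imports

def unexpected_imports(data, allowed_modules):
    """Imports whose module is not on the caller's allowlist."""
    return {imp for imp in pickle_imports(data) if imp[0] not in allowed_modules}

# Hypothetical allowlist; replace with the modules of the classes you expect.
ALLOWED_MODULES = {"collections"}

# Constructed samples: plain data, an allowlisted class, and a hand-written
# protocol-0 pickle that would call builtins.print when loaded.
SAMPLE_DATA = pickle.dumps({"a": [1, 2]}, protocol=4)
SAMPLE_CLASS = pickle.dumps(OrderedDict(a=1), protocol=4)
SAMPLE_CALLABLE = b"cbuiltins\nprint\n(S'constructed sample'\ntR."

if __name__ == "__main__":
    for label, blob in [("data", SAMPLE_DATA), ("class", SAMPLE_CLASS),
                        ("callable", SAMPLE_CALLABLE)]:
        print(label, sorted(unexpected_imports(blob, ALLOWED_MODULES)))
```

An empty result only shows that no import falls outside the allowlist; it does not replace the rule of loading only serialized files you generated yourself.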
The V8 bytecode version is stored as a hash at the beginning of the file. Below are the options available for VersionDetector.exe:
- -h: Retrieves a version and returns its hash.
- -d: Retrieves a hash (little-endian) and returns its corresponding version using brute force.
- -f: Retrieves a file and returns its version.