Patcher doesn't work

[fedetrifo06]

There are new releases on ApkMirror but compilation fails

[JRoy]

Discord has changed the android app to use react native. To do any changes now we need to extract the react bundle and somehow inject code that way. I'm not too sure how to do that right now and I don't have the time yet to spend figuring it out.

[boomboompower]

Please see below. As of the 31st of May the apk uses hermes v89 and this method no longer works

All the react native code is now in the index.android.bundle file in the APK. They've used Hermes v84 to compile the file, I found a draft deobfuscator for hermes 84 here https://github.com/niosega/hbctool/tree/draft/hbc-v84

Might be possible to mod the apk based on the hbctool output (like change the isDeveloper flag) then recompile it.

[boomboompower]

Discord has changed the isDeveloper function to a property. it now looks like

                Object.defineProperties(this, {
                    isDeveloper: {
                        configurable: !1,
                        get: function() {
                            return p
                        }
                    }
                });

using hermes-dec it looks like

Outdated info

I've managed to find the isDeveloper function on the compiled app as well, which is shown as the following

Function<get>50786(1 params, 1 registers, 0 symbols):
	GetEnvironment      	Reg8:0, UInt8:1
	LoadFromEnvironment 	Reg8:0, Reg8:0, UInt8:9
	Ret                 	Reg8:0
EndFunction

Function<set>50787(2 params, 11 registers, 0 symbols):
	GetGlobalObject     	Reg8:0
	TryGetById          	Reg8:2, Reg8:0, UInt8:1, UInt16:16
	; Oper[3]: String(16) 'Error'

	GetByIdShort        	Reg8:0, Reg8:2, UInt8:2, UInt8:216
	; Oper[3]: String(216) 'prototype'

	CreateThis          	Reg8:1, Reg8:0, Reg8:2
	LoadConstStringLongIndex	Reg8:3, UInt32:71340
	; Oper[1]: String(71340) 'Username is not in the sudoers file. This incident will be reported'

	Mov                 	Reg8:4, Reg8:1
	Construct           	Reg8:0, Reg8:2, UInt8:2
	SelectObject        	Reg8:0, Reg8:1, Reg8:0
	Throw               	Reg8:0
EndFunction

which similarly in the web applet is the following code

            [{
                key: "isDeveloper",
                get: function() {
                    return f
                },
                set: function(e) {
                    throw new Error("Username is not in the sudoers file. This incident will be reported")
                }
            }]

I wonder if overriding and returning true on the getter would work?

Function<get>50786(1 params, 1 registers, 0 symbols):
	LoadConstTrue       	Reg8:0
	Ret                 	Reg8:0
EndFunction

This is just an untested theory, (not even sure if those opcodes are correct, theres a list here) however maybe something to try out or think on

[Compwnter]

Anything new?? It's been 2 months without updates..

[Zyrenth]

I don't know if anyone has time for this project, I'm not experienced with Hermes in general, but I would also look into this. First of all the latest stable discord app is on Hermes 89 and I couldn't find a deobfuscator for that version. If anyone here is more experienced with this, it could help me a lot. Thanks!

[boomboompower]

Hi @Suni29 - I believe a pull request on hbctool has some discussion on decompilation of Hermes 89 here - you might be able to get it working with a bit of tinkering.

I believe I tried patching the lines I mentioned above around the time I commented, however never fully succeeded in getting the developer tools to show. Hopefully someone else has better luck.

[Zyrenth]

Hi @Suni29 - I believe a pull request on hbctool has some discussion on decompilation of Hermes 89 here - you might be able to get it working with a bit of tinkering.

I believe I tried patching the lines I mentioned above around the time I commented, however never fully succeeded in getting the developer tools to show. Hopefully someone else has better luck.

Okay, thanks for your help I really appreciate it, if I get anywhere I'll post updates here.

[Zyrenth]

So I got something out of the bundle file, and I found isDeveloper functions (maybe, I'm not entirely sure) but I found a lot of similarities with the current webpack code.

Files are uploaded here because they're huge.

EDIT: I forgot to mention, I used this decompiler to get those files out.

[JRoy]

Need to wait for bongtrop/hbctool#25 to be working before I can get anywhere. Unless someone finds a working reassembler for hbc v89, that's the best bet. P1sec/hermes-dec looks promising and is able to disassemble v89 but they don't have a reassembler sadly yet.

[boomboompower]

Since I last looked at this, discord have moved from hermes v84 to v89 - I tried running the latest bundle through some of the hbctool forks, however it failed part-way through the decomplication. Might be due to the hbc bindings being incorrect?

--

I decided to take a look through the code Suni posted, and the isDeveloper function is in a different format (since it's been so long since discord changed how to enable dev mode)

The latest isDeveloper definition is a property and is formatted as

                Object.defineProperties(this, {
                    isDeveloper: {
                        configurable: !1,
                        get: function() {
                            return p
                        }
                    }
                });

dev mode can instantly be enabled if the current build is on staging, i.e

        var p = "staging" === window.GLOBAL_ENV.RELEASE_CHANNEL;

using hermes-dec - the isDeveloper property looks like

                r5 = r2.Object;
                r4 = r5.defineProperties;
                r7 = {};
                r3 = false;
                r7['configurable'] = r3;
                r3 = function() { // Original name: get, environment: r1
                    r0 = _closure1_slot8;
                    return r0;
                };
                r7['get'] = r3;
                r3 = {};
                r3['isDeveloper'] = r7;
                r3 = r4.bind(r5)(r6, r3);
                r3 = _closure1_slot10;

with the new changes discord has made to enabling dev mode, the easiest way is to probably override the p variable to true on initialization. Again, this line represented in hermes-dec

        r8 = r8.window;
        r8 = r8.GLOBAL_ENV;
        r9 = r8.RELEASE_CHANNEL;
        r8 = 'staging';
        r8 = r8 === r9;

---

I believe revanced has a few patches on react native applications, here's a patcher for instagram to remove ads. Maybe something similar could work here where we patch they bytecode of the application directly? Or even make use of revanced's patcher utility

[JRoy]

Interesting, I'll have a look at their patcher and see if it could work. It's possible they aren't using hermes (or an older version) but we'll see.

[JRoy]

Just looked at their patcher, it's just regular dalvik patching, they're not using react native bundles.