Patcher doesn't work

[fedetrifo06]

There are new releases on ApkMirror but compilation fails

[JRoy]

Discord has changed the android app to use react native. To do any changes now we need to extract the react bundle and somehow inject code that way. I'm not too sure how to do that right now and I don't have the time yet to spend figuring it out.

[Compwnter]

Anything new?? It's been 2 months without updates..

[Zyrenth]

I don't know if anyone has time for this project, I'm not experienced with Hermes in general, but I would also look into this. First of all the latest stable discord app is on Hermes 89 and I couldn't find a deobfuscator for that version. If anyone here is more experienced with this, it could help me a lot. Thanks!

[boomboompower]

Hi @Suni29 - I believe a pull request on hbctool has some discussion on decompilation of Hermes 89 here - you might be able to get it working with a bit of tinkering.

I believe I tried patching the lines I mentioned above around the time I commented, however never fully succeeded in getting the developer tools to show. Hopefully someone else has better luck.

[Zyrenth]

Hi @Suni29 - I believe a pull request on hbctool has some discussion on decompilation of Hermes 89 here - you might be able to get it working with a bit of tinkering.

I believe I tried patching the lines I mentioned above around the time I commented, however never fully succeeded in getting the developer tools to show. Hopefully someone else has better luck.

Okay, thanks for your help I really appreciate it, if I get anywhere I'll post updates here.

[Zyrenth]

So I got something out of the bundle file, and I found isDeveloper functions (maybe, I'm not entirely sure) but I found a lot of similarities with the current webpack code.

Files are uploaded here because they're huge.

EDIT: I forgot to mention, I used this decompiler to get those files out.

[JRoy]

Need to wait for bongtrop/hbctool#25 to be working before I can get anywhere. Unless someone finds a working reassembler for hbc v89, that's the best bet. P1sec/hermes-dec looks promising and is able to disassemble v89 but they don't have a reassembler sadly yet.

[boomboompower]

Since I last looked at this, discord have moved from hermes v84 to v89 - I tried running the latest bundle through some of the hbctool forks, however it failed part-way through the decomplication. Might be due to the hbc bindings being incorrect?

--

I decided to take a look through the code Suni posted, and the isDeveloper function is in a different format (since it's been so long since discord changed how to enable dev mode)

The latest isDeveloper definition is a property and is formatted as

                Object.defineProperties(this, {
                    isDeveloper: {
                        configurable: !1,
                        get: function() {
                            return p
                        }
                    }
                });

dev mode can instantly be enabled if the current build is on staging, i.e

        var p = "staging" === window.GLOBAL_ENV.RELEASE_CHANNEL;

using hermes-dec - the isDeveloper property looks like

                r5 = r2.Object;
                r4 = r5.defineProperties;
                r7 = {};
                r3 = false;
                r7['configurable'] = r3;
                r3 = function() { // Original name: get, environment: r1
                    r0 = _closure1_slot8;
                    return r0;
                };
                r7['get'] = r3;
                r3 = {};
                r3['isDeveloper'] = r7;
                r3 = r4.bind(r5)(r6, r3);
                r3 = _closure1_slot10;

with the new changes discord has made to enabling dev mode, the easiest way is to probably override the p variable to true on initialization. Again, this line represented in hermes-dec

        r8 = r8.window;
        r8 = r8.GLOBAL_ENV;
        r9 = r8.RELEASE_CHANNEL;
        r8 = 'staging';
        r8 = r8 === r9;

---

I believe revanced has a few patches on react native applications, here's a patcher for instagram to remove ads. Maybe something similar could work here where we patch they bytecode of the application directly? Or even make use of revanced's patcher utility

[JRoy]

Interesting, I'll have a look at their patcher and see if it could work. It's possible they aren't using hermes (or an older version) but we'll see.

[JRoy]

Just looked at their patcher, it's just regular dalvik patching, they're not using react native bundles.

[Zyrenth]

I came across this modded client called Vendetta, they have an open-source patcher that may be useful.
https://github.com/vendetta-mod/VendettaManager/

I also came across a plugin for it (enables experiments) which also might be useful: https://github.com/Beefers/strife/tree/master/plugins/Experiments/src

I haven't had time to read-through their patcher though.

[JRoy]

Looking at that, I came across https://github.com/LSPosed/LSPatch which allows Xposed modules to be bundled with apks and ran without root.

I got a proof of concept working which gives me JavaScript execution.

I couldn't find a payload that worked which enabled experiments. Once I have a bit more free time I'll try to port over the better discord plugin to vanilla javascript or if you one of you guys have a payload first I'll use that.

Overall, positive direction, once I find a payload that works I'll be able to automate this again.

[JRoy]

Release continue once again starting with https://github.com/JRoy/discord-experiments-android/releases/tag/182114

Thanks for your guys' help and patience.