A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

Overview

Bytecode Viewer

Bytecode Viewer - a lightweight user friendly Java Bytecode Viewer.

New Features

  • WAR & JSP Loading
  • JADX-Core Decompiler
  • Fixed APK & dex loading
  • Fixed Java 10+ classfiles
  • Better visual feedback due to the new busy icon system
  • Synchronized viewing pane option & quick method selection
  • Updated most libraries to their 2019 version
  • Tons of bug fixes and general improvements

Key Features

  • Krakatau Integration for Bytecode assembly/disassembly.
  • Smali/BakSmali Integration - You can now edit class files/dex files via smali!
  • APK/DEX Support - Using Dex2Jar and Jar2Dex it's able to load and save APKs with ease!
  • Java Decompiler - It utilizes FernFlower, Procyon, CFR, and JD for decompilation.
  • Bytecode Decompiler - A modified version of CFIDE's.
  • Hex Viewer - Powered by JHexPane.
  • Each Decompiler/Editor/Viewer is toggleable, you can also select what will display on each pane.
  • Fully Featured Search System - Search through strings, functions, variables and more!
  • A Plugin System With Built In Plugins - (Show All Strings, Malicious Code Scanner, String Decrypters, etc)
  • Fully Featured Scripting System That Supports Groovy.
  • EZ-Inject - Graphically insert hooks and debugging code, invoke main and start the program.
  • Recent Files & Recent Plugins.
  • And more! Give it a try for yourself!

Command Line Input

	-help                         Displays the help menu
	-list                         Displays the available decompilers
	-decompiler <decompiler>      Selects the decompiler, procyon by default
	-i <input file>               Selects the input file (Jar, Class, APK, ZIP, DEX all work automatically)
	-o <output file>              Selects the output file (Java or Java-Bytecode)
	-t <target classname>         Must either be the fully qualified classname or "all" to decompile all as zip
	-nowait                       Doesn't wait for the user to read the CLI messages

What is Bytecode Viewer?

Bytecode Viewer (BCV) is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch.

There is also a plugin system that lets you interact with the loaded classfiles; for example, you can write a String deobfuscator, a malicious code searcher, or anything else you can think of. You can either use one of the pre-written plugins or write your own. It supports Groovy scripting. Once a plugin is activated, BCV executes it with a ClassNode ArrayList of every single class loaded in BCV, which allows the user to handle it completely using ASM.

How do I install BCV?

Download the latest version from https://github.com/konloch/bytecode-viewer/releases and run the Bytecode-Viewer-2.9.x.jar. You may need to execute it from the command line with java -jar Bytecode-Viewer-2.9.x.jar (replace the x with the current minor version).

How do I use BCV?

All you have to do is add a jar, class or APK file into the workspace. Then select the file you'd like to view from the workspace. BCV will automatically start decompiling the class in the background. When it's done it will show the Source code, Bytecode and Hexcode of the class file you chose (depending on the View panes you have selected). If you are trying to view a resource BCV will attempt to display it the best it can with code highlighting or by embedding the resources itself.

Are you a Java Reverse Engineer? Do you want to learn?

Join The Bytecode Club Today! - https://the.bytecode.club

Comments
  • Hooks appear to be broken

    Whenever I use the Inject Hooks feature, save the modified code as a Jar and run it, I get the following error:

    C:\Users\Alexander\Desktop>java -jar hook-test.jar
    Error: A JNI error has occurred, please check your installation and try again
    Exception in thread "main" java.lang.VerifyError: Operand stack overflow
    Exception Details:
      Location:
        Main.access$13()V @0: ldc_w
      Reason:
        Exceeded max stack size.
      Current Frame:
        bci: @0
        flags: { }
        locals: { }
        stack: { }
      Bytecode:
        0x0000000: 1301 4db8 002e b801 4fb1
    
            at java.lang.Class.getDeclaredMethods0(Native Method)
            at java.lang.Class.privateGetDeclaredMethods(Unknown Source)
            at java.lang.Class.privateGetMethodRecursive(Unknown Source)
            at java.lang.Class.getMethod0(Unknown Source)
            at java.lang.Class.getMethod(Unknown Source)
            at sun.launcher.LauncherHelper.validateMainClass(Unknown Source)
            at sun.launcher.LauncherHelper.checkAndLoadMain(Unknown Source)
    

    I have tried this with several Jars, with and without obfuscation. One of the Jars I tried to hook is a program I made long ago, so if you need an example, feel free to download it:

    My guess is that BCV inserts the bytecode for the hooks without updating the size of the method that the hook was inserted into.

    Bug 
    opened by Alexander01998 15
  • suggestions regarding Krakatau

    Hi, I just discovered this project. Anyway, I have some suggestions for the Krakatau decompiler and disassembler support.

    • You should disable assertions by passing -O to Python. The assertions are useful for testing or debugging, but for normal use, you're better off disabling them. Disabling assertions also makes things slightly faster. Note that this is an option for python itself, not Krakatau, so the command line would look like python -O Krakatau...
    • Likewise, you should pass the -skip option to the decompiler to skip each class or method on errors instead of stopping at the first error. It's better to decompile some classes than none.
    • Also, on Windows, Krakatau sanitizes the output paths to avoid collisions, so the path of the output file isn't necessarily the same as the actual name of the class. Even on other OSes, you can get errors if the class name is too long or contains special characters. I'd recommend outputting to a jar/zip file instead, since the output path inside the zip file is always the same as the actual class name. You can do this by passing a path ending in .jar or .zip to -out, e.g. -out temp.jar
    • Lastly, Pypy is usually faster than CPython, so I'd recommend using pypy over python when possible.
    Bug 
    opened by Storyyeller 15
  • Potential license conflicts

    I am by no means a licensing/law expert, but it seems there may be some licensing conflicts with some files in the repo. The only licensing details I can find seem to be GPLv3

    smali seems to be bsd and apache
    apktool seems to be bsd and apache
    enjarify seems to be apache
    etc

    Would it be appropriate to include license details for all of these?

    opened by CunningLogic 12
  • [Draft] Migrate to Maven and fix Code Style

    This PR also contains #288 and #266

    The project has mostly been migrated to Maven (it is able to compile on my machine at least. It reports a build failure, but it built successfully anyways).

    This way, updating most libraries was pretty easy and, thus, some decompilers even support newer Java versions (e.g. Java 14 records can be decompiled with CFR now)

    Also, this PR fixes the Code Style everywhere as far as humanly possible (for me at least, I spent 10 hours working on this project at the time of writing this lol).

    Please test and review, thank you :) This PR will help the community to develop this application easier and further.

    Fixes #289 Fixes #282 Fixes #269 Fixes #268

    opened by ThexXTURBOXx 10
  • Need to add support for JEB and JADX

    I have both JEB (https://www.pnfsoftware.com/) and JADX (https://github.com/skylot/jadx) decompilers. Could you advise how to integrate, write plugin or modify source? Both have cmd and GUI versions. Thanks

    Enhancement 
    opened by Sputuks3 10
  • StringIndexOutOfBoundsException

    Please send this error log to https://github.com/Konloch/bytecode-viewer/issues or Konloch at https://the.bytecode.club or [email protected]
    If you hold appropriate legal rights to the relevant class/jar/apk file please include that as well.
    Bytecode Viewer Version: 2.10.16 [Fat Jar], OS: Mac OS X, Java: 1.8.0_302
    
    java.lang.StringIndexOutOfBoundsException: String index out of range: -3
    	at java.lang.String.substring(String.java:1967)
    	at org.objectweb.asm.signature.SignatureReader.parseType(SignatureReader.java:178)
    	at org.objectweb.asm.signature.SignatureReader.accept(SignatureReader.java:111)
    	at org.objectweb.asm.commons.Remapper.mapSignature(Remapper.java:209)
    	at org.objectweb.asm.commons.ClassRemapper.visitMethod(ClassRemapper.java:193)
    	at org.objectweb.asm.ClassVisitor.visitMethod(ClassVisitor.java:366)
    	at com.googlecode.d2j.dex.Dex2Asm.collectBasicMethodInfo(Dex2Asm.java:330)
    	at com.googlecode.d2j.dex.Dex2Asm.convertMethod(Dex2Asm.java:639)
    	at com.googlecode.d2j.dex.Dex2Asm.convertClass(Dex2Asm.java:526)
    	at com.googlecode.d2j.dex.Dex2Asm.convertClass(Dex2Asm.java:428)
    	at com.googlecode.d2j.dex.Dex2Asm.convertDex(Dex2Asm.java:542)
    	at com.googlecode.d2j.dex.Dex2jar.doTranslate(Dex2jar.java:135)
    	at com.googlecode.d2j.dex.Dex2jar.to(Dex2jar.java:235)
    	at the.bytecode.club.bytecodeviewer.util.Dex2Jar.dex2Jar(Dex2Jar.java:42)
    	at the.bytecode.club.bytecodeviewer.resources.importing.impl.APKResourceImporter.open(APKResourceImporter.java:66)
    	at the.bytecode.club.bytecodeviewer.resources.importing.ImportResource.importKnownFile(ImportResource.java:88)
    	at the.bytecode.club.bytecodeviewer.resources.importing.ImportResource.run(ImportResource.java:60)
    	at java.lang.Thread.run(Thread.java:748)
    
    Bug Dependency Related Android 
    opened by nsonaniya2010 9
  • Error on first run

    Hi,

    I have just downloaded this today and it keeps saying the files downloaded are corrupted and to restart.

    After every restart, the same messages appear (multiple items are corrupted).

    It starts with the following screenshot.

    Using version 2.9.10

    opened by riglerkarve 9
  • Found an apk can not decompile

    Get in touch to send you the apk or download from market Windfinder_1.9.3.apk

    Bytecode Viewer Version: 2.9.6

    java.io.FileNotFoundException: C:\Users\LimElect.Bytecode-Viewer\bcv_temp\eMLngxtvvwYrJCSTAkyJteXmHueLenzT.apk (The system cannot find the file specified)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.(Unknown Source)
        at the.bytecode.club.bytecodeviewer.JarUtils.loadResources(JarUtils.java:80)
        at the.bytecode.club.bytecodeviewer.BytecodeViewer$3.run(BytecodeViewer.java:627)

    Bytecode Viewer Version: 2.9.6

    brut.a.a.e: resource spec: 0x01010462
        at brut.a.d.a.d.b(Unknown Source)
        at brut.a.d.a.g.a(Unknown Source)
        at brut.a.d.a.g.a(Unknown Source)
        at brut.a.d.a.a.q.c(Unknown Source)
        at brut.a.d.a.a.t.a(Unknown Source)
        at brut.a.d.a.a(Unknown Source)
        at brut.a.d.a.c(Unknown Source)
        at brut.a.a.b(Unknown Source)
        at brut.a.c.a(Unknown Source)
        at brut.apktool.Main.a(Unknown Source)
        at brut.apktool.Main.main(Unknown Source)
        at the.bytecode.club.bytecodeviewer.APKTool.decodeResources(APKTool.java:13)
        at the.bytecode.club.bytecodeviewer.BytecodeViewer$3.run(BytecodeViewer.java:626)

    opened by limelect 9
  • can't open file '/disassemble.py

    why? please help me. I have configured the python environment, but still error

    /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python: can't open file '/disassemble.py': [Errno 2] No such file or directory

    Exit Value is 2
    Bytecode Viewer Version: 2.9.8

    java.io.FileNotFoundException: /Users/roy/.Bytecode-Viewer/bcv_temp/qprmTwYSTEJsGWWgKJVPaelBsNntxVfe/com/miui/zeus/b/a/b$a$a.j (No such file or directory)
        at java.io.FileInputStream.open0(Native Method)
        at java.io.FileInputStream.open(FileInputStream.java:195)
        at java.io.FileInputStream.(FileInputStream.java:138)
        at java.io.FileReader.(FileReader.java:72)
        at me.konloch.kontainer.io.DiskReader.loadAsString(DiskReader.java:62)
        at the.bytecode.club.bytecodeviewer.decompilers.KrakatauDisassembler.decompileClassNode(KrakatauDisassembler.java:87)
        at the.bytecode.club.bytecodeviewer.gui.ClassViewer$15.doShit(ClassViewer.java:1306)
        at the.bytecode.club.bytecodeviewer.gui.PaneUpdaterThread.run(PaneUpdaterThread.java:16)

    opened by royhook 8
  •  java.lang.NullPointerException in BytecodeViewer.java:868 and brut.a.a.e: resource spec: 0x010104e2

    Bytecode Viewer Version: 2.9.8, Preview Copy: false, Fat Jar: false

    java.lang.NullPointerException
        at the.bytecode.club.bytecodeviewer.BytecodeViewer$6.run(BytecodeViewer.java:868)


    Bytecode Viewer Version: 2.9.8, Preview Copy: false, Fat Jar: false

    brut.a.a.e: resource spec: 0x010104e2
        at brut.a.b.a.d.b(Unknown Source)
        at c.c.a.a.b.d.a(Unknown Source)
        at c.c.a.a.b.d.a(Unknown Source)
        at brut.a.b.a.a.r.d(Unknown Source)
        at brut.a.b.a.a.r.a(Unknown Source)
        at brut.a.b.a.a.s.h(Unknown Source)
        at brut.a.b.a.a.u.a(Unknown Source)
        at brut.a.b.a.c(Unknown Source)
        at brut.a.a.b(Unknown Source)
        at brut.a.c.a(Unknown Source)
        at brut.apktool.Main.main(Unknown Source)
        at the.bytecode.club.bytecodeviewer.APKTool.decodeResources(APKTool.java:13)
        at the.bytecode.club.bytecodeviewer.BytecodeViewer$6.run(BytecodeViewer.java:864)

    opened by utamir 8
  • Package not found

    I try decompile apk file. Open any java class and try save without changes. Bytecodeviewer gives an error message - "package android.util does not exist". I try make import android.util; but still gives the same error. What I make wrong?

    opened by Radzhab 8
  • Out of Memory Everytime i run it (worked fine earlier)

    It worked fine initially for like 2-3 times but after that it always hangs on the step and while i waited for some time today, it threw Out of Memory exception.

    Happened while using command line as well as on dragging the apk on UI.

    System: MacOS Monterey 12.4; 8GB RAM

    Bytecode Viewer 2.11.2 [Fat Jar] - Created by @Konloch https://bytecodeviewer.com - https://the.bytecode.club
    Warning: the fonts "Times" and "Lucida Bright" are not available for the Java logical font "Serif", which may have unexpected appearance or behavior. Re-enable the "Times" font to remove this warning.
    Extracting Krakatau
    Start up took 4 seconds
    Opening...myapk_apkcombo.com.apk

    I: Using Apktool 2.6.1 on AqIMUKmjlbgmPUEySdIbuZbvBeABWF.apk
    I: Loading resource table...
    I: Decoding AndroidManifest.xml with resources...
    I: Loading resource table from file: /Users/myUser/.Bytecode-Viewer/bcv_temp/yOFBVttFREvW/1.apk
    I: Regular manifest package...
    I: Decoding file-resources...
    Successfully extracted Krakatau
    Extracting Enjarify
    I: Decoding values / XMLs...
    I: Baksmaling classes.dex...
    I: Baksmaling classes2.dex...
    Successfully extracted Enjarify
    I: Baksmaling classes3.dex...
    I: Baksmaling classes4.dex...
    I: Copying assets and libs...
    I: Copying unknown files...
    I: Copying original files...
    I: Copying META-INF/services directory
    Exception in thread "Import Resource" java.lang.OutOfMemoryError: GC overhead limit exceeded
        at java.util.HashMap.newNode(HashMap.java:1750)
        at java.util.HashMap.putVal(HashMap.java:642)
        at java.util.HashMap.put(HashMap.java:612)
        at java.util.HashSet.add(HashSet.java:220)
        at com.googlecode.dex2jar.ir.ts.UniqueQueue.add(UniqueQueue.java:31)
        at com.googlecode.dex2jar.ir.ts.UniqueQueue.addAll(UniqueQueue.java:21)
        at com.googlecode.dex2jar.ir.ts.UnSSATransformer$LiveA.markUsed(UnSSATransformer.java:401)
        at com.googlecode.dex2jar.ir.ts.UnSSATransformer$LiveA.analyzeValue(UnSSATransformer.java:374)
        at com.googlecode.dex2jar.ir.ts.an.BaseAnalyze.analyze(BaseAnalyze.java:57)
        at com.googlecode.dex2jar.ir.ts.UnSSATransformer.transform(UnSSATransformer.java:274)
        at com.googlecode.d2j.dex.Dex2jar$2.optimize(Dex2jar.java:132)
        at com.googlecode.d2j.dex.Dex2Asm.convertCode(Dex2Asm.java:598)
        at com.googlecode.d2j.dex.ExDex2Asm.convertCode(ExDex2Asm.java:24)
        at com.googlecode.d2j.dex.Dex2jar$2.convertCode(Dex2jar.java:91)
        at com.googlecode.d2j.dex.Dex2Asm.convertMethod(Dex2Asm.java:782)
        at com.googlecode.d2j.dex.Dex2Asm.convertClass(Dex2Asm.java:549)
        at com.googlecode.d2j.dex.Dex2Asm.convertClass(Dex2Asm.java:450)
        at com.googlecode.d2j.dex.Dex2Asm.convertDex(Dex2Asm.java:606)
        at com.googlecode.d2j.dex.Dex2jar.doTranslate(Dex2jar.java:146)
        at com.googlecode.d2j.dex.Dex2jar.to(Dex2jar.java:246)
        at the.bytecode.club.bytecodeviewer.util.Dex2Jar.dex2Jar(Dex2Jar.java:42)
        at the.bytecode.club.bytecodeviewer.resources.importing.impl.APKResourceImporter.open(APKResourceImporter.java:66)
        at the.bytecode.club.bytecodeviewer.resources.importing.ImportResource.importKnownFile(ImportResource.java:87)
        at the.bytecode.club.bytecodeviewer.resources.importing.ImportResource.run(ImportResource.java:59)
        at java.lang.Thread.run(Thread.java:748)

    opened by tarun0 1
  • [SECURITY] Fix Partial Path Traversal Vulnerability

    Security Vulnerability Fix

    This pull request fixes a partial-path traversal vulnerability due to an insufficient path traversal guard.

    Even if you deem, as the maintainer of this project, this is not necessarily fixing a security vulnerability, it is still a valid security hardening.

    Preamble

    Impact

    This issue allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

    Why?

    To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/")) will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var.

    The Fix

    Comparing paths with the java.nio.files.Path#startsWith will adequately protect against this vulnerability.

    For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())

    Other Examples

    Vulnerability Disclosure

    Vulnerability disclosure is a super important part of the vulnerability handling process and should not be skipped! This may be completely new to you, and that's okay, I'm here to assist!

    First question, do we need to perform vulnerability disclosure? It depends!

    1. Is the vulnerable code only in tests or example code? No disclosure required!
    2. Is the vulnerable code in code shipped to your end users? Vulnerability disclosure is probably required!

    For partial path traversal, consider if user-supplied input could ever flow to this logic. If user supplied input could reach this conditional, it's insufficient and, as such, most likely a vulnerability.

    Vulnerability Disclosure How-To

    You have a few options to perform vulnerability disclosure. However, I'd like to suggest the following 2 options:

    1. Request a CVE number from GitHub by creating a repository-level GitHub Security Advisory. This has the advantage that, if you provide sufficient information, GitHub will automatically generate Dependabot alerts for your downstream consumers, resolving this vulnerability more quickly.
    2. Reach out to the team at Snyk to assist with CVE issuance. They can be reached at the Snyk's Disclosure Email. Note: Please include JLLeitschuh Disclosure in the subject of your email so it is not missed.

    Detecting this and Future Vulnerabilities

    You can automatically detect future vulnerabilities like this by enabling the free (for open-source) GitHub Action.

    I'm not an employee of GitHub, I'm simply an open-source security researcher.

    Source

    This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly hand crafted to bring this security fix to your repository.

    The source code that generated this PR can be found here: PartialPathTraversalVulnerability

    Why didn't you disclose privately (ie. coordinated disclosure)?

    This PR was automatically generated, in-bulk, and sent to this project as well as many others, all at the same time.

    This is technically what is called a "Full Disclosure" in vulnerability disclosure, and I agree it's less than ideal. If GitHub offered a way to create private pull requests to submit pull requests, I'd leverage it, but that infrastructure, sadly, doesn't exist yet.

    The problem is that, as an open source software security researcher, I (exactly like open source maintainers) only have so much time in a day. I'm able to find vulnerabilities impacting hundreds, or sometimes thousands of open source projects with tools like GitHub Code Search and CodeQL. The problem is that my knowledge of vulnerabilities doesn't scale very well.

    Individualized vulnerability disclosure takes time and care. It's a long and tedious process, and I have a significant amount of experience with it (I have over 50 CVEs to my name). Even tracking down the reporting channel (email, Jira, etc.) can take time and isn't automatable. Unfortunately, when facing problems of this scale, individual reporting doesn't work well either.

    Additionally, if I just spam out emails or issues, I'll just overwhelm already over taxed maintainers, I don't want to do this either.

    By creating a pull request, I am aiming to provide maintainers something highly actionable to actually fix the identified vulnerability; a pull request.

    There's a larger discussion on this topic that can be found here: https://github.com/JLLeitschuh/security-research/discussions/12

    Opting-Out

    If you'd like to opt-out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

    User-agent: JLLeitschuh/security-research
    Disallow: *
    

    This bot will respect the ROBOTS.txt format for future contributions.

    Alternatively, if this project is no longer actively maintained, consider archiving the repository.

    CLA Requirements

    This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

    It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed-off.

    The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

    - Git Commit Signoff documentation

    If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

    Sponsorship & Support

    This contribution is sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

    This PR was generated by Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

    Tracking

    All PR's generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/13

    opened by JLLeitschuh 0
  • [SECURITY] Fix Zip Slip Vulnerability

    Security Vulnerability Fix

    This pull request fixes a Zip Slip vulnerability either due to an insufficient, or missing guard when unzipping zip files.

    Even if you deem, as the maintainer of this project, this is not necessarily fixing a security vulnerability, it is still, most likely, a valid security hardening.

    Preamble

    Impact

    This issue allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability.

    Why?

    The best description of Zip-Slip can be found in the white paper published by Snyk: Zip Slip Vulnerability

    But I had a guard in place, why wasn't it sufficient?

    If the changes you see are a change to the guard, not the addition of a new guard, this is probably because this code contains a Zip-Slip vulnerability due to a partial path traversal vulnerability.

    To demonstrate this vulnerability, consider "/usr/outnot".startsWith("/usr/out"). The check is bypassed although /outnot is not under the /out directory. It's important to understand that the terminating slash may be removed when using various String representations of the File object. For example, on Linux, println(new File("/var")) will print /var, but println(new File("/var", "/")) will print /var/; however, println(new File("/var", "/").getCanonicalPath()) will print /var.

    The Fix

    Implementing a guard comparing paths with the method java.nio.files.Path#startsWith will adequately protect against this vulnerability.

    For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())

    Other Examples

    Vulnerability Disclosure

    Vulnerability disclosure is a super important part of the vulnerability handling process and should not be skipped! This may be completely new to you, and that's okay, I'm here to assist!

    First question, do we need to perform vulnerability disclosure? It depends!

    1. Is the vulnerable code only in tests or example code? No disclosure required!
    2. Is the vulnerable code in code shipped to your end users? Vulnerability disclosure is probably required!

    For partial path traversal, consider if user-supplied input could ever flow to this logic. If user-supplied input could reach this conditional, it's insufficient and, as such, most likely a vulnerability.

    Vulnerability Disclosure How-To

    You have a few options to perform vulnerability disclosure. However, I'd like to suggest the following 2 options:

    1. Request a CVE number from GitHub by creating a repository-level GitHub Security Advisory. This has the advantage that, if you provide sufficient information, GitHub will automatically generate Dependabot alerts for your downstream consumers, resolving this vulnerability more quickly.
    2. Reach out to the team at Snyk to assist with CVE issuance. They can be reached at the Snyk's Disclosure Email. Note: Please include JLLeitschuh Disclosure in the subject of your email so it is not missed.

    Detecting this and Future Vulnerabilities

    You can automatically detect future vulnerabilities like this by enabling the free (for open-source) GitHub Action.

    I'm not an employee of GitHub, I'm simply an open-source security researcher.

    Source

    This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly handcrafted to bring this security fix to your repository.

    The source code that generated this PR can be found here: Zip Slip

    Why didn't you disclose privately (ie. coordinated disclosure)?

    This PR was automatically generated, in-bulk, and sent to this project as well as many others, all at the same time.

    This is technically what is called a "Full Disclosure" in vulnerability disclosure, and I agree it's less than ideal. If GitHub offered a way to create private pull requests to submit pull requests, I'd leverage it, but that infrastructure, sadly, doesn't exist yet.

    The problem is that, as an open source software security researcher, I (exactly like open source maintainers) only have so much time in a day. I'm able to find vulnerabilities impacting hundreds, or sometimes thousands of open source projects with tools like GitHub Code Search and CodeQL. The problem is that my knowledge of vulnerabilities doesn't scale very well.

    Individualized vulnerability disclosure takes time and care. It's a long and tedious process, and I have a significant amount of experience with it (I have over 50 CVEs to my name). Even tracking down the reporting channel (email, Jira, etc.) can take time and isn't automatable. Unfortunately, when facing problems of this scale, individual reporting doesn't work well either.

    Additionally, if I just spam out emails or issues, I'll just overwhelm already over-taxed maintainers, I don't want to do this either.

    By creating a pull request, I am aiming to provide maintainers something highly actionable to actually fix the identified vulnerability; a pull request.

    There's a larger discussion on this topic that can be found here: https://github.com/JLLeitschuh/security-research/discussions/12

    Opting Out

    If you'd like to opt out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

    User-agent: JLLeitschuh/security-research
    Disallow: *
    

    This bot will respect the ROBOTS.txt format for future contributions.

    Alternatively, if this project is no longer actively maintained, consider archiving the repository.

    CLA Requirements

    This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

    It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed off.

    The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

    - Git Commit Signoff documentation

    If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

    Sponsorship & Support

    This contribution is sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

    This PR was generated by Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

    Tracking

    All PRs generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/16

    opened by JLLeitschuh 5
  • Unexpected error on cancelling [ Change ClassFile Versions] plugin window

    Steps to reproduce

    1. open up any jar

    2. go to Plugins -> Change ClassFile Versions menu item; it'll show this window: [image]

    3. press Cancel button

    it'll print out some exception:

    Please send this error log to https://github.com/Konloch/bytecode-viewer/issues or Konloch at https://the.bytecode.club or [email protected]
    If you hold appropriate legal rights to the relevant class/jar/apk file please include that as well.
    Bytecode Viewer Version: 2.11.2 [Fat Jar], OS: Windows 7, Java: 1.8.0_331
    
    java.lang.NumberFormatException: null
    	at java.lang.Integer.parseInt(Integer.java:542)
    	at java.lang.Integer.parseInt(Integer.java:615)
    	at the.bytecode.club.bytecodeviewer.plugin.preinstalled.ChangeClassFileVersions.execute(ChangeClassFileVersions.java:25)
    	at the.bytecode.club.bytecodeviewer.api.Plugin.lambda$executeContainer$0(Plugin.java:88)
    	at java.util.LinkedHashMap$LinkedValues.forEach(LinkedHashMap.java:608)
    	at the.bytecode.club.bytecodeviewer.api.Plugin.executeContainer(Plugin.java:83)
    	at the.bytecode.club.bytecodeviewer.api.Plugin.run(Plugin.java:49)
    
    

    Expectation: no exception at all

    opened by greenozon 0
  • Procyon Decompile Save error

    Description

    When viewing this file in the editor it works fine, however if you try to decompile any jar/zip with this file it will fail.

    Only on Procyon.

    File

    Default IOUtils.class From org.apache.commons.io

    IOUtils.zip

    Fix

    I believe in the.bytecode.club.bytecodeviewer.decompilers.impl.ProcyonDecompiler.doSaveJarDecompiled

    The issue lies in resolvedType not directly being checked for a null, along with type.resolve().

    Error

    Please send this error log to https://github.com/Konloch/bytecode-viewer/issues or Konloch at https://the.bytecode.club or [email protected]    
    If you hold appropriate legal rights to the relevant class/jar/apk file please include that as well.
    Bytecode Viewer Version: 2.11.2 [Fat Jar], OS: Windows 10, Java: 15.0.1
    
    java.lang.NullPointerException: Cannot invoke "com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentNode.getNodeStatus()" because "node" is null
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis.changeNodeStatus(DefiniteAssignmentAnalysis.java:276)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis.access$400(DefiniteAssignmentAnalysis.java:40)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitLambdaExpression(DefiniteAssignmentAnalysis.java:562)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitLambdaExpression(DefiniteAssignmentAnalysis.java:445)
    at com.strobel.decompiler.languages.java.ast.LambdaExpression.acceptVisitor(LambdaExpression.java:49)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitChildren(DefiniteAssignmentAnalysis.java:465)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitChildren(DefiniteAssignmentAnalysis.java:445)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitObjectCreationExpression(DepthFirstAstVisitor.java:344)
    at com.strobel.decompiler.languages.java.ast.ObjectCreationExpression.acceptVisitor(ObjectCreationExpression.java:98)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitVariableInitializer(DefiniteAssignmentAnalysis.java:498)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitVariableInitializer(DefiniteAssignmentAnalysis.java:445)
    at com.strobel.decompiler.languages.java.ast.VariableInitializer.acceptVisitor(VariableInitializer.java:80)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitChildren(DefiniteAssignmentAnalysis.java:465)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitChildren(DefiniteAssignmentAnalysis.java:445)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitVariableDeclaration(DepthFirstAstVisitor.java:199)
    at com.strobel.decompiler.languages.java.ast.VariableDeclarationStatement.acceptVisitor(VariableDeclarationStatement.java:115)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitTryCatchStatement(DefiniteAssignmentAnalysis.java:532)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis$DefiniteAssignmentVisitor.visitTryCatchStatement(DefiniteAssignmentAnalysis.java:445)
    at com.strobel.decompiler.languages.java.ast.TryCatchStatement.acceptVisitor(TryCatchStatement.java:78)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis.changeNodeStatus(DefiniteAssignmentAnalysis.java:292)
    at com.strobel.decompiler.languages.java.ast.DefiniteAssignmentAnalysis.analyze(DefiniteAssignmentAnalysis.java:194)
    at com.strobel.decompiler.languages.java.ast.transforms.TryWithResourcesTransform.visitTryCatchStatement(TryWithResourcesTransform.java:290)
    at com.strobel.decompiler.languages.java.ast.transforms.TryWithResourcesTransform.visitTryCatchStatement(TryWithResourcesTransform.java:34)
    at com.strobel.decompiler.languages.java.ast.TryCatchStatement.acceptVisitor(TryCatchStatement.java:78)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitChildren(DepthFirstAstVisitor.java:41)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitBlockStatement(DepthFirstAstVisitor.java:104)
    at com.strobel.decompiler.languages.java.ast.BlockStatement.acceptVisitor(BlockStatement.java:72)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitChildren(DepthFirstAstVisitor.java:41)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitMethodDeclaration(DepthFirstAstVisitor.java:234)
    at com.strobel.decompiler.languages.java.ast.ContextTrackingVisitor.visitMethodDeclarationOverride(ContextTrackingVisitor.java:84)
    at com.strobel.decompiler.languages.java.ast.ContextTrackingVisitor.visitMethodDeclaration(ContextTrackingVisitor.java:76)
    at com.strobel.decompiler.languages.java.ast.ContextTrackingVisitor.visitMethodDeclaration(ContextTrackingVisitor.java:31)
    at com.strobel.decompiler.languages.java.ast.MethodDeclaration.acceptVisitor(MethodDeclaration.java:94)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitChildren(DepthFirstAstVisitor.java:41)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitTypeDeclaration(DepthFirstAstVisitor.java:264)
    at com.strobel.decompiler.languages.java.ast.ContextTrackingVisitor.visitTypeDeclarationOverride(ContextTrackingVisitor.java:69)
    at com.strobel.decompiler.languages.java.ast.ContextTrackingVisitor.visitTypeDeclaration(ContextTrackingVisitor.java:60)
    at com.strobel.decompiler.languages.java.ast.ContextTrackingVisitor.visitTypeDeclaration(ContextTrackingVisitor.java:31)
    at com.strobel.decompiler.languages.java.ast.TypeDeclaration.acceptVisitor(TypeDeclaration.java:98)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitChildren(DepthFirstAstVisitor.java:41)
    at com.strobel.decompiler.languages.java.ast.DepthFirstAstVisitor.visitCompilationUnit(DepthFirstAstVisitor.java:274)
    at com.strobel.decompiler.languages.java.ast.CompilationUnit.acceptVisitor(CompilationUnit.java:82)
    at com.strobel.decompiler.languages.java.ast.ContextTrackingVisitor.run(ContextTrackingVisitor.java:100)
    at com.strobel.decompiler.languages.java.ast.transforms.TryWithResourcesTransform.run(TryWithResourcesTransform.java:169)
    at com.strobel.decompiler.languages.java.ast.transforms.TransformationPipeline.runTransformationsUntil(TransformationPipeline.java:101)
    at com.strobel.decompiler.languages.java.ast.AstBuilder.runTransformations(AstBuilder.java:122)
    at com.strobel.decompiler.languages.java.JavaLanguage.runTransforms(JavaLanguage.java:97)
    at com.strobel.decompiler.languages.java.JavaLanguage.buildAst(JavaLanguage.java:72)
    at com.strobel.decompiler.languages.java.JavaLanguage.decompileType(JavaLanguage.java:59)
    at the.bytecode.club.bytecodeviewer.decompilers.impl.ProcyonDecompiler.doSaveJarDecompiled(ProcyonDecompiler.java:187)
    at the.bytecode.club.bytecodeviewer.decompilers.impl.ProcyonDecompiler.decompileToZip(ProcyonDecompiler.java:141)
    at the.bytecode.club.bytecodeviewer.resources.ResourceDecompiling.decompileSaveAll(ResourceDecompiling.java:262)
    at the.bytecode.club.bytecodeviewer.resources.ResourceDecompiling.lambda$decompileSaveAll$0(ResourceDecompiling.java:122)
    at java.base/java.lang.Thread.run(Thread.java:832)
    
    opened by ormaq 0
Releases(v2.11.2)
  • v2.11.2(Apr 11, 2022)

    Notable Changes

    • Java 18/19 support - @ThexXTURBOXx
    • Security Manager has been adjusted to work on Java 18+ - @ThexXTURBOXx
    • ASM update for Java 19 support - @ThexXTURBOXx
    • Added Croatian, Czech, Bulgarian, Danish and Serbian translations - @Konloch
    • Fixed running precompiled plugins - @Lucaskyy
    • CFR interface improvements - @GraxCode / @ThexXTURBOXx
    • Procyon update - @ThexXTURBOXx
    • FernFlower update - @ThexXTURBOXx
    • Jadx update - @ThexXTURBOXx
    • Dependency updates and fixes - @ThexXTURBOXx
    • Bytecode Disassembler improvements & additions - @GraxCode
    • General bug fixes and improvements - @Konloch / @ThexXTURBOXx / @GraxCode
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx / @Konloch / @GraxCode / @Lucaskyy

    Issues Resolved

    #396, #397, #402, #405, #410, #412

    Note

    If you encounter any issues, try v2.11.1 or v2.10.16

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.11.2.jar(59.59 MB)
  • v2.11.1(Feb 28, 2022)

    Notable Changes

    • Sandbox has been removed, allowing for improved Mac and Unix compatibility - @Konloch
    • Procyon update - @ThexXTURBOXx
    • Dex2Jar update - @ThexXTURBOXx
    • Dependency updates plus optimizations - @ThexXTURBOXx
    • General bug fixes and improvements - @Konloch
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx / @Konloch

    Issues Resolved

    #368, #361, #332

    Note

    If you encounter any issues, try v2.10.16 or v2.9.22

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.11.1.jar(59.52 MB)
  • v2.11.0(Jan 11, 2022)

    Notable Changes

    • Zip Slip exploit has been patched (CVE-2022-21675) - Thanks to @ready-research for reporting it! Thanks to @ThexXTURBOXx for patching it!
    • FernFlower update - @ThexXTURBOXx
    • Plugins template has been adjusted - @ThexXTURBOXx
    • Dependency updates plus optimizations - @ThexXTURBOXx
    • General bug fixes/improvements - @ThexXTURBOXx
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx / @sschr15 / @lujiefsi / @hajdam / @thomasleplus / @Konloch

    Issues Resolved

    #350, #369

    Note

    If you encounter any issues, try v2.10.16 or v2.9.22

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.11.0.jar(59.38 MB)
  • v2.10.16(Aug 19, 2021)

    Notable Changes

    • Dex2Jar has been fixed, this should resolve opening APKs that would previously fail - @ThexXTURBOXx
    • DarkLaf compatibility has been resolved - @weisJ
    • Tabs have been introduced for windows that were previously individual panes - @Konloch
    • The plugin console has been redesigned to support multiple resources in a single workspace - @Konloch
    • Right-click context menus on the resource list, including quick-open and other useful commands - @Konloch
    • Improved searching through the search pane - @Konloch
    • BCV will now automatically import a resource instead of displaying the binary hex of known classfiles/archives - @Konloch
    • Most file leaks should be fixed - @ThexXTURBOXx
    • All of the dependency warnings should be resolved - @ThexXTURBOXx
    • General bug fixes/UI improvements (Anti aliasing, etc) - @Konloch
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx @weisJ @Konloch

    Note

    If you encounter any issues, try v2.9.22

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.10.16.jar(40.89 MB)
  • v2.10.15(Jul 23, 2021)

    Notable Changes

    • More translation support - @Konloch / @ThexXTURBOXx
    • Limited GraalJS support (You will need to supply the Graal.JS dependencies - v2.11.0 will have full GraalJS support) - @Konloch
    • Better Hex-Viewer Dark Mode - @ThexXTURBOXx
    • Better zoom functionality - @ThexXTURBOXx
    • WebP support - @ThexXTURBOXx
    • Bug fixes - @ThexXTURBOXx
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx / @Konloch

    Note

    If you encounter any issues, try v2.9.22

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.10.15.jar(35.28 MB)
  • v2.10.14(Jul 20, 2021)

    Notable Changes

    • Improved translations Thanks to @ThexXTURBOXx / @TechComet / @antonymcgreen / @liuxilu / @cn-fairy
    • Added javap disassembler - @Konloch
    • Automatic python path detection - @Konloch
    • Improved plugin console - @Konloch
    • Cleaned up settings dialogue - @Konloch
    • Dynamic width Hex-Viewer - @Konloch
    • Better resource handling - @Konloch
    • Lots of code cleanup - @Konloch
    • Patched a few Security Manager escapes - @Konloch
    • Bug fixes and general improvements Thanks to @ThexXTURBOXx
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx / @TechComet / @antonymcgreen / @liuxilu / @cn-fairy / @Konloch

    Note

    If you encounter any issues, try v2.9.22

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.10.14.jar(32.68 MB)
  • v2.10.13(Jul 9, 2021)

    Notable Changes

    • Translated Into 25 Languages Including: Arabic, German, Japanese, Mandarin, Russian, Spanish - Thank you to everyone who helped provide translations! (Expect some translation issues, if you encounter any please help us fix them!) - DeepL / Google Translate / @Konloch / @ThexXTURBOXx
    • Plugin Writer: Create and edit external plugins from within BCV - @Konloch
    • Fixed Krakatau & Smali Disassembler/Assembler - @Konloch
    • Fixed Java & Bytecode Editing/Compiling - @Konloch
    • Lots of code cleanup - @Konloch
    • Bug fixes and general improvements - @Konloch / @ThexXTURBOXx
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx / @Konloch

    Note

    If you encounter any issues, try v2.9.22

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.10.13.jar(32.13 MB)
  • v2.10.12(Jun 29, 2021)

    Notable Changes

    • Dark mode (Opt-in) & theme selection thanks to @ThexXTURBOXx
    • XAPK file support - @Konloch
    • Translation process has started - @Konloch
    • Javascript plugin support - @Konloch
    • Bug fixes and general improvements - @Konloch
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx / @Konloch

    Note

    If you encounter any issues, try v2.9.22

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.10.12.jar(32.02 MB)
  • v2.10.11(Jun 21, 2021)

  • v2.10.10(Jun 21, 2021)

    NOTE: This version has a pretty nasty bug, use v2.10.11 instead

    Notable Changes

    • Fixed loading JDK 14+ compiled classes - @ThexXTURBOXx
    • Maven has been added for building the project and maintaining the libraries - @ThexXTURBOXx
    • The search regex has been greatly improved - @tiziw
    • ASMTexifier view pane - @thiakil
    • UTF-8 character support - @hopana
    • Almost all of the libraries have been updated to their current version (JADX and APKTool excluded) - @ThexXTURBOXx
    • The refactoring process has started so expect random bugs in places there were none previously - @Konloch
    • Various bug fixes & improvements - @Konloch
    • And more! Thank you to everyone who has contributed to this patch. @ThexXTURBOXx / @tiziw / @thiakil / @hopana / @Konloch

    Note

    This version will probably have some bugs, if you find any issues revert back to v2.9.22 for now.

    If you find any bugs just open up a GitHub issue or email me at [email protected]

  • v2.9.22(Jun 14, 2019)

  • v2.9.21(Jun 14, 2019)

    Notable Changes

    • Fixed the pre-Java 1 class format bug in ASM - thanks to @ItzSomebody, not only for the Stop Decompiling My Java list (https://github.com/ItzSomebody/StopDecompilingMyJava), but also for open sourcing the fix for the ASM library (https://github.com/ItzSomebody/asm-fix).
    • CFR updated to v0.145 - @Konloch
    • General bug fixes - @Konloch

    Note

    This version may have some bugs, if you find any issues revert back to v2.9.20 for now.

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.9.21.jar(27.03 MB)
  • v2.9.20(Jun 1, 2019)

  • v2.9.19(May 6, 2019)

  • v2.9.18(Apr 25, 2019)

  • v2.9.17(Apr 17, 2019)

  • v2.9.16(Apr 17, 2019)

    Notable Changes

    • Fixed APK & dex loading - @Konloch
    • Fixed Java 10+ classfiles - @Konloch
    • Better visual feedback thanks to the new busy icon system - @Konloch
    • Synchronized viewing pane option & quick method selection - @DreamSworK
    • Tons of bug fixes and general improvements - @Konloch
    • Updated most libraries to their 2019 versions (still a WIP) - @Konloch

    Note

    This is a well tested and stable version

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.9.16.jar(24.20 MB)
  • v2.9.15(Apr 13, 2019)

  • v2.9.14(Apr 13, 2019)

  • v2.9.13(Apr 13, 2019)

    Notable Changes

    • Added autofinding of RT.jar
    • Fixed decompiling java 10+ classes & jars (updated to ASM 7.1)
    • Fixed a caching issue with the Krakatau decompiler/disassembler. While working with big jars (10+mb) you should notice a massive difference if you had Krakatau enabled in one of your panes.
    • General bug fixes

    Note

    If you encounter any issues, try v2.9.12

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.9.13.jar(22.63 MB)
  • v2.9.12(Apr 13, 2019)

  • 2.9.11(Mar 24, 2018)

    Notable Changes

    • This version should work with JRE 8, 9 and 10, it's a 'FatJar' version that doesn't downstream any libraries from GitHub, this means you'll need to update BCV if any libraries release an update. - @Konloch

    Note

    Hopefully we can go back to having the dynamic classloader in the future, but for now this should work for anyone using JRE 8.x, 9.x or 10.x (I've tested this with JRE 8, 9 and 10, however if it isn't working please let me know)

    If you find any bugs just open up a GitHub issue or email me at [email protected]

    Bytecode-Viewer-2.9.11.jar(22.43 MB)
  • 2.9.10(Mar 22, 2018)

    Notable Changes

    • Emergency patch released, this should fix the startup issues that have been happening over the past few days.
    • Java 9.x is not supported yet, I've included a little startup message to alert those on 9.x that it won't work. I'll try to push out a 2.9.11 this weekend that includes a 9.x patch.

    Huge thanks to @ItzSomebody, without him this release would not be possible.

    Bytecode-Viewer-2.9.10.jar(1.62 MB)
  • v2.9.8(Jul 30, 2015)

    Change Log

    07/19/2015 - Fixed enjarify.
    07/20/2015 - Bibl sexified the boot loading time.
    07/20/2015 - Decode APK Resources is selected by default.
    07/20/2015 - Made the security manager slightly safer, it can still be targeted but not as obviously now.
    07/20/2015 - Added CLI to the boot page.
    07/21/2015 - Added support for offline mode in case you cannot connect to github for some reason. (kicks in after 7 seconds)
    07/21/2015 - Added fatjar option back, in case anyone wants a 100% portable version.
    07/21/2015 - Made it so it now shows the decompiler it's using - http://i.imgur.com/yMEzXwv.png.
    07/21/2015 - Rewrote the file system, it now shows the path of the jar it's got loaded.
    07/21/2015 - Now it shows if the decompiler is in editable mode or not.
    07/21/2015 - Fixed Enjarify bug from new security manager.
    07/22/2015 - Fixed a typo (Thanks affffsdsd)
    07/22/2015 - Finally added icons to the File Navigator, credits to http://famfamfam.com/lab/icons/silk/ for the icons.
    07/22/2015 - JD-GUI is now the default decompiler for GUI.
    07/22/2015 - Added Set Python 3.X to the UI.
    07/22/2015 - Fixed krakatau/export as jar bug introduced by file system update.
    07/22/2015 - Sped up krakatau decompiler/disassembler on big files.
    07/22/2015 - Made it so when you press enter on the file navigation pane it opens the class.
    07/22/2015 - The Quick file search now opens the files again.
    07/23/2015 - Fixed opening single files and file folders into BCV
    07/24/2015 - Added File>Reload Resources.
    07/26/2015 - Fixed the view pane refresh after toggling a viewer, it's now flawless.
    07/26/2015 - Fixed Krakatau Disassembler.
    07/30/2015 - Removed Janino Compiler & moved to Javac, it can now compile decompiled classes again.
    07/30/2015 - Affssdd fixed the File Navigator Pane's Quick Class Search.
    07/30/2015 - Fixed a process leak in KrakatauDisassembler.
    07/30/2015 - Started working on converting all the decompilers to launch in their own process in an effort to reduce BCV resources (only for non-fatjar version).

    BytecodeViewer.2.9.8.zip(2.23 MB)
  • v2.9.7(Jul 19, 2015)

    Change Log

    07/02/2015 - Added adjustable font size.
    07/05/2015 - Started working on the new Boot Screen.
    07/06/2015 - Moved the font size to be under the view menu.
    07/06/2015 - Fixed a bug with plugins not being able to grab the currently viewed class.
    07/07/2015 - Started adding enjarify as an optional APK converter instead of Dex2Jar.
    07/07/2015 - Finished the new Boot Screen
    07/09/2015 - Fixed a process leak with krakatau decompiler.
    07/09/2015 - Finished adding enjarify.
    07/09/2015 - Suppressed syntax exceptions due to JD-GUI.
    07/09/2015 - Fixed refresh on non-refreshable resources.
    07/09/2015 - Fixed opening a class and the name is so big, you cannot close because the [X] does not appear.
    07/09/2015 - Added support for smaller screens for the boot screen.
    07/16/2015 - Removed the FileFilter classes.
    07/16/2015 - Updated the decompiler class to make more sense.
    07/16/2015 - Started working on BCV CLI.
    07/16/2015 - Finished BCV CLI.

    BytecodeViewer.2.9.7.zip(3.08 MB)
  • v2.9.6(Jul 3, 2015)

    Change Log

    05/05/2015 - Fixed a typo in the about window
    05/28/2015 - Started importing JD-GUI Decompiler.
    05/28/2015 - Compile on refresh and compile on save are now enabled by default.
    05/28/2015 - Renamed the File>Save As options to be much more informative.
    06/24/2015 - Fixed a logic error with the Field & Method searchers.
    06/26/2015 - Updated Procyon & CFR to their latest versions.
    07/02/2015 - Added JD-GUI Decompiler. - Huge thanks to the guys behind JD-GUI! <3 (FIVE DECOMPILERS NOW WOOHOO)

    BytecodeViewer.2.9.6.zip(46.20 MB)
  • v2.9.5(May 1, 2015)

  • v2.9.4(Apr 28, 2015)

    Change Log

    04/19/2015 - Added -O to be passed for Krakatau Decompiler/Disassembler/Assembler. (Thanks Storyyeller).
    04/19/2015 - Added -skip to be passed for Krakatau Decompiler. (Thanks Storyyeller).
    04/19/2015 - Changed the warning window for Python to recommend PyPy. (Thanks Storyyeller).
    04/20/2015 - Happy 2015 4/20 (Shoutout to @announce420 for being 2 years old).
    04/21/2015 - Started reworking the View Panes.
    04/21/2015 - Finished reworking the View Panes - http://i.imgur.com/SqIw4Vj.png - Cheers to whoever's idea this was (I forget sorry <3).
    04/21/2015 - Updated CFR to 0_100.jar
    04/21/2015 - Added CTRL + R for run.
    04/21/2015 - Added CTRL + S for save files as.
    04/21/2015 - Added CTRL + T for compile.
    04/21/2015 - Added Krakatau optional library.
    04/21/2015 - The about pane now provides a lot more up to date information.
    04/21/2015 - Changed 'View Panes' to simply 'View'.

    BytecodeViewer.2.9.4.zip(42.55 MB)
  • v2.9.3(Mar 20, 2015)

    Change Log

    02/28/2015 - Added drag and drop for any file.
    02/28/2015 - Added ctrl + w to close the current opened tab.
    02/28/2015 - Updated to CFR 0_97.jar
    02/28/2015 - Fixed a concurrency issue with the decompilers.
    02/28/2015 - Added image resize via scroll on mouse.
    02/28/2015 - Added resource refreshing.
    02/28/2015 - Im Frizzy started working on Obfuscation.
    03/20/2015 - Updated Dex2Jar to 2.0.
    03/20/2015 - Updated CFR to 0_98.jar

    BytecodeViewer.2.9.3.zip(28.89 MB)
  • v2.9.2(Feb 24, 2015)

Owner
Kalen (Konloch) Kinloch
Java Addict, Open Source Developer, Administrator of https://the.bytecode.club and creator of Bytecode Viewer