7

I stumbled upon NW and its ability to load "compiled javascript binary files". After further reading (at first I thought it would be just some minified JavaScript) I discovered that the docs were talking about actual binary files. It turns out V8 can build a snapshot of loaded JS source code and dump it to a file, which can then be loaded back into memory.

https://github.com/nwjs/nw.js/wiki/Protect-JavaScript-source-code-with-v8-snapshot

Are there any specifications about the structure of those binary files? Is there a way I can load such a binary file in a disassembler (say IDA Pro)?

alexandernst
  • Did you ever figure out any way to reverse engineer Electron V8 snapshot data blob files? I.e. like what x64dbg or IDA Pro does to x86 / x64 binaries. – Haapavuo Dec 04 '20 at 15:39

1 Answer

4

(V8 developer here.) No, the format of V8's snapshot files is an internal implementation detail that is neither documented nor assumed to be stable across versions (on the contrary; V8 assumes that any snapshot that wasn't created by the exact same version is incompatible). There is no supported way to load a snapshot file into a disassembler; the way to inspect a snapshot's contents is to debug its creation and/or deserialization.

The background for this situation is that the snapshot files are intended to be a kind of on-disk cache to speed up startup. They are not intended to be distributable binaries.

jmrk
  • "They are not intended to be distributed binaries" Yet NW/Electron seem to be announcing that feature exactly as a way of distributing apps. :) How would I inspect the deserialisation of a snapshot in NW? Also, if I'm reading NW's docs correctly, they seem to be stripping the source code from the snapshot. What object/data would get loaded into memory after a (theoretical) `loadBinarySnapshot()` call? – alexandernst Oct 16 '17 at 16:46
  • I'm not familiar with NW, or how to debug/inspect it, or its feature announcement policies. From a pure-V8 point of view, you could set a breakpoint at the end of `v8::internal::Isolate::Init` (in `src/isolate.cc`) and inspect the contents of the heap at that point. The snapshot is a serialized version of V8's entire heap, so it contains "all sorts of stuff", including bytecode of functions. – jmrk Oct 18 '17 at 21:47