GitHub - zboralski/spidermonkey-dumper: Decode + disassemble SpiderMonkey .jsc bytecode

smdis

Decode + disassemble SpiderMonkey .jsc bytecode. Currently supports version 33 (Firefox 33, common in Cocos2d-x games). Optional LLM-assisted "decompile" to JavaScript (best-effort).

Build

go test ./...
go build ./cmd/smdis

Usage

# Disassemble (strict mode by default)
./smdis path/to/file.jsc > out.dis

# Best-effort mode keeps going on malformed inputs and prints diagnostics to stderr
./smdis -mode=besteffort path/to/file.jsc > out.dis

# Disassemble + decompile via an LLM backend
./smdis -decompile -backend=claude-code samples/simple.jsc > /dev/null
./smdis -decompile -backend=codex samples/simple.jsc > /dev/null

# Generate graphs (requires graphviz: `dot` on PATH)
./smdis -callgraph samples/simple.jsc
./smdis -controlflow samples/simple.jsc

Output files are written alongside the input: file.dis and (when -decompile is enabled) file-<backend>.js. Graph outputs (when enabled) are written alongside the input: file.dot/file.svg/file.png (callgraph) and file.cfg.dot/file.cfg.svg/file.cfg.png (control flow).

Why This Exists (A Small RE Irony)

Some Cocosx games shipped SpiderMonkey .jsc bytecode unencrypted. That should make reversing easier, but in practice it often made it harder. The only thing available was an unfinished disassembly API inside the Firefox sources. It didn't support lambdas, nested functions, or most of the operand format.

This tool focuses on the boring part: reliably parsing the raw XDR format and turning it into stable disassembly we can build analyses on.

Samples

Each .jsc input in samples/ has paired outputs: .dis (disassembly), *-claudecode.js and *-codex.js (LLM decompilations), plus callgraph and control flow visualizations.

Regenerate all with make samples.

Reference Source

Built from SpiderMonkey 33 (Firefox 33):

• Opcodes.h — opcode definitions
• jsopcode.h, jsopcode.cpp — opcode implementation
• Xdr.h, jsscript.cpp — XDR serialization