{"id":4625,"date":"2023-08-29T11:39:59","date_gmt":"2023-08-29T19:39:59","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=4625"},"modified":"2025-09-10T15:06:21","modified_gmt":"2025-09-10T23:06:21","slug":"jeb-assistant","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/jeb-assistant\/","title":{"rendered":"JEB Assistant (legacy)"},"content":{"rendered":"\n

Update (2025\/09\/10): The legacy assistant is superseded by VIBRE, a full-blown conversational AI agent available in JEB 5.32+. Read more here<\/a>!<\/em><\/p>\n\n\n\n

Update (2025\/08\/17): The assistant was updated for the release of JEB 5.31. Restrictions in terms of decompiled code size were loosened; back-end language models were upgraded to provide better suggestions.<\/em><\/p>\n\n\n\n

Update (2023\/12\/06): Several restrictions are lifted in JEB 5.6 to make the Assistant available for Java decompiled output generated by dexdec (it is currently limited to C output generated by gendec).<\/em><\/p>\n\n\n\n

Starting from JEB 5.2, you may use the experimental “JEB Assistant” to infer names for decompiled classes, fields, methods and method parameters.<\/p>\n\n\n\n

Below is a decompiled aarch64 routine found in the BPFDoor<\/code> malware. A raw decompilation does not produce any useful name (the default routine name is sub_40157C<\/code>).<\/p>\n\n\n\n

\"\"<\/a>
An unnamed arm64 decompiled routine<\/figcaption><\/figure>\n\n\n\n

You may click the “Call the Assistant” button (also available via the Action<\/em> menu, Request Assistant<\/em> handler, or the back-tick keyboard shortcut) to query the assistant via JEB.IO. At the time of writing, a JEB.IO account is not required to access the assistant.<\/p>\n\n\n\n

Upon first request, a disclaimer will be shown, letting you know that the decompiled code must be sent to our server:<\/p>\n\n\n\n

\"\"<\/a>
The disclaimer is shown the first time the assistant is called<\/figcaption><\/figure>\n\n\n\n

The assistant may<\/strong> return a better name for the method and its parameters. Sometimes, the names may be incorrect, yet provide some insight into what the method is doing. Other times, they may be entirely out of scope! It is always better to take the provided results as hints, rather than absolute truths.<\/strong><\/p>\n\n\n\n

In the case of our mysterious method, the assistant did provide valuable information: decryptData(data, size, key)<\/code>. Indeed, the method is a decryption function — more specifically, rc4 with a pre-computed sbox. The parameter names are (almost) correct.<\/p>\n\n\n\n

You may decide to apply the suggested method name directly. The suggested parameter names are not applied automatically.<\/p>\n\n\n\n

\"\"<\/a>
The assistant is providing the suggestions, it is up to the user to apply them<\/figcaption><\/figure>\n\n\n\n

Currently, some limitations apply:<\/p>\n\n\n\n