
NWBin Reverse Engineering Plugin for Ghidra

Overview

"I'm an intellectual rapist who enjoys exposing things people try to hide. Got it?" — Furudo Erika

Theia (Θεία) is a Ghidra plugin that allows you to parse, disassemble, and decompile NW.js compiled (.bin) binaries. Based on the ghidra_nodejs plugin, Theia extends support to NWBin files, which are used to protect JavaScript source code in NW.js applications.

Theia makes it possible for reverse engineers and researchers to recover lost or obfuscated source code, analyze program behavior, and bypass encryption schemes. Built as a labor of love, Theia is our final answer to the numerous challenges posed by the V8 interpreter.

View Theia's source code on GitHub: https://github.com/Llamaware/Theia


Installation

"All a woman needs in life are cigarettes, a roof, and a frilly dress, right?" — Minakami Yuki

Theia was developed for Ghidra v11.3.1 and has not been tested on other versions.

  1. Download the latest release from here.
  2. In Ghidra, go to File -> Install Extensions..., press the green plus (+) button, then select the previously downloaded .zip archive to install it. Press OK, then restart Ghidra.
  3. Drag-n-drop .bin files.
  4. Check the V8RefsAnalyzer box in the Analysis Options window after opening the file.

Build

"Are you... Are you really still in the broom closet? Standing around doing nothing? Why?" — The Narrator

  1. Clone the repo.
    git clone https://github.com/Llamaware/Theia.git
  2. Import the repo into Eclipse with the GhidraDev plugin installed.
  3. Link Ghidra to your Ghidra installation (option in the project's context menu).
  4. Export and build the plugin using the project's context menu. Eclipse will generate a .zip archive containing the plugin.
  5. Continue with step 2 in the Installation section.

Usage

"And the reason is because I am the insane mad scientist, Hououin Kyouma!" — Okabe Rintaro

After installation, you can now use Theia to disassemble binaries that have been compiled with nwjc. Follow any basic Ghidra usage guide and you should be on your way.

You can test Theia using the provided binaries in the /samples folder.

Theia currently supports NW.js v0.29.0 (x86). Other versions may be supported in the future, but none are planned at this time.

For debugging purposes, Theia writes logs to the "Theia" folder in your Ghidra directory.

Included scripts:

Features

"OHHHHHHH YEAAAAAAAH! VERY GOOOOOOOD! One more!" — Furudo Erika

Technical Details

"Don't think about it too hard. You'll give yourself a headache." — Willard H. Wright

The .bin file consists of a header and serialized data. The header of the .bin file is virtually identical to the header of bytenode-compiled .jsc files and is described as follows.

Table 1

More info to come later...

Modifying Theia to work with a different version of NW.js is trivial and has been left as an exercise to the reader.

The scripts found in the /scripts directory of the repo will be helpful in this case.

Issues

"I just can't sit any other way than this. If I sit the way other people do, my reasoning ability drops by 40%." — L

Known issues:

If you encounter any other issues with Theia, feel free to open an issue on our GitHub repository.

Conclusion

"Illusions to illusions. The gold truth locks the lock of illusions." — Willard H. Wright

The NW.js developers claim:

"The JavaScript source code of your application can be protected by compiling to native code and loaded by NW.js. You only have to distribute the compiled code with your app for production."

Similarly, the developers of the RPG Maker MV/MZ Cook Tool claim:

"It allows RPG Maker MV and MZ game developers to protect the game's source code and plugins from being stolen by compiling the files to their binary form."

We find these claims to be dubious, to say the least. Relying on such tools to protect one's source code provides little more than a false sense of security. Compiling to native code or binary form may raise the bar for casual attempts at reverse engineering, but ultimately amounts to nothing more than security through obscurity. Given the tools and expertise available today, reversing such "protections" is often just a matter of time and effort.

Anything that can be compiled can be decompiled, and anything that can be executed can be analyzed. To believe otherwise is to indulge in an illusion — and the harsh truth of reverse engineering is that no locked room remains closed forever.

Legal Stuff

"Legends are a thing of the past. I am a von Karma. That is all." — Franziska von Karma

Theia — NWBin Reverse Engineering Plugin for Ghidra

Copyright (C) 2025 Llamaware

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.

Resources

"All according to plan." — Light Yagami

Greetz

"I finally did it. The most high-quality video game rip. This is my magnum opus." — SiIvaGunner

gotta do my shoutouts now.

peace to:
Positive Technologies
The NSA
OpenAI o1 & o3-mini-high (TsundereGPT)
Jesse
Charlotte
basil.cafe
peachy.moe
moggy.ai
Faust
Serika
and you, for making this possible.