by CreditTone
这是一套专为 Codex 适配的 Android 逆向分析 skill,支持在 Codex 会话中反编译 APK、XAPK、JAR、AAR,并结合 jadx、Fernflower/Vineflower 梳理 Manifest、包结构、网络层和调用链。它可辅助提取接口、URL、鉴权头、token 与签名逻辑,并提供 Frida、抓包、JNI/SO 分析前的静态侦察方法,适合接口分 析、安全研究和授权测试。
# Add to your Claude Code skills
git clone https://github.com/CreditTone/android-reverse-engineering-skillGuides for using ai agents skills like android-reverse-engineering-skill.
Last scanned: 7/17/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-07-17T06:14:20.695Z",
"npmAuditRan": true,
"pipAuditRan": true,
"promptInjectionRan": true
}android-reverse-engineering-skill is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by CreditTone. 这是一套专为 Codex 适配的 Android 逆向分析 skill,支持在 Codex 会话中反编译 APK、XAPK、JAR、AAR,并结合 jadx、Fernflower/Vineflower 梳理 Manifest、包结构、网络层和调用链。它可辅助提取接口、URL、鉴权头、token 与签名逻辑,并提供 Frida、抓包、JNI/SO 分析前的静态侦察方法,适合接口分 析、安全研究和授权测试。. It has 273 GitHub stars.
Yes. android-reverse-engineering-skill passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/CreditTone/android-reverse-engineering-skill" and add it to your Claude Code skills directory (see the Installation section above).
android-reverse-engineering-skill is primarily written in JavaScript. It is open-source under CreditTone on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh android-reverse-engineering-skill against similar tools.
No comments yet. Be the first to share your thoughts!
Android 逆向分析全家桶 — 从 APK 反编译到 Frida 动态插桩、从 HTTP 接口提取到 JNI/SO 原生层逆向,覆盖静态分析→动态分析→流量解密→签名追踪的完整链路。支持 Claude Code / Codex 双平台,兼容 macOS、Linux、Windows(PowerShell),一套技能打通 Android 安全研究与授权渗透测试的绝大部分需求。
基于 SimoneAvogadro/android-reverse-engineering-skill 做了大幅扩展:
| 方面 | 原项目 | 本仓库 |
|---|---|---|
| 平台支持 | Claude Code | Claude Code + Codex 双平台 |
| 反编译引擎 | jadx | jadx + Fernflower/Vineflower 双引擎对比 |
| 动态分析 | 概念提及 | 完整 Frida 实战指导 + 9 个开箱即用脚本 |
| Native 分析 | 无 | JNI/SO 完整分析流程 + rizin 命令参考 |
| Windows 支持 | 无 | 完整 PowerShell 脚本栈 |
| XAPK/套壳 | 基础支持 | 自动递归解包 + 分包识别 |
| 依赖管理 | 手动 | 一键检查 + 跨平台自动安装 |
| Frida 脚本 | 无 | 9 个实战脚本(SSL、DEX dump、SO dump、JNI trace、加密 hook、检测绕过、证书导出) |
| 文档语言 | 英文 | 中文 |
| 脚本 | 功能 |
|---|---|
ssl_log.js |
TLS 密钥日志导出,解密 HTTPS 流量 |
dump_dex.js |
内存 DEX dump,对抗加固/动态加载 |
dump_so.js |
内存 SO dump,保留完整 ELF 结构 |
jni_method_trace.js |
JNI 调用全量追踪,可指定目标 SO |
hook_artmethod_register.js |
ART Method 注册 hook,追踪 Native→Java 绑定 |
hook_encryption_algo.js |
AES/DES/RSA/哈希等加密算法调用拦截 |
keystore_dump.js |
双向认证场景下客户端证书导出为 p12 |
bypass_root_detect.js |
通用 Root 检测绕过(含 Magisk 检测) |
bypass_frida_svc_detect.js |
Frida SVC 指令级检测绕过(ARM32/ARM64) |
native 方法声明 → System.loadLibrary → SO 定位JNI_OnLoad → RegisterNatives 动态注册追踪必需:
可选但推荐:
# 克隆仓库
git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git
# 创建技能符号链接
mkdir -p ~/.claude/skills
ln -sfn $(pwd)/android-reverse-engineering-skill/android-reverse-engineering/skills/android-reverse-engineering ~/.claude/skills/android-reverse-engineering
# 创建命令符号链接
mkdir -p ~/.claude/commands
ln -sfn $(pwd)/android-reverse-engineering-skill/android-reverse-engineering/commands/decompile.md ~/.claude/commands/decompile.md
/decompile path/to/app.apk
自动完成:依赖检查 → 反编译 → 结构分析 → 下一步建议。
SKILL_DIR="android-reverse-engineering/skills/android-reverse-engineering/scripts"
# === 依赖管理 ===
bash $SKILL_DIR/check-deps.sh
bash $SKILL_DIR/install-dep.sh jadx
bash $SKILL_DIR/install-dep.sh vineflower
bash $SKILL_DIR/install-dep.sh rizin
# === 反编译 ===
bash $SKILL_DIR/decompile.sh app.apk # jadx 默认
bash $SKILL_DIR/decompile.sh --engine fernflower library.jar # Fernflower
bash $SKILL_DIR/decompile.sh --engine both app.apk # 双引擎对比
bash $SKILL_DIR/decompile.sh app-bundle.xapk # XAPK 自动解包
# === API 提取 ===
bash $SKILL_DIR/find-api-calls.sh output/sources/
bash $SKILL_DIR/find-api-calls.sh output/sources/ --retrofit
bash $SKILL_DIR/find-api-calls.sh output/sources/ --urls
bash $SKILL_DIR/find-api-calls.sh output/sources/ --auth
$SKILL_DIR="android-reverse-engineering/skills/android-reverse-engineering/scripts"
& "$SKILL_DIR/check-deps.ps1"
& "$SKILL_DIR/install-dep.ps1" jadx
& "$SKILL_DIR/decompile.ps1" app.apk
& "$SKILL_DIR/find-api-calls.ps1" output/sources/ -Retrofit
# SSL 密钥日志(配合 Wireshark 解密 HTTPS)
frida -U -f com.example.app -l ssl_log.js --no-pause
# Dump 内存中的 DEX(对抗加固/动态加载)
frida -U -f com.example.app -l dump_dex.js --no-pause
# Dump 内存中的 SO(保留 ELF 完整结构)
frida -U -f com.example.app -l dump_so.js --no-pause
# 追踪指定 SO 的 JNI 调用
frida -U -f com.example.app -l jni_method_trace.js --no-pause
# Hook 加密/解密算法调用
frida -U -f com.example.app -l hook_encryption_algo.js --no-pause
# 绕过 Root 检测
frida -U -f com.example.app -l bypass_root_detect.js --no-pause
# 绕过 Frida SVC 指令级检测
frida -U -f com.example.app -l bypass_frida_svc_detect.js --no-pause
# 导出双向认证客户端证书
frida -U -f com.example.app -l keystore_dump.js --no-pause
# Hook ART Method 注册(追踪 Native→Java 绑定)
frida -U -f com.example.app -l hook_artmethod_register.js --no-pause
当 Java 层分析看到 native 方法、System.loadLibrary() 或 RegisterNatives 时:
# ELF 元数据
rz-bin -I libfoo.so && rz-bin -s libfoo.so && rz-bin -i libfoo.so
# 字符串速查
rz-strings -a libfoo.so | rg 'http|https|Java_|JNI_OnLoad|encrypt|sign|ssl|socket'
# JNI_OnLoad 反汇编
rizin -qc "aaa; pdf @ sym.JNI_OnLoad; q" libfoo.so
# 无 rizin 时回退
readelf -Ws libfoo.so && nm -D libfoo.so | rg 'JNI_OnLoad|Java_'
objdump -d libfoo.so > libfoo.asm
首次反编译不要加 --deobf:
FindClass、Class.forName、Frida hook、unidbg 模拟--deobf 适用于:
android-reverse-engineering-skill/
├── .claude-plugin/
│ └── marketplace.json
├── android-reverse-engineering/
│ ├── .codex-plugin/
│ │ └── plugin.json
│ ├── .claude-plugin/
│ │ └── plugin.json
│ ├── commands/
│ │ └── decompile.md
│ └── skills/
│ └── android-reverse-engineering/
│ ├── SKILL.md
│ ├── references/
│ │ ├── setup-guide.md
│ │ ├── jadx-usage.md
│ │ ├── fernflower-usage.md
│ │ ├── api-extraction-patterns.md
│ │ ├── call-flow-analysis.md
│ │ ├── dynamic-analysis.md
│ │ └── native-analysis.md
│ └── scripts/
│ ├── check-deps.sh / .ps1 # 依赖检查
│ ├── install-dep.sh / .ps1 # 自动安装
│ ├── decompile.sh / .ps1 # 反编译
│ ├── find-api-calls.sh / .ps1 # API 提取
│ ├── ssl_log.js # TLS 密钥导出
│ ├── dump_dex.js # 内存 DEX dump
│ ├── dump_so.js # 内存 SO dump
│ ├── jni_method_trace.js # JNI 调用追踪
│ ├── hook_artmethod_register.js # ART 注册 hook
│ ├── hook_encryption_algo.js # 加密算法 hook
│ ├── keystore_dump.js # 证书导出
│ ├── bypass_root_detect.js # Root 检测绕过
│ └── bypass_frida_svc_detect.js # Frida 检测绕过
├── LICENSE
└── README.md
本工具仅可用于合法用途:
你需自行确保使用行为符合所在司法辖区法律、法规及目标软件服务条款。对未授权软件进行逆向可能触犯知识产权或计算机相关法律。作者不对任何滥用行为承担责任。
Apache 2.0,见 LICENSE