[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74859":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":9,"rankLanguage":9,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":9,"pushedAt":9,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":15,"starSnapshotCount":15,"syncStatus":29,"lastSyncTime":30,"discoverSource":31},74859,"android-reverse-engineering-skill","SimoneAvogadro\u002Fandroid-reverse-engineering-skill","SimoneAvogadro","Claude Code skill to support Android app's reverse engineering",null,"Shell",6028,675,24,5,0,54,121,389,162,39.49,"Apache License 2.0",false,"master",true,[],"2026-06-12 02:03:29","# Android Reverse Engineering & API Extraction — Claude Code skill\n\n[![License: Apache-2.0](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache--2.0-blue.svg)](https:\u002F\u002Fopensource.org\u002Flicenses\u002FApache-2.0) [![GitHub stars](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002FSimoneAvogadro\u002Fandroid-reverse-engineering-skill?style=social)](https:\u002F\u002Fgithub.com\u002FSimoneAvogadro\u002Fandroid-reverse-engineering-skill\u002Fstargazers) [![GitHub last commit](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Flast-commit\u002FSimoneAvogadro\u002Fandroid-reverse-engineering-skill)](https:\u002F\u002Fgithub.com\u002FSimoneAvogadro\u002Fandroid-reverse-engineering-skill\u002Fcommits\u002Fmaster)\n\nA Claude Code skill that decompiles Android APK\u002FXAPK\u002FJAR\u002FAAR files and **extracts the HTTP APIs** used by the app — Retrofit endpoints, OkHttp calls, hardcoded URLs, authentication patterns — so you can document and reproduce them without the original source code.\n\n> **Windows \u002F PowerShell support (experimental)**: The `*.ps1` scripts alongside the bash ones are a recent community contribution, still being stabilised. For any issues please open an issue on **this** repository (not on the contributors' upstream forks): the PowerShell scripts are maintained here by [@SimoneAvogadro](https:\u002F\u002Fgithub.com\u002FSimoneAvogadro).\n\n## Table of Contents\n\n- [What it does](#what-it-does)\n- [Requirements](#requirements)\n- [Installation](#installation)\n- [Usage](#usage)\n- [Repository Structure](#repository-structure)\n- [References](#references)\n- [Acknowledgments](#acknowledgments)\n- [Disclaimer](#disclaimer)\n- [License](#license)\n\n## What it does\n\n| Capability | Description |\n|------------|-------------|\n| **Decompile** | APK, XAPK, JAR, and AAR files using jadx and Fernflower\u002FVineflower (single engine or side-by-side comparison) |\n| **Extract APIs** | Retrofit endpoints, OkHttp calls, hardcoded URLs, auth headers and tokens |\n| **Trace call flows** | From Activities\u002FFragments through ViewModels and repositories down to HTTP calls |\n| **Analyze structure** | Manifest, packages, architecture patterns |\n| **Handle obfuscation** | Strategies for navigating ProGuard\u002FR8 output |\n\n## Requirements\n\n**Required:**\n\n- Java JDK 17+\n- [jadx](https:\u002F\u002Fgithub.com\u002Fskylot\u002Fjadx) (CLI)\n\n**Optional (recommended):**\n\n- [Vineflower](https:\u002F\u002Fgithub.com\u002FVineflower\u002Fvineflower) or [Fernflower](https:\u002F\u002Fgithub.com\u002FJetBrains\u002Ffernflower) — better output on complex Java code\n- [dex2jar](https:\u002F\u002Fgithub.com\u002FThexXTURBOXx\u002Fdex2jar) — needed to use Fernflower on APK\u002FDEX files\n\nSee `plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Freferences\u002Fsetup-guide.md` for detailed installation instructions.\n\n## Installation\n\n### From GitHub (recommended)\n\nInside Claude Code, run:\n\n```text\n\u002Fplugin marketplace add SimoneAvogadro\u002Fandroid-reverse-engineering-skill\n\u002Fplugin install android-reverse-engineering@android-reverse-engineering-skill\n```\n\nThe skill will be permanently available in all future sessions.\n\n### From a local clone\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FSimoneAvogadro\u002Fandroid-reverse-engineering-skill.git\n```\n\nThen in Claude Code:\n\n```text\n\u002Fplugin marketplace add \u002Fpath\u002Fto\u002Fandroid-reverse-engineering-skill\n\u002Fplugin install android-reverse-engineering@android-reverse-engineering-skill\n```\n\n## Usage\n\n### Slash command\n\n```text\n\u002Fdecompile path\u002Fto\u002Fapp.apk\n```\n\nThis runs the full workflow: dependency check, decompilation, and initial structure analysis.\n\n### Natural language\n\nThe skill activates on phrases like:\n\n- \"Decompile this APK\"\n- \"Reverse engineer this Android app\"\n- \"Extract API endpoints from this app\"\n- \"Follow the call flow from LoginActivity\"\n- \"Analyze this AAR library\"\n\n### Manual scripts\n\nThe scripts can also be used standalone:\n\n```bash\n# Check dependencies\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Fcheck-deps.sh\n\n# Install a missing dependency (auto-detects OS and package manager)\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Finstall-dep.sh jadx\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Finstall-dep.sh vineflower\n\n# Decompile APK with jadx (default)\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Fdecompile.sh app.apk\n\n# Decompile XAPK (auto-extracts and decompiles each APK inside)\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Fdecompile.sh app-bundle.xapk\n\n# Decompile with Fernflower\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Fdecompile.sh --engine fernflower library.jar\n\n# Run both engines and compare\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Fdecompile.sh --engine both --deobf app.apk\n\n# Find API calls\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Ffind-api-calls.sh output\u002Fsources\u002F\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Ffind-api-calls.sh output\u002Fsources\u002F --retrofit\nbash plugins\u002Fandroid-reverse-engineering\u002Fskills\u002Fandroid-reverse-engineering\u002Fscripts\u002Ffind-api-calls.sh output\u002Fsources\u002F --urls\n```\n\n## Repository Structure\n\n```text\nandroid-reverse-engineering-skill\u002F\n├── .claude-plugin\u002F\n│ └── marketplace.json # Marketplace catalog\n├── plugins\u002F\n│ └── android-reverse-engineering\u002F\n│ ├── .claude-plugin\u002F\n│ │ └── plugin.json # Plugin manifest\n│ ├── skills\u002F\n│ │ └── android-reverse-engineering\u002F\n│ │ ├── SKILL.md # Core workflow (5 phases)\n│ │ ├── references\u002F\n│ │ │ ├── setup-guide.md\n│ │ │ ├── jadx-usage.md\n│ │ │ ├── fernflower-usage.md\n│ │ │ ├── api-extraction-patterns.md\n│ │ │ └── call-flow-analysis.md\n│ │ └── scripts\u002F\n│ │ ├── check-deps.sh # Bash\n│ │ ├── check-deps.ps1 # PowerShell\n│ │ ├── install-dep.sh\n│ │ ├── install-dep.ps1\n│ │ ├── decompile.sh\n│ │ ├── decompile.ps1\n│ │ ├── find-api-calls.sh\n│ │ └── find-api-calls.ps1\n│ └── commands\u002F\n│ └── decompile.md # \u002Fdecompile slash command\n├── LICENSE\n└── README.md\n```\n\n## References\n\n- [jadx — Dex to Java decompiler](https:\u002F\u002Fgithub.com\u002Fskylot\u002Fjadx)\n- [Fernflower — JetBrains analytical decompiler](https:\u002F\u002Fgithub.com\u002FJetBrains\u002Ffernflower)\n- [Vineflower — Fernflower community fork](https:\u002F\u002Fgithub.com\u002FVineflower\u002Fvineflower)\n- [dex2jar — DEX to JAR converter](https:\u002F\u002Fgithub.com\u002FThexXTURBOXx\u002Fdex2jar)\n- [apktool — Android resource decoder](https:\u002F\u002Fapktool.org\u002F)\n\n## Acknowledgments\n\nThanks to the contributors who have shaped this skill:\n\n- [@philjn](https:\u002F\u002Fgithub.com\u002Fphiljn) — Native Windows \u002F PowerShell support (`check-deps.ps1`, `install-dep.ps1`, `decompile.ps1`, `find-api-calls.ps1`) and split\u002Fbundled APK detection in `decompile.sh` (#8)\n- [@txhno](https:\u002F\u002Fgithub.com\u002Ftxhno) — Migration to the maintained [`ThexXTURBOXx\u002Fdex2jar`](https:\u002F\u002Fgithub.com\u002FThexXTURBOXx\u002Fdex2jar) fork (#12)\n- [@muqiao215](https:\u002F\u002Fgithub.com\u002Fmuqiao215) — Decompile partial-success handling, Fernflower timeout safeguard, intermediate-artifact directory (#10)\n- [@kevinaimonster](https:\u002F\u002Fgithub.com\u002Fkevinaimonster) — Chinese localization (`SKILL.md` discovery keywords) (#4)\n\n## Disclaimer\n\nThis plugin is provided strictly for **lawful purposes**, including but not limited to:\n\n- Security research and authorized penetration testing\n- Interoperability analysis permitted under applicable law (e.g., EU Directive 2009\u002F24\u002FEC, US DMCA §1201(f))\n- Malware analysis and incident response\n- Educational use and CTF competitions\n\n**You are solely responsible** for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.\n\nThe authors disclaim any liability for misuse of this tool.\n\n## License\n\nApache 2.0 — see [LICENSE](LICENSE)\n","该项目主要用于支持Android应用程序的逆向工程,特别是从APK\u002FXAPK\u002FJAR\u002FAAR文件中解压并提取HTTP API。它能够解析Retrofit端点、OkHttp调用、硬编码URL以及认证模式等关键信息,即使没有原始源代码也能帮助开发者文档化和重现这些API。采用Shell脚本编写,并支持实验性的PowerShell版本,依赖于Java JDK 17+及jadx等工具来完成复杂任务如处理ProGuard\u002FR8混淆输出。适用于需要理解第三方应用内部网络请求逻辑、进行安全审计或学习目的场景。项目遵循Apache License 2.0开源许可协议。",2,"2026-06-11 03:51:09","high_star"]