# Reverse Engineering Skills
This repository provides AI-assisted reverse engineering tools for **Windows** (EXE/DLL/.NET) and **Android** (APK/XAPK/JAR/AAR) binaries. It includes decompilation scripts, API extraction, call flow tracing, and structured output documentation.
All scripts and references live under `plugins/`. The instructions below tell you how to use them.

---
## Windows Reverse Engineering
Decompile Windows EXE, DLL, SYS, and .NET assemblies using Ghidra (native PE → C pseudocode) and ILSpy (managed .NET → C# source). Auto-detects binary type.
### Dependencies
Run the dependency checker first:
```powershell
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/check-deps.ps1
```
**Required (at least one decompiler):**
- Java JDK 17+ and Ghidra (set `GHIDRA_INSTALL_DIR` env var) — for native PE
- ilspycmd (`dotnet tool install -g ilspycmd`) — for .NET assemblies

**Optional:** strings/strings2, dumpbin (requires Visual Studio C++ Build Tools), de4dot (.NET deobfuscator)

Install missing dependencies:
```powershell
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/install-dep.ps1 <dep>
# Available: java, ghidra, ilspycmd, dotnet-sdk, strings, dumpbin, de4dot
```
### PowerShell Execution Policy
If scripts are blocked, auto-fix with:
```powershell
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -Force
```
If group policy prevents this, prefix all script calls with `powershell -ExecutionPolicy Bypass -File`.
### Workflow
#### Phase 1: Verify Dependencies
```powershell
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/check-deps.ps1
```
Output includes `INSTALL_REQUIRED:<dep>` and `INSTALL_OPTIONAL:<dep>` lines. Install any required deps before proceeding.
#### Phase 2: Decompile
```powershell
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/decompile.ps1 [OPTIONS] <file>
```
Options:
- `-Output <dir>` — custom output directory (default: `<filename>-decompiled`)
- `-Engine auto|ghidra|ilspy` — decompiler engine (default: `auto`)
- `-NoStrings` — skip strings extraction

Auto-detection: the script reads the PE header to determine the binary type. .NET assemblies (CLI header present) → ILSpy; native PE → Ghidra.

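As an added example (not one of the repository's scripts), the header check behind that auto-detection rule in Python: a PE whose data directory entry 14 (the CLR runtime header) is non-empty is managed .NET and goes to ILSpy, anything else that parses as PE is native and goes to Ghidra. `build_test_pe` is an assumed helper that constructs header-only images so the check can be exercised without real binaries.

```python
import struct

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header

def detect_pe_kind(data: bytes) -> str:
    """Classify a PE image as 'dotnet', 'native' or 'not-pe' from its headers alone."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, data directories at +96
        rva_count_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, data directories at +112
        rva_count_off, dd_off = opt + 108, opt + 112
    else:
        return "not-pe"
    if rva_count_off + 4 > len(data):
        return "not-pe"
    if struct.unpack_from("<I", data, rva_count_off)[0] <= CLR_DIRECTORY_INDEX:
        return "native"  # too few directories to carry a CLR header at all
    entry = dd_off + CLR_DIRECTORY_INDEX * 8
    if entry + 8 > len(data):
        return "not-pe"
    clr_rva, clr_size = struct.unpack_from("<II", data, entry)
    return "dotnet" if clr_rva and clr_size else "native"

def choose_engine(data: bytes) -> str:
    """Map the detected kind onto the engine names used on this page."""
    return {"dotnet": "ilspy", "native": "ghidra"}.get(detect_pe_kind(data), "unsupported")

def build_test_pe(pe32plus: bool, managed: bool) -> bytes:
    """Constructed header-only PE image for testing; not a real or runnable binary."""
    opt_size, magic = (240, 0x20B) if pe32plus else (224, 0x10B)
    rva_count_off, dd_off = (108, 112) if pe32plus else (92, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, rva_count_off, 16)  # all 16 standard data directories present
    if managed:  # a non-zero RVA/size in entry 14 marks the CLR runtime header
        struct.pack_into("<II", opt, dd_off + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```
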
**Output structure (Ghidra):**
```
<output>/decompiled/ — C pseudocode per function
<output>/imports.txt — import table
<output>/exports.txt — export table
<output>/strings.txt — extracted strings
<output>/summary.txt — analysis summary
```
**Output structure (ILSpy):**
```
<output>/sources/ — C# source files with .csproj
```
#### Phase 3: Analyze Structure
- Review PE headers (architecture, subsystem, entry point, security features)
- Survey import table — reveals which DLLs/APIs the binary uses
- For .NET: examine namespace structure, referenced assemblies, DI container setup
- For native: group functions by purpose, identify entry points, look for C++ vtables
#### Phase 4: Trace Call Flows
- Start from entry points: `WinMain`, `main`, `DllMain`, `ServiceMain`, `DriverEntry` (native) or `static void Main()`, `Program.cs`, `Startup.cs` (.NET)
- Follow initialization chain → user action handlers → business logic → API calls
- Map dependency injection in .NET (`AddScoped`, `AddSingleton`, `AddTransient`)
- Handle obfuscated code: use framework type names and string refs as anchors
#### Phase 5: Extract APIs
```powershell
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/find-api-calls.ps1 <output>/sources/ [OPTIONS]
```
Options: `-Network`, `-Registry`, `-FileSystem`, `-Process`, `-Crypto`, `-Com`, `-Services`, `-Urls`, `-Auth`, `-Persistence`

Document each API call:
```markdown
### `FunctionName` (DLL: source.dll)
- **Source**: filename.c:42
- **Category**: Network / Registry / File I/O / Process / Crypto
- **Parameters**: param1: value, param2: value
- **Called from**: Main → InitNetwork → SendData → WinHttpSendRequest
- **Purpose**: Description
```
### Reference Documentation
- `plugins/windows-reverse-engineering/skills/windows-reverse-engineering/references/setup-guide.md`
- `plugins/windows-reverse-engineering/skills/windows-reverse-engineering/references/ghidra-headless-usage.md`
- `plugins/windows-reverse-engineering/skills/windows-reverse-engineering/references/ilspy-usage.md`
- `plugins/windows-reverse-engineering/skills/windows-reverse-engineering/references/api-extraction-patterns.md`
- `plugins/windows-reverse-engineering/skills/windows-reverse-engineering/references/call-flow-analysis.md`
---
## Android Reverse Engineering
Decompile Android APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower. Extract Retrofit endpoints, OkHttp calls, hardcoded URLs, and authentication patterns.
### Dependencies
```bash
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh
```
**Required:** Java JDK 17+, jadx

**Optional:** Fernflower/Vineflower, dex2jar, apktool

Install missing dependencies:
```bash
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh <dep>
```
### Workflow
#### Phase 1: Verify Dependencies
```bash
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh
```
#### Phase 2: Decompile
```bash
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh [OPTIONS] <file>
```
Options:
- `--output <dir>` — custom output directory
- `--engine jadx|fernflower|both` — decompiler engine (default: `jadx`)
- `--deobf` — enable deobfuscation
#### Phase 3: Analyze Structure
- Review AndroidManifest.xml for activities, services, receivers, permissions
- Survey package structure and identify architecture patterns (MVP, MVVM, Clean Architecture)
- Find application entry points (Application class, main Activity, ContentProviders)
#### Phase 4: Trace Call Flows
- Start from Activity/Fragment → ViewModel → Repository → API client
- Follow Dagger/Hilt dependency injection
- Map Retrofit interface → OkHttp interceptors → actual HTTP calls
#### Phase 5: Extract APIs
```bash
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ [OPTIONS]
```
Options: `--retrofit`, `--okhttp`, `--urls`, `--auth`, `--volley`
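As an added example (not the repository's `find-api-calls.sh`), the kind of extraction the `--retrofit`, `--urls` and `--auth` options stand for, in Python: it scans decompiled Java for Retrofit HTTP-verb annotations, resolves `baseUrl()` arguments through `String` constants so each relative path can be joined into a full URL, and collects header names set via `@Header` or OkHttp's `header()`/`addHeader()`. `SAMPLE_SOURCES` is constructed jadx-style input, not from any real app.

```python
import re
from urllib.parse import urljoin

# Constructed sample of jadx-style decompiled Java; not taken from any real app.
SAMPLE_SOURCES = {
    "ApiService.java": """
    public interface ApiService {
        @Headers({"Accept: application/json"})
        @GET("v1/users/{id}")
        Call<User> getUser(@Path("id") String id, @Header("Authorization") String token);
        @POST("v1/login")
        Call<Token> login(@Body Credentials creds);
        @FormUrlEncoded @PUT("v1/profile")
        Call<Void> update(@Field("name") String name);
    }""",
    "ApiModule.java": """
    public final class ApiModule {
        private static final String BASE = "https://api.example.test/";
        Retrofit build(OkHttpClient c) { return new Retrofit.Builder().baseUrl(BASE).client(c).build(); }
        OkHttpClient client() { return new OkHttpClient.Builder().addInterceptor(chain -> chain.proceed(
            chain.request().newBuilder().header("X-Api-Key", "PLACEHOLDER_KEY").build())).build(); }
    }""",
}

VERBS = "GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS"
ENDPOINT_RE = re.compile(
    r'@(' + VERBS + r')\s*\(\s*"([^"]*)"\s*\)\s*'  # @GET("relative/path")
    r'(?:@\w+(?:\([^)]*\))?\s*)*'                  # any further method-level annotations
    r'[\w<>\[\], ]+?\s+(\w+)\s*\(')                # return type, then the method name
CONST_RE = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
BASEURL_RE = re.compile(r'\.baseUrl\s*\(\s*([^)]+?)\s*\)')
HEADER_RE = re.compile(r'(?:@Header\s*\(\s*"([^"]+)"|\.(?:header|addHeader)\s*\(\s*"([^"]+)")')

def extract_api_surface(sources):
    """Return Retrofit endpoints, resolved base URLs and header names found in decompiled Java."""
    consts = {n: v for src in sources.values() for n, v in CONST_RE.findall(src)}
    bases, endpoints, headers = set(), [], set()
    for name, src in sources.items():
        for arg in BASEURL_RE.findall(src):
            # baseUrl() may take a literal or a String constant defined in another file
            bases.add(arg.strip('"') if arg.startswith('"') else consts.get(arg, arg))
        for verb, path, method in ENDPOINT_RE.findall(src):
            endpoints.append({"file": name, "verb": verb, "path": path, "method": method})
        for h1, h2 in HEADER_RE.findall(src):
            headers.add(h1 or h2)
    for ep in endpoints:  # join each relative Retrofit path onto every discovered base URL
        ep["urls"] = sorted(urljoin(b, ep["path"]) for b in bases if b.startswith("http"))
    return {"base_urls": sorted(bases), "endpoints": endpoints, "auth_headers": sorted(headers)}
```
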
### Reference Documentation
- `plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md`
- `plugins/android-reverse-engineering/skills/android-reverse-engineering/references/jadx-usage.md`
- `plugins/android-reverse-engineering/skills/android-reverse-engineering/references/fernflower-usage.md`
- `plugins/android-reverse-engineering/skills/android-reverse-engineering/references/api-extraction-patterns.md`
- `plugins/android-reverse-engineering/skills/android-reverse-engineering/references/call-flow-analysis.md`