Claude Code skill to support Android app's reverse engineering

Go to file

Samuel Mensah c1dd4f7e8c feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage		2026-04-21 12:46:00 +00:00
.claude-plugin	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
.clinerules	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
.cursor/rules	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
.github	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
.roo/rules	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
.windsurf/rules	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
plugins	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
.aider.conf.yml	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
.gitattributes	ADDED: .gitattributes for better WSL/Windows cooperation	2026-03-02 11:36:38 +01:00
AGENTS.md	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
LICENSE	Fix GitHub username in all repository URLs and LICENSE	2026-02-02 21:06:15 +01:00
README.md	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
install.ps1	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00
install.sh	feat: add Windows RE plugin and multi-agent support for 9 coding agents - Add Windows reverse engineering plugin (Ghidra + ILSpy) - PowerShell scripts: check-deps, install-dep, decompile, find-api-calls - Ghidra headless Jython export script (ExportDecompiled.py) - Reference docs: setup guide, Ghidra/ILSpy CLI, API patterns, call flows - Add agent instruction files for Codex, Cursor, Copilot, Cline, Windsurf, Roo Code, Aider, OpenCode - Add universal installer (install.ps1 / install.sh) with interactive agent selection - Add AGENTS.md as universal agent instruction standard - Update README with multi-agent support and installer usage	2026-04-21 12:46:00 +00:00

README.md

Reverse Engineering & API Extraction — AI Coding Agent Skills

A collection of AI coding agent skills for reverse engineering mobile and desktop applications. Includes Android (APK/XAPK/JAR/AAR) and Windows (EXE/DLL/.NET) plugins that decompile binaries, extract APIs, trace call flows, and document findings.

Works with Claude Code, OpenAI Codex, Cursor, GitHub Copilot, Cline, Windsurf, Roo Code, Aider, and OpenCode.

🪟 Windows Reverse Engineering (NEW)

Decompiles Windows EXE/DLL/.NET assemblies and extracts Win32 API calls, network endpoints, registry operations, cryptographic usage, and more.

What it does

Auto-detects binary type (.NET vs native PE) and selects the best decompiler
Decompiles native PE binaries using Ghidra headless (C pseudocode output)
Decompiles .NET assemblies using ILSpy (ilspycmd) to C# source
Extracts and documents APIs: Win32 calls, WinHTTP/WinINet, Winsock, .NET HttpClient, registry, crypto, COM/WMI
Traces call flows from entry points (WinMain, DllMain, ServiceMain, Main) through to API calls
Analyzes PE structure: imports, exports, sections, strings, security features
Detects persistence mechanisms, process injection patterns, and hardcoded secrets

Requirements

Required (at least one decompiler):

Java JDK 17+ and Ghidra — for native PE binaries
ilspycmd (dotnet tool install -g ilspycmd) — for .NET assemblies

Optional (recommended):

strings2 or SysInternals Strings — extract embedded strings
dumpbin (Visual Studio C++ Build Tools) — PE header analysis
de4dot — .NET deobfuscation

Installation

Inside Claude Code, run:

/plugin install windows-reverse-engineering@android-reverse-engineering-skill

Usage

/decompile path/to/app.exe

The skill auto-detects the binary type and runs the appropriate decompiler. You can also use natural language: "Reverse engineer this DLL", "Extract API calls from this .NET app", "Trace the login flow".

Manual scripts (PowerShell)

# Check dependencies
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/check-deps.ps1

# Install a missing dependency
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/install-dep.ps1 ghidra
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/install-dep.ps1 ilspycmd

# Decompile (auto-detect engine)
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/decompile.ps1 app.exe

# Decompile with specific engine
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/decompile.ps1 -Engine ilspy MyDotNetApp.dll

# Find API calls
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/find-api-calls.ps1 output/sources/
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/find-api-calls.ps1 output/sources/ -Network
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/find-api-calls.ps1 output/sources/ -Urls
powershell -ExecutionPolicy Bypass -File plugins/windows-reverse-engineering/skills/windows-reverse-engineering/scripts/find-api-calls.ps1 output/sources/ -Process

🤖 Android Reverse Engineering

Decompiles APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison)
Extracts and documents APIs: Retrofit endpoints, OkHttp calls, hardcoded URLs, auth headers and tokens
Traces call flows from Activities/Fragments through ViewModels and repositories down to HTTP calls
Analyzes app structure: manifest, packages, architecture patterns
Handles obfuscated code: strategies for navigating ProGuard/R8 output

Requirements

Required:

Java JDK 17+
jadx (CLI)

Optional (recommended):

Vineflower or Fernflower — better output on complex Java code
dex2jar — needed to use Fernflower on APK/DEX files

See plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md for detailed installation instructions.

Installation

From GitHub (recommended)

Inside Claude Code, run:

/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

The skill will be permanently available in all future sessions.

From a local clone

git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git

Then in Claude Code:

/plugin marketplace add /path/to/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

Usage

Slash command

/decompile path/to/app.apk

This runs the full workflow: dependency check, decompilation, and initial structure analysis.

Natural language

The skill activates on phrases like:

"Decompile this APK"
"Reverse engineer this Android app"
"Extract API endpoints from this app"
"Follow the call flow from LoginActivity"
"Analyze this AAR library"

Manual scripts

The scripts can also be used standalone:

# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh

# Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower

# Decompile APK with jadx (default)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk

# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk

# Decompile with Fernflower
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar

# Run both engines and compare
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk

# Find API calls
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofit
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls

Repository Structure

android-reverse-engineering-skill/
├── .claude-plugin/
│   └── marketplace.json                    # Marketplace catalog (both plugins)
├── plugins/
│   ├── android-reverse-engineering/        # Android plugin
│   │   ├── .claude-plugin/
│   │   │   └── plugin.json
│   │   ├── skills/
│   │   │   └── android-reverse-engineering/
│   │   │       ├── SKILL.md
│   │   │       ├── references/
│   │   │       │   ├── setup-guide.md
│   │   │       │   ├── jadx-usage.md
│   │   │       │   ├── fernflower-usage.md
│   │   │       │   ├── api-extraction-patterns.md
│   │   │       │   └── call-flow-analysis.md
│   │   │       └── scripts/
│   │   │           ├── check-deps.sh
│   │   │           ├── install-dep.sh
│   │   │           ├── decompile.sh
│   │   │           └── find-api-calls.sh
│   │   └── commands/
│   │       └── decompile.md
│   └── windows-reverse-engineering/        # Windows plugin (NEW)
│       ├── .claude-plugin/
│       │   └── plugin.json
│       ├── skills/
│       │   └── windows-reverse-engineering/
│       │       ├── SKILL.md                # Core workflow (5 phases)
│       │       ├── references/
│       │       │   ├── setup-guide.md
│       │       │   ├── ghidra-headless-usage.md
│       │       │   ├── ilspy-usage.md
│       │       │   ├── api-extraction-patterns.md
│       │       │   └── call-flow-analysis.md
│       │       └── scripts/
│       │           ├── check-deps.ps1
│       │           ├── install-dep.ps1
│       │           ├── decompile.ps1
│       │           ├── find-api-calls.ps1
│       │           └── ghidra-scripts/
│       │               └── ExportDecompiled.py
│       └── commands/
│           └── decompile.md
├── LICENSE
└── README.md

References

Android

Windows

Supported Agents

This skill works with all major AI coding agents. Use the universal installer to set up for your agent:

# Windows (PowerShell)
.\install.ps1                    # Interactive — choose your agent
.\install.ps1 -Agent cursor      # Install for Cursor
.\install.ps1 -Agent all         # Install for all agents
.\install.ps1 -List              # List supported agents
.\install.ps1 -CheckDeps         # Run dependency check

# Linux / macOS / WSL
./install.sh                     # Interactive
./install.sh --agent codex       # Install for Codex
./install.sh --agent all         # Install for all agents
./install.sh --list              # List supported agents

Agent	Config Files	Auto-Detection
Claude Code	`.claude-plugin/`	Plugin manifest + SKILL.md
OpenAI Codex	`AGENTS.md`	Reads from repo root
OpenCode	`AGENTS.md`	Reads from repo root
Cursor	`.cursor/rules/*.mdc`	Glob-matched + description-based
GitHub Copilot	`.github/instructions/*.instructions.md`	File-pattern matched
Cline	`.clinerules/*.md`	Auto-loaded into context
Windsurf	`.windsurf/rules/*.md`	Auto-loaded by Cascade
Roo Code	`.roo/rules/*.md`	Auto-loaded, alphabetical order
Aider	`.aider.conf.yml` → `AGENTS.md`	Loaded via `read:` config

Disclaimer

This plugin is provided strictly for lawful purposes, including but not limited to:

Security research and authorized penetration testing
Interoperability analysis permitted under applicable law (e.g., EU Directive 2009/24/EC, US DMCA §1201(f))
Malware analysis and incident response
Educational use and CTF competitions

You are solely responsible for ensuring that your use of this tool complies with all applicable laws, regulations, and terms of service. Unauthorized reverse engineering of software you do not own or do not have permission to analyze may violate intellectual property laws and computer fraud statutes in your jurisdiction.

The authors disclaim any liability for misuse of this tool.

License

Apache 2.0 — see LICENSE