2.2 KiB
2.2 KiB
Android Reverse Engineering
Decompile Android APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower. Extract Retrofit endpoints, OkHttp calls, hardcoded URLs, and authentication patterns.
Dependencies
Run the dependency checker before decompiling:
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh
Required: Java JDK 17+, jadx. Optional: Fernflower/Vineflower, dex2jar, apktool.
Install missing:
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh <dep>
Workflow
- Check deps:
check-deps.sh→ outputsINSTALL_REQUIRED:<dep>for missing tools - Decompile:
decompile.sh <file>with--engine jadx|fernflower|both,--deobf - Analyze: Review AndroidManifest.xml, package structure, architecture patterns
- Trace flows: Follow Activity → ViewModel → Repository → Retrofit/OkHttp → HTTP
- Extract APIs:
find-api-calls.sh <dir>with--retrofit,--okhttp,--urls,--auth
Script Locations
All scripts are at: plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/
check-deps.sh— verify dependenciesinstall-dep.sh— install a dependencydecompile.sh— main decompile wrapperfind-api-calls.sh— API call search
Reference Documentation
plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.mdplugins/android-reverse-engineering/skills/android-reverse-engineering/references/jadx-usage.mdplugins/android-reverse-engineering/skills/android-reverse-engineering/references/fernflower-usage.mdplugins/android-reverse-engineering/skills/android-reverse-engineering/references/api-extraction-patterns.mdplugins/android-reverse-engineering/skills/android-reverse-engineering/references/call-flow-analysis.md
Output Format
Document each API endpoint as:
### `METHOD /api/endpoint`
- **Source**: ClassName.java:42
- **Retrofit**: @POST("/api/endpoint")
- **Headers**: Authorization: Bearer {token}
- **Body**: { "key": "value" }
- **Called from**: Activity → ViewModel → Repository → ApiService