USP

It uniquely combines multi-engine decompilation (jadx, Fernflower/Vineflower) with advanced API extraction, including authentication patterns, and the ability to trace call flows from UI to network, supporting Windows PowerShell.

Use cases

• 01Decompiling Android APKs and libraries
• 02Extracting HTTP API endpoints
• 03Tracing app call flows
• 04Android security research
• 05Malware analysis

Detected files (2)

• plugins/android-reverse-engineering/skills/android-reverse-engineering/SKILL.mdskill
  Show content (12074 bytes)

  ---
  description: Decompile Android APK, XAPK, JAR, and AAR files using jadx or Fernflower/Vineflower. Reverse engineer Android apps, extract HTTP API endpoints (Retrofit, OkHttp, Volley), and trace call flows from UI to network layer. Use when the user wants to decompile, analyze, or reverse engineer Android packages, find API endpoints, or follow call flows. 中文触发词：反编译APK、安卓逆向、提取API、分析安卓应用、反编译安卓、逆向工程、追踪调用链、提取接口
  trigger: decompile APK|decompile XAPK|reverse engineer Android|extract API|analyze Android|jadx|fernflower|vineflower|follow call flow|decompile JAR|decompile AAR|Android reverse engineering|find API endpoints|反编译APK|安卓逆向|提取API|分析安卓应用
  ---
  
  # Android Reverse Engineering
  
  Decompile Android APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower, trace call flows through application code and libraries, and produce structured documentation of extracted APIs. Two decompiler engines are supported — jadx for broad Android coverage and Fernflower for higher-quality output on complex Java code — and can be used together for comparison.
  
  ## Prerequisites
  
  This skill requires **Java JDK 17+** and **jadx** to be installed. **Fernflower/Vineflower** and **dex2jar** are optional but recommended for better decompilation quality. Run the dependency checker to verify:
  
  ```bash
  bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.sh
  ```
  
  On Windows (PowerShell):
  ```powershell
  & "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.ps1"
  ```
  
  If anything is missing, follow the installation instructions in `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/setup-guide.md`.
  
  ## Workflow
  
  ### Phase 1: Verify and Install Dependencies
  
  Before decompiling, confirm that the required tools are available — and install any that are missing.
  
  **Action**: Run the dependency check script.
  
  ```bash
  bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.sh
  ```
  
  On Windows (PowerShell):
  ```powershell
  & "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/check-deps.ps1"
  ```
  
  The output contains machine-readable lines:
  - `INSTALL_REQUIRED:<dep>` — must be installed before proceeding
  - `INSTALL_OPTIONAL:<dep>` — recommended but not blocking
  
  **If required dependencies are missing** (exit code 1), install them automatically:
  
  ```bash
  bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/install-dep.sh <dep>
  ```
  
  On Windows (PowerShell):
  ```powershell
  & "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/install-dep.ps1" <dep>
  ```
  
  The install script detects the OS and package manager, then:
  - Installs without sudo when possible (downloads to `~/.local/share/`, symlinks in `~/.local/bin/`)
  - Uses sudo and the system package manager when necessary (apt, dnf, pacman)
  - If sudo is needed but unavailable or the user declines, it prints the exact manual command and exits with code 2 — show these instructions to the user
  
  **Windows notes**: The PowerShell install script uses `winget`, `scoop`, or `choco` (in that order). If none are available, it downloads directly to `%USERPROFILE%\.local\share\` and adds the directory to the user's PATH. After running `install-dep.ps1`, the PATH is persisted but the current terminal session may not see it. The `check-deps.ps1` and `decompile.ps1` scripts automatically refresh PATH from the user environment, so re-running them will find newly installed tools without restarting the terminal.
  
  **For optional dependencies**, ask the user if they want to install them. Vineflower and dex2jar are recommended for best results.
  
  After installation, re-run `check-deps.sh` to confirm everything is in place. Do not proceed to Phase 2 until all required dependencies are OK.
  
  ### Phase 2: Decompile
  
  Use the decompile wrapper script to process the target file. The script supports three engines: `jadx`, `fernflower`, and `both`.
  
  **Action**: Choose the engine and run the decompile script. The script handles APK, XAPK, JAR, and AAR files.
  
  ```bash
  bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.sh [OPTIONS] <file>
  ```
  
  On Windows (PowerShell):
  ```powershell
  & "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/decompile.ps1" [OPTIONS] <file>
  ```
  
  For **XAPK** files (ZIP bundles containing multiple APKs, used by APKPure and similar stores): the script automatically extracts the archive, identifies all APK files inside (base + split APKs), and decompiles each one into a separate subdirectory. The XAPK manifest is copied to the output for reference.
  
  **Split/bundled APK detection**: Some APKs are actually bundle wrappers — the outer APK contains `base.apk` plus `split_config.*.apk` files inside its resources directory. When this happens, jadx will decompile the thin wrapper and produce very few Java files. The decompile scripts automatically detect this (≤10 Java files + inner APKs present) and re-decompile `base.apk` into an `<output>/base/` subdirectory. Config-only splits (ABI, language, density) are skipped. The main decompiled source will be in `<output>/base/sources/`.
  
  Options:
  - `-o <dir>` — Custom output directory (default: `<filename>-decompiled`)
  - `--deobf` — Enable deobfuscation (recommended for obfuscated apps)
  - `--no-res` — Skip resources, decompile code only (faster)
  - `--engine ENGINE` — `jadx` (default), `fernflower`, or `both`
  
  **Engine selection strategy**:
  
  | Situation | Engine |
  |---|---|
  | First pass on any APK | `jadx` (fastest, handles resources) |
  | JAR/AAR library analysis | `fernflower` (better Java output) |
  | jadx output has warnings/broken code | `both` (compare and pick best per class) |
  | Complex lambdas, generics, streams | `fernflower` |
  | Quick overview of a large APK | `jadx --no-res` |
  
  When using `--engine both`, the outputs go into `<output>/jadx/` and `<output>/fernflower/` respectively, with a comparison summary at the end showing file counts and jadx warning counts. Review classes with jadx warnings in the Fernflower output for better code.
  
  For APK files with Fernflower, the script automatically uses dex2jar as an intermediate step. dex2jar must be installed for this to work.
  
  See `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/jadx-usage.md` and `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/fernflower-usage.md` for the full CLI references.
  
  ### Phase 3: Analyze Structure
  
  Navigate the decompiled output to understand the app's architecture.
  
  **Actions**:
  
  1. **Read AndroidManifest.xml** from `<output>/resources/AndroidManifest.xml`:
     - Identify the main launcher Activity
     - List all Activities, Services, BroadcastReceivers, ContentProviders
     - Note permissions (especially `INTERNET`, `ACCESS_NETWORK_STATE`)
     - Find the application class (`android:name` on `<application>`)
  
  2. **Survey the package structure** under `<output>/sources/`:
     - Identify the main app package and sub-packages
     - Distinguish app code from third-party libraries
     - Look for packages named `api`, `network`, `data`, `repository`, `service`, `retrofit`, `http` — these are where API calls live
  
  3. **Identify the architecture pattern**:
     - MVP: look for `Presenter` classes
     - MVVM: look for `ViewModel` classes and `LiveData`/`StateFlow`
     - Clean Architecture: look for `domain`, `data`, `presentation` packages
     - This informs where to look for network calls in the next phases
  
  ### Phase 4: Trace Call Flows
  
  Follow execution paths from user-facing entry points down to network calls.
  
  **Actions**:
  
  1. **Start from entry points**: Read the main Activity or Application class identified in Phase 3.
  
  2. **Follow the initialization chain**: Application.onCreate() often sets up the HTTP client, base URL, and DI framework. Read this first.
  
  3. **Trace user actions**: From an Activity, follow:
     - `onCreate()` → view setup → click listeners
     - Click handler → ViewModel/Presenter method
     - ViewModel → Repository → API service interface
     - API service → actual HTTP call
  
  4. **Map DI bindings** (if Dagger/Hilt is used): Find `@Module` classes to understand which implementations are provided for which interfaces.
  
  5. **Handle obfuscated code**: When class names are mangled, use string literals and library API calls as anchors. Retrofit annotations and URL strings are never obfuscated.
  
  See `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/call-flow-analysis.md` for detailed techniques and grep commands.
  
  ### Phase 5: Extract and Document APIs
  
  Find all API endpoints and produce structured documentation.
  
  **Action**: Run the API search script for a broad sweep.
  
  ```bash
  bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/
  ```
  
  On Windows (PowerShell):
  ```powershell
  & "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.ps1" <output>/sources/
  ```
  
  Targeted searches:
  ```bash
  # Only Retrofit
  bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --retrofit
  
  # Only hardcoded URLs
  bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --urls
  
  # Only auth patterns
  bash ${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.sh <output>/sources/ --auth
  ```
  
  On Windows (PowerShell):
  ```powershell
  # Only Retrofit
  & "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.ps1" <output>/sources/ -Retrofit
  
  # Only hardcoded URLs
  & "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.ps1" <output>/sources/ -Urls
  
  # Only auth patterns
  & "${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/scripts/find-api-calls.ps1" <output>/sources/ -Auth
  ```
  
  Then, for each discovered endpoint, read the surrounding source code to extract:
  - HTTP method and path
  - Base URL
  - Path parameters, query parameters, request body
  - Headers (especially authentication)
  - Response type
  - Where it's called from (the call chain from Phase 4)
  
  **Document each endpoint** using this format:
  
  ```markdown
  ### `METHOD /path`
  
  - **Source**: `com.example.api.ApiService` (ApiService.java:42)
  - **Base URL**: `https://api.example.com/v1`
  - **Path params**: `id` (String)
  - **Query params**: `page` (int), `limit` (int)
  - **Headers**: `Authorization: Bearer <token>`
  - **Request body**: `{ "email": "string", "password": "string" }`
  - **Response**: `ApiResponse<User>`
  - **Called from**: `LoginActivity → LoginViewModel → UserRepository → ApiService`
  ```
  
  See `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/api-extraction-patterns.md` for library-specific search patterns and the full documentation template.
  
  ## Output
  
  At the end of the workflow, deliver:
  
  1. **Decompiled source** in the output directory
  2. **Architecture summary** — app structure, main packages, pattern used
  3. **API documentation** — all discovered endpoints in the format above
  4. **Call flow map** — key paths from UI to network (especially authentication and main features)
  
  ## References
  
  - `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/setup-guide.md` — Installing Java, jadx, Fernflower/Vineflower, dex2jar, and optional tools
  - `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/jadx-usage.md` — jadx CLI options and workflows
  - `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/fernflower-usage.md` — Fernflower/Vineflower CLI options, when to use, APK workflow
  - `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/api-extraction-patterns.md` — Library-specific search patterns and documentation template
  - `${CLAUDE_PLUGIN_ROOT}/skills/android-reverse-engineering/references/call-flow-analysis.md` — Techniques for tracing call flows in decompiled code
  

• .claude-plugin/marketplace.jsonmarketplace
  Show content (964 bytes)

  {
    "$schema": "https://anthropic.com/claude-code/marketplace.schema.json",
    "name": "android-reverse-engineering-skill",
    "description": "Claude Code plugins for Android reverse engineering",
    "owner": {
      "name": "Simone Avogadro"
    },
    "metadata": {
      "description": "Claude Code plugins for Android reverse engineering",
      "version": "1.1.0"
    },
    "plugins": [
      {
        "name": "android-reverse-engineering",
        "source": "./plugins/android-reverse-engineering",
        "description": "Decompile Android APK/JAR/AAR with jadx, trace call flows through libraries, and document extracted APIs.",
        "version": "1.1.0",
        "author": {
          "name": "Simone Avogadro"
        },
        "repository": "https://github.com/SimoneAvogadro/android-reverse-engineering-skill",
        "license": "Apache-2.0",
        "keywords": ["android", "reverse-engineering", "apk", "jadx", "decompile", "api-extraction"],
        "category": "security"
      }
    ]
  }
  

README

/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git

/plugin marketplace add /path/to/android-reverse-engineering-skill
/plugin install android-reverse-engineering@android-reverse-engineering-skill

/decompile path/to/app.apk

# Check dependencies
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh

# Install a missing dependency (auto-detects OS and package manager)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower

# Decompile APK with jadx (default)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk

# Decompile XAPK (auto-extracts and decompiles each APK inside)
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk

# Decompile with Fernflower
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar

# Run both engines and compare
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk

# Find API calls
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofit
bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls

android-reverse-engineering-skill/
├── .claude-plugin/
│   └── marketplace.json                    # Marketplace catalog
├── plugins/
│   └── android-reverse-engineering/
│       ├── .claude-plugin/
│       │   └── plugin.json                 # Plugin manifest
│       ├── skills/
│       │   └── android-reverse-engineering/
│       │       ├── SKILL.md                # Core workflow (5 phases)
│       │       ├── references/
│       │       │   ├── setup-guide.md
│       │       │   ├── jadx-usage.md
│       │       │   ├── fernflower-usage.md
│       │       │   ├── api-extraction-patterns.md
│       │       │   └── call-flow-analysis.md
│       │       └── scripts/
│       │           ├── check-deps.sh       # Bash
│       │           ├── check-deps.ps1      # PowerShell
│       │           ├── install-dep.sh
│       │           ├── install-dep.ps1
│       │           ├── decompile.sh
│       │           ├── decompile.ps1
│       │           ├── find-api-calls.sh
│       │           └── find-api-calls.ps1
│       └── commands/
│           └── decompile.md                # /decompile slash command
├── LICENSE
└── README.md