Claude Code技能：反编译Android文件并提取API，含功能、要求、安装及使用方法

Claude Code技能简介这是一项Claude Code技能能对Android APK/XAPK/JAR/AAR文件进行反编译还可提取应用使用的HTTP API像Retrofit端点、OkHttp调用、硬编码URL以及认证模式等让你在没有原始源代码的情况下也能记录和复现这些API。功能-文件反编译运用jadx和Fernflower/Vineflower可选择单一引擎或进行并排比较对APK、XAPK、JAR和AAR文件进行反编译。-API提取与记录提取并记录API例如Retrofit端点、OkHttp调用、硬编码URL、认证头和令牌。-调用流程追踪追踪从Activity/Fragment经ViewModel和仓库到HTTP调用的调用流程。-应用结构分析分析应用的清单文件、包结构和架构模式。-处理混淆代码提供处理ProGuard/R8输出混淆代码的策略。要求-必需项Java JDK 17及以上版本jadxCLI。-可选推荐Vineflower或Fernflower在处理复杂Java代码时输出效果更好dex2jar在APK/DEX文件上使用Fernflower时需要。详细安装说明请参考plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md。安装从GitHub安装推荐在Claude Code中运行以下命令/plugin marketplace add SimoneAvogadro/android-reverse-engineering-skill/plugin install android-reverse-engineeringandroid-reverse-engineering-skill安装后该技能将在未来所有会话中永久可用。从本地克隆安装git clone https://github.com/SimoneAvogadro/android-reverse-engineering-skill.git然后在Claude Code中运行/plugin marketplace add /path/to/android-reverse-engineering-skill/plugin install android-reverse-engineeringandroid-reverse-engineering-skill使用方法斜杠命令/decompile path/to/app.apk此命令将运行完整的工作流程包括依赖检查、反编译和初始结构分析。自然语言当输入类似以下短语时技能将自动激活“Decompile this APK”反编译此APK“Reverse engineer this Android app”逆向工程此Android应用“Extract API endpoints from this app”从此应用中提取API端点“Follow the call flow from LoginActivity”追踪LoginActivity的调用流程“Analyze this AAR library”分析此AAR库手动脚本脚本也可单独使用# 检查依赖bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh# 安装缺失的依赖自动检测操作系统和包管理器bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadxbash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower# 使用jadx反编译APK默认bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk# 反编译XAPK自动提取并反编译其中的每个APKbash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk# 使用Fernflower反编译bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar# 同时运行两个引擎并进行比较bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk# 查找API调用bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofitbash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls仓库结构android-reverse-engineering-skill/├── .claude-plugin/│ └── marketplace.json # 市场目录├── plugins/│ └── android-reverse-engineering/│ ├── .claude-plugin/│ │ └── plugin.json # 插件清单│ ├── skills/│ │ └── android-reverse-engineering/│ │ ├── SKILL.md # 核心工作流程5个阶段│ │ ├── references/│ │ │ ├── setup-guide.md│ │ │ ├── jadx-usage.md│ │ │ ├── fernflower-usage.md│ │ │ ├── api-extraction-patterns.md│ │ │ └── call-flow-analysis.md│ │ └── scripts/│ │ ├── check-deps.sh│ │ ├── install-dep.sh│ │ ├── decompile.sh│ │ └── find-api-calls.sh│ └── commands/│ └── decompile.md # /decompile斜杠命令├── LICENSE└── README.md参考资料jadxDex到Java的反编译器FernflowerJetBrains分析型反编译器VineflowerFernflower的社区分支dex2jarDEX到JAR转换器apktoolAndroid资源解码器免责声明本插件仅用于合法目的包括但不限于安全研究和授权的渗透测试适用法律允许的互操作性分析如欧盟指令2009/24/EC、美国DMCA §1201(f)恶意软件分析和事件响应教育用途和CTF竞赛。你需自行确保使用本工具符合所有适用的法律法规和服务条款。未经授权对自己不拥有或未获分析许可的软件进行逆向工程可能违反你所在司法管辖区的知识产权法和计算机欺诈法规。作者对本工具的不当使用不承担任何责任。许可证本项目采用Apache 2.0许可证详情见LICENSE文件。