# AI Mobile Reverse Skills
## Overview
This is a six-phase orchestration skill for mobile security analysis. It dispatches, under one control flow, APK static reconnaissance, traffic-to-code alignment, SO/JNI deep analysis, combined encryption and vulnerability analysis, verification design, and report delivery. It supports the JADX MCP, Burp/Yakit MCP, and IDA/Ghidra MCP integrations.
## I. Applicable Scenarios
- Android APK static reverse engineering and security profiling
- Linked analysis of decompiled code, packet-capture results, and interface fields
- Locating JNI / SO / native encryption, signature, and risk-control logic
- Triage and closure of weak encryption, authentication/authorization, component security, JSBridge, sensitive-information, and similar risks
- Design of minimal verification schemes and POC templates for an authorized test environment
- Mobile penetration test reports and structured Findings delivery
## II. Architecture Design
The architecture consists of the following core modules:
- Root control `SKILL.md`: the scheduling center of the whole process. It is responsible for intent interception, returning the standard input template, routing tasks to the right phase, and enforcing the per-phase execution rules.
- Six-phase Agent set: a customized rule set covering the full life cycle of a mobile security analysis, from Phase 1 (APK static reconnaissance) to Phase 6 (security report summary).
- MCP phase access specification: defines how Jadx-MCP (static analysis), Burp/Yakit-MCP (traffic analysis), and Ghidra/IDA-MCP (native deep-dive) are connected and called in each phase.
- Local index scripts (Python probes): a toolset for high-coverage blind scanning, including interface extraction (`endpoint_extractor.py`), hard-coded secret scanning (`secret_scanner.py`), a JNI bridge index, and automatic convergence on and loading of the target SO.
- Unified structured output: standardized JSON and Markdown output ensures that the clues produced by one phase are automatically inherited and followed up by the next Agent.
```text
ai-mobile-reverse-skills/
├── SKILL.md # Control entrance: phase routing, input template, execution rules
├── README.md # User manual: process description, complete example, interaction method
├── agents/ # Six-phase Agent rule set
│ ├── agent-01-sample-recon.md # Phase 1: APK static reconnaissance
│ ├── agent-02-protocol-mapper.md # Phase 2: Traffic and code alignment
│ ├── agent-03-crypto-native-analyzer.md # Phase 3: SO / JNI in-depth analysis
│ ├── agent-04-crypto-vuln-analyzer.md # Phase 4: Weak encryption and high-risk vulnerability screening
│ ├── agent-05-validation-designer.md # Phase 5: Minimum verification POC design
│ └── agent-06-reporter.md # Phase 6: Security report summary
├── docs/ # Phase access and supplementary documents
│ └── MCP-INTEGRATION.md # MCP phase access specification
├── templates/ # Report and reproduction template
│ ├── mobile-reverse-report-template.md # Mobile security report template
│ └── repro-steps-template.md # Reproduction steps template
├── tools/ # Supporting tools and template resources
│ ├── frida/ # Frida-related templates
│ │ ├── README.md # Frida template description
│ │ └── android_phase1_bypass.js # Phase 1 runtime preparation / observation template
│ ├── poc_templates/ # POC / verification template
│ │ ├── README.md # POC template description
│ │ ├── CASE_README.md.tmpl # Single vulnerability verification description template
│ │ ├── frida_runtime_observe.js.tmpl # Frida runtime observation template
│ │ └── python_http_validation.py.tmpl # HTTP verification script template
│ └── scripts/ # Local index script
│ ├── README.md # Script description and sample schema
│ ├── endpoint_extractor.py # Interface / URL / field clue extraction
│ ├── env_guard_indexer.py # Root / proxy / Frida / SSL Pinning clue extraction
│ ├── native_bridge_indexer.py # JNI / JSBridge / native crypto clue extraction
│ ├── secret_scanner.py # Hard-coded key / Token / certificate / cloud credential scanning
│ ├── resolve_native_target.py # Automatic convergence of phase 3 priority analysis of SO targets
│ └── ghidra_target_loader.py # Automatic import of target SO to Ghidra project
```
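As an added illustration of what the local index scripts produce (example code written for this page, not the repository's `endpoint_extractor.py`, `secret_scanner.py`, `env_guard_indexer.py` or `native_bridge_indexer.py`), the block below walks a decompiled directory with one set of heuristic regexes per clue category and writes one JSON file per category, which is the hand-off shape the phase design relies on. The regexes, the scanned file extensions, the output file names and the two sample Java files are this example's own assumptions; the sample files are constructed so the script runs offline.

```python
"""Illustrative Phase 1 indexer (example code, not the repository's own scripts).

Walks a decompiled directory, records endpoint, secret, environment-guard and
JNI-bridge clues with file and line, and writes one JSON file per category.
Assumed layout: Java/smali/resource files under target_dir.
"""
import json
import os
import re
import tempfile
from collections import defaultdict

# Heuristic patterns per clue category (an assumption of this example, tuned
# for decompiled Java/smali text rather than a formal grammar).
PATTERNS = {
    "endpoints": [
        (re.compile(r'https?://[A-Za-z0-9._\-]+(?:/[A-Za-z0-9._\-/?=&%]*)?'), "url"),
        (re.compile(r'"(/(?:api|v\d+|gateway)/[A-Za-z0-9._\-/]*)"'), "path"),
    ],
    "secrets": [
        (re.compile(r'\bAKIA[0-9A-Z]{16}\b'), "aws_access_key_id"),
        (re.compile(r'-----BEGIN (?:RSA |EC )?PRIVATE KEY-----'), "private_key_pem"),
        (re.compile(r'(?i)(?:api[_-]?key|secret|token)\s*=\s*"([A-Za-z0-9_\-]{16,})"'),
         "assigned_credential"),
    ],
    "env_guard": [
        (re.compile(r'/system/(?:x)?bin/su|test-keys|Superuser\.apk'), "root_check"),
        (re.compile(r'\bfrida\b|27042|re\.frida\.server'), "frida_check"),
        (re.compile(r'CertificatePinner|checkServerTrusted|TrustManager'), "ssl_pinning"),
        (re.compile(r'http\.proxyHost|ProxyInfo|getDefaultProxy'), "proxy_check"),
    ],
    "native_bridge": [
        (re.compile(r'System\.loadLibrary\("([A-Za-z0-9_\-]+)"\)'), "load_library"),
        (re.compile(r'\bpublic\s+(?:static\s+)?native\s+[\w<>\[\]]+\s+(\w+)\s*\('), "jni_method"),
        (re.compile(r'addJavascriptInterface\('), "jsbridge"),
    ],
}
SCAN_EXT = (".java", ".smali", ".xml", ".kt", ".json", ".properties")


def index_directory(target_dir):
    """Return {category: [{file, line, kind, match}, ...]} for every hit."""
    report = defaultdict(list)
    for root, _dirs, files in os.walk(target_dir):
        for name in sorted(files):
            if not name.endswith(SCAN_EXT):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, target_dir)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for category, rules in PATTERNS.items():
                        for regex, kind in rules:
                            for m in regex.finditer(line):
                                # Keep the capture group when the pattern has one, so
                                # the clue is the value itself, not the surrounding code.
                                value = m.group(1) if m.groups() else m.group(0)
                                report[category].append(
                                    {"file": rel, "line": lineno, "kind": kind, "match": value})
    return dict(report)


def write_reports(report, output_dir):
    """Emit one JSON file per category so a later phase can consume it."""
    os.makedirs(output_dir, exist_ok=True)
    written = {}
    for category, hits in report.items():
        out = os.path.join(output_dir, f"{category}.json")
        with open(out, "w", encoding="utf-8") as fh:
            json.dump(hits, fh, indent=2)
        written[category] = out
    return written


# Constructed sample: two decompiled-looking files so the block runs offline.
SAMPLE_FILES = {
    "com/example/net/ApiClient.java": (
        "package com.example.net;\n"
        "public class ApiClient {\n"
        '    static final String BASE = "https://api.example.com/v1/";\n'
        '    static final String LOGIN = "/api/user/login";\n'
        '    static final String API_KEY = "sk_live_0123456789abcdefXYZ";\n'
        '    static { System.loadLibrary("signcore"); }\n'
        "    public static native String sign(String body, long ts);\n"
        "}\n"
    ),
    "com/example/guard/EnvGuard.java": (
        "package com.example.guard;\n"
        "public class EnvGuard {\n"
        '    boolean rooted() { return new java.io.File("/system/bin/su").exists(); }\n'
        "    boolean hooked() { return checkPort(27042); }\n"
        "    void pin() { new okhttp3.CertificatePinner.Builder(); }\n"
        "}\n"
    ),
}


def build_sample_dir():
    """Materialise SAMPLE_FILES in a temporary directory and return its path."""
    base = tempfile.mkdtemp(prefix="decompiled_")
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


if __name__ == "__main__":
    target = build_sample_dir()
    result = index_directory(target)
    print(json.dumps(result, indent=2))
    print(write_reports(result, os.path.join(target, "analysis_runs", "current_run")))
```

Run it as-is to see the four categories; point `index_directory` at a real `target_dir` to index an actual decompiled tree. The `native_bridge` hits (`signcore`, `sign`) are exactly the clues a Phase 3 target-convergence step would start from, and `env_guard` hits tell you which checks a runtime-preparation script must handle before packet capture works.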

## III. How to Use This Repository
The core entry point of this repository is:
- `ai-mobile-reverse-skills/SKILL.md`
To use it as a Skill package, place `ai-mobile-reverse-skills/` in a Codex / AI Skill search directory that recognizes `SKILL.md`, or let Codex read `SKILL.md` directly from the current workspace. The phase documents, scripts, and templates inside all reference paths relative to `ai-mobile-reverse-skills/`.
If you only want to understand the process, read `ai-mobile-reverse-skills/USER-README.md` first; to execute the complete phase rules, follow `ai-mobile-reverse-skills/SKILL.md` and the six Agent documents under `agents/`.
## IV. Phase Process Description
| Phase | Agent | Goal | Main Output |
|---|---|---|---|
| Phase 1 | SampleRecon | APK static reconnaissance: tech-stack identification, environment-detection logic, sensitive entry points, and a first screening of SO clues | `file_inventory.json`, `tech_stack.json`, `entrypoints.json`, `env_guard_report.json` |
| Phase 2 | ProtocolMapper | Align captured requests, interface fields, and signature parameters with their code implementation | `api_endpoints.json`, `protocol_map.json`, `traffic_alignment.json` |
| Phase 3 | CryptoNativeAnalyzer | Analyze JNI / SO / native encryption and signature logic starting from the Phase 2 clues | `crypto_native_analysis.json`, `jni_analysis.json` |
| Phase 4 | CryptoVulnAnalyzer | Consolidate the evidence gathered so far and close out weak encryption and high-risk vulnerabilities | `vuln_analysis.json`, `risk_matrix.json`, `secrets_report.json`, `jsbridge_analysis.json` |
| Phase 5 | ValidationDesigner | Design a minimal verification scheme and POC templates for an authorized environment | `validation_cases.json`, `test_plan.md`, `repro_steps.md` |
| Phase 6 | Reporter | Summarize Phases 1-5 into a delivery report and Findings | `security_report.md`, `findings.json` |
All modes start from Phase 1; the automatic chain never skips the first phase.
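An added example of the Phase 2 alignment step (written for this page; it is not the repository's `agent-02-protocol-mapper.md` rule set or its MCP integration). It parses one captured HTTP request, lists its query, body and custom-header fields, and maps each field to the decompiled source lines that mention it as a string literal, recording the enclosing class and method. Fields that no Java/Kotlin line references are reported as unresolved, which is the clue Phase 3 picks up (a parameter that only native code produces). The capture, the two source files, the header allow-list and the signature regex are this example's own constructed assumptions.

```python
"""Illustrative Phase 2 aligner (example code, not the repository's agent-02 logic).

Maps every request field from a captured HTTP request to the decompiled
source lines that reference it, with the enclosing class and method.
Capture and sources below are constructed so the block runs offline.
"""
import os
import re
import tempfile
from urllib.parse import parse_qsl, urlsplit

# Headers the HTTP client library sets on its own; everything else is treated
# as protocol-relevant (an assumption of this example).
STANDARD_HEADERS = {"host", "content-type", "content-length", "user-agent",
                    "accept", "accept-encoding", "connection"}
CLASS_RE = re.compile(r"\b(?:class|interface)\s+(\w+)")
# One-line Java method signature; control keywords that also precede '(' are excluded.
METHOD_RE = re.compile(
    r"^\s*(?!(?:if|for|while|switch|catch|else|return)\b)"
    r"(?:(?:public|private|protected|static|final|synchronized)\s+)*"
    r"[\w<>\[\], ]+?\s+(\w+)\s*\([^)]*\)\s*\{"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path and a list of fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip()] = value.strip()
    url = urlsplit(target)
    fields = [{"field": k, "source": "query", "value": v}
              for k, v in parse_qsl(url.query, keep_blank_values=True)]
    fields += [{"field": k, "source": "header", "value": v}
               for k, v in headers.items() if k.lower() not in STANDARD_HEADERS]
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        fields += [{"field": k, "source": "body", "value": v}
                   for k, v in parse_qsl(body, keep_blank_values=True)]
    return {"method": method, "path": url.path, "fields": fields}


def find_code_refs(target_dir, field_names):
    """Map each field name to the source lines that contain it as a "literal"."""
    refs = {name: [] for name in field_names}
    for root, _dirs, files in os.walk(target_dir):
        for name in sorted(files):
            if not name.endswith((".java", ".kt")):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, target_dir)
            cls, method = "?", "?"  # last class/method signature seen in this file
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if m := CLASS_RE.search(line):
                        cls = m.group(1)
                    if m := METHOD_RE.match(line):
                        method = m.group(1)
                    for fname in field_names:
                        if f'"{fname}"' in line:
                            refs[fname].append({"file": rel, "line": lineno,
                                                "location": f"{cls}.{method}"})
    return refs


def align(raw_request, target_dir):
    """Produce a protocol_map-style record: every field with its code references."""
    req = parse_request(raw_request)
    refs = find_code_refs(target_dir, [f["field"] for f in req["fields"]])
    for f in req["fields"]:
        f["code_refs"] = refs[f["field"]]
    return req


def unresolved_fields(protocol_map):
    """Fields no Java/Kotlin line references: candidates for native (Phase 3) analysis."""
    return [f["field"] for f in protocol_map["fields"] if not f["code_refs"]]


# Constructed capture and sources.
CAPTURE = (
    "POST /api/user/login?ts=1714000000&nonce=a1b2c3d4 HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "X-Sign: 9d3b6c2e1f0a4b5c\r\n"
    "\r\n"
    "username=alice&password=s3cret&device_id=emu-0001"
)
SOURCES = {
    "com/example/net/LoginRequest.java": (
        "package com.example.net;\n"
        "public class LoginRequest {\n"
        "    public Map<String, String> build(String user, String pass) {\n"
        "        Map<String, String> form = new HashMap<>();\n"
        '        form.put("username", user);\n'
        '        form.put("password", pass);\n'
        '        form.put("device_id", DeviceInfo.id());\n'
        "        return form;\n"
        "    }\n"
        "}\n"
    ),
    "com/example/net/SignInterceptor.java": (
        "package com.example.net;\n"
        "public class SignInterceptor {\n"
        "    public Request sign(Request req, String body) {\n"
        "        long ts = System.currentTimeMillis() / 1000;\n"
        '        HttpUrl url = req.url().newBuilder().addQueryParameter("ts", String.valueOf(ts)).build();\n'
        "        String sig = NativeSigner.sign(body, ts);\n"
        '        return req.newBuilder().url(url).addHeader("X-Sign", sig).build();\n'
        "    }\n"
        "}\n"
    ),
}


def build_sample_dir():
    base = tempfile.mkdtemp(prefix="decompiled_")
    for rel, text in SOURCES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base


if __name__ == "__main__":
    pmap = align(CAPTURE, build_sample_dir())
    for f in pmap["fields"]:
        print(f["source"], f["field"], [r["location"] for r in f["code_refs"]])
    print("unresolved:", unresolved_fields(pmap))
```

In the constructed sample, `X-Sign` and `ts` resolve to `SignInterceptor.sign`, the form fields resolve to `LoginRequest.build`, and `nonce` has no Java reference at all, so it is the first thing to look for in the SO that `NativeSigner` loads. With a real Burp/Yakit export, feed each request through `parse_request` and point `align` at the Jadx output directory.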

## V. MCP Access Description
MCP is a tool-context entry point; it does not replace the judgment each phase has to make. This skill uses the following MCPs.
| MCP | Main Purpose | Typical Phase |
|---|---|---|
| `jadx-mcp` | Read classes, methods, resources, strings, and call clues from the sample currently open in Jadx | Phase 1, Phase 4 |
| Burp MCP / Yakit MCP | Read captured requests, headers, bodies, response summaries, and interface context | Phase 2, Phase 5 |
| `ida-mcp` / `ghidra-mcp` | Analyze SO files, JNI, pseudocode, cross-references, and native encryption logic | Phase 3 |

Complete specifications see:
- `ai-mobile-reverse-skills/docs/MCP-INTEGRATION.md`
## VI. Running Mode
### 6.1 Step-by-Step
Suitable when every step needs manual review and the analysis focus is adjusted as you go.
```text
run_mode: step_by_step
```
Characteristics:
- Each phase ends with a default pause
- Manual confirmation of current phase results before entering the next phase
- Suitable for complex samples, unstable packet capture preconditions, and projects that require step-by-step judgment
### 6.2 Automatic Chain
Suitable when the preliminary materials are complete and the chain should advance to the report without stopping.
```text
run_mode: auto_chain
auto_chain_mode: A/B/C
```
| Mode | Automation Range | Suitable Situation |
|---|---|---|
| A | Phase 1 confirmed manually, Phases 2-6 advance automatically | Proxy, packet capture, MCP connections, and similar prerequisites are completed manually after Phase 1 |
| B | Phases 1-3 confirmed manually, Phases 4-6 advance automatically | Deep manual investigation up front; vulnerability closure, verification, and reporting are automated |
| C | Phases 1-6 advance automatically as far as possible | Decompiled directory, packet capture, MCP connections, and native analysis materials are all prepared before starting |
When a critical precondition is missing (no packet-capture results, no `ghidra_root`, no output from the previous phase, and so on), the automatic chain pauses at the earliest blocked phase.
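To make the pause rule concrete, here is an added dry-run model of the auto-chain gate (example code for this page; the real routing lives in `SKILL.md` and is not reproduced here). Each phase declares the inputs it needs, either artefacts in `output_dir` or keys in the run config. The walk always starts at Phase 1, treats a phase that passes its gate as having produced the outputs listed in the phase table, and stops at the first phase that is blocked or that the selected `auto_chain_mode` reserves for manual confirmation. The artefact names come from the phase table above; the capture file name `traffic/capture.json`, the per-phase input lists and the config keys are this example's assumptions.

```python
"""Illustrative auto_chain gate (example code, not the skill's own SKILL.md routing).

Dry-runs Phases 1..6 against a run directory and config and reports where the
chain stops: 'blocked' (an input is missing), 'manual_confirmation' (the mode
requires a human to sign off this phase), or 'complete'.
"""
import os
import tempfile

PHASE_NAMES = {1: "SampleRecon", 2: "ProtocolMapper", 3: "CryptoNativeAnalyzer",
               4: "CryptoVulnAnalyzer", 5: "ValidationDesigner", 6: "Reporter"}

# Outputs each phase produces (from the phase table); a later phase's inputs
# are satisfied either by these or by files already present in output_dir.
PHASE_OUTPUTS = {
    1: ["file_inventory.json", "tech_stack.json", "entrypoints.json", "env_guard_report.json"],
    2: ["api_endpoints.json", "protocol_map.json", "traffic_alignment.json"],
    3: ["crypto_native_analysis.json", "jni_analysis.json"],
    4: ["vuln_analysis.json", "risk_matrix.json", "secrets_report.json", "jsbridge_analysis.json"],
    5: ["validation_cases.json", "test_plan.md", "repro_steps.md"],
    6: ["security_report.md", "findings.json"],
}
# Inputs each phase needs before it may run (this example's assumption).
# 'files' are paths under output_dir, 'config' are keys in the run config.
PHASE_INPUTS = {
    1: {"files": [], "config": ["target_dir"]},
    2: {"files": ["entrypoints.json", "traffic/capture.json"], "config": []},
    3: {"files": ["protocol_map.json"], "config": ["ghidra_root"]},
    4: {"files": ["crypto_native_analysis.json", "traffic_alignment.json"], "config": []},
    5: {"files": ["vuln_analysis.json", "risk_matrix.json"], "config": []},
    6: {"files": ["validation_cases.json"], "config": []},
}
# auto_chain_mode -> phases whose result a human must confirm before continuing.
MANUAL_PHASES = {"A": {1}, "B": {1, 2, 3}, "C": set()}


def missing_inputs(phase, output_dir, config, produced):
    """Inputs of `phase` that neither exist on disk nor were produced earlier in this run."""
    req = PHASE_INPUTS[phase]
    missing = [f for f in req["files"]
               if f not in produced and not os.path.isfile(os.path.join(output_dir, f))]
    missing += [f"config:{k}" for k in req["config"] if not config.get(k)]
    return missing


def drive_chain(output_dir, config, mode, confirmed=frozenset()):
    """Walk Phase 1..6 and report the phase at which the chain stops and why."""
    if mode not in MANUAL_PHASES:
        raise ValueError(f"unknown auto_chain_mode {mode!r}")
    produced, passed = set(), []
    for phase in range(1, 7):  # all modes start from Phase 1; it is never skipped
        missing = missing_inputs(phase, output_dir, config, produced)
        if missing:
            return {"stop_phase": phase, "agent": PHASE_NAMES[phase],
                    "reason": "blocked", "missing": missing, "passed": passed}
        passed.append(phase)
        produced.update(PHASE_OUTPUTS[phase])  # dry run: this phase's outputs now exist
        if phase in MANUAL_PHASES[mode] and phase not in confirmed:
            return {"stop_phase": phase, "agent": PHASE_NAMES[phase],
                    "reason": "manual_confirmation", "missing": [], "passed": passed}
    return {"stop_phase": None, "agent": None, "reason": "complete",
            "missing": [], "passed": passed}


def make_run_dir(existing_files):
    """Constructed run directory containing only the named (empty) artefacts."""
    base = tempfile.mkdtemp(prefix="analysis_run_")
    for rel in existing_files:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base


if __name__ == "__main__":
    cfg = {"target_dir": "sample_target/decompiled"}        # no ghidra_root yet
    with_capture = make_run_dir(["traffic/capture.json"])
    print(drive_chain(with_capture, cfg, "C"))                 # blocked at Phase 3
    print(drive_chain(with_capture, cfg, "A"))                 # pauses after Phase 1
    print(drive_chain(make_run_dir([]), cfg, "C"))             # blocked at Phase 2
    print(drive_chain(with_capture, {**cfg, "ghidra_root": "/opt/ghidra"}, "C"))  # complete
```

The output shows the three situations the README names: with a capture but no `ghidra_root` the chain stops at Phase 3, without a capture it stops at Phase 2, and mode A stops after Phase 1 until that phase is confirmed. Adding the missing item and re-running resumes from the same point because earlier phases' outputs are then already on disk.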
## VII. Quick Start
A two-stage start is recommended: select the run mode first, then provide the first-phase input.
### 7.1 Select Mode
Manual step-by-step execution:
```text
run_mode: step_by_step
```
Or choose automatic chain:
```text
run_mode: auto_chain
auto_chain_mode: B
```
### 7.2 Provide First-Phase Input
Analyze local decompiled directory:
```text
step: 1
analysis_mode: local_source
target_dir: sample_target/decompiled
output_dir: analysis_runs/current_run
jadx_mcp: no
```
Use current Jadx MCP session:
```text
step: 1
analysis_mode: jadx_mcp_session
output_dir: analysis_runs/current_run
jadx_mcp: yes
```
Field description:
- `analysis_mode`: `local_source` analyzes a local decompiled/unpacked directory; `jadx_mcp_session` uses the Jadx MCP session that is already open
- `target_dir`: main decompiled directory to analyze; not required when using the Jadx MCP session
- `output_dir`: unified output directory; subsequent phases inherit it by default
- `jadx_mcp`: whether `jadx-mcp` is connected
## VIII. Update Description
### 2026/4/23
Initial release
### 2026/5/20
- Added `ai_summarizer.py`: automatically generates a compressed summary after the four index scripts have run, reducing AI token consumption
- Added `sign_rebuilder.py`: supports 17 algorithms and pipelined chain combinations, so Phase 5 can directly generate sign-reproduction requests
- `ghidra_target_loader.py` now supports macOS and Windows; users must fill in `ghidra_root` in advance