commit iniziale

README.md

@@ -0,0 +1,141 @@
+# Android Reverse Engineering — Claude Code Plugin
+
+A Claude Code plugin for decompiling Android APK/XAPK/JAR/AAR files with jadx, tracing call flows through application code, and documenting extracted APIs.
+
+## What it does
+
+- **Decompiles** APK, XAPK, JAR, and AAR files using jadx and Fernflower/Vineflower (single engine or side-by-side comparison)
+- **Analyzes** app structure: manifest, packages, architecture patterns
+- **Traces call flows** from Activities/Fragments through ViewModels and repositories down to HTTP calls
+- **Extracts and documents APIs**: Retrofit endpoints, OkHttp calls, hardcoded URLs, auth patterns
+- **Handles obfuscated code**: strategies for navigating ProGuard/R8 output
+
+## Requirements
+
+**Required:**
+- Java JDK 17+
+- [jadx](https://github.com/skylot/jadx) (CLI)
+
+**Optional (recommended):**
+- [Vineflower](https://github.com/Vineflower/vineflower) or [Fernflower](https://github.com/JetBrains/fernflower) — better output on complex Java code
+- [dex2jar](https://github.com/pxb1988/dex2jar) — needed to use Fernflower on APK/DEX files
+
+See `plugins/android-reverse-engineering/skills/android-reverse-engineering/references/setup-guide.md` for detailed installation instructions.
+
+## Installation
+
+### From GitHub (recommended)
+
+Inside Claude Code, run:
+
+```
+/plugin marketplace add simonea/android-reverse-engineering-skill
+/plugin install android-reverse-engineering@android-reverse-engineering-skill
+```
+
+The plugin will be permanently available in all future sessions.
+
+### From a local clone
+
+```bash
+git clone https://github.com/simonea/android-reverse-engineering-skill.git
+```
+
+Then in Claude Code:
+
+```
+/plugin marketplace add /path/to/android-reverse-engineering-skill
+/plugin install android-reverse-engineering@android-reverse-engineering-skill
+```
+
+## Usage
+
+### Slash command
+
+```
+/decompile path/to/app.apk
+```
+
+This runs the full workflow: dependency check, decompilation, and initial structure analysis.
+
+### Natural language
+
+The skill activates on phrases like:
+
+- "Decompile this APK"
+- "Reverse engineer this Android app"
+- "Extract API endpoints from this app"
+- "Follow the call flow from LoginActivity"
+- "Analyze this AAR library"
+
+### Manual scripts
+
+The scripts can also be used standalone:
+
+```bash
+# Check dependencies
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/check-deps.sh
+
+# Install a missing dependency (auto-detects OS and package manager)
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh jadx
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/install-dep.sh vineflower
+
+# Decompile APK with jadx (default)
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app.apk
+
+# Decompile XAPK (auto-extracts and decompiles each APK inside)
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh app-bundle.xapk
+
+# Decompile with Fernflower
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine fernflower library.jar
+
+# Run both engines and compare
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/decompile.sh --engine both --deobf app.apk
+
+# Find API calls
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --retrofit
+bash plugins/android-reverse-engineering/skills/android-reverse-engineering/scripts/find-api-calls.sh output/sources/ --urls
+```
+
+## Repository Structure
+
+```
+android-reverse-engineering-skill/
+├── .claude-plugin/
+│   └── marketplace.json                    # Marketplace catalog
+├── plugins/
+│   └── android-reverse-engineering/
+│       ├── .claude-plugin/
+│       │   └── plugin.json                 # Plugin manifest
+│       ├── skills/
+│       │   └── android-reverse-engineering/
+│       │       ├── SKILL.md                # Core workflow (5 phases)
+│       │       ├── references/
+│       │       │   ├── setup-guide.md
+│       │       │   ├── jadx-usage.md
+│       │       │   ├── fernflower-usage.md
+│       │       │   ├── api-extraction-patterns.md
+│       │       │   └── call-flow-analysis.md
+│       │       └── scripts/
+│       │           ├── check-deps.sh
+│       │           ├── install-dep.sh
+│       │           ├── decompile.sh
+│       │           └── find-api-calls.sh
+│       └── commands/
+│           └── decompile.md                # /decompile slash command
+├── LICENSE
+└── README.md
+```
+
+## References
+
+- [jadx — Dex to Java decompiler](https://github.com/skylot/jadx)
+- [Fernflower — JetBrains analytical decompiler](https://github.com/JetBrains/fernflower)
+- [Vineflower — Fernflower community fork](https://github.com/Vineflower/vineflower)
+- [dex2jar — DEX to JAR converter](https://github.com/pxb1988/dex2jar)
+- [apktool — Android resource decoder](https://apktool.org/)
+
+## License
+
+Apache 2.0 — see [LICENSE](LICENSE)