Agent Skillszhaoxuya520/reverse-skill › competition-android-hooking

competition-android-hooking

GitHub

用于CTF沙箱中Android应用的动态分析技能,涵盖APK Hooking、Frida追踪、SSL证书固定绕过、JNI边界检查及签名逻辑恢复。需在沙箱环境建立后使用,通过静态分析与最小化Hook定位信任边界,重现合法请求以突破安全限制。

CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

用户要求对Android APK进行Hook或注入 需要绕过SSL Pinning或Root检测 分析JNI边界或Java原生接口调用 恢复应用请求签名逻辑或解密数据 检查SharedPreferences或本地数据库内容

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-android-hooking -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-android-hooking -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-android-hooking

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-android-hooking -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-android-hooking",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for Android APK hooking, Frida tracing, request-signing recovery, SSL pinning bypass, JNI boundary inspection, and app trust-boundary analysis. Use when the user asks to hook an APK, inspect signer logic, trace Java or native boundaries, bypass pinning or root checks, inspect shared prefs or app databases, or replay accepted mobile requests. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition Android Hooking

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive path runs through an Android app's live trust boundary rather than static strings alone.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Preserve the original APK, extracted resources, and decompiled output before patching or resigning.
  2. Start with manifest, exported components, deeplinks, native libs, prefs, local DBs, and bundled configs.
  3. Decide the narrowest runtime boundary to hook: signer, crypto helper, JNI bridge, WebView bridge, or request builder.
  4. Correlate static evidence and dynamic traces before claiming a trust edge is understood.
  5. Reproduce the signed request, accepted token, or gated branch from the smallest hook set.

Workflow

1. Static Triage Before Hooks

  • Map package structure, exported activities, services, receivers, providers, and deeplink handlers.
  • Note SSL pinning logic, root checks, feature flags, token storage, shared prefs, SQLite tables, and protobuf or RPC boundaries.
  • Identify whether the sensitive logic sits in Java, Kotlin, JNI, or a bundled WebView.

2. Hook The Narrowest Boundary

  • Prefer hooking request signers, crypto helpers, keystore access, protobuf encode or decode, or JNI marshaling instead of broad UI hooks.
  • Record plaintext inputs, signed strings, headers, nonces, and outputs at the boundary that actually changes trust.
  • If pinning or environment checks block progress, patch or hook only enough to expose the real request path.

3. Replay The Accepted Path

  • Rebuild the smallest sequence that reaches the accepted server-side branch: local state, nonce, request body, signature, and headers.
  • Keep hook logs, captured request shapes, and local storage paths tied to the same account or session state.
  • If the challenge becomes more about transform recovery than Android runtime, switch back to the broader crypto or mobile skill.

Read This Reference

  • Load references/android-hooking.md for hook targets, storage checklist, and evidence packaging.

What To Preserve

  • Hook points, class names, JNI symbols, signer inputs and outputs, and header names
  • Shared prefs, local DB rows, deeplinks, exported components, and token storage paths
  • The smallest replayable request or branch that proves the trust boundary

Version History

  • 1bec1f2 Current 2026-07-05 18:44

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md
CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md
CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
01ed954e
Indexed
2026-07-05 18:44

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 21:17
浙ICP备14020137号-1 $Гость$