gda-analyze
- Repo stars 4,750
- License Apache-2.0
- Author updated Live
- Author repo GDA-android-reversing-Tool
- Domain
- Other
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 94 / 100 · audit passed
- Author / version / license
- @charles2gan · Apache-2.0
- Token usage
- Lean
- Setup complexity
- Plug-and-play
- External API key
- Not required
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- Python
- Permissions
-
- Read-only
- Write / modify
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: gda-analyze
description: Android APK analysis using GDA.exe. AI drives analysis by tracing code paths, extracting IOCs (i…
category: other
runtime: Python
---
# gda-analyze output preview
## PART A: Task fit
- Use case: Android APK analysis using GDA.exe. AI drives analysis by tracing code paths, extracting IOCs (including encrypted), and producing structured malware reports. This skill performs malware analysis on Android APKs using GDA.exe. The workflow is: Recon -> Trace -> Extract -> Decrypt -> Report. runs entirely locally; runs on Python. Works with Claude Code, Cu….
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Overview / Analysis Workflow / Phase 1: Recon” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Android APK analysis using GDA.exe. AI drives analysis by tracing code paths, extracting IOCs (including encrypted), and producing structured malware reports. This skill performs malware analysis on Android APKs using GDA.exe. The workflow is: Recon -> Trace -> Extract -> Decrypt -> Report. runs entirely locally; runs on Python. Works with Claude Code, Cu…”.
- **02** When the source has headings, the agent prioritizes “Overview / Analysis Workflow / Phase 1: Recon” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files.
Start with a small task and check whether the result follows “Overview / Analysis Workflow / Phase 1: Recon”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: gda-analyze
description: Android APK analysis using GDA.exe. AI drives analysis by tracing code paths, extracting IOCs (i…
category: other
source: charles2gan/GDA-android-reversing-Tool
---
# gda-analyze
## When to use
- Android APK analysis using GDA.exe. AI drives analysis by tracing code paths, extracting IOCs (including encrypted), a…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Overview / Analysis Workflow / Phase 1: Recon” and keep inference separate from source facts.
- read files, write/modify files; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "gda-analyze" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Overview / Analysis Workflow / Phase 1: Recon
rules -> SKILL.md triggers / order / output contract
runtime -> Python | read files, write/modify files | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Overview
This skill performs malware analysis on Android APKs using GDA.exe. The workflow is: Recon -> Trace -> Extract -> Decrypt -> Report.
GDA.exe Path: GDA_EXE="${CLAUDE_SKILL_DIR}/bin/gda.exe"
Analysis Workflow
Phase 1: Recon
python gda_analyze.py sample.apk binfo
python gda_analyze.py sample.apk permission
python gda_analyze.py sample.apk axml
Phase 2: Trace
# 1. Attack surface - exported components
python gda_analyze.py sample.apk attsf
# 2. Malware scan - automated detection
python gda_analyze.py sample.apk malscan
# 3. Trace suspicious components
python gda_analyze.py sample.apk "listm com.suspicious.Class"
python gda_analyze.py sample.apk "dec -c com.suspicious.Class"
python gda_analyze.py sample.apk "xref -c com.suspicious.Class"
python gda_analyze.py sample.apk "dasm method@xxxxx"
Phase 3: Extract
# Network IOCs
python gda_analyze.py sample.apk sensinf
python gda_analyze.py sample.apk "find -s http"
python gda_analyze.py sample.apk "find -s 192"
python gda_analyze.py sample.apk "find -s socket"
python gda_analyze.py sample.apk uri
# Encryption strings
python gda_analyze.py sample.apk "find -s Base64"
python gda_analyze.py sample.apk "find -s DES"
python gda_analyze.py sample.apk "find -s AES"
python gda_analyze.py sample.apk "find -s RC4"
Phase 4: Decrypt
# Find encryption-related method calls
python gda_analyze.py sample.apk "find -m getInstance"
python gda_analyze.py sample.apk "find -m doFinal"
python gda_analyze.py sample.apk "find -m SecretKeySpec"
python gda_analyze.py sample.apk "find -m IvParameterSpec"
# Trace encryption class
python gda_analyze.py sample.apk "dec -c com.malware.CryptoClass"
# Find key storage
python gda_analyze.py sample.apk "find -s SharedPreferences"
python gda_analyze.py sample.apk "find -s getString"
# If key found, generate Python decrypt script
Malware Analysis Report Template
# [APK Name] - Malware Analysis Report
## 1. Sample Overview
| Attribute | Value |
|-----------|-------|
| Package Name | from binfo |
| File Size | from binfo |
| MD5 | from binfo |
| SHA256 | from binfo |
| DEX Info | class count, method count from binfo |
## 2. Plaintext IOCs
- C2 Addresses: [from sensinf/find -s]
- URLs: [from find -s http]
- IPs: [from find -s 192]
- Paths: [from uri]
## 3. Encrypted IOCs & Decryption
| IOC Type | Cipher | Mode | Key Source | Encrypted Value |
|----------|--------|------|------------|----------------|
| C2 URL | AES | CBC | hardcoded | [base64] |
### Decryption Script
```python
#!/usr/bin/env python3
"""Decrypt [IOC type] from [APK Name]"""
from Crypto.Cipher import AES
import base64
# Key: [extracted as hex or base64]
key = b'[16-byte key]'
# IV: [extracted or None for ECB]
iv = b'[16-byte iv]' # or None
cipher = AES.new(key, AES.MODE_CBC, iv)
encrypted = base64.b64decode('[encrypted]')
decrypted = cipher.decrypt(encrypted)
print(decrypted.decode(errors='replace').rstrip('\x00'))
4. Suspicious Components
| Component | Class Index | Key Methods | Risk |
|---|---|---|---|
| [name] | class@xxxxx | method@xxxxx | High |
5. Code Analysis
[Component Name]
- File: com/package/ClassName.class
- Evidence: [relevant code snippet from dec]
- Call Chain: [xref results]
6. Persistence Mechanism
- Boot: [receiver/service for BOOT_COMPLETED]
- Service: [from axml]
- Anti: [from code analysis]
7. Conclusion
Threat Type: [Trojan/Spyware/Adware/etc] Risk Level: [Critical/High/Medium/Low]
---
## Command Reference
### Recon Commands (Phase 1)
| Command | Purpose |
|---------|---------|
| `binfo` | File hashes, size, package, DEX info |
| `permission` | All permissions |
| `axml` | AndroidManifest.xml |
### Trace Commands (Phase 2)
| Command | Usage | Purpose |
|---------|-------|---------|
| `attsf` | `attsf` | Exported components - attack entry points |
| `malscan` | `malscan` | Malicious pattern detection |
| `listm` | `listm com.example.Class` | List methods in class |
| `dec` | `dec -c com.example.Class` | Decompile class |
| `xref` | `xref -c ClassName` | Find class references |
| `dasm` | `dasm method@xxxxx` | Disassemble method |
| `native` | `native` | Native methods |
### IOC Extract Commands (Phase 3)
| Command | Usage | Purpose |
|---------|-------|---------|
| `sensinf` | `sensinf` | API keys, passwords, tokens |
| `find -s` | `find -s pattern` | Search strings |
| `uri` | `uri` | File paths, content URIs |
| `api` | `api` | Sensitive API calls |
### Decrypt Commands (Phase 4)
| Command | Usage | Purpose |
|---------|-------|---------|
| `find -m` | `find -m methodName` | Find method calls |
| `find -s` | `find -s CryptoClass` | Find crypto classes |
| `dec` | `dec -c CryptoClass` | Analyze crypto implementation |
| `xref` | `xref -m methodName` | Trace method usage |
---
## Encryption Analysis Guide
### Step 1: Identify Encryption
Search strings:
```bash
python gda_analyze.py sample.apk "find -s Base64"
python gda_analyze.py sample.apk "find -s AES"
python gda_analyze.py sample.apk "find -s DES"
python gda_analyze.py sample.apk "find -s RC4"
Search methods:
python gda_analyze.py sample.apk "find -m getInstance"
python gda_analyze.py sample.apk "find -m doFinal"
python gda_analyze.py sample.apk "find -m SecretKeySpec"
python gda_analyze.py sample.apk "find -m IvParameterSpec"
Step 2: Trace Encryption Flow
# Find encryption utility class
python gda_analyze.py sample.apk "dec -c com.malware.CryptoUtil"
# Trace key/IV extraction
python gda_analyze.py sample.apk "find -s getBytes"
python gda_analyze.py sample.apk "find -s SharedPreferences"
Step 3: Extract Parameters
From decompiled code, identify:
- Algorithm: AES/DES/RC4 (from
Cipher.getInstance) - Mode: ECB/CBC/GCM (from
Cipher.getInstancestring) - Key: hardcoded string, byte array, or SharedPreferences
- IV: hardcoded or derived
- Padding: PKCS5/PKCS7/NoPadding
Example Cipher.getInstance string pattern:
"Cipher.getInstance(\"AES/CBC/PKCS5Padding\")"
Step 4: Generate Decrypt Script
from Crypto.Cipher import AES
import base64
import binascii
# Parameters from code analysis
key = binascii.unhexlify('[hex key]') # or base64.b64decode
iv = binascii.unhexlify('[hex iv]') # or None for ECB
cipher = AES.new(key, AES.MODE_CBC, iv)
encrypted = base64.b64decode('[base64 encrypted]')
decrypted = cipher.decrypt(encrypted)
print(decrypted.decode(errors='replace').rstrip('\x00'))
Malware Pattern Commands
SMS Malware
python gda_analyze.py sample.apk "find -m sendTextMessage"
python gda_analyze.py sample.apk "find -m abortBroadcast"
python gda_analyze.py sample.apk "dec -c com.package.SmsReceiver"
Banking Trojan
python gda_analyze.py sample.apk "find -m WindowManager"
python gda_analyze.py sample.apk "find -s TYPE_TEXT_VARIATION_PASSWORD"
Spyware/RAT
python gda_analyze.py sample.apk "find -s http"
python gda_analyze.py sample.apk "find -s socket"
python gda_analyze.py sample.apk "dec -c com.spy.DataSender"
Adware
python gda_analyze.py sample.apk "find -s admob"
python gda_analyze.py sample.apk "find -s mopub"
Analysis Principles
- Recon first - Gather context before deep analysis
- Trace suspicious components - attsf/malscan reveal malicious code
- Search encryption patterns - Many malware encrypt C2/config
- Generate decrypt scripts - When key+ciphertext found
- Cite evidence - Always include class@xxxxx and method@xxxxx
- Be adaptive - Different malware types need different focus
Constraints
- GDA closes connection after each command
- Class index: 6-digit hex from attsf/listm (e.g.,
0002d3) - Method ID:
method@xxxxxfrom listm - Quote commands:
"find -s 192.168" find -msearches method names,find -ssearches strings
Decide Fit First
Design Intent
How To Use It
Boundaries And Review