rtexit-method 0.1.14 → 0.1.15

package/packaged-assets/.agents/skills/rt-cross-platform-mobile/SKILL.md

@@ -0,0 +1,290 @@
+---
+name: rt-cross-platform-mobile
+description: "Cross-platform mobile app testing — React Native (JS bundle extraction, hermes bytecode), Flutter (libflutter.so reverse engineering, reFlutter), Xamarin (DLL extraction, IL2CPP), Ionic/Cordova (WebView injection), Unity mobile games. Each framework has unique reverse engineering and bypass techniques completely different from native Android/iOS."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+
+# rt-cross-platform-mobile — React Native, Flutter, Xamarin, Cordova
+
+## Overview
+
+Cross-platform frameworks compile differently than native apps — standard Android/iOS testing approaches often fail. Each framework requires specific tools and techniques.
+
+**Identify framework:**
+```bash
+docker exec rtexit-kali bash -c "
+unzip -l target.apk | grep -iE 'flutter|hermes|xamarin|cordova|react|unity'
+# hermes.bytecode → React Native (Hermes engine)
+# libflutter.so → Flutter
+# assemblies/*.dll → Xamarin
+# www/index.html → Cordova/Ionic
+# libunity.so → Unity
+"
+```
+
+---
+
+## React Native
+
+### Detect & Extract JS Bundle
+
+```bash
+docker exec rtexit-kali bash -c "
+# Unzip APK
+unzip target.apk -d /tmp/target_apk
+
+# Find JS bundle
+find /tmp/target_apk -name '*.bundle' -o -name '*.js' | head -20
+# Common paths:
+# assets/index.android.bundle
+# assets/App.bundle
+# res/raw/*.bundle
+
+# Check if Hermes bytecode (compiled) or plain JS
+file /tmp/target_apk/assets/index.android.bundle
+# 'Hermes bytecode' = compiled
+# 'ASCII text' or 'data' = plain JS (just read it!)
+"
+```
+
+### Plain JS Bundle — Read Directly
+
+```bash
+docker exec rtexit-kali bash -c "
+# Plain JS bundle = goldmine of secrets, API endpoints, logic
+cat /tmp/target_apk/assets/index.android.bundle | \
+  python3 -c \"import sys; import jsbeautifier; print(jsbeautifier.beautify(sys.stdin.read()))\" > /tmp/bundle_pretty.js
+
+# Hunt secrets
+grep -iE 'api_key|apikey|secret|password|token|endpoint|https?://' /tmp/bundle_pretty.js | sort -u | head -50
+
+# Find all hardcoded URLs
+grep -oE 'https?://[^\"]+' /tmp/bundle_pretty.js | sort -u
+"
+```
+
+### Hermes Bytecode — Decompile
+
+```bash
+docker exec rtexit-kali bash -c "
+# Install hermes-dec
+pip3 install hermes-dec
+
+# Decompile Hermes bytecode to JS
+hermes-dec /tmp/target_apk/assets/index.android.bundle > /tmp/decompiled.js
+
+# Alternative: hbctool
+pip3 install hbctool
+hbctool disasm /tmp/target_apk/assets/index.android.bundle /tmp/hbc_out/
+cat /tmp/hbc_out/instruction.hasm | grep -i 'secret\|key\|token'
+"
+```
+
+### React Native SSL Pinning Bypass
+
+```javascript
+// rn-ssl-bypass.js
+Java.perform(() => {
+  // OkHttp (RN Android uses this)
+  try {
+    const CertPinner = Java.use('okhttp3.CertificatePinner');
+    CertPinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
+      console.log('[*] RN OkHttp CertificatePinner bypassed');
+    };
+  } catch(e) {}
+
+  // react-native-ssl-pinning package bypass
+  try {
+    const OkHttpClientProvider = Java.use('com.facebook.react.modules.network.OkHttpClientProvider');
+    OkHttpClientProvider.createClientBuilder.implementation = function() {
+      const b = this.createClientBuilder();
+      const emptyPinner = Java.use('okhttp3.CertificatePinner$Builder').$new().build();
+      b.certificatePinner(emptyPinner);
+      return b;
+    };
+  } catch(e) {}
+});
+```
+
+---
+
+## Flutter
+
+### Identify Flutter Version
+
+```bash
+docker exec rtexit-kali bash -c "
+adb pull \$(adb shell pm path com.target.app | cut -d: -f2 | tr -d '\r') /tmp/target.apk
+unzip /tmp/target.apk -d /tmp/flutter_apk
+strings /tmp/flutter_apk/lib/arm64-v8a/libflutter.so | grep -E '^[0-9]+\.[0-9]+\.[0-9]'
+# Also check:
+strings /tmp/flutter_apk/lib/arm64-v8a/libflutter.so | grep 'Flutter '
+"
+```
+
+### Extract Dart Code (flutter_assets)
+
+```bash
+docker exec rtexit-kali bash -c "
+# Flutter stores compiled Dart in flutter_assets/kernel_blob.bin or snapshot_blob.bin
+ls /tmp/flutter_apk/assets/flutter_assets/
+
+# Use Doldrums or reFlutter to extract
+pip3 install doldrums 2>/dev/null
+doldrums /tmp/flutter_apk/assets/flutter_assets/kernel_blob.bin /tmp/dart_out/
+
+# Hunt secrets in extracted Dart
+grep -r 'apiKey\|secret\|password\|endpoint' /tmp/dart_out/
+"
+```
+
+### reFlutter — Patch Flutter SSL
+
+```bash
+docker exec rtexit-kali bash -c "
+# reFlutter patches libflutter.so to remove SSL pinning
+pip3 install reFlutter
+
+# Patch + rebuild APK
+reFlutter target.apk
+# Output: release.RE.apk (with patched Flutter engine)
+
+# Sign and install
+java -jar /opt/uber-apk-signer.jar -a release.RE.apk --out ./signed/
+adb install signed/release.RE-aligned-debugSigned.apk
+
+# Set up Burp proxy
+# reFlutter redirects all traffic to 127.0.0.1:8083
+adb reverse tcp:8083 tcp:8080
+# Now Burp intercepts all Flutter HTTPS traffic
+"
+```
+
+### Frida for Flutter (Native Hook)
+
+```javascript
+// flutter-ssl-bypass.js — hook BoringSSL directly
+
+setTimeout(() => {
+  const lib = Process.getModuleByName('libflutter.so');
+  if (!lib) { console.log('libflutter.so not loaded'); return; }
+  
+  // Find ssl_verify_peer_cert (varies by version)
+  // Use: $ nm -D libflutter.so | grep ssl_verify
+  // Or: $ objdump -d libflutter.so | grep -A5 "ssl_verify_peer"
+  
+  // Common Flutter 3.x offset (find yours with nm/objdump)
+  const exports = ['ssl_verify_peer_cert', 'ssl_crypto_x509_session_verify_cert_chain'];
+  exports.forEach(name => {
+    const addr = Module.findExportByName('libflutter.so', name);
+    if (addr) {
+      Interceptor.replace(addr, new NativeCallback(() => {
+        console.log('[*] Flutter ' + name + ' bypassed');
+        return 1;
+      }, 'int', ['pointer', 'pointer', 'int', 'pointer']));
+    }
+  });
+}, 500);
+```
+
+---
+
+## Xamarin
+
+### Extract .NET Assemblies
+
+```bash
+docker exec rtexit-kali bash -c "
+# Xamarin embeds .NET DLLs in assemblies/ directory
+unzip target.apk 'assemblies/*' -d /tmp/xamarin_apk
+
+# Assemblies are compressed in newer Xamarin — decompress
+cd /tmp/xamarin_apk/assemblies/
+# Try: LZ4 compressed
+python3 -c \"
+import lz4.frame, os
+for f in os.listdir('.'):
+    if f.endswith('.dll'):
+        try:
+            with open(f, 'rb') as fin:
+                data = fin.read()
+                if data[:4] == b'XALZ':  # Xamarin LZ4 header
+                    decompressed = lz4.frame.decompress(data[8:])
+                    with open(f + '.dec', 'wb') as fout:
+                        fout.write(decompressed)
+                    print('Decompressed:', f)
+        except: pass
+\"
+"
+```
+
+```bash
+docker exec rtexit-kali bash -c "
+# Decompile DLLs with ILSpy or dnSpy equivalent (ilspycmd)
+dotnet tool install ilspycmd -g 2>/dev/null || true
+~/.dotnet/tools/ilspycmd /tmp/xamarin_apk/assemblies/App.dll > /tmp/app_source.cs
+
+# Or use monodis
+monodis /tmp/xamarin_apk/assemblies/App.dll > /tmp/app.il
+
+# Hunt secrets
+grep -i 'apiKey\|secret\|password\|baseUrl\|endpoint' /tmp/app_source.cs
+"
+```
+
+---
+
+## Ionic / Cordova
+
+```bash
+docker exec rtexit-kali bash -c "
+# Cordova is basically a WebView app — JS source in www/
+unzip target.apk 'assets/www/*' -d /tmp/cordova_apk
+
+# Read JS directly — no compilation
+cat /tmp/cordova_apk/assets/www/js/app.js | head -200
+grep -r 'apiKey\|secret\|baseUrl\|password' /tmp/cordova_apk/assets/www/ -r
+
+# Cordova plugins are often vulnerable
+ls /tmp/cordova_apk/assets/www/plugins/
+
+# Intercept traffic — no special bypass needed usually
+# Just set Burp proxy + trust cert
+"
+```
+
+---
+
+## Unity Mobile Games
+
+```bash
+docker exec rtexit-kali bash -c "
+# Unity stores game logic in libil2cpp.so (IL2CPP) or in assets (Mono)
+unzip target.apk 'lib/arm64-v8a/libil2cpp.so' 'assets/bin/Data/*' -d /tmp/unity_apk
+
+# Check if Mono (easier) or IL2CPP
+ls /tmp/unity_apk/assets/bin/Data/*.assets
+
+# Mono: extract with AssetRipper or UABE
+# IL2CPP: use Il2CppInspector or il2cpp-analyzer
+
+# Secrets often in GameConfig.json or hardcoded in Assembly-CSharp.dll (Mono)
+find /tmp/unity_apk -name '*.json' | xargs grep -i 'api\|key\|token\|secret'
+"
+```
+
+---
+
+## Related Skills
+- `rt-frida-advanced` — hook any of these frameworks at runtime
+- `rt-mobile-ssl-pinning` — framework-specific pinning bypass
+- `rt-exploit-android` — full Android methodology
+- `rt-exploit-ios` — full iOS methodology
+- `rt-mobile-static-deep` — MobSF + automated analysis
+
+## References
+- https://github.com/Impact-I/reFlutter
+- https://github.com/nicowillis/doldrums (Dart extractor)
+- https://github.com/nicowillis/hermes-dec
+- https://attack.mitre.org/techniques/T1601/ — Modify System Image

package/packaged-assets/.agents/skills/rt-frida-advanced/SKILL.md

@@ -0,0 +1,355 @@
+---
+name: rt-frida-advanced
+description: "Advanced Frida dynamic instrumentation for mobile and desktop — custom hook scripts, API interception, memory scanning, bypass root/jailbreak/SSL detection at runtime, Frida gadget for non-rooted devices, process injection, stalking, code tracing, heap inspection. Works on Android + iOS + Windows + Linux. The single most powerful mobile hacking tool. Docker: rtexit/kali:v3.1 has frida-tools pre-installed."
+---
+
+> 🐳 **Docker Environment (Recommended):** `docker exec -it rtexit-kali bash`
+
+# rt-frida-advanced — Dynamic Instrumentation for Mobile Hacking
+
+## Overview
+
+Frida is the foundation of modern mobile pentesting. It injects a JavaScript engine into any running process and lets you hook, modify, and trace ANY function at runtime — without source code, without recompilation, without root (via Gadget). This skill covers advanced usage beyond basic Objection.
+
+**When to use:**
+- Bypass SSL pinning in apps that survive standard Objection bypass
+- Understand how an app communicates with its backend
+- Bypass root/jailbreak detection to run dynamic analysis
+- Extract hardcoded keys, decrypt traffic, hook crypto functions
+- Trace exact function calls to find logic flaws
+- Any app where you need runtime visibility
+
+---
+
+## Setup in Docker + Android
+
+```bash
+# Docker has frida-tools installed
+docker exec rtexit-kali bash -c "frida --version"
+
+# Connect ADB to device (real device or emulator)
+# Option A: USB device passed through to Docker
+docker exec rtexit-kali bash -c "adb devices"
+
+# Option B: ADB over TCP (emulator on host)
+docker exec rtexit-kali bash -c "adb connect 192.168.200.1:5555 && adb devices"
+
+# Push frida-server to Android device
+docker exec rtexit-kali bash -c "
+# Get device architecture
+adb shell getprop ro.product.cpu.abi
+# arm64-v8a → download frida-server-<ver>-android-arm64
+
+# Download matching frida-server
+FRIDA_VER=\$(pip3 show frida | grep Version | awk '{print \$2}')
+wget https://github.com/frida/frida/releases/download/\${FRIDA_VER}/frida-server-\${FRIDA_VER}-android-arm64.xz
+unxz frida-server-\${FRIDA_VER}-android-arm64.xz
+adb push frida-server-\${FRIDA_VER}-android-arm64 /data/local/tmp/frida-server
+adb shell chmod 755 /data/local/tmp/frida-server
+adb shell /data/local/tmp/frida-server &
+"
+```
+
+---
+
+## Core: Hooking Functions
+
+```javascript
+// hook-template.js — hook any Java method
+
+Java.perform(() => {
+  // Hook a specific method
+  const TargetClass = Java.use('com.example.app.CryptoUtils');
+  
+  TargetClass.encrypt.overload('java.lang.String', 'java.lang.String').implementation = function(data, key) {
+    console.log('[*] encrypt called');
+    console.log('    data: ' + data);
+    console.log('    key: ' + key);
+    
+    // Call original and capture result
+    const result = this.encrypt(data, key);
+    console.log('    result: ' + result);
+    return result;
+  };
+});
+```
+
+```bash
+# Run hook script
+docker exec rtexit-kali bash -c "
+frida -U -f com.example.app -l hook-template.js --no-pause
+# -U = USB device
+# -f = spawn app fresh (ensures hooks before init)
+# --no-pause = don't stop at start
+"
+```
+
+---
+
+## SSL Pinning Bypass — Manual Frida Script
+
+```javascript
+// ssl-bypass-universal.js — works when Objection fails
+
+Java.perform(() => {
+  // Bypass OkHttp3 CertificatePinner
+  try {
+    const CertificatePinner = Java.use('okhttp3.CertificatePinner');
+    CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
+      console.log('[*] OkHttp3 CertificatePinner.check bypassed');
+    };
+    CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function() {
+      console.log('[*] OkHttp3 CertificatePinner.check (cert array) bypassed');
+    };
+  } catch(e) {}
+
+  // Bypass TrustManagerImpl
+  try {
+    const TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
+    TrustManagerImpl.verifyChain.implementation = function(untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
+      console.log('[*] TrustManagerImpl.verifyChain bypassed for: ' + host);
+      return untrustedChain;
+    };
+  } catch(e) {}
+
+  // Bypass X509TrustManager
+  try {
+    const X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
+    const SSLContext = Java.use('javax.net.ssl.SSLContext');
+    const TrustManager = Java.registerClass({
+      name: 'com.frida.TrustManager',
+      implements: [X509TrustManager],
+      methods: {
+        checkClientTrusted: function(chain, authType) {},
+        checkServerTrusted: function(chain, authType) {},
+        getAcceptedIssuers: function() { return []; }
+      }
+    });
+    const ctx = SSLContext.getInstance('TLS');
+    ctx.init(null, [TrustManager.$new()], null);
+    SSLContext.setDefault(ctx);
+    console.log('[*] SSLContext TrustManager replaced');
+  } catch(e) {}
+
+  // Bypass Conscrypt verifyHostname
+  try {
+    const OkHostnameVerifier = Java.use('okhttp3.internal.tls.OkHostnameVerifier');
+    OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function(host, session) {
+      return true;
+    };
+  } catch(e) {}
+});
+```
+
+```bash
+docker exec rtexit-kali bash -c "
+frida -U -f com.target.app -l ssl-bypass-universal.js --no-pause
+"
+```
+
+---
+
+## Root Detection Bypass
+
+```javascript
+// root-bypass.js
+
+Java.perform(() => {
+  // RootBeer bypass
+  try {
+    const RootBeer = Java.use('com.scottyab.rootbeer.RootBeer');
+    RootBeer.isRooted.implementation = function() {
+      console.log('[*] RootBeer.isRooted() bypassed → false');
+      return false;
+    };
+    RootBeer.isRootedWithoutBusyBoxCheck.implementation = function() { return false; };
+  } catch(e) {}
+
+  // File existence checks for su binary
+  const File = Java.use('java.io.File');
+  File.exists.implementation = function() {
+    const path = this.getAbsolutePath();
+    if (path.includes('su') || path.includes('supersu') || path.includes('magisk') || path.includes('busybox')) {
+      console.log('[*] File.exists blocked for: ' + path);
+      return false;
+    }
+    return this.exists();
+  };
+
+  // Runtime.exec bypass (blocks 'which su', 'su', etc.)
+  const Runtime = Java.use('java.lang.Runtime');
+  Runtime.exec.overload('java.lang.String').implementation = function(cmd) {
+    if (cmd.includes('su') || cmd.includes('which') || cmd.includes('busybox')) {
+      console.log('[*] Runtime.exec blocked: ' + cmd);
+      throw Java.use('java.io.IOException').$new('Command blocked by Frida');
+    }
+    return this.exec(cmd);
+  };
+});
+```
+
+---
+
+## Memory Scanning — Find Secrets at Runtime
+
+```javascript
+// memory-scan.js — scan process memory for keys, tokens, secrets
+
+Process.enumerateRanges('r--').forEach(range => {
+  try {
+    Memory.scanSync(range.base, range.size, 'Bearer ').forEach(match => {
+      const token = match.address.readUtf8String(200);
+      console.log('[TOKEN] @' + match.address + ': ' + token.substring(0, 100));
+    });
+  } catch(e) {}
+});
+
+// Scan for specific patterns
+const patterns = [
+  { name: 'AWS Key', pattern: 'AKIA' },
+  { name: 'JWT', pattern: 'eyJ' },
+  { name: 'API Key header', pattern: 'X-Api-Key' },
+];
+
+Process.enumerateRanges('r--').forEach(range => {
+  patterns.forEach(p => {
+    try {
+      Memory.scanSync(range.base, range.size, p.pattern).forEach(match => {
+        console.log('[' + p.name + '] @' + match.address + ': ' + match.address.readUtf8String(100));
+      });
+    } catch(e) {}
+  });
+});
+```
+
+---
+
+## Stalker — Trace Every Function Call
+
+```javascript
+// trace-calls.js — trace all calls in a specific class
+
+Java.perform(() => {
+  const TargetClass = Java.use('com.example.app.AuthManager');
+  
+  // Trace ALL methods in class
+  Object.getOwnPropertyNames(TargetClass).forEach(method => {
+    try {
+      TargetClass[method].implementation = function() {
+        console.log('[CALL] AuthManager.' + method + '(' + Array.from(arguments).join(', ') + ')');
+        const result = this[method].apply(this, arguments);
+        console.log('[RET]  AuthManager.' + method + ' → ' + result);
+        return result;
+      };
+    } catch(e) {}
+  });
+});
+```
+
+---
+
+## Frida Gadget — Non-Rooted Devices
+
+```bash
+# Gadget = inject Frida as a shared library into the APK
+# No root required!
+
+docker exec rtexit-kali bash -c "
+# 1. Decompile APK
+apktool d target.apk -o target_decompiled
+
+# 2. Download frida-gadget .so for target arch
+wget https://github.com/frida/frida/releases/download/16.x.x/frida-gadget-16.x.x-android-arm64.so.xz
+unxz frida-gadget-16.x.x-android-arm64.so.xz
+mv frida-gadget-16.x.x-android-arm64.so target_decompiled/lib/arm64-v8a/libfrida-gadget.so
+
+# 3. Inject gadget loader into smali (MainActivity.smali)
+# Add to onCreate() before super.onCreate():
+# invoke-static {}, Lcom/example/app/MainActivity;->loadLibrary()V
+# Actually: add System.loadLibrary('frida-gadget') call in smali
+
+# 4. Repackage + sign
+apktool b target_decompiled -o target_patched.apk
+uber-apk-signer -a target_patched.apk --out ./signed/
+
+# 5. Install + run — app waits for Frida to attach
+adb install signed/target_patched-aligned-debugSigned.apk
+adb shell am start -n com.example.app/.MainActivity
+# App pauses → attach Frida
+frida -U Gadget -l your-script.js
+"
+```
+
+---
+
+## iOS Frida
+
+```bash
+docker exec rtexit-kali bash -c "
+# iOS: frida-server installed via Sileo on jailbroken device
+# Connect via SSH tunnel
+ssh -p 2222 root@192.168.200.50
+
+# List processes
+frida-ps -H 192.168.200.50
+
+# Attach to iOS app
+frida -H 192.168.200.50 -n 'TargetApp' -l ssl-bypass-ios.js
+"
+```
+
+```javascript
+// ssl-bypass-ios.js — iOS SSL pinning bypass
+
+ObjC.schedule(ObjC.mainQueue, () => {
+  // NSURLSession bypass
+  try {
+    const NSURLSessionTask = ObjC.classes.NSURLSessionTask;
+    Interceptor.attach(NSURLSessionTask['- resume'].implementation, {
+      onEnter: function() {
+        const task = new ObjC.Object(this.context.x0);
+        console.log('[*] NSURLSession resume: ' + task.currentRequest().URL().absoluteString());
+      }
+    });
+  } catch(e) {}
+});
+
+// Bypass SecTrustEvaluate (common pinning method)
+Interceptor.replace(Module.findExportByName('Security', 'SecTrustEvaluate'), new NativeCallback((trust, result) => {
+  console.log('[*] SecTrustEvaluate bypassed');
+  const p = Memory.alloc(4);
+  Memory.writeS32(p, 1); // kSecTrustResultProceed
+  result.writePointer(p);
+  return 0; // errSecSuccess
+}, 'int', ['pointer', 'pointer']));
+```
+
+---
+
+## Useful One-Liners
+
+```bash
+# List all loaded classes
+docker exec rtexit-kali bash -c "frida -U -f com.target.app --eval 'Java.perform(() => { Java.enumerateLoadedClasses({ onMatch: (c) => console.log(c), onComplete: () => {} }) })' --no-pause 2>&1 | grep -i 'auth\|crypto\|pin\|cert\|ssl'"
+
+# Watch all HTTP traffic class
+docker exec rtexit-kali bash -c "frida -U -n com.target.app -l /opt/frida-scripts/watch-http.js"
+
+# Dump all SharedPreferences
+docker exec rtexit-kali bash -c "objection -g com.target.app explore --startup-command 'android sslpinning disable'"
+```
+
+---
+
+## Related Skills
+- `rt-exploit-android` — Android testing methodology
+- `rt-exploit-ios` — iOS testing methodology
+- `rt-mobile-ssl-pinning` — deep SSL pinning bypass techniques
+- `rt-apk-repackaging` — inject Frida gadget into APK
+- `rt-cross-platform-mobile` — Flutter/React Native specific bypasses
+
+## References
+- https://frida.re/docs/javascript-api/
+- https://github.com/interference-security/frida-scripts
+- https://codeshare.frida.re (community scripts)
+- https://attack.mitre.org/techniques/T1625/ — Hooking