rtexit-method 0.1.26 → 0.1.28

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.26",
+  "version": "0.1.28",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md

@@ -76,9 +76,12 @@ sliver
 
 ### Havoc C2 Setup
 
+> ⚠️ **NOT in rtexit-kali container** — Havoc requires a GUI client. Run on your **host machine**, not inside Docker.
+
 **GitHub:** https://github.com/HavocFramework/Havoc
 
 ```bash
+# Run on HOST MACHINE (not in rtexit-kali container)
 # Dependencies
 sudo apt update && sudo apt install -y git build-essential cmake mingw-w64 \
   nasm python3 python3-pip libssl-dev libz-dev golang-go

package/packaged-assets/_rtexit/TOOLS.md

@@ -55,6 +55,10 @@ docker exec rtexit-kali bash -c "nmap -sV TARGET"
 | grype | `grype` | Vulnerability scan |
 | wpscan | `wpscan` | WordPress scanning |
 | graphql-cop | `graphql-cop` | GraphQL security |
+| gf | `gf` | Grep patterns for XSS/SQLi/SSRF/RCE in URLs |
+| linkfinder | `linkfinder` | Discover endpoints/APIs in JS files |
+| secretfinder | `secretfinder` | Extract secrets/tokens from JS files |
+| corsy | `corsy` | CORS misconfiguration scanner |
 
 ---
 
@@ -100,34 +104,48 @@ docker exec rtexit-kali bash -c "nmap -sV TARGET"
 
 ---
 
-## Phase 5 — Mobile Testing ✅ 29/31
+## Phase 5 — Mobile Testing ✅ 39/39
 
 | Tool | Command | Use Case |
 |------|---------|----------|
 | adb | `adb` | Android debugging |
-| apktool | `apktool` | APK decompile |
-| jadx | `jadx` | Java decompiler |
+| apktool | `apktool` | APK decompile/repackage |
+| jadx | `jadx` | Java/Kotlin decompiler |
 | dex2jar | `d2j-dex2jar` | DEX to JAR |
+| baksmali | `baksmali` | Disassemble DEX → smali |
+| smali | `smali` | Assemble smali → DEX (patching) |
+| bytecode-viewer | `bytecode-viewer` | Multi-decompiler GUI (jar at `/opt/bytecode-viewer/bytecode-viewer.jar`) |
+| apkid | `apkid` | Packer/obfuscator/protector detection |
+| quark-engine | `quark` | Android malware behavior analysis |
 | frida | `frida` | Dynamic instrumentation |
 | frida-ps | `frida-ps` | List processes |
 | frida-trace | `frida-trace` | Function tracing |
-| objection | `objection` | Runtime manipulation |
-| setup-frida-server | `setup-frida-server` | Auto-setup frida-server |
-| reflutter | `reflutter` | Flutter SSL pinning bypass |
-| apk-mitm | `apk-mitm` | SSL pinning bypass |
-| uber-apk-signer | `uber-apk-signer` | APK signing |
-| apkleaks | `apkleaks` | APK secret scanning |
-| androguard | `androguard` | APK static analysis |
+| objection | `objection` | Runtime manipulation (SSL/root/jailbreak bypass) |
+| fridump3 | `fridump3` | Memory dump via frida |
+| setup-frida-server | `setup-frida-server` | Auto-setup frida-server on device |
+| ssl-pinning-bypass | `/opt/frida-scripts/ssl-pinning-bypass.js` | Universal SSL pinning bypass (OkHttp/TrustManager/Conscrypt) |
+| root-bypass | `/opt/frida-scripts/root-bypass.js` | Root detection bypass (RootBeer/su/magisk) |
+| jwt-hook | `/opt/frida-scripts/jwt-hook.js` | JWT/Auth header interceptor |
+| intent-monitor | `/opt/frida-scripts/intent-monitor.js` | Android Intent + deeplink monitor |
+| extract-secrets | `/opt/frida-scripts/extract-secrets.js` | Runtime SharedPrefs/crypto key/SQLite extractor |
+| dump-all-traffic | `/opt/frida-scripts/dump-all-traffic.js` | HTTP/S traffic hooker |
+| reflutter | `reflutter` | Flutter SSL pinning bypass + repack |
+| apk-mitm | `apk-mitm` | Automated SSL pinning bypass |
+| uber-apk-signer | `uber-apk-signer` | APK signing after patching |
+| apkleaks | `apkleaks` | APK secret/key scanning |
+| androguard | `androguard` | Deep APK static analysis |
 | trufflehog3 | `trufflehog3` | Secret scanning |
-| drozer | `drozer` | Component exploitation |
+| drozer | `drozer` | Android component exploitation (IPC/intent/content provider) |
 | drozer-agent.apk | `/opt/drozer/drozer-agent.apk` | Install on device |
-| hermes-dec | `hermes-dec` | React Native HBC decompile |
+| hermes-dec | `hermes-dec` | React Native Hermes bytecode decompile |
 | hbctool | `hbctool` | Hermes bytecode tool |
 | monodis | `monodis` | Xamarin/Mono analysis |
 | js-beautify | `js-beautify` | JS deobfuscation |
 | qrcode | `qrcode` | QR code generation |
-| msfvenom | `msfvenom` | Mobile payload gen |
-| ssh | `ssh` | iOS device access |
+| msfvenom | `msfvenom` | Mobile payload generation |
+| apkeep | `apkeep` | Download APKs from Google Play / APKPure |
+| ipatool | `ipatool` | Download IPA from App Store |
+| ssh | `ssh` | iOS device access (jailbroken) |
 | bleak | `bleak` (python) | BLE scanning |
 | crackle | `/opt/crackle` | BLE crack |
 

package/packaged-assets/docker/frida-scripts/dump-all-traffic.js

@@ -0,0 +1,53 @@
+// HTTP/S Traffic Dumper — HttpURLConnection + OkHttp request/response
+// Usage: frida -U -f com.target.app -l dump-all-traffic.js --no-pause
+// Combine with: mitmproxy or Burp Suite on port 8080
+
+Java.perform(function() {
+    // --- HttpURLConnection ---
+    try {
+        var HttpURLConnection = Java.use('java.net.HttpURLConnection');
+        HttpURLConnection.getInputStream.implementation = function() {
+            console.log('[HTTP] ' + this.getRequestMethod() + ' ' + this.getURL().toString());
+            return this.getInputStream();
+        };
+        HttpURLConnection.getResponseCode.implementation = function() {
+            var code = this.getResponseCode();
+            console.log('[HTTP] Response: ' + code + ' ' + this.getURL().toString());
+            return code;
+        };
+    } catch(e) {}
+
+    // --- URL.openConnection ---
+    try {
+        var URL = Java.use('java.net.URL');
+        URL.openConnection.overload().implementation = function() {
+            console.log('[URL] openConnection: ' + this.toString());
+            return this.openConnection();
+        };
+    } catch(e) {}
+
+    // --- OkHttp3 Request builder ---
+    try {
+        var RequestBuilder = Java.use('okhttp3.Request$Builder');
+        RequestBuilder.build.implementation = function() {
+            var req = this.build();
+            console.log('[OkHttp3] ' + req.method() + ' ' + req.url().toString());
+            var headers = req.headers();
+            for (var i = 0; i < headers.size(); i++) {
+                console.log('  Header: ' + headers.name(i) + ': ' + headers.value(i));
+            }
+            return req;
+        };
+    } catch(e) {}
+
+    // --- WebView URL load ---
+    try {
+        var WebView = Java.use('android.webkit.WebView');
+        WebView.loadUrl.overload('java.lang.String').implementation = function(url) {
+            console.log('[WebView] loadUrl: ' + url);
+            return this.loadUrl(url);
+        };
+    } catch(e) {}
+
+    console.log('[RTExit] Traffic dumper loaded. Use with Burp/mitmproxy on 8080.');
+});

package/packaged-assets/docker/frida-scripts/extract-secrets.js

@@ -0,0 +1,75 @@
+// Runtime Secret Extractor — SharedPreferences, SQLite queries, crypto keys, JWT
+// Usage: frida -U -f com.target.app -l extract-secrets.js --no-pause
+
+Java.perform(function() {
+    // --- SharedPreferences ---
+    try {
+        var SharedPreferencesImpl = Java.use('android.app.SharedPreferencesImpl');
+        SharedPreferencesImpl.getString.implementation = function(key, defVal) {
+            var val = this.getString(key, defVal);
+            if (val && val.length > 0) console.log('[SharedPrefs] ' + key + ' = ' + val);
+            return val;
+        };
+        SharedPreferencesImpl.getInt.implementation = function(key, defVal) {
+            var val = this.getInt(key, defVal);
+            console.log('[SharedPrefs:int] ' + key + ' = ' + val);
+            return val;
+        };
+    } catch(e) {}
+
+    // --- Crypto key material ---
+    try {
+        var SecretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
+        SecretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function(key, algo) {
+            var hexKey = Array.from(key, function(b) { return ('0' + (b & 0xff).toString(16)).slice(-2); }).join('');
+            console.log('[CRYPTO KEY] algo=' + algo + ' key(hex)=' + hexKey);
+            return this.$init(key, algo);
+        };
+    } catch(e) {}
+
+    // --- Cipher init — IV + key ---
+    try {
+        var Cipher = Java.use('javax.crypto.Cipher');
+        Cipher.init.overload('int', 'java.security.Key', 'java.security.spec.AlgorithmParameterSpec').implementation = function(mode, key, params) {
+            var modeStr = mode === 1 ? 'ENCRYPT' : mode === 2 ? 'DECRYPT' : 'mode=' + mode;
+            console.log('[CIPHER] ' + modeStr + ' algo=' + key.getAlgorithm());
+            return this.init(mode, key, params);
+        };
+    } catch(e) {}
+
+    // --- SQLiteDatabase queries ---
+    try {
+        var SQLiteDatabase = Java.use('android.database.sqlite.SQLiteDatabase');
+        SQLiteDatabase.rawQuery.overload('java.lang.String', '[Ljava.lang.String;').implementation = function(sql, args) {
+            console.log('[SQLite] ' + sql);
+            return this.rawQuery(sql, args);
+        };
+        SQLiteDatabase.execSQL.overload('java.lang.String').implementation = function(sql) {
+            console.log('[SQLite execSQL] ' + sql);
+            return this.execSQL(sql);
+        };
+    } catch(e) {}
+
+    // --- JWT/Base64 encoded tokens ---
+    try {
+        var Base64 = Java.use('android.util.Base64');
+        Base64.decode.overload('java.lang.String', 'int').implementation = function(str, flags) {
+            if (str && str.startsWith('ey')) console.log('[JWT TOKEN] ' + str);
+            return this.decode(str, flags);
+        };
+    } catch(e) {}
+
+    // --- Authorization headers ---
+    try {
+        var Headers = Java.use('okhttp3.Headers');
+        Headers.get.overload('java.lang.String').implementation = function(name) {
+            var val = this.get(name);
+            if (name.toLowerCase() === 'authorization' && val) {
+                console.log('[AUTH HEADER] ' + val);
+            }
+            return val;
+        };
+    } catch(e) {}
+
+    console.log('[RTExit] Secret extractor loaded.');
+});

package/packaged-assets/docker/frida-scripts/intent-monitor.js

@@ -0,0 +1,64 @@
+// Android Intent Monitor — logs all intents, deeplinks, exported component calls
+// Usage: frida -U -f com.target.app -l intent-monitor.js --no-pause
+
+Java.perform(function() {
+    // --- Intent creation/actions ---
+    try {
+        var Intent = Java.use('android.content.Intent');
+        Intent.setAction.implementation = function(action) {
+            if (action) console.log('[INTENT] setAction: ' + action);
+            return this.setAction(action);
+        };
+        Intent.setData.implementation = function(uri) {
+            if (uri) console.log('[INTENT] setData (deeplink): ' + uri.toString());
+            return this.setData(uri);
+        };
+        Intent.putExtra.overload('java.lang.String', 'java.lang.String').implementation = function(k, v) {
+            console.log('[INTENT EXTRA] ' + k + ' = ' + v);
+            return this.putExtra(k, v);
+        };
+        Intent.getData.implementation = function() {
+            var data = this.getData();
+            if (data) console.log('[INTENT DATA] ' + data.toString());
+            return data;
+        };
+    } catch(e) {}
+
+    // --- Activity navigation ---
+    try {
+        var Activity = Java.use('android.app.Activity');
+        Activity.startActivity.overload('android.content.Intent').implementation = function(intent) {
+            var action = intent.getAction ? intent.getAction() : '?';
+            var data = intent.getData ? intent.getData() : null;
+            console.log('[startActivity] action=' + action + (data ? ' data=' + data : ''));
+            return this.startActivity(intent);
+        };
+        Activity.startActivityForResult.overload('android.content.Intent', 'int').implementation = function(intent, req) {
+            console.log('[startActivityForResult] requestCode=' + req + ' intent=' + intent.toString());
+            return this.startActivityForResult(intent, req);
+        };
+    } catch(e) {}
+
+    // --- Broadcast intents ---
+    try {
+        var Context = Java.use('android.content.ContextWrapper');
+        Context.sendBroadcast.overload('android.content.Intent').implementation = function(intent) {
+            console.log('[sendBroadcast] ' + intent.toString());
+            return this.sendBroadcast(intent);
+        };
+    } catch(e) {}
+
+    // --- Content Provider access ---
+    try {
+        var ContentResolver = Java.use('android.content.ContentResolver');
+        ContentResolver.query.overload(
+            'android.net.Uri', '[Ljava.lang.String;',
+            'android.os.Bundle', 'android.os.CancellationSignal'
+        ).implementation = function(uri, proj, sel, cancel) {
+            console.log('[ContentProvider] query: ' + uri.toString());
+            return this.query(uri, proj, sel, cancel);
+        };
+    } catch(e) {}
+
+    console.log('[RTExit] Intent monitor loaded.');
+});

package/packaged-assets/docker/frida-scripts/jwt-hook.js

@@ -0,0 +1,43 @@
+// JWT Token Interceptor — captures tokens from Base64 decode, headers, and memory strings
+// Usage: frida -U -f com.target.app -l jwt-hook.js --no-pause
+
+Java.perform(function() {
+    // --- Base64 JWT detection ---
+    try {
+        var Base64 = Java.use('android.util.Base64');
+        Base64.encodeToString.overload('[B', 'int').implementation = function(input, flags) {
+            var result = this.encodeToString(input, flags);
+            if (result.length > 50) console.log('[Base64 OUT] ' + result.substring(0, 300));
+            return result;
+        };
+        Base64.decode.overload('java.lang.String', 'int').implementation = function(str, flags) {
+            if (str && str.startsWith('ey')) console.log('[JWT DECODE] ' + str);
+            return this.decode(str, flags);
+        };
+    } catch(e) {}
+
+    // --- OkHttp3 Authorization header ---
+    try {
+        var RequestBuilder = Java.use('okhttp3.Request$Builder');
+        RequestBuilder.header.implementation = function(name, value) {
+            if (name.toLowerCase() === 'authorization') console.log('[JWT/AUTH] ' + name + ': ' + value);
+            if (name.toLowerCase() === 'x-auth-token') console.log('[TOKEN] ' + name + ': ' + value);
+            if (name.toLowerCase() === 'x-api-key') console.log('[API KEY] ' + name + ': ' + value);
+            return this.header(name, value);
+        };
+    } catch(e) {}
+
+    // --- String patterns for JWT/API keys ---
+    try {
+        var String = Java.use('java.lang.String');
+        String.valueOf.overload('java.lang.Object').implementation = function(obj) {
+            var result = this.valueOf(obj);
+            if (result && result.startsWith('ey') && result.length > 50) {
+                console.log('[JWT String] ' + result.substring(0, 300));
+            }
+            return result;
+        };
+    } catch(e) {}
+
+    console.log('[RTExit] JWT hook loaded.');
+});

package/packaged-assets/docker/frida-scripts/root-bypass.js

@@ -0,0 +1,65 @@
+// Root Detection Bypass — RootBeer, SafetyNet basics, su/magisk file checks, Runtime.exec
+// Usage: frida -U -f com.target.app -l root-bypass.js --no-pause
+
+Java.perform(function() {
+    // --- RootBeer ---
+    try {
+        var RootBeer = Java.use('com.scottyab.rootbeer.RootBeer');
+        RootBeer.isRooted.implementation = function() { return false; };
+        RootBeer.isRootedWithoutBusyBox.implementation = function() { return false; };
+        RootBeer.checkForSuBinary.implementation = function() { return false; };
+        RootBeer.detectRootManagementApps.implementation = function() { return false; };
+        RootBeer.detectPotentiallyDangerousApps.implementation = function() { return false; };
+        console.log('[+] RootBeer bypassed');
+    } catch(e) {}
+
+    // --- File-based su/magisk/busybox checks ---
+    try {
+        var File = Java.use('java.io.File');
+        File.exists.implementation = function() {
+            var name = this.getAbsolutePath();
+            if (name.indexOf('su') !== -1 || name.indexOf('magisk') !== -1 || name.indexOf('busybox') !== -1) {
+                console.log('[+] File.exists blocked: ' + name);
+                return false;
+            }
+            return this.exists();
+        };
+    } catch(e) {}
+
+    // --- Runtime.exec su ---
+    try {
+        var Runtime = Java.use('java.lang.Runtime');
+        Runtime.exec.overload('java.lang.String').implementation = function(cmd) {
+            if (cmd.indexOf('su') !== -1) {
+                console.log('[+] Runtime.exec(su) blocked');
+                throw Java.use('java.io.IOException').$new('Permission denied');
+            }
+            return this.exec(cmd);
+        };
+    } catch(e) {}
+
+    // --- System Properties ---
+    try {
+        var SystemProperties = Java.use('android.os.SystemProperties');
+        SystemProperties.get.overload('java.lang.String').implementation = function(key) {
+            if (key === 'ro.debuggable') return '0';
+            if (key === 'ro.secure') return '1';
+            return this.get(key);
+        };
+    } catch(e) {}
+
+    // --- PackageManager root app detection ---
+    try {
+        var PackageManager = Java.use('android.app.ApplicationPackageManager');
+        var rootPkgs = ['com.topjohnwu.magisk', 'eu.chainfire.supersu', 'com.koushikdutta.superuser'];
+        PackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation = function(pkg, flags) {
+            if (rootPkgs.indexOf(pkg) !== -1) {
+                console.log('[+] PackageManager blocked: ' + pkg);
+                throw Java.use('android.content.pm.PackageManager$NameNotFoundException').$new();
+            }
+            return this.getPackageInfo(pkg, flags);
+        };
+    } catch(e) {}
+
+    console.log('[RTExit] Root bypass loaded.');
+});

package/packaged-assets/docker/frida-scripts/ssl-pinning-bypass.js

@@ -0,0 +1,60 @@
+// Universal SSL Pinning Bypass — OkHttp3, TrustManager, X509, Conscrypt, HostnameVerifier
+// Usage: frida -U -f com.target.app -l ssl-pinning-bypass.js --no-pause
+
+Java.perform(function() {
+    // --- OkHttp3 CertificatePinner ---
+    try {
+        var CertificatePinner = Java.use('okhttp3.CertificatePinner');
+        CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function() {
+            console.log('[+] OkHttp3 CertificatePinner.check bypassed');
+        };
+        CertificatePinner.check.overload('java.lang.String', '[Ljava.security.cert.Certificate;').implementation = function() {
+            console.log('[+] OkHttp3 CertificatePinner.check (cert) bypassed');
+        };
+    } catch(e) {}
+
+    // --- Custom TrustManager (accept all) ---
+    try {
+        var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
+        var SSLContext = Java.use('javax.net.ssl.SSLContext');
+        var TrustManager = Java.registerClass({
+            name: 'com.rtexit.bypass.TrustManager',
+            implements: [X509TrustManager],
+            methods: {
+                checkClientTrusted: function(chain, authType) {},
+                checkServerTrusted: function(chain, authType) { console.log('[+] checkServerTrusted bypassed'); },
+                getAcceptedIssuers: function() { return []; }
+            }
+        });
+        var SSLContextInst = SSLContext.getInstance('TLS');
+        SSLContextInst.init(null, [TrustManager.$new()], null);
+        SSLContext.getDefault.implementation = function() { return SSLContextInst; };
+    } catch(e) {}
+
+    // --- HostnameVerifier ---
+    try {
+        var HttpsURLConnection = Java.use('javax.net.ssl.HttpsURLConnection');
+        HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(verifier) {
+            console.log('[+] HostnameVerifier bypassed');
+        };
+    } catch(e) {}
+
+    // --- Conscrypt (Android network stack) ---
+    try {
+        var PlatformTrustManager = Java.use('com.android.org.conscrypt.TrustManagerImpl');
+        PlatformTrustManager.checkTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'boolean').implementation = function(a, b, c) {
+            console.log('[+] Conscrypt TrustManagerImpl bypassed');
+            return Java.use('java.util.ArrayList').$new();
+        };
+    } catch(e) {}
+
+    // --- Network Security Config bypass ---
+    try {
+        var NetworkSecurityTrustManager = Java.use('android.security.net.config.NetworkSecurityTrustManager');
+        NetworkSecurityTrustManager.checkServerTrusted.implementation = function(chain, authType, hostname) {
+            console.log('[+] NetworkSecurityTrustManager bypassed: ' + hostname);
+        };
+    } catch(e) {}
+
+    console.log('[RTExit] SSL Pinning bypass loaded.');
+});

package/packaged-assets/docker/verify/phase3-ad.sh

@@ -72,7 +72,7 @@ chk_dir "ScareCrow"           /opt/ScareCrow
 chk_dir "KrbRelayUp"          /opt/KrbRelayUp
 
 section "BloodHound"
-chk_dir "BloodHound.py"       /opt/BloodHound.py
+chk "BloodHound.py"           bloodhound-python
 chk "bloodhound-python"       bloodhound-python
 
 section "Post-Auth Lateral"

package/packaged-assets/docker/verify/phase8-creds.sh

@@ -7,7 +7,7 @@ phase_header "PHASE 8 — Password Attacks & Credential Access"
 section "Hash Cracking"
 chk "hashcat"           hashcat
 chk "john"              john
-chk "ophcrack"          ophcrack
+chk_opt "ophcrack"      ophcrack   # not in Kali rolling repos
 
 section "Online Brute Force"
 chk "hydra"             hydra

package/packaged-assets/resources/tools.md

@@ -33,13 +33,56 @@ Use tools only inside the authorized scope and record commands through the autod
 
 ## Mobile and Desktop
 
-| Tool | Purpose | Notes |
+### Static Analysis
+| Tool | Command | Purpose |
+|---|---|---|
+| apktool | `apktool d app.apk -o out/` | Decompile APK → smali + resources |
+| jadx | `jadx -d output/ app.apk` | Java/Kotlin decompiler |
+| baksmali | `baksmali d classes.dex -o smali/` | Disassemble DEX → smali |
+| smali | `smali a smali/ -o patched.dex` | Reassemble smali → DEX (patching) |
+| apkid | `apkid app.apk` | Detect packer/obfuscator/protector |
+| quark-engine | `quark -a app.apk` | Malware behavior + MITRE ATT&CK |
+| apkleaks | `apkleaks -f app.apk` | Hardcoded secrets/keys/endpoints |
+| androguard | `androguard analyze app.apk` | Deep APK static analysis |
+| bytecode-viewer | `bytecode-viewer` | Multi-decompiler GUI (jadx+cfr+procyon) |
+| dex2jar | `d2j-dex2jar app.apk` | DEX → JAR for jd-gui |
+
+### Dynamic / Runtime
+| Tool | Command | Purpose |
 |---|---|---|
-| apktool | Android package inspection | Static analysis |
-| jadx | Android decompilation | Source review |
-| Frida | Dynamic instrumentation | Requires explicit authorization |
-| MobSF | Mobile assessment platform | Good triage and reporting |
-| dnSpy/ILSpy | .NET inspection | Desktop/.NET review |
+| frida | `frida -U -f com.target.app -l script.js --no-pause` | Dynamic instrumentation |
+| objection | `objection -g com.target.app explore` | Runtime SSL/root/jailbreak bypass |
+| fridump3 | `fridump3 -U com.target.app -o dump/` | Full memory dump |
+| drozer | `drozer console connect` | IPC/intent/content-provider exploitation |
+
+### Frida Scripts Library (`docker/frida-scripts/`)
+| Script | Purpose |
+|---|---|
+| `ssl-pinning-bypass.js` | OkHttp3 + TrustManager + Conscrypt + NetworkSecurityConfig |
+| `root-bypass.js` | RootBeer + magisk + su + PackageManager detection |
+| `extract-secrets.js` | SharedPrefs + crypto keys + SQLite + JWT at runtime |
+| `jwt-hook.js` | Authorization headers + API keys + Base64 JWT |
+| `intent-monitor.js` | Intents + deeplinks + ContentProvider + Broadcasts |
+| `dump-all-traffic.js` | HTTP/S requests via HttpURLConnection + OkHttp3 + WebView |
+
+### SSL Pinning Bypass
+| Tool | Command | Purpose |
+|---|---|---|
+| apk-mitm | `apk-mitm app.apk` | Automated SSL pinning bypass + repack |
+| reflutter | `reflutter app.apk` | Flutter SSL pinning bypass |
+| uber-apk-signer | `uber-apk-signer -a patched.apk` | Sign APK after patching |
+
+### Downloaders
+| Tool | Command | Purpose |
+|---|---|---|
+| apkeep | `apkeep -a com.target.app -d google-play ./` | Download APK from Google Play |
+| ipatool | `ipatool download -b com.target.app` | Download IPA from App Store |
+
+### Desktop / .NET
+| Tool | Purpose |
+|---|---|
+| dnSpy/ILSpy | .NET inspection |
+| monodis | Xamarin/Mono assembly analysis |
 
 ## Cloud and Infrastructure
 

package/tools/installer/rt-cli.js

@@ -13,8 +13,14 @@ program
   .description('Install RTExit into the current project')
   .action(() => installCommand());
 
-program.parse(process.argv);
+// When run via npx with no args, auto-trigger install
+const args = process.argv.slice(2);
+const isNpx = process.env.npm_lifecycle_event === undefined && process.env.npm_execpath !== undefined;
+const isDirectRun = args.length === 0;
 
-if (process.argv.slice(2).length === 0) {
-  program.outputHelp();
+if (isDirectRun) {
+  // npx rtexit-method  OR  rtexit  → run install directly
+  require('./commands/install').installCommand();
+} else {
+  program.parse(process.argv);
 }