Analysis updated 2026-05-18
Reverse engineer encryption algorithms used inside a mobile app from a captured trace
Identify what generates a specific ciphertext or signature in an Android or iOS app
Search massive ARM64 execution traces for known algorithm patterns like AES or SHA-256
| icloudza/algokiller-plugin | alibaba/omnidoc-tokenbench | arccalc/dwmfix | |
|---|---|---|---|
| Stars | 43 | 43 | 43 |
| Language | Python | Python | Python |
| Setup difficulty | hard | moderate | easy |
| Complexity | 4/5 | 3/5 | 2/5 |
| Audience | developer | researcher | general |
Figures from each repo's GitHub metadata at analysis time.
Requires a captured ARM64 trace from GumTrace and Frida, and runs only on macOS.
algokiller-plugin is a specialized security research tool that helps analysts figure out how encrypted or obfuscated code works inside mobile apps, without needing access to the original source code. It plugs into Claude, the AI assistant, turning Claude into an interactive analysis partner for a very specific technical task: examining detailed logs of app behavior (called "traces") to reverse-engineer encryption algorithms, signature schemes, and other hidden logic. Here is the core problem it solves: when security researchers or app developers want to understand what an Android or iOS app is doing under the hood, for example, how it generates a login token or signs a network request, they need to study a recording of every CPU instruction the app executed. These recordings, called ARM64 traces, can be gigabytes in size. Manually reading them is impractical. algokiller-plugin provides a set of automated search and analysis commands that can scan those massive trace files in seconds, spotting patterns associated with known encryption algorithms like AES, SHA-256, or MD5. A researcher would use this when they have captured a trace from a running app (using a companion tool called GumTrace, which hooks into the app via Frida, a standard instrumentation framework) and want to answer questions like "what algorithm generated this ciphertext?" or "where does this register value come from?" The plugin exposes slash commands and AI skills directly inside Claude, so the analyst can ask questions in plain language and Claude will run the appropriate search tools automatically. The codebase is written in Python and runs on macOS. It communicates with a native search engine (ak_search) through a local server using a standard protocol called MCP (which allows AI assistants to call external tools). No external Python libraries are required.
A Claude plugin that helps security researchers reverse engineer encryption inside mobile apps by searching massive ARM64 execution traces.
Mainly Python. The stack also includes Python, MCP, Frida.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.