Read the essay in English or Chinese to understand the LLM-driven reverse engineering thesis.
Copy the hypothesis loop methodology when attacking another obfuscated mobile signing scheme.
Cite the Douyin v38.1.0 case study in a paper or blog post on AI-assisted security research.
Use the tag list as a starting point for tools to learn for AI-assisted Android RE.
This is an essay repository, not a runnable tool, so there is nothing to install; applying the methodology yourself requires Frida and an LLM with an API budget.
This repository is not a software tool. It is an essay, in English and Chinese, arguing that large language models have ended reverse engineering as a high-barrier specialty. The author backs the claim with a case study: in 30 days and roughly 100 US dollars in API spend, they reconstructed six out of seven custom HTTP signing parameters in the native library of Douyin v38.1.0, the Chinese version of TikTok, using Claude Opus. The author says they did this without a deep cryptography background, without prior Frida scripting experience, and without years of reverse engineering history.

The paper frames the shift as the bottleneck moving from human knowledge accumulation to token consumption. Reverse engineering traditionally needed assembly fluency, low-level OS knowledge, the ability to recognize cryptographic primitives by sight, and a personal toolchain built over three to five years. The author claims LLMs collapse these barriers because they pattern-match across millions of code samples at once, they treat complexity as a token cost rather than a cognitive cost, and they can infer the structure of an unfamiliar variant from differential input-output pairs alone.

The target is described as commercial mobile protection at its current ceiling. Static protection includes OLLVM control-flow flattening and a custom bytecode virtual machine with 414 handlers. Dynamic protection includes integrity checks of the Dex and native layers plus anti-debugging through ptrace and timing anomalies. The signature itself uses SPECK-128/256, the Chinese SM3 hash, a GF(2^8) affine transformation, an ARX sponge permutation, CRC64-Jones, and a modified Broken-RC4 variant.

The methodology was dynamic first. Frida hooks captured function inputs and outputs at runtime, turning opaque routines into observable streams of data. The author then ran a hypothesis loop: form a guess, write a Frida script with the model, collect runtime data, confirm or refute, update notes, repeat. The model generated scripts, interpreted differential outputs, and kept the hypothesis register. The human role was to direct, judge plausibility, and decide when to advance. The most-used prompt was reportedly the two Classical Chinese characters meaning "continue."

The corollary the paper draws is that operating within LLM safety mechanisms now matters more than reverse engineering knowledge itself. The repo is tagged ai-assisted, android-security, bytecode-vm, cryptography, frida, llm, mobile-security, and ollvm.
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.