Skip to content

Reference Overview

The following tool domains are available:

  1. Start with browser / network / workflow to understand the day-to-day path.
  2. Continue with debugger / instrumentation / streaming for runtime analysis.
  3. Finish with core / sourcemap / transform / wasm / process / platform for deeper reverse-engineering coverage.

Domain matrix

DomainTitleProfilesTypical use
adb-bridgeADB BridgefullAndroid Debug Bridge integration domain for device management, application analysis, and remote debugging.
binary-instrumentBinary InstrumentfullBinary instrumentation domain providing binary analysis, runtime instrumentation, APK packer identification, and hardcoded key candidate scanning.
boringssl-inspectorBoringSSL Inspectorworkflow, fullBoringSSL/TLS inspection domain supporting TLS traffic analysis and certificate inspection.
browserBrowserworkflow, fullPrimary browser control and DOM interaction domain; the usual entry point for most workflows.
canvasCanvasworkflow, fullCanvas game engine reverse analysis domain plus Skia rendering capture, supporting Laya, Pixi, Phaser, Cocos, and Unity engines for fingerprinting, scene tree dumping, object picking, and Skia GPU backend detection and scene extraction.
coordinationCoordinationworkflow, fullCoordination domain for session insights, MCP Task Handoff, and cross-agent shared state board, bridging the planning and execution boundaries of LLMs.
coreCoreworkflow, fullCore static and semi-static analysis domain for script collection, deobfuscation, semantic inspection, webpack analysis, source map recovery, and crypto detection.
cross-domainCross-DomainfullCross-domain correlation domain that bridges analysis results across multiple domains, supporting workflow orchestration and evidence graph integration.
dart-inspectorDart InspectorfullExtract and classify strings, recover Smi integer constants, and resolve obfuscated identifiers from Flutter AOT libapp.so using a developer-supplied obfuscation map.
debuggerDebuggerworkflow, fullCDP-based debugging domain covering breakpoints, stepping, call stacks, watches, debugger sessions, and anti-anti-debug.
encodingEncodingworkflow, fullBinary format detection, encoding conversion, entropy analysis, and raw protobuf decoding.
exploit-devExploit DevelopmentfullBinary exploit development domain providing ROP/JOP gadget search, shellcode encoding, mitigation detection, and offset calculation.
extension-registryExtension RegistryfullExtension registry domain for managing and discovering community extensions.
graphqlGraphQLworkflow, fullGraphQL discovery, extraction, replay, and introspection tooling.
instrumentationInstrumentationfullUnified instrumentation-session domain that groups hooks, intercepts, traces, evidence graphs, and artifacts into a queryable session.
maintenanceMaintenanceworkflow, fullOperations and maintenance domain covering cache hygiene, token budget, environment diagnostics, artifact cleanup, extension management, and secure sandbox execution.
memoryMemoryfullMemory analysis domain for native scans, pointer-chain discovery, structure inference, and breakpoint-based observation.
mojo-ipcMojo IPCfullMojo IPC monitoring domain for Chromium inter-process communication analysis.
native-emulatorNative EmulatorfullIn-process, dependency-free self-built ARM64 interpreter for emulating Android .so libraries: load a shared object, register mock Java methods, and invoke exported or Java_* JNI functions to recover signing/crypto algorithms — no device, JVM, or Frida. Sessions are isolated and explicitly managed (create → … → destroy) with idle auto-expiry. libapp.so (Flutter Dart AOT) is not executable here and routes to the Dart layer.
networkNetworkworkflow, fullRequest capture, response extraction, HAR export, safe replay, and performance tracing.
platformPlatformfullPlatform and package analysis domain covering miniapps, ASAR archives, and Electron apps.
processProcessfullProcess, module, memory diagnostics, and controlled injection domain for host-level inspection, troubleshooting, and Windows process experimentation workflows.
protocol-analysisProtocol AnalysisfullCustom protocol analysis domain supporting protocol pattern definition, automatic field detection from hex payloads, state machine inference from captured messages, and Mermaid diagram visualization.
proxyProxyfullFull-stack HTTP/HTTPS MITM proxy domain for system-level traffic interception, modification, and application configuration.
sourcemapSourceMapfullSource map discovery, fetching, parsing, and source tree reconstruction.
streamingStreamingworkflow, fullWebSocket and SSE monitoring domain.
syscall-hookSyscall HookfullSystem call hooking domain providing system call monitoring and mapping capabilities.
traceTracefullTime-travel debugging domain that records CDP events into SQLite for SQL-based querying and heap snapshot comparison.
transformTransformfullAST/string transform domain plus crypto extraction, harnessing, and comparison tooling.
v8-inspectorV8 Inspectorworkflow, fullV8 inspector domain providing heap snapshot analysis, CPU profiling, and memory inspection.
wasmWASMfullWebAssembly dump, disassembly, decompilation, optimization, and offline execution domain.
webgpuWebGPUworkflow, fullWebGPU reverse analysis domain supporting GPU adapter info, shader compile/disassembly, timing side-channel analysis, and memory layout inspection.
workflowWorkflowworkflow, fullComposite workflow, script-library, and macro-orchestration domain; the main built-in orchestration layer.

Key high-level entry points

  • api_probe_batch — batch-probe OpenAPI / Swagger / API paths
  • js_bundle_search — fetch a bundle remotely and search it with multiple patterns
  • page_script_register / page_script_run — register reusable page-side snippets and execute them on demand
  • doctor_environment — diagnose dependencies and local bridge health
  • cleanup_artifacts — clean retained artifacts by age or size
  • list_extension_workflows / run_extension_workflow — discover and execute external extension workflows

Released under AGPL-3.0-only