|
| 1 | +#!/usr/bin/env bash |
| 2 | + |
| 3 | +### |
| 4 | +# This is the test script to test the working on Jadx MCP Server. |
| 5 | +# 1. Start the jadx |
| 6 | +# 2. Load DVAC apk into jadx -> https://github.com/zinja-coder/Damn-Vulnerable-Android-Components/ |
| 7 | +# 3. Start the jadx on port 8652 |
| 8 | +# 4. Start the jadx mcp server in http stream mode on port 9000 |
| 9 | +# 5. Command for step 4. -> `uv run jadx_mcp_server.py --http --port 9000 --jadx--port 8652` |
| 10 | +### |
| 11 | + |
| 12 | +set -euo pipefail |
| 13 | + |
| 14 | +MCP_URL="${MCP_URL:-http://127.0.0.1:9000/mcp/}" |
| 15 | +ACCEPT_HDR="application/json, text/event-stream" |
| 16 | +CONTENT_HDR="application/json" |
| 17 | + |
| 18 | +# Helper: extract data: JSON items from SSE and drop [DONE] |
| 19 | +sse_to_json() { |
| 20 | + grep '^data: ' | sed 's/^data: //' | grep -v '^\[DONE\]$' |
| 21 | +} |
| 22 | + |
| 23 | +# 1) initialize, capture session id header |
| 24 | +echo "== initialize ==" |
| 25 | +INIT_RESP_HEADERS=$(mktemp) |
| 26 | +curl -i -s -X POST "$MCP_URL" \ |
| 27 | + -H "Content-Type: $CONTENT_HDR" \ |
| 28 | + -H "Accept: $ACCEPT_HDR" \ |
| 29 | + -d '{ |
| 30 | + "jsonrpc":"2.0", |
| 31 | + "method":"initialize", |
| 32 | + "params":{ |
| 33 | + "protocolVersion":"2024-11-05", |
| 34 | + "capabilities":{}, |
| 35 | + "clientInfo":{"name":"curl-automation","version":"1.0.0"} |
| 36 | + }, |
| 37 | + "id":1 |
| 38 | + }' | tee "$INIT_RESP_HEADERS" >/dev/null |
| 39 | + |
| 40 | +SESSION_ID=$(awk -F': ' 'BEGIN{IGNORECASE=1} /^mcp-session-id:/ {print $2}' "$INIT_RESP_HEADERS" | tr -d '\r') |
| 41 | +if [[ -z "${SESSION_ID:-}" ]]; then |
| 42 | + echo "Failed to obtain MCP-Session-Id header" >&2 |
| 43 | + exit 1 |
| 44 | +fi |
| 45 | +echo "Session: $SESSION_ID" |
| 46 | + |
| 47 | +# 2) send notifications/initialized (no output expected) |
| 48 | +curl -s -X POST "$MCP_URL" \ |
| 49 | + -H "Content-Type: $CONTENT_HDR" \ |
| 50 | + -H "Accept: $ACCEPT_HDR" \ |
| 51 | + -H "Mcp-Session-Id: $SESSION_ID" \ |
| 52 | + -d '{"jsonrpc":"2.0","method":"notifications/initialized","params":{}}' >/dev/null |
| 53 | + |
| 54 | +# Optional: discover tools dynamically |
| 55 | +echo "== tools/list ==" |
| 56 | +TOOLS_JSON=$(curl -s -X POST "$MCP_URL" \ |
| 57 | + -H "Content-Type: $CONTENT_HDR" \ |
| 58 | + -H "Accept: $ACCEPT_HDR" \ |
| 59 | + -H "Mcp-Session-Id: $SESSION_ID" \ |
| 60 | + -d '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":2}' \ |
| 61 | + | sse_to_json | tail -n 1) |
| 62 | +echo "$TOOLS_JSON" | jq -r '.result.tools[].name' |
| 63 | + |
| 64 | +# Helper: call a tool with a JSON arguments object string |
| 65 | +call_tool() { |
| 66 | + local name="$1" |
| 67 | + local args_json="$2" # must be a valid JSON object string |
| 68 | + local id="${3:-1000}" |
| 69 | + |
| 70 | + curl -s -X POST "$MCP_URL" \ |
| 71 | + -H "Content-Type: $CONTENT_HDR" \ |
| 72 | + -H "Accept: $ACCEPT_HDR" \ |
| 73 | + -H "Mcp-Session-Id: $SESSION_ID" \ |
| 74 | + -d "{ |
| 75 | + \"jsonrpc\":\"2.0\", |
| 76 | + \"method\":\"tools/call\", |
| 77 | + \"params\":{ |
| 78 | + \"name\":\"$name\", |
| 79 | + \"arguments\":$args_json |
| 80 | + }, |
| 81 | + \"id\":$id |
| 82 | + }" \ |
| 83 | + | sse_to_json |
| 84 | +} |
| 85 | + |
| 86 | +echo "== Run selected tools ==" |
| 87 | + |
| 88 | +# 3) fetch_current_class (no args) |
| 89 | +echo "--- fetch_current_class ---" |
| 90 | +call_tool "fetch_current_class" '{}' 10 | jq -r '.result | .content?, .name? // . | tostring' |
| 91 | + |
| 92 | +# 4) get_selected_text (no args) |
| 93 | +echo "--- get_selected_text ---" |
| 94 | +call_tool "get_selected_text" '{}' 11 | jq -r '.result | .selectedText // .' |
| 95 | + |
| 96 | +# 5) get_android_manifest (no args) |
| 97 | +echo "--- get_android_manifest ---" |
| 98 | +call_tool "get_android_manifest" '{}' 12 | jq -r '.result.content' |
| 99 | + |
| 100 | +# 6) get_main_activity_class (no args) |
| 101 | +echo "--- get_main_activity_class ---" |
| 102 | +call_tool "get_main_activity_class" '{}' 13 | jq -r '.result.name, .result.content' |
| 103 | + |
| 104 | +# 7) get_all_classes (supports offset/count) |
| 105 | +echo "--- get_all_classes (offset=0,count=50) ---" |
| 106 | +call_tool "get_all_classes" '{"offset":0,"count":50}' 14 | jq -r '.result.items[]? // .result.classes[]? // .' |
| 107 | + |
| 108 | +# 8) get_class_source |
| 109 | +echo "--- get_class_source ---" |
| 110 | +call_tool "get_class_source" '{"class_name":"com.zin.dvac.AuthActivity"}' 15 | jq -r '.result // .error?.message // .' |
| 111 | + |
| 112 | +# 9) get_method_by_name |
| 113 | +echo "--- get_method_by_name ---" |
| 114 | +call_tool "get_method_by_name" '{"class_name":"com.zin.dvac.AuthActivity","method_name":"onCreate"}' 16 | jq -r '.result.code // .error?.message // .' |
| 115 | + |
| 116 | +# 10) search_method_by_name |
| 117 | +echo "--- search_method_by_name ---" |
| 118 | +call_tool "search_method_by_name" '{"method_name":"onCreate"}' 17 | jq -r '.result[]? // .result.matches[]? // .' |
| 119 | + |
| 120 | +# 11) get_methods_of_class |
| 121 | +echo "--- get_methods_of_class ---" |
| 122 | +call_tool "get_methods_of_class" '{"class_name":"com.zin.dvac.AuthActivity"}' 18 | jq -r '.result[]? // .' |
| 123 | + |
| 124 | +# 12) get_fields_of_class |
| 125 | +echo "--- get_fields_of_class ---" |
| 126 | +call_tool "get_fields_of_class" '{"class_name":"com.zin.dvac.AuthActivity"}' 19 | jq -r '.result[]? // .' |
| 127 | + |
| 128 | +# 13) get_smali_of_class |
| 129 | +echo "--- get_smali_of_class ---" |
| 130 | +call_tool "get_smali_of_class" '{"class_name":"com.zin.dvac.AuthActivity"}' 20 | jq -r '.result // .' |
| 131 | + |
| 132 | +# 14) get_strings (pagination) |
| 133 | +echo "--- get_strings (offset=0,count=100) ---" |
| 134 | +call_tool "get_strings" '{"offset":0,"count":100}' 21 | jq -r ' |
| 135 | + .result.items? // .result.strings? // .result.file? // .result // . |
| 136 | +' |
| 137 | + |
| 138 | +# 15) get_all_resource_file_names |
| 139 | +echo "--- get_all_resource_file_names ---" |
| 140 | +call_tool "get_all_resource_file_names" '{}' 22 | jq -r '.result.files[]? // .' |
| 141 | + |
| 142 | +# 16) get_resource_file |
| 143 | +echo "--- get_resource_file ---" |
| 144 | +call_tool "get_resource_file" '{"resource_name":"res/xml/network_security_config.xml"}' 23 | jq -r '.result.file.content // .' |
| 145 | + |
| 146 | +# 17) get_main_application_classes_names |
| 147 | +echo "--- get_main_application_classes_names ---" |
| 148 | +call_tool "get_main_application_classes_names" '{}' 24 | jq -r '.result[]? // .result.classes[]?.name // .' |
| 149 | + |
| 150 | +# 18) get_main_application_classes_code (pagination) |
| 151 | +echo "--- get_main_application_classes_code (offset=0,count=3) ---" |
| 152 | +call_tool "get_main_application_classes_code" '{"offset":0,"count":3}' 25 | jq -r '.result.items[]?.name, .result.items[]?.content' |
| 153 | + |
| 154 | +# 19) rename operations (use with care; examples commented) |
| 155 | +echo "--- rename_class ---" |
| 156 | +call_tool "rename_class" '{"class_name":"com.zin.dvac.AuthActivity","new_name":"WebViewActivity"}' 26 | jq |
| 157 | +echo "--- rename_method ---" |
| 158 | +call_tool "rename_method" '{"method_name":"com.zin.dvac.AuthActivity.onCreate","new_name":"initializeWebView"}' 27 | jq |
| 159 | +echo "--- rename_field ---" |
| 160 | +call_tool "rename_field" '{"class_name":"com.zin.dvac.LoginActivity","field_name":"editTextLoginPassword","new_name":"passwordInputField"}' 28 | jq |
| 161 | + |
| 162 | +echo "== done ==" |
0 commit comments