Flutter Reverse Engineering Framework

Last update: Jan 01, 2023

Overview

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization process that allow you perform dynamic analysis in a convenient way.

Key features:

socket.cc is patched for traffic monitoring and interception;
dart.cc is modified to print classes, functions and some fields;
contains minor changes for successfull compilation;
if you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Dockerfile

Supported engines

Android: arm64, arm32;
IOS: arm64 (Unstable);
Release: Stable, Beta

Install

# Linux, Windows, MacOS
pip install reflutter

pip3 install reflutter

Usage

[email protected]:~$ reflutter main.apk

Please enter your Burp Suite IP: 
   

SnapshotHash: 8ee4ef7a67df9845fba331734198a953
The resulting apk file: ./release.RE.apk
Please sign the apk file

Configure Proxy in Burp Suite -> *:8083
Request Handling -> Support Invisible Proxying -> true

[email protected]:~$ reflutter main.ipa

Traffic interception

You need to specify the IP of your Burp Suite relative to your local network on which the device with the flutter application is located. Next, you must configure the Proxy in BurpSuite -> Listener Proxy -> Options tab

Add port: 8083
Bind to address: All interfaces
Request handling: Support invisible proxying = True

You don't need to install any certificates. On an Android device, you don't need root access. This also bypasses some of the flutter certificate pinning implementations.

Usage on Android

The resulting apk must be aligned and signed. I am using uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see what code is loaded through DartVM, you must run the application on the device. You need LogCat you can use Android Studio with reflutter keyword search or use adb logcat

Output Example

[email protected]:~$ adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt

code output

Library:'package:anyapp/navigation/DeepLinkImpl.dart' Class: Navigation extends Object {  

String* DeepUrl = anyapp://evil.com/ ;

 Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor { 
  
                   }
    
 Function 'initDeepLinkHandle':. (dynamic) => Future<void>* { 
  
                   }
    
 Function '[email protected]':. (dynamic, dynamic, {dynamic navigator}) => void { 

                   }
 
       }
 
Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount extends Account {

PlainNotificationToken* _instance = sentinel;
 
 Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* { 

                   }
  
 Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* { 

                   }
       }

Usage on IOS

stub

XCode

To Do

Display absolute code offset for functions;
Extract more strings and fields;
Add socket patch;
Extend engine support to Debug using Fork and Github Actions;
Improve detection of App.framework and libapp.so inside zip archive

Build Engine

The engines are built using reFlutter in Github Actions to build the desired version, commits and hash snapshots are used from this table. The hash of the snapshot is extracted from storage.googleapis.com/flutter_infra_release/flutter/ /android-arm64-release/linux-x64.zip

release

Custom Build

If you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Docker

sudo docker pull ptswarm/reflutter

# Linux, Windows
EXAMPLE BUILD ANDROID ARM64:
    sudo docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH=
   
     -e COMMIT=
    
      --rm -iv${PWD}:/t ptswarm/reflutter

FLAGS:
    -e x64=0                         
     
      
    -e arm=0                         
      
       
    -e WAIT=300                      
       
         -e HASH_PATCH=[Snapshot_Hash] 
        
          -e COMMIT=[Engine_commit]

Comments

What is Burp Suite IP?
Morning, trying to figure out the usage of your tool. I found it very useful and wish you all the best in further app improvements.

Only one issue I've found is: The example usage of the tool is quite difficult to understand for the users that didn't work with Burp Suite.

For example: What IP should I insert here: Please enter your Burp Suite IP:

I've tried:

127.0.0.1

My Android Emulator's IP: 10.0.2.15

My Mac's Local IP: 192.168.*.*

The reason why am I asking about that is: When I run: adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt and launch the signed apk file: release.RE-aligned-debugSigned.apk on my Emulator I don't see any logs in reflutter.txt;

What did I do wrong?

Thank you
opened by KirillBorodin 7

This engine is currently not supported on some apk

Hello, I got this error when trying to run: reflutter app.apk

Engine SnapshotHash: e7ad14f921786dbf76b9add4b0a5c950

 This engine is currently not supported.
 Most likely this flutter application uses the Debug version engine which you need to build manually using Docker at the moment.
 More details: https://github.com/ptswarm/reFlutter

What can I do about this situation?

opened by uzumaki258 3

Patching base64Decode https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart

hello and thank you for sharing your great work,

Is it possible to change the code in base64Decode (https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart) so it print the input ( string)?

Can you please share steps to modify the code in the method base64Decode and re build the apk ?

Regards

opened by openadcenter 2
Missing build engine for this version 63ca99584a1aef79722b2a7c6414570b54416bab

Example: (192.168.1.154) etc. Please enter your BurpSuite IP: 192.168.1.2 63ca99584a1aef79722b2a7c6414570b54416bab

I got this message when try to reflutter file apk. Could you help me to check it? I believe that is missing build engine for this version.

opened by leowilbur 1
App can't connect to Internet

Everythning seems to work, i reproduced the app using reflutter main.apk, and signed the apk.

I can intercept the first request, but the app is stuck on the first screen (waiting for a response from server before continuing) I can see some code in the reflutter.txt file, but it's not enough since I can't access the rest of the app.

opened by ilsx 1
NOT CLEAR

hey,

T his is not working for me, & I don't know & or am not able to get steps to do this clearly.

please add steps to do from start.

thankyou

opened by stish834 1

Releases(ios-v2-f10776149bf76be288def3c2ca73bdc1)

Owner

PT SWARM

Positive Technologies Offensive Team

GitHub Repository

Deobfuscate Log4Shell payloads with ease

Ox4Shell Deobfuscate Log4Shell payloads with ease. Description Since the release

137 Jan 02, 2023

Simple yara rule manager

Yara Manager A simple program to manage your yara ruleset in a (sqlite) database. Todos Search rules and descriptions Cluster rules in rulesets Enforc

65 Nov 17, 2022

Generate malicious files using recently published bidi-attack (CVE-2021-42574)

CVE-2021-42574 - Code generator Generate malicious files using recently published bidi-attack vulnerability, which was discovered in Unicode Specifica

7 Nov 09, 2022

An IDA pro python script to decrypt Qbot malware string

Qbot-Strings-Decrypter An IDA pro python script to decrypt Qbot malware strings.

6 Sep 01, 2022

Simple tool to create passwords.

PasswordGenerator Simple password generator: -Simplisitc Window Application -Allows Numbers, Symbols & letters upper and lowercase -Restricts rows of

1 Jan 10, 2022

In this program, I generate the strong password from existing password without class using python. The special thing in this program is that is generate very strong password from our existing password. It replaces some elements from password and put another elements in it.

Strong-password-Generator-from-existing-password-using-python In this program, I generate the strong password from existing password without class usi

4 Sep 24, 2021

Grafana-POC(CVE-2021-43798)

Grafana-Poc 此工具请勿用于违法用途。一、使用方法：python3 grafana_hole.py 在domain.txt中填入ip:port 二、漏洞影响范围影响版本： Grafana 8.0.0 - 8.3.0 安全版本： Grafana 8.3.1, 8.2.7, 8.1.8,

8 Jan 03, 2023

Microsoft Exchange Server SSRF漏洞(CVE-2021-26855)

Microsoft_Exchange_Server_SSRF_CVE-2021-26855 zoomeye dork：app:"Microsoft Exchange Server" 使用Seebug工具箱及pocsuite3编写的脚本Microsoft_Exchange_Server_SSRF_CV

37 Nov 12, 2022

A tool to extract the IdP cert from vCenter backups and log in as Administrator

vCenter SAML Login Tool A tool to extract the Identity Provider (IdP) cert from vCenter backups and log in as Administrator Background Commonly, durin

343 Dec 31, 2022

Password List Maker

Red-Key Red-Key Password List Maker Version 1.1.2 Created By FireKing255 -=Features=- Create Random Password List Create Password List Create Password

7 Dec 26, 2021

A passive-recon tool that parses through found assets and interacts with the Hackerone API

Hackerone Passive Recon Tool A passive-recon tool that parses through found assets and interacts with the Hackerone API. Setup Simply run setup.sh to

4 Jan 13, 2022

Tool To generate Stable Undetected Payload

windowsPayload Tool To generate Stable Undetected Payload Don t Upload to Virus Total :) Follow on Social Media Platforms ScreenShots How to install +

117 Dec 30, 2022

Crypto Meta Extractor

Crypto Meta Extractor This repository contains the code which extracts some metadata of all the cryptocurrencies listed (9K) on CoinMarketCap. Coding

3 Jul 03, 2022

OLOP: One-Line & Obfuscated Python

OLOP: One-Line & Obfuscated Python This repository contains useful python modules for one-line and obfuscated python. pip install olop-ShadowLugia650

1 Jan 09, 2022

LeLeLe: A tool to simplify the application of Lattice attacks.

LeLeLe is a very simple library (300 lines) to help you more easily implement lattice attacks, the library is inspired by Z3Py (python interfa

4 Dec 14, 2021

This is a multi-password‌ cracking tool that can help you hack facebook accounts very quickly

Pro_Crack Facebook Fast Cracking Tool This is a multi-password‌ cracking tool that can help you hack facebook accounts very quickly Installation On Te

1 Jan 16, 2022

It's a simple tool for test vulnerability Apache Path Traversal

SimplesApachePathTraversal Simples Apache Path Traversal It's a simple tool for test vulnerability Apache Path Traversal https://blog.mrcl0wn.com/2021

56 Dec 27, 2022

A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

This project is no longer maintained March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulne

2.1k Dec 25, 2022

Open-source keylogger write in python

Python open-source keylogger Language Python open-source keylogger using pynput module Using Install dependences in archive setup.py or install.sh in

4 Jan 15, 2022

Monty Hall Problem simulation written in Python.

Monty Hall Problem Simulation monty_hall_sim is a brute-force method of determining the optimal strategy for the Monty Hall Problem. Usage Set boolean

1 Aug 29, 2022