Flutter Reverse Engineering Framework

Last update: Jan 1, 2023

Overview

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization process that allow you perform dynamic analysis in a convenient way.

Key features:

socket.cc is patched for traffic monitoring and interception;
dart.cc is modified to print classes, functions and some fields;
contains minor changes for successfull compilation;
if you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Dockerfile

Supported engines

Android: arm64, arm32;
IOS: arm64 (Unstable);
Release: Stable, Beta

Install

# Linux, Windows, MacOS
pip install reflutter

pip3 install reflutter

Usage

impact@f:~$ reflutter main.apk

Please enter your Burp Suite IP: 
   

SnapshotHash: 8ee4ef7a67df9845fba331734198a953
The resulting apk file: ./release.RE.apk
Please sign the apk file

Configure Proxy in Burp Suite -> *:8083
Request Handling -> Support Invisible Proxying -> true

impact@f:~$ reflutter main.ipa

Traffic interception

You need to specify the IP of your Burp Suite relative to your local network on which the device with the flutter application is located. Next, you must configure the Proxy in BurpSuite -> Listener Proxy -> Options tab

Add port: 8083
Bind to address: All interfaces
Request handling: Support invisible proxying = True

You don't need to install any certificates. On an Android device, you don't need root access. This also bypasses some of the flutter certificate pinning implementations.

Usage on Android

The resulting apk must be aligned and signed. I am using uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see what code is loaded through DartVM, you must run the application on the device. You need LogCat you can use Android Studio with reflutter keyword search or use adb logcat

Output Example

impact@f:~$ adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt

code output

Library:'package:anyapp/navigation/DeepLinkImpl.dart' Class: Navigation extends Object {  

String* DeepUrl = anyapp://evil.com/ ;

 Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor { 
  
                   }
    
 Function 'initDeepLinkHandle':. (dynamic) => Future<void>* { 
  
                   }
    
 Function '_navigateDeepLink@547106886':. (dynamic, dynamic, {dynamic navigator}) => void { 

                   }
 
       }
 
Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount extends Account {

PlainNotificationToken* _instance = sentinel;
 
 Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* { 

                   }
  
 Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* { 

                   }
       }

Usage on IOS

stub

XCode

To Do

Display absolute code offset for functions;
Extract more strings and fields;
Add socket patch;
Extend engine support to Debug using Fork and Github Actions;
Improve detection of App.framework and libapp.so inside zip archive

Build Engine

The engines are built using reFlutter in Github Actions to build the desired version, commits and hash snapshots are used from this table. The hash of the snapshot is extracted from storage.googleapis.com/flutter_infra_release/flutter/ /android-arm64-release/linux-x64.zip

release

Custom Build

If you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Docker

sudo docker pull ptswarm/reflutter

# Linux, Windows
EXAMPLE BUILD ANDROID ARM64:
    sudo docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH=
   
     -e COMMIT=
    
      --rm -iv${PWD}:/t ptswarm/reflutter

FLAGS:
    -e x64=0                         
     
      
    -e arm=0                         
      
       
    -e WAIT=300                      
       
         -e HASH_PATCH=[Snapshot_Hash] 
        
          -e COMMIT=[Engine_commit]

Comments

What is Burp Suite IP?
Morning, trying to figure out the usage of your tool. I found it very useful and wish you all the best in further app improvements.

Only one issue I've found is: The example usage of the tool is quite difficult to understand for the users that didn't work with Burp Suite.

For example: What IP should I insert here: Please enter your Burp Suite IP:

I've tried:

127.0.0.1

My Android Emulator's IP: 10.0.2.15

My Mac's Local IP: 192.168.*.*

The reason why am I asking about that is: When I run: adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt and launch the signed apk file: release.RE-aligned-debugSigned.apk on my Emulator I don't see any logs in reflutter.txt;

What did I do wrong?

Thank you
opened by KirillBorodin 7

This engine is currently not supported on some apk

Hello, I got this error when trying to run: reflutter app.apk

Engine SnapshotHash: e7ad14f921786dbf76b9add4b0a5c950

 This engine is currently not supported.
 Most likely this flutter application uses the Debug version engine which you need to build manually using Docker at the moment.
 More details: https://github.com/ptswarm/reFlutter

What can I do about this situation?

opened by uzumaki258 3

Patching base64Decode https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart

hello and thank you for sharing your great work,

Is it possible to change the code in base64Decode (https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart) so it print the input ( string)?

Can you please share steps to modify the code in the method base64Decode and re build the apk ?

Regards

opened by openadcenter 2
Missing build engine for this version 63ca99584a1aef79722b2a7c6414570b54416bab

Example: (192.168.1.154) etc. Please enter your BurpSuite IP: 192.168.1.2 63ca99584a1aef79722b2a7c6414570b54416bab

I got this message when try to reflutter file apk. Could you help me to check it? I believe that is missing build engine for this version.

opened by leowilbur 1
App can't connect to Internet

Everythning seems to work, i reproduced the app using reflutter main.apk, and signed the apk.

I can intercept the first request, but the app is stuck on the first screen (waiting for a response from server before continuing) I can see some code in the reflutter.txt file, but it's not enough since I can't access the rest of the app.

opened by ilsx 1
NOT CLEAR

hey,

T his is not working for me, & I don't know & or am not able to get steps to do this clearly.

please add steps to do from start.

thankyou

opened by stish834 1

Releases(ios-v2-f10776149bf76be288def3c2ca73bdc1)

Owner

PT SWARM

Positive Technologies Offensive Team

GitHub

Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks.

Driver Buddy Reloaded Quickstart Table of Contents Installation Usage About Driver Buddy Reloaded Finding DispatchDeviceControl Labelling WDM & WDF St

199 Jan 4, 2023

IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Re-Scripts IA32-VMX-Helper (IDA-Script) IA32-MSR-Decoder (IDA-Script) IA32 VMX Helper It's an IDA script (Updated IA32 MSR Decoder) which helps you to

16 Oct 8, 2022

A Radare2 based Python module for Binary Analysis and Reverse Engineering.

Zepu1chr3 A Radare2 based Python module for Binary Analysis and Reverse Engineering. Installation You can simply run this command. pip3 install zepu1c

5 Aug 25, 2022

Reverse engineered Parler API

Parler's unofficial API with all endpoints present in their iOS app as of 08/12/2020. For the most part undocumented, but the error responses are alre

393 Nov 26, 2022

Generate MIPS reverse shell shellcodes easily !

MIPS-Reverse MIPS-Reverse is a tool that can generate shellcodes for the MIPS architecture that launches a reverse shell where you can specify the IP

29 Jul 27, 2021

Meterpreter Reverse shell over TOR network using hidden services

Poiana Reverse shell over TOR network using hidden services Features -> Create a hidden service -> Generate non-staged payload (python/meterpreter_rev

80 Dec 21, 2022

A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF.

TProxer A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF. How • Install • Todo • Join Discord How it works

162 Nov 25, 2022

An advanced multi-threaded, multi-client python reverse shell for hacking linux systems

PwnLnX An advanced multi-threaded, multi-client python reverse shell for hacking linux systems. There's still more work to do so feel free to help out

212 Dec 24, 2022

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including Python 3.10.*)

95 Dec 26, 2022

An open-source post-exploitation framework for students, researchers and developers.

Questions? Join the Discord support server Disclaimer: This project should be used for authorized testing or educational purposes only. BYOB is an ope

8.1k Dec 31, 2022

Hubble is a modular, open-source security compliance framework. The project provides on-demand profile-based auditing, real-time security event notifications, alerting, and reporting. HubbleStack is a free and open source project made possible by Adobe. https://github.com/adobe

Welcome to HubbleStack!! You can find the docs here You can file an issue here Follow us on Twitter! Development Below are sample instructions to setu

368 Jan 4, 2023

Flutter Reverse Engineering Framework

Related tags