Flutter Reverse Engineering Framework

Related tags

Security related resourcesreverse-engineeringbugbountymobile-securityssl-pinning
Overview

workflow

stars github_downloads

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization process that allow you perform dynamic analysis in a convenient way.

Key features:

  • socket.cc is patched for traffic monitoring and interception;
  • dart.cc is modified to print classes, functions and some fields;
  • contains minor changes for successfull compilation;
  • if you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Dockerfile

Supported engines

  • Android: arm64, arm32;
  • IOS: arm64 (Unstable);
  • Release: Stable, Beta

Install

# Linux, Windows, MacOS
pip install reflutter

pip3 install reflutter

Usage

[email protected]:~$ reflutter main.apk

Please enter your Burp Suite IP: 
   

SnapshotHash: 8ee4ef7a67df9845fba331734198a953
The resulting apk file: ./release.RE.apk
Please sign the apk file

Configure Proxy in Burp Suite -> *:8083
Request Handling -> Support Invisible Proxying -> true

[email protected]:~$ reflutter main.ipa

Traffic interception

You need to specify the IP of your Burp Suite relative to your local network on which the device with the flutter application is located. Next, you must configure the Proxy in BurpSuite -> Listener Proxy -> Options tab

  • Add port: 8083
  • Bind to address: All interfaces
  • Request handling: Support invisible proxying = True

You don't need to install any certificates. On an Android device, you don't need root access. This also bypasses some of the flutter certificate pinning implementations.

Usage on Android

The resulting apk must be aligned and signed. I am using uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see what code is loaded through DartVM, you must run the application on the device. You need LogCat you can use Android Studio with reflutter keyword search or use adb logcat

Output Example

[email protected]:~$ adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt
code output 
Library:'package:anyapp/navigation/DeepLinkImpl.dart' Class: Navigation extends Object {  

String* DeepUrl = anyapp://evil.com/ ;

 Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor { 
  
                   }
    
 Function 'initDeepLinkHandle':. (dynamic) => Future<void>* { 
  
                   }
    
 Function '[email protected]':. (dynamic, dynamic, {dynamic navigator}) => void { 

                   }
 
       }
 
Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount extends Account {

PlainNotificationToken* _instance = sentinel;
 
 Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* { 

                   }
  
 Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* { 

                   }
       }

Usage on IOS

stub

XCode

To Do

  • Display absolute code offset for functions;
  • Extract more strings and fields;
  • Add socket patch;
  • Extend engine support to Debug using Fork and Github Actions;
  • Improve detection of App.framework and libapp.so inside zip archive

Build Engine

The engines are built using reFlutter in Github Actions to build the desired version, commits and hash snapshots are used from this table. The hash of the snapshot is extracted from storage.googleapis.com/flutter_infra_release/flutter/ /android-arm64-release/linux-x64.zip

release

gif

Custom Build

If you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Docker

sudo docker pull ptswarm/reflutter

# Linux, Windows
EXAMPLE BUILD ANDROID ARM64:
    sudo docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH=
   
     -e COMMIT=
    
      --rm -iv${PWD}:/t ptswarm/reflutter

FLAGS:
    -e x64=0                         
     
      
    -e arm=0                         
      
       
    -e WAIT=300                      
       
         -e HASH_PATCH=[Snapshot_Hash] 
        
          -e COMMIT=[Engine_commit]
Comments
  • What is Burp Suite IP?

    What is Burp Suite IP?

    Morning, trying to figure out the usage of your tool. I found it very useful and wish you all the best in further app improvements.

    Only one issue I've found is: The example usage of the tool is quite difficult to understand for the users that didn't work with Burp Suite.

    For example: What IP should I insert here: Please enter your Burp Suite IP:

    I've tried:

    • 127.0.0.1
    • My Android Emulator's IP: 10.0.2.15
    • My Mac's Local IP: 192.168.*.*

    The reason why am I asking about that is: When I run: adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt and launch the signed apk file: release.RE-aligned-debugSigned.apk on my Emulator I don't see any logs in reflutter.txt;

    What did I do wrong?

    Thank you

    opened by KirillBorodin 7
  • This engine is currently not supported on some apk

    This engine is currently not supported on some apk

    Hello, I got this error when trying to run: reflutter app.apk

    Engine SnapshotHash: e7ad14f921786dbf76b9add4b0a5c950

 This engine is currently not supported.
 Most likely this flutter application uses the Debug version engine which you need to build manually using Docker at the moment.
 More details: https://github.com/ptswarm/reFlutter

    What can I do about this situation?

    opened by uzumaki258 3
  • Patching base64Decode https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart

    Patching base64Decode https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart

    hello and thank you for sharing your great work,

    Is it possible to change the code in base64Decode (https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart) so it print the input ( string)?

    Can you please share steps to modify the code in the method base64Decode and re build the apk ?

    Regards

    opened by openadcenter 2
  • Missing build engine for this version 63ca99584a1aef79722b2a7c6414570b54416bab

    Missing build engine for this version 63ca99584a1aef79722b2a7c6414570b54416bab

    Example: (192.168.1.154) etc. Please enter your BurpSuite IP: 192.168.1.2 63ca99584a1aef79722b2a7c6414570b54416bab

    I got this message when try to reflutter file apk. Could you help me to check it? I believe that is missing build engine for this version.

    opened by leowilbur 1
  • App can't connect to Internet

    App can't connect to Internet

    Everythning seems to work, i reproduced the app using reflutter main.apk, and signed the apk.

    I can intercept the first request, but the app is stuck on the first screen (waiting for a response from server before continuing) I can see some code in the reflutter.txt file, but it's not enough since I can't access the rest of the app.

    opened by ilsx 1
  • NOT CLEAR

    NOT CLEAR

    hey,

    T Screenshot from 2021-10-12 09-30-32 his is not working for me, & I don't know & or am not able to get steps to do this clearly.

    please add steps to do from start.

    thankyou

    opened by stish834 1
Releases(ios-v2-f10776149bf76be288def3c2ca73bdc1)
Owner
PT SWARM
Positive Technologies Offensive Team
PT SWARM
GitHub Repository
CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection

CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection Usage usage: cve-2021-26084_confluence_rce.py [-h] --url URL [--cmd CMD] [--shell] CVE-2021-2

r0cky 92 Jul 20, 2022
A deobfuscator for multiple python obfuscators

PY4COC A deobfuscator for multiple python obfuscators, supports exe's packed with pyinstaller too. How to use python3 py4coc.py exe file or py file o

svenskithesource 16 Dec 03, 2022
A Safer PoC for CVE-2022-22965 (Spring4Shell)

Safer_PoC_CVE-2022-22965 A Safer PoC for CVE-2022-22965 (Spring4Shell) Functionality Creates a file called CVE_2022-22965_exploited.txt in the tomcat

Colin Cowie 46 Nov 12, 2022
This repository will contain python scripts for hackers and pentesters

This repository will contain python scripts for hackers and pentesters. stop being limited with availble tools. Build your own.

0xTRAW 24 Nov 29, 2022
The Modern Hash Identification System

🔗 Don't know what type of hash it is? Name That Hash will name that hash type! 🤖 Identify MD5, SHA256 and 3000+ other hashes ☄ Comes with a neat web app 🔥

1.2k Dec 28, 2022
RDP Stealer

RDP Stealer RDP Stealer by lamp Require Python How To Use Download This Source Extract The Zip File Change webhook url Convert to exe send to target I

Lamp 14 Nov 26, 2022
Scans for Log4j versions effected by CVE-2021-44228

check_mkExtension to check for log4j2 CVE-2021-44228 This Plugin wraps around logpresso/CVE-2021-44228-Scanner (Apache License 2.0) How it works Run i

inett GmbH 4 Jun 30, 2022
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.

SSLyze SSLyze is a fast and powerful SSL/TLS scanning tool and Python library. SSLyze can analyze the SSL/TLS configuration of a server by connecting

Alban Diquet 2.8k Jan 03, 2023
Crypto Meta Extractor

Crypto Meta Extractor This repository contains the code which extracts some metadata of all the cryptocurrencies listed (9K) on CoinMarketCap. Coding

Samyak Jain 3 Jul 03, 2022
Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

O365DevicePhish Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack This is a simple proof-of-concept script t

Trewis [work] Scotch 4 Sep 23, 2022
Hack computer in the form of RAR files from all types of clients, even Linux

Program Features 📌 Hide malware 📌 Vulnerability software vulnerabilities RAR 📌 Creating malware 📌 Access client files 📌 Client Hacking 📌 Link Do

hack4lx 5 Nov 25, 2022
Security offerings for AWS Control Tower

Caylent Security Catalyst Reference Architecture Examples This repository contains solutions for Caylent's Security Catalyst. The Security Catalyst is

Steven Connolly 1 Oct 22, 2021
This script allows you to make a onion host instantly.

Installation It only works in Debian based Linux distros. Clone the repo: git clone https://github.com/0xStevenson/Auto-Tor-Host.git Go to the direct

Steven 4 Feb 22, 2022
Password list generator for password spraying - prebaked with goodies

Generates permutations of Months, Seasons, Years, Sports Teams (NFL, NBA, MLB, NHL), Sports Scores, "Password", and even Iterable Keyspaces of a specified size.

Casey Erdmann 65 Dec 22, 2022
The Web Application Firewall Paranoia Level Test Tool.

Quick WAF "paranoid" Doctor Evaluation WAFPARAN01D3 The Web Application Firewall Paranoia Level Test Tool. — From alt3kx.github.io Introduction to Par

22 Jul 25, 2022
💣 Bomb Crypto Bot 💣

💣 Bomb Crypto Bot 💣 ⚠️ Warning I am not responsible for any penalties incurred by those who use the bot, use it at your own risk. 📄 Documentation -

Matheus Benites 4 Apr 27, 2022
Remote Desktop Protocol in Twisted Python

RDPY Remote Desktop Protocol in twisted python. RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client a

Sylvain Peyrefitte 1.6k Dec 30, 2022
NS-LOOKUP - A python script for scanning website for getting ip address of a website

NS-LOOKUP A python script for scanning website for getting ip address of a websi

Spider Anongreyhat 5 Aug 02, 2022
一款辅助探测Orderby注入漏洞的BurpSuite插件,Python3编写,适用于上xray等扫描器被ban的场景

OrderbyHunter 一款辅助探测Orderby注入漏洞的BurpSuite插件,Python3编写,适用于上xray等扫描器被ban的场景 1. 支持Get/Post型请求参数的探测,被动探测,对于存在Orderby注入的请求将会在HTTP Histroy里标红 2. 自定义排序参数list

Automne 21 Aug 12, 2022
Keystroke logging, often referred to as keylogging or keyboard capturing

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware

Harsha G 2 Jan 11, 2022