Flutter Reverse Engineering Framework

Last update: Jan 01, 2023

Overview

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization process that allow you perform dynamic analysis in a convenient way.

Key features:

socket.cc is patched for traffic monitoring and interception;
dart.cc is modified to print classes, functions and some fields;
contains minor changes for successfull compilation;
if you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Dockerfile

Supported engines

Android: arm64, arm32;
IOS: arm64 (Unstable);
Release: Stable, Beta

Install

# Linux, Windows, MacOS
pip install reflutter

pip3 install reflutter

Usage

[email protected]:~$ reflutter main.apk

Please enter your Burp Suite IP: 
   

SnapshotHash: 8ee4ef7a67df9845fba331734198a953
The resulting apk file: ./release.RE.apk
Please sign the apk file

Configure Proxy in Burp Suite -> *:8083
Request Handling -> Support Invisible Proxying -> true

[email protected]:~$ reflutter main.ipa

Traffic interception

You need to specify the IP of your Burp Suite relative to your local network on which the device with the flutter application is located. Next, you must configure the Proxy in BurpSuite -> Listener Proxy -> Options tab

Add port: 8083
Bind to address: All interfaces
Request handling: Support invisible proxying = True

You don't need to install any certificates. On an Android device, you don't need root access. This also bypasses some of the flutter certificate pinning implementations.

Usage on Android

The resulting apk must be aligned and signed. I am using uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see what code is loaded through DartVM, you must run the application on the device. You need LogCat you can use Android Studio with reflutter keyword search or use adb logcat

Output Example

[email protected]:~$ adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt

code output

Library:'package:anyapp/navigation/DeepLinkImpl.dart' Class: Navigation extends Object {  

String* DeepUrl = anyapp://evil.com/ ;

 Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor { 
  
                   }
    
 Function 'initDeepLinkHandle':. (dynamic) => Future<void>* { 
  
                   }
    
 Function '[email protected]':. (dynamic, dynamic, {dynamic navigator}) => void { 

                   }
 
       }
 
Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount extends Account {

PlainNotificationToken* _instance = sentinel;
 
 Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* { 

                   }
  
 Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* { 

                   }
       }

Usage on IOS

stub

XCode

To Do

Display absolute code offset for functions;
Extract more strings and fields;
Add socket patch;
Extend engine support to Debug using Fork and Github Actions;
Improve detection of App.framework and libapp.so inside zip archive

Build Engine

The engines are built using reFlutter in Github Actions to build the desired version, commits and hash snapshots are used from this table. The hash of the snapshot is extracted from storage.googleapis.com/flutter_infra_release/flutter/ /android-arm64-release/linux-x64.zip

release

Custom Build

If you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Docker

sudo docker pull ptswarm/reflutter

# Linux, Windows
EXAMPLE BUILD ANDROID ARM64:
    sudo docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH=
   
     -e COMMIT=
    
      --rm -iv${PWD}:/t ptswarm/reflutter

FLAGS:
    -e x64=0                         
     
      
    -e arm=0                         
      
       
    -e WAIT=300                      
       
         -e HASH_PATCH=[Snapshot_Hash] 
        
          -e COMMIT=[Engine_commit]

Comments

What is Burp Suite IP?
Morning, trying to figure out the usage of your tool. I found it very useful and wish you all the best in further app improvements.

Only one issue I've found is: The example usage of the tool is quite difficult to understand for the users that didn't work with Burp Suite.

For example: What IP should I insert here: Please enter your Burp Suite IP:

I've tried:

127.0.0.1

My Android Emulator's IP: 10.0.2.15

My Mac's Local IP: 192.168.*.*

The reason why am I asking about that is: When I run: adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt and launch the signed apk file: release.RE-aligned-debugSigned.apk on my Emulator I don't see any logs in reflutter.txt;

What did I do wrong?

Thank you
opened by KirillBorodin 7

This engine is currently not supported on some apk

Hello, I got this error when trying to run: reflutter app.apk

Engine SnapshotHash: e7ad14f921786dbf76b9add4b0a5c950

 This engine is currently not supported.
 Most likely this flutter application uses the Debug version engine which you need to build manually using Docker at the moment.
 More details: https://github.com/ptswarm/reFlutter

What can I do about this situation?

opened by uzumaki258 3

Patching base64Decode https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart

hello and thank you for sharing your great work,

Is it possible to change the code in base64Decode (https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart) so it print the input ( string)?

Can you please share steps to modify the code in the method base64Decode and re build the apk ?

Regards

opened by openadcenter 2
Missing build engine for this version 63ca99584a1aef79722b2a7c6414570b54416bab

Example: (192.168.1.154) etc. Please enter your BurpSuite IP: 192.168.1.2 63ca99584a1aef79722b2a7c6414570b54416bab

I got this message when try to reflutter file apk. Could you help me to check it? I believe that is missing build engine for this version.

opened by leowilbur 1
App can't connect to Internet

Everythning seems to work, i reproduced the app using reflutter main.apk, and signed the apk.

I can intercept the first request, but the app is stuck on the first screen (waiting for a response from server before continuing) I can see some code in the reflutter.txt file, but it's not enough since I can't access the rest of the app.

opened by ilsx 1
NOT CLEAR

hey,

T his is not working for me, & I don't know & or am not able to get steps to do this clearly.

please add steps to do from start.

thankyou

opened by stish834 1

Releases(ios-v2-f10776149bf76be288def3c2ca73bdc1)

Owner

PT SWARM

Positive Technologies Offensive Team

GitHub Repository

Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm.

RITA (Real Intelligence Threat Analytics) in Jupyter Notebook RITA is an open source framework for network traffic analysis sponsored by Active Counte

157 Nov 24, 2022

BF-Hash - A Python Tool to decrypt hashes by brute force

BF-Hash Herramienta para descifrar hashes por fuerza bruta Instalación git clone

5 Apr 09, 2022

Simple and easy framework for phishing 🎣

👋 It's in beta, I'm still building How to install Linux and Termux: Clone Rp: git clone https://github.com/J4c5/superfish.git Install the dependencie

4 Jan 27, 2022

macOS Initial Access Payload Generator

Mystikal macOS Initial Access Payload Generator Related Blog Post: https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 Usage: Install Xcode

206 Dec 31, 2022

Patching - Interactive Binary Patching for IDA Pro

Patching - Interactive Binary Patching for IDA Pro Overview Patching assembly code to change the behavior of an existing program is not uncommon in ma

589 Dec 30, 2022

S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE

CVE-2021-31805 Remote code execution S2-062 (CVE-2021-31805) Due to Apache Struts2's incomplete fix for S2-061 (CVE-2020-17530), some tag attributes c

31 Nov 22, 2022

Discord Token Stealer Malware Protection

TokenGuard TokenGuard, protect your account, prevent token steal. Totally free and open source Discord Server: https://discord.gg/EmwfaGuBE8 Source Co

10 Nov 23, 2022

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regardin

39 Dec 10, 2022

KeyLogger

By-Emirhan KeyLogger Hangi Sistemlerde Çalışır? | On Which Systems Does It Work? KALİ LİNUX UBUNTU PARDUS MİNT TERMUX ARCH YÜKLEME & ÇALIŞTIRMA KOMUTL

2 Feb 24, 2022

NoSecerets is a python script that is designed to crack hashes extremely fast. Faster even than Hashcat

NoSecerets NoSecerets is a python script that is designed to crack hashes extremely fast. Faster even than Hashcat How does it work? Instead of taking

9 Jul 04, 2022

A simple way to store your passwords without requiring third party applications

SimplePasswordManager A simple way to store your passwords without requiring third party applications Simple To Use. Store Your Passwords For Each Web

1 Dec 23, 2021

A cross-platform Python module that displays **** for password input. Works on Windows, unlike getpass. Formerly called stdiomask.

PWInput A cross-platform Python module that displays **** for password input. Works on Windows, unlike getpass. Formerly called stdiomask. Installatio

26 Sep 04, 2022

A toolkit for web reconnaissance, it's fast and easy to use.

A toolkit for web reconnaissance, it's fast and easy to use. File Structure httpsuite/ main.py init.py db/ db.py init.py subdomains_db directories_db

22 Jul 22, 2022

SonicWALL SSL-VPN Web Server Vulnerable Exploit

44 Nov 15, 2022

proxyshell payload generate

Py Permutative Encoding https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd Generate proxyshell

63 Nov 15, 2022

An intranet tool for easily intranet pentesting

IntarKnife v1.0 a tool can be used in intarnet for easily pentesting moudle hash spray U can use this tool to spray hash on a webshell IntraKnife.exe

4 Nov 24, 2021

LittleBrother is a simple parental control application monitoring specific processes on Linux hosts to monitor and limit the play time of children.

Parental Control Application LittleBrother Overview LittleBrother is a simple parental control application monitoring specific processes (read "games"

40 Dec 21, 2022