https://github.com/ptswarm/reFlutter

Flutter Reverse Engineering Framework
https://github.com/ptswarm/reFlutter

bugbounty mobile-security reverse-engineering ssl-pinning

Last synced: 22 days ago
JSON representation

Flutter Reverse Engineering Framework

• Host: GitHub
• URL: https://github.com/ptswarm/reFlutter
• Owner: ptswarm
• License: gpl-3.0
• Archived: true
• Created: 2021-09-29T19:35:16.000Z (about 3 years ago)
• Default Branch: main
• Last Pushed: 2022-04-11T10:45:21.000Z (over 2 years ago)
• Last Synced: 2024-09-27T04:02:13.386Z (3 months ago)
• Topics: bugbounty, mobile-security, reverse-engineering, ssl-pinning
• Language: Python
• Homepage:
• Size: 328 KB
• Stars: 1,270
• Watchers: 16
• Forks: 176
• Open Issues: 79
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-hacking-lists - ptswarm/reFlutter - Flutter Reverse Engineering Framework (Python)

README

        
[![Twitter](https://img.shields.io/twitter/follow/lmpact_l.svg?logo=twitter)](https://twitter.com/lmpact_l)

[![stars](https://img.shields.io/github/stars/ptswarm/reFlutter)](https://github.com/ptswarm/reFlutter/stargazers) [![workflow](https://img.shields.io/github/workflow/status/ptswarm/reFlutter/Build)](https://github.com/ptswarm/reFlutter/actions)



#

This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.

Key features:

- `socket.cc` is patched for traffic monitoring and interception;

- `dart.cc` is modified to print classes, functions and some fields;

- contains minor changes for successfull compilation;

- if you would like to implement your own patches, there is manual Flutter code change is supported using specially crafted `Dockerfile`

### Supported engines

- Android: arm64, arm32;

- iOS: arm64;

- Release: Stable, Beta

### Install

```

# Linux, Windows, MacOS

pip3 install reflutter

```

### Usage

```console

impact@f:~$ reflutter main.apk

Please enter your Burp Suite IP: 

SnapshotHash: 8ee4ef7a67df9845fba331734198a953

The resulting apk file: ./release.RE.apk

Please sign the apk file

Configure Burp Suite proxy server to listen on *:8083

Proxy Tab -> Options -> Proxy Listeners -> Edit -> Binding Tab

Then enable invisible proxying in Request Handling Tab

Support Invisible Proxying -> true

impact@f:~$ reflutter main.ipa

```

### Traffic interception

You need to specify the IP of your Burp Suite Proxy Server located in the same network where the device with the flutter application is. Next, you should configure the Proxy in  `BurpSuite -> Listener Proxy -> Options tab`

- Add port: `8083`

- Bind to address: `All interfaces`

- Request handling: Support invisible proxying = `True`



You don't need to install any certificates. On an Android device, you don't need root access as well. reFlutter also allows to bypass some of the flutter certificate pinning implementations.

### Usage on Android

The resulting apk must be aligned and signed. I use [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer/releases/tag/v1.2.1)

```java -jar uber-apk-signer.jar --allowResign -a release.RE.apk```.

To see which code is loaded through DartVM, you need to run the application on the device. Note that you must manually find what `_kDartIsolateSnapshotInstructions` (ex. 0xB000 ) equals to using a binary search. reFlutter writes the dump to the root folder of the application and sets `777` permissions to the file and folder. You can pull the file with adb command

```console

impact@f:~$ adb -d shell "cat /data/data//dump.dart" > dump.dart

```

file contents

  

```dart

Library:'package:anyapp/navigation/DeepLinkImpl.dart' Class: Navigation extends Object {  

String* DeepUrl = anyapp://evil.com/ ;

 Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor { 

  

              Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000009270

  

                   }

    

 Function 'initDeepLinkHandle':. (dynamic) => Future* { 

  

              Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000412fe8

  

                   }

    

 Function '_navigateDeepLink@547106886':. (dynamic, dynamic, {dynamic navigator}) => void { 

  

              Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000002638

  

                   }

 

       }

 

Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount extends Account {

PlainNotificationToken* _instance = sentinel;

 

 Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future* { 

  

               Code Offset: _kDartIsolateSnapshotInstructions + 0x00000000003ee548

  

                   }

  

 Function 'checkEmail':. (dynamic, dynamic) => Future* { 

  

               Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000448a08

   

                   }

 Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future* { 

  

               Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000412c34

   

                   }

 Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future* { 

  

               Code Offset: _kDartIsolateSnapshotInstructions + 0x00000000003efb88

  

                   }

       }

```

### Usage on iOS

Use the IPA file created after the execution of `reflutter main.ipa` command. To see which code is loaded through DartVM, you need to run the application on the device. reFlutter prints its output in console logs in XCode with the `reflutter` tag.



### To Do

- [x] Display absolute code offset for functions;

- [ ] Extract more strings and fields;

- [x] Add socket patch;

- [ ] Extend engine support to Debug using Fork and Github Actions;

- [ ] Improve detection of `App.framework` and `libapp.so` inside zip archive

  

### Build Engine

The engines are built using [reFlutter](https://github.com/ptswarm/reFlutter/blob/main/.github/workflows/main.yml) in [Github Actions](https://github.com/ptswarm/reFlutter/actions) to build the desired version, commits and snapshot hashes are used from this [table](https://github.com/ptswarm/reFlutter/blob/main/enginehash.csv).

The hash of the snapshot is extracted from ```storage.googleapis.com/flutter_infra_release/flutter//android-arm64-release/linux-x64.zip```

release

  

[![gif](https://user-images.githubusercontent.com/87244850/135758767-47b7d51f-8b6c-40b5-85aa-a13c5a94423a.gif)](https://github.com/ptswarm/reFlutter/actions)

  

### Custom Build

If you would like to implement your own patches, manual Flutter code change is supported using specially crafted [Docker](https://hub.docker.com/r/ptswarm/reflutter)

```sudo docker pull ptswarm/reflutter```

```

# Linux, Windows

EXAMPLE BUILD ANDROID ARM64:

    sudo docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH= -e COMMIT= --rm -iv${PWD}:/t ptswarm/reflutter

FLAGS:

    -e x64=0                         

    -e arm=0                         

    -e WAIT=300                      

    -e HASH_PATCH=[Snapshot_Hash]    

    -e COMMIT=[Engine_commit]        

```