This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization process that allow you perform dynamic analysis in a convenient way.
Key features:
socket.ccis patched for traffic monitoring and interception;dart.ccis modified to print classes, functions and some fields;- contains minor changes for successfull compilation;
- if you would like to implement your own patches there is manual Flutter code change is supported using specially crafted
Dockerfile
Supported engines
- Android: arm64, arm32;
- IOS: arm64 (Unstable);
- Release: Stable, Beta
Install
# Linux, Windows, MacOS
pip install reflutter
pip3 install reflutter
Usage
[email protected]:~$ reflutter main.apk
Please enter your Burp Suite IP:
Traffic interception
You need to specify the IP of your Burp Suite relative to your local network on which the device with the flutter application is located. Next, you must configure the Proxy in BurpSuite -> Listener Proxy -> Options tab
- Add port:
8083 - Bind to address:
All interfaces - Request handling: Support invisible proxying =
True
You don't need to install any certificates. On an Android device, you don't need root access. This also bypasses some of the flutter certificate pinning implementations.
Usage on Android
The resulting apk must be aligned and signed. I am using uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see what code is loaded through DartVM, you must run the application on the device. You need LogCat you can use Android Studio with reflutter keyword search or use adb logcat
Output Example
[email protected]:~$ adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt
code output
Library:'package:anyapp/navigation/DeepLinkImpl.dart' Class: Navigation extends Object {
String* DeepUrl = anyapp://evil.com/ ;
Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor {
}
Function 'initDeepLinkHandle':. (dynamic) => Future<void>* {
}
Function '[email protected]':. (dynamic, dynamic, {dynamic navigator}) => void {
}
}
Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount extends Account {
PlainNotificationToken* _instance = sentinel;
Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* {
}
Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* {
}
Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* {
}
Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* {
}
}
Usage on IOS
stub
XCode
To Do
- Display absolute code offset for functions;
- Extract more strings and fields;
- Add socket patch;
- Extend engine support to Debug using Fork and Github Actions;
- Improve detection of
App.frameworkandlibapp.soinside zip archive
Build Engine
The engines are built using reFlutter in Github Actions to build the desired version, commits and hash snapshots are used from this table. The hash of the snapshot is extracted from storage.googleapis.com/flutter_infra_release/flutter/
release
Custom Build
If you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Docker
sudo docker pull ptswarm/reflutter
# Linux, Windows
EXAMPLE BUILD ANDROID ARM64:
sudo docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH=
-e COMMIT=
--rm -iv${PWD}:/t ptswarm/reflutter
FLAGS:
-e x64=0
-e arm=0
-e WAIT=300
-e HASH_PATCH=[Snapshot_Hash]
-e COMMIT=[Engine_commit]
his is not working for me, & I don't know & or am not able to get steps to do this clearly.
9 Nov 09, 2022
3 Apr 09, 2022
52 Jul 16, 2022
14 Nov 26, 2022
12 Nov 09, 2022
2 Nov 29, 2021
171 Dec 25, 2022
22 Dec 29, 2022
118 Dec 24, 2022
25 Nov 09, 2022
19 Nov 15, 2022
8 Jun 29, 2022
33 Sep 28, 2022
16 Oct 12, 2022
24 Dec 10, 2021
3 Dec 06, 2021
4 Jun 03, 2022
7 Jul 14, 2022
148 Dec 22, 2022
6 Jul 24, 2022