Flutter Reverse Engineering Framework

Related tags

Security related resourcesreverse-engineeringbugbountymobile-securityssl-pinning
Overview

workflow

stars github_downloads

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization process that allow you perform dynamic analysis in a convenient way.

Key features:

  • socket.cc is patched for traffic monitoring and interception;
  • dart.cc is modified to print classes, functions and some fields;
  • contains minor changes for successfull compilation;
  • if you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Dockerfile

Supported engines

  • Android: arm64, arm32;
  • IOS: arm64 (Unstable);
  • Release: Stable, Beta

Install

# Linux, Windows, MacOS
pip install reflutter

pip3 install reflutter

Usage

[email protected]:~$ reflutter main.apk

Please enter your Burp Suite IP: 
   

SnapshotHash: 8ee4ef7a67df9845fba331734198a953
The resulting apk file: ./release.RE.apk
Please sign the apk file

Configure Proxy in Burp Suite -> *:8083
Request Handling -> Support Invisible Proxying -> true

[email protected]:~$ reflutter main.ipa

Traffic interception

You need to specify the IP of your Burp Suite relative to your local network on which the device with the flutter application is located. Next, you must configure the Proxy in BurpSuite -> Listener Proxy -> Options tab

  • Add port: 8083
  • Bind to address: All interfaces
  • Request handling: Support invisible proxying = True

You don't need to install any certificates. On an Android device, you don't need root access. This also bypasses some of the flutter certificate pinning implementations.

Usage on Android

The resulting apk must be aligned and signed. I am using uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see what code is loaded through DartVM, you must run the application on the device. You need LogCat you can use Android Studio with reflutter keyword search or use adb logcat

Output Example

[email protected]:~$ adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt
code output 
Library:'package:anyapp/navigation/DeepLinkImpl.dart' Class: Navigation extends Object {  

String* DeepUrl = anyapp://evil.com/ ;

 Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor { 
  
                   }
    
 Function 'initDeepLinkHandle':. (dynamic) => Future<void>* { 
  
                   }
    
 Function '[email protected]':. (dynamic, dynamic, {dynamic navigator}) => void { 

                   }
 
       }
 
Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount extends Account {

PlainNotificationToken* _instance = sentinel;
 
 Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* { 

                   }
  
 Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* { 
 
                   }

 Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* { 

                   }
       }

Usage on IOS

stub

XCode

To Do

  • Display absolute code offset for functions;
  • Extract more strings and fields;
  • Add socket patch;
  • Extend engine support to Debug using Fork and Github Actions;
  • Improve detection of App.framework and libapp.so inside zip archive

Build Engine

The engines are built using reFlutter in Github Actions to build the desired version, commits and hash snapshots are used from this table. The hash of the snapshot is extracted from storage.googleapis.com/flutter_infra_release/flutter/ /android-arm64-release/linux-x64.zip

release

gif

Custom Build

If you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Docker

sudo docker pull ptswarm/reflutter

# Linux, Windows
EXAMPLE BUILD ANDROID ARM64:
    sudo docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH=
   
     -e COMMIT=
    
      --rm -iv${PWD}:/t ptswarm/reflutter

FLAGS:
    -e x64=0                         
     
      
    -e arm=0                         
      
       
    -e WAIT=300                      
       
         -e HASH_PATCH=[Snapshot_Hash] 
        
          -e COMMIT=[Engine_commit]
Comments
  • What is Burp Suite IP?

    What is Burp Suite IP?

    Morning, trying to figure out the usage of your tool. I found it very useful and wish you all the best in further app improvements.

    Only one issue I've found is: The example usage of the tool is quite difficult to understand for the users that didn't work with Burp Suite.

    For example: What IP should I insert here: Please enter your Burp Suite IP:

    I've tried:

    • 127.0.0.1
    • My Android Emulator's IP: 10.0.2.15
    • My Mac's Local IP: 192.168.*.*

    The reason why am I asking about that is: When I run: adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt and launch the signed apk file: release.RE-aligned-debugSigned.apk on my Emulator I don't see any logs in reflutter.txt;

    What did I do wrong?

    Thank you

    opened by KirillBorodin 7
  • This engine is currently not supported on some apk

    This engine is currently not supported on some apk

    Hello, I got this error when trying to run: reflutter app.apk

    Engine SnapshotHash: e7ad14f921786dbf76b9add4b0a5c950

 This engine is currently not supported.
 Most likely this flutter application uses the Debug version engine which you need to build manually using Docker at the moment.
 More details: https://github.com/ptswarm/reFlutter

    What can I do about this situation?

    opened by uzumaki258 3
  • Patching base64Decode https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart

    Patching base64Decode https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart

    hello and thank you for sharing your great work,

    Is it possible to change the code in base64Decode (https://github.com/dart-lang/sdk/blob/main/sdk/lib/convert/base64.dart) so it print the input ( string)?

    Can you please share steps to modify the code in the method base64Decode and re build the apk ?

    Regards

    opened by openadcenter 2
  • Missing build engine for this version 63ca99584a1aef79722b2a7c6414570b54416bab

    Missing build engine for this version 63ca99584a1aef79722b2a7c6414570b54416bab

    Example: (192.168.1.154) etc. Please enter your BurpSuite IP: 192.168.1.2 63ca99584a1aef79722b2a7c6414570b54416bab

    I got this message when try to reflutter file apk. Could you help me to check it? I believe that is missing build engine for this version.

    opened by leowilbur 1
  • App can't connect to Internet

    App can't connect to Internet

    Everythning seems to work, i reproduced the app using reflutter main.apk, and signed the apk.

    I can intercept the first request, but the app is stuck on the first screen (waiting for a response from server before continuing) I can see some code in the reflutter.txt file, but it's not enough since I can't access the rest of the app.

    opened by ilsx 1
  • NOT CLEAR

    NOT CLEAR

    hey,

    T Screenshot from 2021-10-12 09-30-32 his is not working for me, & I don't know & or am not able to get steps to do this clearly.

    please add steps to do from start.

    thankyou

    opened by stish834 1
Releases(ios-v2-f10776149bf76be288def3c2ca73bdc1)
Owner
PT SWARM
Positive Technologies Offensive Team
PT SWARM
GitHub Repository
JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you.

JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you. Although it may not work with high degrees of obfuscation, it's a pretty nice tool to help you even if it's j

Quatrecentquatre 3 May 01, 2022
A Docker based LDAP RCE exploit demo for CVE-2021-44228 Log4Shell

log4j-poc An LDAP RCE exploit for CVE-2021-44228 Log4Shell Description This demo Tomcat 8 server has a vulnerable app deployed on it and is also vulne

60 Dec 10, 2022
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE

CVE-2022-1388 CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE. POST /mgmt/tm/util/bash HTTP/1.1 Host: Accept-Encoding: gzip, deflate Accept: */

M4rtin Hsu 81 Dec 12, 2022
A honey token manager and alert system for AWS.

SpaceSiren SpaceSiren is a honey token manager and alert system for AWS. With this fully serverless application, you can create and manage honey token

287 Nov 09, 2022
An Advanced Local Network IP Scanner, made in python of course!

██╗██████╗    ██████╗ █████╗ █████╗ ███╗ ██╗███╗ ██╗███████╗██████╗ ██║██╔══██╗  ██╔════╝██╔══██╗██╔══██╗████╗ ██║████╗ ██║██╔════╝██╔══██

Polsulpicien 2 Dec 18, 2021
Sonoff NSPanel protocol and hacking information. Tasmota Berry driver for NSPanel

NSPanel Hacking Sonoff NSPanel protocol and hacking information and Tasmota Berry driver. NSPanel protocol manual Tasmota driver nspanel.be Installati

blakadder 98 Dec 26, 2022
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
𝙾𝚙𝚎𝚗 𝚂𝚘𝚞𝚛𝚌𝚎 𝚂𝚌𝚛𝚒𝚙𝚝 - 𝙽𝚘 𝙲𝚘𝚙𝚢𝚛𝚒𝚐𝚑𝚝 - 𝚃𝚎𝚊𝚖 𝚆𝚘𝚛𝚔 - 𝚂𝚒𝚖𝚙𝚕𝚎 𝙿𝚢𝚝𝚑𝚘𝚗 𝙿𝚛𝚘𝚓𝚎𝚌𝚝 - 𝙲𝚛𝚎𝚊𝚝𝚎𝚍 𝙱𝚢 : 𝙰𝚕𝚕 𝚃𝚎𝚊𝚖 - 𝙲𝚘𝚙𝚢𝙿𝚊𝚜𝚝 𝙲𝚊𝚗 𝙽𝚘𝚝 𝙼𝚊𝚔𝚎 𝚈𝚘𝚞 𝚁𝚎𝚊𝚕 𝙿𝚛𝚘𝚐𝚛𝚊𝚖𝚖𝚎𝚛

𝙾𝚙𝚎𝚗 𝚂𝚘𝚞𝚛𝚌𝚎 𝚂𝚌𝚛𝚒𝚙𝚝 - 𝙽𝚘 𝙲𝚘𝚙𝚢𝚛𝚒𝚐𝚑𝚝 - 𝚃𝚎𝚊𝚖 𝚆𝚘𝚛𝚔 - 𝚂𝚒𝚖𝚙𝚕𝚎 𝙿𝚢𝚝𝚑𝚘𝚗 𝙿𝚛𝚘𝚓𝚎𝚌𝚝 - 𝙲𝚛𝚎𝚊𝚝𝚎𝚍 𝙱𝚢 : 𝙰𝚕𝚕 𝚃𝚎𝚊𝚖 - 𝙲𝚘𝚙𝚢𝙿𝚊𝚜𝚝 𝙲𝚊𝚗 𝙽𝚘𝚝 𝙼𝚊𝚔𝚎 𝚈𝚘𝚞 𝚁𝚎𝚊𝚕 𝙿𝚛𝚘𝚐𝚛𝚊𝚖𝚖𝚎𝚛

CodeX-ID 2 Oct 27, 2022
POC for CVE-2022-1388

CVE-2022-1388 POC for CVE-2022-1388 affecting multiple F5 products. Follow the Horizon3.ai Attack Team on Twitter for the latest security research: Ho

Horizon 3 AI Inc 231 Dec 07, 2022
Flutter Reverse Engineering Framework

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization p

PT SWARM 910 Jan 01, 2023
FTP-Exploits is a tool made in python that contains 4 diffrent types of ftp exploits that can be used in Penetration Testing.

FTP-exploits FTP-exploits is a tool which is used for Penetration Testing that can run many kinds of exploits on port 21(FTP) Commands and Exploits Ex

1 Dec 26, 2021
RedlineSpam - Python tool to spam Redline Infostealer panels with legit looking data

RedlineSpam Python tool to spam Redline Infostealer panels with legit looking da

4 Jan 27, 2022
Holehe OSINT - Email to Registered Accounts

holehe allows you to check if the mail is used on different sites like twitter, instagram and will retrieve information on sites with the forgotten password function.

Palenath 3.8k Jan 06, 2023
The Multi-Tool Web Vulnerability Scanner.

🟥 RapidScan v1.2 - The Multi-Tool Web Vulnerability Scanner RapidScan has been ported to Python3 i.e. v1.2. The Python2.7 codebase is available on v1

skavngr 1.3k Dec 31, 2022
Script checks provided domains for log4j vulnerability

log4j Script checks provided domains for log4j vulnerability. A token is created with canarytokens.org and passed as header at request for a single do

Matthias Nehls 2 Dec 12, 2021
OSINT Cybersecurity Tools

OSINT Cybersecurity Tools Welcome to the World of OSINT: An ongoing collection of awesome tools and frameworks, best security software practices, libr

Paul Veillard, P. Eng 7 Jul 01, 2022
Program that mathematically generates and validates CPF numbers

✔️ Gerador e Validador de CPF Programa que gera e valida números de CPF Requisitos • Como usar • Capturas de Tela Requisitos Antes de começar, você va

João Victor Vilela dos Santos 1 Nov 07, 2021
MITMSDR for INDIAN ARMY cybersecurity hackthon

There mainly three things here: MITMSDR spectrum Manual reverse shell MITMSDR Installation Clone the project and run the setup file: ./setup One of th

2 Jul 26, 2022
Delta Sharing: An Open Protocol for Secure Data Sharing

Delta Sharing: An Open Protocol for Secure Data Sharing Delta Sharing is an open protocol for secure real-time exchange of large datasets, which enabl

Delta Lake 497 Jan 02, 2023
A BurpSuite extension to parse 5GC NF OpenAPI 3.0 files to assess 5G core networks

5GC_API_parse Description 5GC API parse is a BurpSuite extension allowing to assess 5G core network functions, by parsing the OpenAPI 3.0 not supporte

PentHertz 57 Dec 16, 2022