
replace githubusercontent

lqg 2 years ago
parent
commit
bf977f98f8
2 changed files with 49 additions and 33 deletions
  1. 47 31
      README.md
  2. 2 2
      src/__init__.py

+ 47 - 31
README.md

@@ -1,10 +1,4 @@
-[![Twitter](https://img.shields.io/twitter/follow/lmpact_l.svg?logo=twitter)](https://twitter.com/lmpact_l)
-
-[![stars](https://img.shields.io/github/stars/ptswarm/reFlutter)](https://github.com/ptswarm/reFlutter/stargazers) [![workflow](https://img.shields.io/github/workflow/status/ptswarm/reFlutter/Build)](https://github.com/ptswarm/reFlutter/actions)
-
-<p align="center"><img src="https://user-images.githubusercontent.com/87244850/135659542-22bb8496-bf26-4e25-b7c1-ffd8fc0cea10.png" width="75%"/></p>
-
-#
+# reflutter
 This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.
 This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.
 
 
 Key features:
 Key features:
@@ -22,7 +16,7 @@ Key features:
 pip3 install reflutter
 pip3 install reflutter
 ```
 ```
 ### Usage
 ### Usage
-```console
+```
 impact@f:~$ reflutter main.apk
 impact@f:~$ reflutter main.apk
 
 
 Please enter your Burp Suite IP: <input_ip>
 Please enter your Burp Suite IP: <input_ip>
@@ -50,12 +44,12 @@ You don't need to install any certificates. On an Android device, you don't need
 ### Usage on Android
 ### Usage on Android
 The resulting apk must be aligned and signed. I use [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer/releases/tag/v1.2.1)
 The resulting apk must be aligned and signed. I use [uber-apk-signer](https://github.com/patrickfav/uber-apk-signer/releases/tag/v1.2.1)
 ```java -jar uber-apk-signer.jar --allowResign -a release.RE.apk```.
 ```java -jar uber-apk-signer.jar --allowResign -a release.RE.apk```.
-To see which code is loaded through DartVM, you need to run the application on the device. Note that you must manually find what `_kDartIsolateSnapshotInstructions` (ex. 0xB000 ) equals to using a binary search. reFlutter writes the dump to the root folder of the application and sets `777` permissions to the file and folder. You can pull the file with adb command
-```console
-impact@f:~$ adb -d shell "cat /data/data/<PACKAGE_NAME>/dump.dart" > dump.dart
+To see which code is loaded through DartVM, you need to run the application on the device. reFlutter prints its output in logcat with the `reflutter` tag
+```
+impact@f:~$ adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt
 ```
 ```
 <details>
 <details>
-<summary>file contents</summary>
+<summary>code output</summary>
 
 
   
   
 ```dart
 ```dart
@@ -65,20 +59,14 @@ String* DeepUrl = anyapp://evil.com/ ;
 
 
  Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor { 
  Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor { 
   
   
-              Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000009270
-  
                    }
                    }
     
     
  Function 'initDeepLinkHandle':. (dynamic) => Future<void>* { 
  Function 'initDeepLinkHandle':. (dynamic) => Future<void>* { 
   
   
-              Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000412fe8
-  
                    }
                    }
     
     
  Function '_navigateDeepLink@547106886':. (dynamic, dynamic, {dynamic navigator}) => void { 
  Function '_navigateDeepLink@547106886':. (dynamic, dynamic, {dynamic navigator}) => void { 
-  
-              Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000002638
-  
+
                    }
                    }
  
  
        }
        }
@@ -88,27 +76,19 @@ Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount ext
 PlainNotificationToken* _instance = sentinel;
 PlainNotificationToken* _instance = sentinel;
  
  
  Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* { 
  Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* { 
-  
-               Code Offset: _kDartIsolateSnapshotInstructions + 0x00000000003ee548
-  
+
                    }
                    }
   
   
  Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* { 
  Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* { 
-  
-               Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000448a08
-   
+ 
                    }
                    }
 
 
  Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* { 
  Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* { 
-  
-               Code Offset: _kDartIsolateSnapshotInstructions + 0x0000000000412c34
-   
+ 
                    }
                    }
 
 
  Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* { 
  Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* { 
-  
-               Code Offset: _kDartIsolateSnapshotInstructions + 0x00000000003efb88
-  
+
                    }
                    }
        }
        }
 ```
 ```
@@ -139,6 +119,7 @@ The hash of the snapshot is extracted from ```storage.googleapis.com/flutter_inf
 If you would like to implement your own patches, manual Flutter code change is supported using specially crafted [Docker](https://hub.docker.com/r/ptswarm/reflutter)
 If you would like to implement your own patches, manual Flutter code change is supported using specially crafted [Docker](https://hub.docker.com/r/ptswarm/reflutter)
 
 
 ```sudo docker pull ptswarm/reflutter```
 ```sudo docker pull ptswarm/reflutter```
+
 ```
 ```
 # Linux, Windows
 # Linux, Windows
 EXAMPLE BUILD ANDROID ARM64:
 EXAMPLE BUILD ANDROID ARM64:
@@ -150,4 +131,39 @@ FLAGS:
     -e WAIT=300                      <the amount of time in seconds you need to edit source code>
     -e WAIT=300                      <the amount of time in seconds you need to edit source code>
     -e HASH_PATCH=[Snapshot_Hash]    <here you need to specify snapshot hash which matches the engine_commit line of enginehash.csv table best. It is used for proper patch search in reFlutter and for successfull compilation>
     -e HASH_PATCH=[Snapshot_Hash]    <here you need to specify snapshot hash which matches the engine_commit line of enginehash.csv table best. It is used for proper patch search in reFlutter and for successfull compilation>
     -e COMMIT=[Engine_commit]        <here you specify commit for your engine version, take it from enginehash.csv table or from flutter/engine repo>
     -e COMMIT=[Engine_commit]        <here you specify commit for your engine version, take it from enginehash.csv table or from flutter/engine repo>
+    
+```
+```
+
+### flutter抓包
+
+flutter app和firefox一样,使用自带的ssl验证,所以普通抓包方法都是无效的。
+
+(1)root手机 + frida
+
+在安卓系统底层,添加钩子,跳过 flutter app 在 C++代码(libflutter.so文件)中的ssl验证。
+
+(2)reflutter项目
+
+reflutter项目提供修改后的 libflutter.so 文件下载,并使用签名对齐工具重新打包。
+
+```
+git clone https://github.com/ptswarm/reFlutter.git
+
+#替换 http://s.yoqi.me/enginehash.csv 链接
+
+python setup.py install
+
+reflutter main.apk
+reflutter main.ipa
+
+#https://github.com/patrickfav/uber-apk-signer/releases/tag/v1.2.1
+java -jar uber-apk-signer.jar --allowResign -a release.RE.apk
+
+#查看dart
+adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt
 ```
 ```
+
+
+配合burp suite抓包
+

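--- a/src/__init__.py
+++ b/src/__init__.py
@@ -272,7 +272,7 @@ def checkHash():
     if libappHash=="":
         print("\nIs this really a Flutter app? \nThere was no libapp.so (Android) or App (iOS) found in the package.\n\n Make sure there is arm64-v8a/libapp.so or App.framework/App file in the package. If flutter library name differs you need to rename it properly before patching.\n")
         sys.exit()
-    resp = urlopen('https://raw.githubusercontent.com/ptswarm/reFlutter/main/enginehash.csv').read().decode('utf-8')
+    resp = urlopen('https://git.yoqi.me/flutter/reflutter/raw/master/enginehash.csv').read().decode('utf-8')
     if libappHash not in resp:
         # 删除文件夹
         shutil.rmtree('libappTmp')
@@ -327,7 +327,7 @@ def main():
     libappHash = sys.argv[1]
 
   if not os.path.exists("enginehash.csv"):
-    urlretrieve("https://raw.githubusercontent.com/ptswarm/reFlutter/main/enginehash.csv", "enginehash.csv")
+    urlretrieve("https://git.yoqi.me/flutter/reflutter/raw/master/enginehash.csv", "enginehash.csv")
 
   with open("enginehash.csv") as f_obj:
    replaceFileText('src/src/flutter/BUILD.gn','  if (is_android) {\n    public_deps +=\n        [ "//flutter/shell/platform/android:flutter_shell_native_unittests" ]\n  }','')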
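Review bot: The new fetch in checkHash, and the matching one in main, still accept whatever the remote enginehash.csv returns — `libappHash not in resp` is a plain substring test and nothing pins or verifies the table — so moving the source from the upstream repository to a separate mirror changes who controls which engine hashes the tool accepts, and that change and its reason belong in the README next to the install steps. Both hunks also hard-code the same URL; one module-level constant such as `ENGINEHASH_URL = 'https://git.yoqi.me/flutter/reflutter/raw/master/enginehash.csv'`, used as `urlopen(ENGINEHASH_URL)` and `urlretrieve(ENGINEHASH_URL, "enginehash.csv")`, keeps the two call sites from drifting apart again. Neither call passes a `timeout` or handles `urllib.error.URLError`, so an unreachable mirror hangs or ends in a traceback instead of a message. The bodies of checkHash and main continue outside these hunks.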