This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization process that allow you perform dynamic analysis in a convenient way.
Key features:
socket.ccis patched for traffic monitoring and interception;dart.ccis modified to print classes, functions and some fields;- contains minor changes for successfull compilation;
- if you would like to implement your own patches there is manual Flutter code change is supported using specially crafted
Dockerfile
Supported engines
- Android: arm64, arm32;
- IOS: arm64 (Unstable);
- Release: Stable, Beta
Install
# Linux, Windows, MacOS
pip install reflutter
pip3 install reflutter
Usage
[email protected]:~$ reflutter main.apk
Please enter your Burp Suite IP:
Traffic interception
You need to specify the IP of your Burp Suite relative to your local network on which the device with the flutter application is located. Next, you must configure the Proxy in BurpSuite -> Listener Proxy -> Options tab
- Add port:
8083 - Bind to address:
All interfaces - Request handling: Support invisible proxying =
True
You don't need to install any certificates. On an Android device, you don't need root access. This also bypasses some of the flutter certificate pinning implementations.
Usage on Android
The resulting apk must be aligned and signed. I am using uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see what code is loaded through DartVM, you must run the application on the device. You need LogCat you can use Android Studio with reflutter keyword search or use adb logcat
Output Example
[email protected]:~$ adb logcat -e reflutter | sed 's/.*DartVM//' >> reflutter.txt
code output
Library:'package:anyapp/navigation/DeepLinkImpl.dart' Class: Navigation extends Object {
String* DeepUrl = anyapp://evil.com/ ;
Function 'Navigation.': constructor. (dynamic, dynamic, dynamic, dynamic) => NavigationInteractor {
}
Function 'initDeepLinkHandle':. (dynamic) => Future<void>* {
}
Function '[email protected]':. (dynamic, dynamic, {dynamic navigator}) => void {
}
}
Library:'package:anyapp/auth/navigation/AuthAccount.dart' Class: AuthAccount extends Account {
PlainNotificationToken* _instance = sentinel;
Function 'getAuthToken':. (dynamic, dynamic, dynamic, dynamic) => Future<AccessToken*>* {
}
Function 'checkEmail':. (dynamic, dynamic) => Future<bool*>* {
}
Function 'validateRestoreCode':. (dynamic, dynamic, dynamic) => Future<bool*>* {
}
Function 'sendSmsRestorePassword':. (dynamic, dynamic) => Future<bool*>* {
}
}
Usage on IOS
stub
XCode
To Do
- Display absolute code offset for functions;
- Extract more strings and fields;
- Add socket patch;
- Extend engine support to Debug using Fork and Github Actions;
- Improve detection of
App.frameworkandlibapp.soinside zip archive
Build Engine
The engines are built using reFlutter in Github Actions to build the desired version, commits and hash snapshots are used from this table. The hash of the snapshot is extracted from storage.googleapis.com/flutter_infra_release/flutter/
release
Custom Build
If you would like to implement your own patches there is manual Flutter code change is supported using specially crafted Docker
sudo docker pull ptswarm/reflutter
# Linux, Windows
EXAMPLE BUILD ANDROID ARM64:
sudo docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH=
-e COMMIT=
--rm -iv${PWD}:/t ptswarm/reflutter
FLAGS:
-e x64=0
-e arm=0
-e WAIT=300
-e HASH_PATCH=[Snapshot_Hash]
-e COMMIT=[Engine_commit]
his is not working for me, & I don't know & or am not able to get steps to do this clearly.
1 Dec 08, 2021
16 Dec 18, 2022
14 Dec 28, 2022
109 Dec 28, 2022
1 Dec 05, 2021
2 Mar 23, 2022
9 Feb 15, 2022
144 Nov 19, 2022
243 Dec 27, 2022
15 Jul 11, 2022
430 Dec 27, 2022
291 Dec 28, 2022
376 Jan 01, 2023
26 Dec 26, 2022
14 Jun 24, 2022
82 Dec 28, 2022
2 Dec 02, 2022
1.4k Jan 01, 2023
3 Jan 03, 2023
214 Dec 19, 2022