flutter reverse
### 0x1手把手带你逆向flutter。
如今flutter的逆向光靠使用reflutter已经有些不行了,在逛github的时候发现了一个项目 ((https://github.com/worawit/blutter))
根据作者的步骤来。
win,先把Visual Studio 2022 给安装上,配置好C/C++的开发环境。
期间因为需要访问github,所以最好使挂上代{过}{滤}理,注意将port替换为你代{过}{滤}理的端口
```
set HTTP_PROXY=http://127.0.0.1:port
set HTTPS_PROXY=http://127.0.0.1:port
```
克隆下来
```
git clone https://github.com/worawit/blutter.git
cd blutter
```
安装所需的库文件
```
python scripts\init_env_win.py
```
然后把flutter软件里的lib文件夹提出来,如arm64-v8a文件夹,注意两个文件都需要(libapp.so、libflutter.so)
在win的所有应用里面找到Visual Studio 2022 里面的 x64 Native Tools Command Prompt for VS 2022
在里面输入,注意在此终端仍建议挂上代{过}{滤}理(需下载很多),一定注意代{过}{滤}理
```
python blutter.py ./app/lib/arm64-v8a ./output
```
会有相当多的需要编译,cpu都给干烧了
```
C:\Users\jinchuan\Desktop\2\blutter>python blutter.py ./demo ./output
Dart version: 2.19.3, Snapshot: adb4292f3ec25074ca70abcd2d5c7251, Target: android arm64
Cloning into 'C:\Users\jinchuan\Desktop\2\blutter\dartsdk\v2.19.3'...
remote: Enumerating objects: 2361, done.
remote: Counting objects: 100% (2361/2361), done.
remote: Compressing objects: 100% (1912/1912), done.
remote: Total 2361 (delta 82), reused 1427 (delta 63), pack-reused 0
Receiving objects: 100% (2361/2361), 1.34 MiB | 197.00 KiB/s, done.
Resolving deltas: 100% (82/82), done.
remote: Enumerating objects: 23, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 23 (delta 0), reused 7 (delta 0), pack-reused 0
Receiving objects: 100% (23/23), 119.77 KiB | 257.00 KiB/s, done.
Updating files: 100% (23/23), done.
remote: Enumerating objects: 3424, done.
remote: Counting objects: 100% (3424/3424), done.
remote: Compressing objects: 100% (2343/2343), done.
remote: Total 3424 (delta 1159), reused 2165 (delta 1048), pack-reused 0
Receiving objects: 100% (3424/3424), 8.90 MiB | 4.09 MiB/s, done.
Resolving deltas: 100% (1159/1159), done.
Updating files: 100% (3886/3886), done.
-- Configuring done (4.8s)
-- Generating done (0.1s)
-- Build files have been written to: C:/Users/jinchuan/Desktop/2/blutter/build/dartvm2.19.3_android_arm64
Building CXX object CMakeFiles\dartvm2.19.3_android_arm64.dir\runtime\vm\profiler_service.cc.obj
C:\Users\jinchuan\Desktop\2\blutter\dartsdk\v2.19.3\runtime\vm/scope_timer.h(38): warning C4566: 由通用字符名称“\u00B5”表示的字符不能在当前代码页(936)中表示出来
Building CXX object CMakeFiles\dartvm2.19.3_android_arm64.dir\runtime\vm\regexp_assembler.cc.obj
C:\Users\jinchuan\Desktop\2\blutter\external\icu-windows\include\unicode/stringoptions.h(1): warning C4819: 该文件包含不能在当前代码页(936)中表示的字符。请将该文件保存为 Unicode格式以防止数据丢失
C:\Users\jinchuan\Desktop\2\blutter\external\icu-windows\include\unicode/uchar.h(3156): warning C4819: 该文件包含不能在当前代码页(936)中表示的字符。请将该文件保存为 Unicode 格式以防止数据丢失
//省略n多
C:\Users\jinchuan\Desktop\2\blutter\dartsdk\v2.19.3\runtime\vm/timer.h(156): warning C4566: 由通用字符名称“\u00B5”表示的字符不能在当前代码页(936)中表示出来
Linking CXX static library dartvm2.19.3_android_arm64.lib
-- Install configuration: "Release"
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/dartvm2.19.3_android_arm64.lib
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/include
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/include/analyze_snapshot_api.h
//省略n多
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/platform/utils_win.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/allocation.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/app_snapshot.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/base64.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/base_isolate.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/zone_text_buffer.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/cmake/dartvm2.19.3_android_arm64/dartvmTarget.cmake
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/cmake/dartvm2.19.3_android_arm64/dartvmTarget-release.cmake
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/cmake/dartvm2.19.3_android_arm64/dartvm2.19.3_android_arm64Config.cmake
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/cmake/dartvm2.19.3_android_arm64/dartvm2.19.3_android_arm64ConfigVersion.cmake
-- Configuring done (1.6s)
-- Generating done (0.0s)
-- Build files have been written to: C:/Users/jinchuan/Desktop/2/blutter/build/blutter_dartvm2.19.3_android_arm64
Linking CXX executable blutter_dartvm2.19.3_android_arm64.exe
-- Install configuration: "Release"
```
以上为编译成功
以上为解析
注意此项目仅适用与较新的flutter版本,3.0以上应该没问题,2.0可能会报错,此致可以尝试使用项目的分支(https://github.com/uni7corn/blutter)
当前作者更新速度极快,三天两头就有更新
### 0x2
我之前写的一个flutter,手法非常浅显
试了一下我的app,利用工具解出来的文件有
```
ouput
├─ asm//很多
├─ blutter_frida.js
├─ ida_script
│├─ addNames.py
│└─ ida_dart_struct.h
├─ objs.txt
└─ pp.txt
```
如果是aes的话,基本可以直接看到key,md5不是很容易看出来,ida也可以也可以批量重命名
当然不排除我的app太弱了,连我自己都觉得
### 0x3
在我实验成功后,马上上google找了几个色播来试试水,(糖心),一顿操作,发现lib里面只有32位的,这个项目现在名不能解析32为的flutter,原来色播永远领先我一步 希望大佬们能多多感谢,为flutter逆向事业添砖加瓦{:301_975:}
其实flutter还好 楼主努力学习,早点攻破flutter造福逆向圈 上面超连接写错了,地址https://github.com/worawit/blutter 逆向很多时候就是一个成本问题 这就是互联网吗,前两天正在为逆向 flutter 发愁,今天你就发帖教我:lol 感谢分享 感谢分享 大佬们厉害,都搞定f破解的难题了 手机termux可以操作不