0x1
手把手带你逆向flutter。
如今flutter的逆向光靠使用reflutter已经有些不行了,在逛github的时候发现了一个项目 blutter
根据作者的步骤来。
win,先把Visual Studio 2022 给安装上,配置好C/C++的开发环境。
期间因为需要访问github,所以最好使挂上代{过}{滤}理,注意将port替换为你代{过}{滤}理的端口
set HTTP_PROXY=http://127.0.0.1:port
set HTTPS_PROXY=http://127.0.0.1:port
克隆下来
git clone https://github.com/worawit/blutter.git
cd blutter
安装所需的库文件
python scripts\init_env_win.py
然后把flutter软件里的lib文件夹提出来,如arm64-v8a文件夹,注意两个文件都需要(libapp.so、libflutter.so)
在win的所有应用里面找到Visual Studio 2022 里面的 x64 Native Tools Command Prompt for VS 2022
在里面输入,注意在此终端仍建议挂上代{过}{滤}理(需下载很多),一定注意代{过}{滤}理
python blutter.py ./app/lib/arm64-v8a ./output
会有相当多的需要编译,cpu都给干烧了
C:\Users\jinchuan\Desktop\2\blutter>python blutter.py ./demo ./output
Dart version: 2.19.3, Snapshot: adb4292f3ec25074ca70abcd2d5c7251, Target: android arm64
Cloning into 'C:\Users\jinchuan\Desktop\2\blutter\dartsdk\v2.19.3'...
remote: Enumerating objects: 2361, done.
remote: Counting objects: 100% (2361/2361), done.
remote: Compressing objects: 100% (1912/1912), done.
remote: Total 2361 (delta 82), reused 1427 (delta 63), pack-reused 0
Receiving objects: 100% (2361/2361), 1.34 MiB | 197.00 KiB/s, done.
Resolving deltas: 100% (82/82), done.
remote: Enumerating objects: 23, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 23 (delta 0), reused 7 (delta 0), pack-reused 0
Receiving objects: 100% (23/23), 119.77 KiB | 257.00 KiB/s, done.
Updating files: 100% (23/23), done.
remote: Enumerating objects: 3424, done.
remote: Counting objects: 100% (3424/3424), done.
remote: Compressing objects: 100% (2343/2343), done.
remote: Total 3424 (delta 1159), reused 2165 (delta 1048), pack-reused 0
Receiving objects: 100% (3424/3424), 8.90 MiB | 4.09 MiB/s, done.
Resolving deltas: 100% (1159/1159), done.
Updating files: 100% (3886/3886), done.
-- Configuring done (4.8s)
-- Generating done (0.1s)
-- Build files have been written to: C:/Users/jinchuan/Desktop/2/blutter/build/dartvm2.19.3_android_arm64
[124/268] Building CXX object CMakeFiles\dartvm2.19.3_android_arm64.dir\runtime\vm\profiler_service.cc.obj
C:\Users\jinchuan\Desktop\2\blutter\dartsdk\v2.19.3\runtime\vm/scope_timer.h(38): warning C4566: 由通用字符名称“\u00B5”表示的字符不能在当前代码页(936)中表示出来
[133/268] Building CXX object CMakeFiles\dartvm2.19.3_android_arm64.dir\runtime\vm\regexp_assembler.cc.obj
C:\Users\jinchuan\Desktop\2\blutter\external\icu-windows\include\unicode/stringoptions.h(1): warning C4819: 该文件包含不能在当前代码页(936)中表示的字符。请将该文件保存为 Unicode 格式以防止数据丢失
C:\Users\jinchuan\Desktop\2\blutter\external\icu-windows\include\unicode/uchar.h(3156): warning C4819: 该文件包含不能在当前代码页(936)中表示的字符。请将该文件保存为 Unicode 格式以防止数据丢失
//省略n多
C:\Users\jinchuan\Desktop\2\blutter\dartsdk\v2.19.3\runtime\vm/timer.h(156): warning C4566: 由通用字符名称“\u00B5”表示的字符不能在当前代码页(936)中表示出来
[268/268] Linking CXX static library dartvm2.19.3_android_arm64.lib
-- Install configuration: "Release"
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/dartvm2.19.3_android_arm64.lib
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/include
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/include/analyze_snapshot_api.h
//省略n多
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/platform/utils_win.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/allocation.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/app_snapshot.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/base64.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/base_isolate.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/include/dartvm2.19.3/vm/zone_text_buffer.h
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/cmake/dartvm2.19.3_android_arm64/dartvmTarget.cmake
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/cmake/dartvm2.19.3_android_arm64/dartvmTarget-release.cmake
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/cmake/dartvm2.19.3_android_arm64/dartvm2.19.3_android_arm64Config.cmake
-- Installing: C:/Users/jinchuan/Desktop/2/blutter/dartsdk/v2.19.3/../../packages/lib/cmake/dartvm2.19.3_android_arm64/dartvm2.19.3_android_arm64ConfigVersion.cmake
-- Configuring done (1.6s)
-- Generating done (0.0s)
-- Build files have been written to: C:/Users/jinchuan/Desktop/2/blutter/build/blutter_dartvm2.19.3_android_arm64
[22/22] Linking CXX executable blutter_dartvm2.19.3_android_arm64.exe
-- Install configuration: "Release"
以上为编译成功
以上为解析
注意此项目仅适用与较新的flutter版本,3.0以上应该没问题,2.0可能会报错,此致可以尝试使用项目的分支GitHub - uni7corn/blutter: Flutter Mobile Application Reverse Engineering Tool
当前作者更新速度极快,三天两头就有更新
0x2
我之前写的一个flutter,手法非常浅显
试了一下我的app,利用工具解出来的文件有
ouput
├─ asm//很多
├─ blutter_frida.js
├─ ida_script
│ ├─ addNames.py
│ └─ ida_dart_struct.h
├─ objs.txt
└─ pp.txt
如果是aes的话,基本可以直接看到key,md5不是很容易看出来,ida也可以也可以批量重命名
当然不排除我的app太弱了,连我自己都觉得
0x3
在我实验成功后,马上上google找了几个色播来试试水,(糖心),一顿操作,发现lib里面只有32位的,这个项目现在名不能解析32为的flutter,原来色播永远领先我一步