Guardsquare / flutter-re-demo

Experiments on the feasibility of Flutter application reverse engineering

Using dump_flutter_memory.js to dump my apk outputs too many files #3

Open Cui-xf opened 1 year ago

Cui-xf commented 1 year ago

frida script:

// Address window the script expects Flutter's runtime memory to occupy on
// this device, plus the mask used to test whether a pointer lands in it.
// These are run-specific; hook_libapp reports when X27 does not agree.
const FLUTTER_MEM_START = 0x7c00000000;
const FLUTTER_MEM_END = 0x7d00000000;
const FLUTTER_MEM_MASK = 0xff00000000;
// Offset of the function to hook, relative to _kDartIsolateSnapshotInstructions
// (not to the libapp.so base).
const MY_FUNCTION_OFFSET = 0x151904;
// Directory the range dumps and ranges.json are written to.
const APP_DATA_DIR = "/data/data/com.example.flutter_demo/";

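/**
 * Writes `data` to `path` and always releases the handle, even when
 * write() throws (the "access violation" seen on partially unmapped
 * ranges used to leave the File open until garbage collection).
 *
 * @param {string} path - destination file
 * @param {string|ArrayBuffer} data - contents to write
 */
function write_dump_file(path, data) {
    const out = new File(path, "wb");
    try {
        out.write(data);
    } finally {
        out.close();
    }
}

/**
 * Dumps every readable range whose base lies in [start_address, end_address]
 * to one file per range under dump_directory, and writes the full range
 * list to dump_directory/ranges.json first so dumps can be matched back
 * to their source range.
 *
 * A range that cannot be read is logged together with its descriptor and
 * skipped; the loop continues with the next range.
 *
 * @param {number} start_address - lowest base address to include
 * @param {number} end_address - highest base address to include
 * @param {string} dump_directory - directory prefix (with trailing slash)
 */
function dump_memory(start_address, end_address, dump_directory) {
    const ranges = Process.enumerateRanges("r--");
    write_dump_file(dump_directory + "ranges.json", JSON.stringify(ranges, null, 2));

    for (const range of ranges) {
        try {
            const in_window = range.base.compare(start_address) >= 0
                && range.base.compare(end_address) <= 0;
            if (!in_window) {
                continue;
            }
            console.log(`Dumping memory into ${dump_directory + range.base}`);
            // Read before opening the output so an unreadable range does not
            // leave an empty file behind.
            const bytes = range.base.readByteArray(range.size);
            write_dump_file(dump_directory + range.base, bytes);
        } catch (ex) {
            console.log(ex);
            console.log(JSON.stringify(range, null, 2));
        }
    }
}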

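/**
 * Resolves the target function inside libapp.so and attaches an
 * Interceptor that dumps the Flutter memory window when the hooked
 * function is entered.
 *
 * The address is computed as _kDartIsolateSnapshotInstructions +
 * MY_FUNCTION_OFFSET. Judging by the log line, the hooked function is
 * presumably SharedPreferences::getInstance() — confirm against the
 * offset in use.
 *
 * @throws {Error} when libapp.so does not export _kDartIsolateSnapshotInstructions
 */
function hook_libapp() {
    const base_address = Module.findBaseAddress("libapp.so");
    console.log(`\nHooking libapp base_address: ${base_address} `);

    const kDartIsolateSnapshotInstructions = Module.findExportByName("libapp.so", "_kDartIsolateSnapshotInstructions");
    console.log('kDartIsolateSnapshotInstructions:', kDartIsolateSnapshotInstructions);
    if (kDartIsolateSnapshotInstructions === null) {
        // .add() on null would only produce a bare TypeError; say what is missing.
        throw new Error("libapp.so does not export _kDartIsolateSnapshotInstructions");
    }
    const my_function = kDartIsolateSnapshotInstructions.add(MY_FUNCTION_OFFSET);
    console.log(`my_function: ${my_function} `);

    // Hoisted out of onEnter: the expected window does not change per call.
    const expected_window = ptr(FLUTTER_MEM_START);
    Interceptor.attach(my_function, {
        onEnter: function (args) {
            console.log(`SharedPreferences::getInstance() `);
            console.log(` X27: ${this.context.x27}`);
            // X27 is assumed to hold a pointer into Flutter's memory — TODO confirm.
            // Compare pointers explicitly; the previous `==` against a Number only
            // worked through NativePointer's string coercion.
            if (this.context.x27.and(FLUTTER_MEM_MASK).equals(expected_window)) {
                dump_memory(FLUTTER_MEM_START, FLUTTER_MEM_END, APP_DATA_DIR);
            } else {
                console.error(`Default flutter memory ${ptr(FLUTTER_MEM_START)} seems incoherent with X27 ${this.context.x27}`);
                console.error(`Please modify FLUTTER_MEM_START, FLUTTER_MEM_END`);
            }
            console.log('done!');
        }
    });
}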

// Flipped to true by hook_dlopen the first time the target library is
// loaded, so the library callback runs only once per session.
let already_hooked = false;
/**
 * Watches dlopen() and runs lib_hook_callbacks exactly once, after the
 * first dlopen of target_lib_name has returned (presumably so the
 * library is mapped before its exports are looked up).
 *
 * @param {string} target_lib_name - library name as passed to dlopen()
 * @param {Function} lib_hook_callbacks - invoked once from onLeave
 */
function hook_dlopen(target_lib_name, lib_hook_callbacks) {
    Interceptor.attach(Module.findExportByName(null, "dlopen"), {
        onEnter(args) {
            const lib_name = args[0].readCString();
            const is_target = lib_name === target_lib_name;
            // Claim the one-shot slot only on the first matching load.
            this.do_hook = is_target && !already_hooked;
            if (this.do_hook) {
                already_hooked = true;
            }
        },
        onLeave(retval) {
            if (this.do_hook) {
                lib_hook_callbacks();
            }
        }
    });
}
// Entry point: arm the one-shot dlopen watcher for libapp.so.
hook_dlopen("libapp.so", hook_libapp);
// frida -U -f fr.carameldunes.nyanyarocket -l dump_flutter_memory.js --no-pause

============================= console output:

Hooking libapp base_address: 0x7cf7e96000 
kDartIsolateSnapshotInstructions: 0x7cf7ea5000
my_function: 0x7cf7ff6904
SharedPreferences::getInstance() 
 X27: 0x7ced4ab540
Dumping memory into /data/data/com.example.flutter_demo/0x7ce5e00000
Dumping memory into /data/data/com.example.flutter_demo/0x7ce6652000
Dumping memory into /data/data/com.example.flutter_demo/0x7ce76aa000
Dumping memory into /data/data/com.example.flutter_demo/0x7ce809c000
Dumping memory into /data/data/com.example.flutter_demo/0x7cea396000
Dumping memory into /data/data/com.example.flutter_demo/0x7cead84000
Dumping memory into /data/data/com.example.flutter_demo/0x7cec0e0000
Dumping memory into /data/data/com.example.flutter_demo/0x7cec400000
Dumping memory into /data/data/com.example.flutter_demo/0x7cec905000
Dumping memory into /data/data/com.example.flutter_demo/0x7ceca00000
Dumping memory into /data/data/com.example.flutter_demo/0x7cecc00000
Dumping memory into /data/data/com.example.flutter_demo/0x7ceccfc000
Dumping memory into /data/data/com.example.flutter_demo/0x7cece00000
Dumping memory into /data/data/com.example.flutter_demo/0x7ced07c000
Dumping memory into /data/data/com.example.flutter_demo/0x7ced185000
Dumping memory into /data/data/com.example.flutter_demo/0x7ced300000
Dumping memory into /data/data/com.example.flutter_demo/0x7ced400000
Dumping memory into /data/data/com.example.flutter_demo/0x7ced705000
Dumping memory into /data/data/com.example.flutter_demo/0x7ced800000
Dumping memory into /data/data/com.example.flutter_demo/0x7cede80000
Dumping memory into /data/data/com.example.flutter_demo/0x7cedf85000
Error: access violation accessing 0x7cedf86000
{
  "base": "0x7cedf85000",
  "size": 1040384,
  "protection": "r--",
  "file": {
    "path": "/dev/hwbinder",
    "offset": 0,
    "size": 0
  }
}
Dumping memory into /data/data/com.example.flutter_demo/0x7cee083000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee086000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee08a000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee08b000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee08c000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee08f000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee090000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee0da000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee0e3000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee0e4000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee0e5000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee100000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee1cb000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee246000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee417000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee419000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee41e000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee4f6000
Dumping memory into /data/data/com.example.flutter_demo/0x7cee4f7000
Dumping memory into /data/data/com.example.flutter_demo/0x7cef38c000
Dumping memory into /data/data/com.example.flutter_demo/0x7cefa8c000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf0532000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf0d24000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf1720000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf33f0000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf3637000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf3734000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf3e08000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf4e8e000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf5831000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf5e52000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf692e000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf705c000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7a2b000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7b28000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7c25000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7d22000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7e1e000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7e96000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7e98000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7e9d000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7ea5000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7ff6000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf7ff7000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf80a3000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf826a000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf8296000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf82a7000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf82e7000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf82e8000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf82e9000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf82ea000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf82eb000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf8e8c000
Dumping memory into /data/data/com.example.flutter_demo/0x7cf930b000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfa196000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfa408000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfa7ec000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfb505000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfc70a000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfc9b7000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfce88000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfced5000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfcfa3000
Dumping memory into /data/data/com.example.flutter_demo/0x7cfe870000
Dumping memory into /data/data/com.example.flutter_demo/0x7cff100000
Dumping memory into /data/data/com.example.flutter_demo/0x7cff566000
done!