
Experiments on the feasibility of Flutter application reverse engineering

How do we get the function ```get_pointer_with_heap_bit``` #5

Open hohohoho123 opened 7 months ago

hohohoho123 commented 7 months ago

As you mention on the website https://www.guardsquare.com/blog/how-classical-attacks-apply-to-flutter-apps:

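// Addresses and offsets consumed by reset_cat_position.
// OFFSET_APPLY_TILE_EFFECT is added to the base address of libapp.so to locate
// the hooked function; APPLY_TILE_EFFECT_ENTITY_PARAMETER_INDEX is the argument
// index handed to dart_get_arg; the remaining values are byte offsets applied
// to pointers read inside the hook.
// NOTE(review): presumably these are specific to the build analysed in the
// linked blog post and must be re-derived for any other build — confirm.
const OFFSET_APPLY_TILE_EFFECT = 0x458d10;
const APPLY_TILE_EFFECT_ENTITY_PARAMETER_INDEX = 2;
const ENTITY_TYPE_OFFSET = 1;
const ENTITY_TYPE_CAT_VALUE = 1166;
const ENTITY_POSITION_OFFSET = 7;
const BOARD_POSITION_X_OFFSET = 7;
const BOARD_POSITION_Y_OFFSET = 0xf;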

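/**
 * Installs an Interceptor hook on the function at
 * libapp.so base + OFFSET_APPLY_TILE_EFFECT. On every call whose entity
 * argument has a type equal to ENTITY_TYPE_CAT_VALUE, the entity's board
 * position is read and, if either coordinate is greater than 1, both
 * coordinates are written back as 0.
 *
 * Depends on two helpers that are not defined in this snippet:
 * dart_get_arg(context, index) and
 * get_pointer_with_heap_bit(ptr, offset, context).
 *
 * Side effect: attaches a Frida Interceptor hook for the lifetime of the script.
 *
 * @throws {Error} if libapp.so is not loaded (Module.findBaseAddress
 *   returns null in that case).
 */
function reset_cat_position() {
  const base_address = Module.findBaseAddress("libapp.so");
  // findBaseAddress returns null for a module that is not loaded; report that
  // explicitly rather than failing with a TypeError on .add() below.
  if (base_address === null) {
    throw new Error("libapp.so is not loaded; cannot install hook");
  }

  Interceptor.attach(base_address.add(OFFSET_APPLY_TILE_EFFECT), {
    // Method shorthand keeps `this` bound to the invocation context Frida supplies.
    onEnter() {
      const entity = dart_get_arg(this.context, APPLY_TILE_EFFECT_ENTITY_PARAMETER_INDEX);
      // Offset and the `* 2` are taken as given from the blog post; the
      // encoding of the type field they assume is not explained here.
      const entity_type = entity.add(ENTITY_TYPE_OFFSET).readInt() * 2;
      if (entity_type !== ENTITY_TYPE_CAT_VALUE) {
        return;
      }

      const entity_position = get_pointer_with_heap_bit(entity, ENTITY_POSITION_OFFSET, this.context);
      const position_x_ptr = entity_position.add(BOARD_POSITION_X_OFFSET);
      const position_y_ptr = entity_position.add(BOARD_POSITION_Y_OFFSET);
      const entity_position_x = position_x_ptr.readInt();
      const entity_position_y = position_y_ptr.readInt();

      if (entity_position_x > 1 || entity_position_y > 1) {
        console.log(`Resetting position of cat (${entity}): (${entity_position_x}, ${entity_position_y})`);
        position_x_ptr.writeInt(0);
        position_y_ptr.writeInt(0);
      }
    },
  });
}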