ptswarm / reFlutter

Flutter Reverse Engineering Framework
GNU General Public License v3.0

reflutter does not detect snapshot hash in some ipa #29

Open MrFatoni opened 2 years ago

MrFatoni commented 2 years ago

Not working for some apps.

I got the error "Make sure there is arm64-v8a/libapp.so or App.framework/App file in the package". The app is Flutter and has the App.framework/App image.

MrFatoni commented 2 years ago

App.framework/App is inside the Frameworks folder, so reFlutter is not detecting App.framework/App.

Impact-I commented 2 years ago

Hi @MrFatoni, you have the correct paths; this should work. Try it on a non-macOS device.

To track the issue, find FlutterEngine, usually located in the Flutter.framework folder: open Info.plist, it contains the engine commit. Example:

#somepath/Flutter.framework/Info.plist

   <key>FlutterEngine</key>
   <string>b8752bbfff0419c8bf616b602bc59fd28f6a3d1b</string>

Please send it here.

Or unpack the ipa and run:

c0de@c0de:~/repos/extracted_ipa$ grep -r "FlutterEngine" . -A 5
grep: ./Payload/Runner.app/Frameworks/Flutter.framework/Flutter: binary file matches
--
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist:  <key>FlutterEngine</key>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <string>b8752bbfff0419c8bf616b602bc59fd28f6a3d1b</string>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <key>ClangVersion</key>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <string>Apple clang version 11.0.0 (clang-1100.0.33.8)</string>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-</dict>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-</plist>

Make sure you have the latest version of reFlutter, 0.4.9, installed: pip3 install reflutter==0.4.9

Thanks

MrFatoni commented 2 years ago

Already updated and still got the error.

./Frameworks/Flutter.framework/Info.plist:  <key>FlutterEngine</key>
./Frameworks/Flutter.framework/Info.plist-  <string>a9d88a4d182bdae23e3a4989abfb7ea25954aad1</string>
./Frameworks/Flutter.framework/Info.plist-  <key>ClangVersion</key>
./Frameworks/Flutter.framework/Info.plist-  <string>Apple clang version 11.0.3 (clang-1103.0.32.62)</string>

Impact-I commented 2 years ago

@MrFatoni, OK, find the Flutter engine in the /Frameworks/Flutter.framework/ folder and replace it manually in the archive with this one: https://github.com/ptswarm/reFlutter/releases/tag/ios-e4a09dbf2bb120fe4674e0576617a0dc Note that the IP of your BurpSuite must be 192.168.133.104, port 8083.

I would really like to prevent users from encountering this error in the future. Can you show the content of ./Frameworks/Flutter.framework/?

It would be cool if you could share this amazing ipa, or the output of strings ./Frameworks/App.framework/App -n 32 | grep -e "^[0-9a-f]\{32\}" Please send the output here.

Thanks

MrFatoni commented 2 years ago

Sorry, I can't share the ipa. I ran the command, but I am not getting anything as output.

./Frameworks/Flutter.framework/

[image]

Impact-I commented 2 years ago

@MrFatoni, I may have found the reason.

How about strings ./Frameworks/App.framework/App -n 32 | head -5

Thanks for the feedback

MrFatoni commented 2 years ago

[image]

Impact-I commented 2 years ago

@MrFatoni, I understood. Fine. By the way, have you successfully replaced the library? Do you have traffic interception in BurpSuite?

MrFatoni commented 2 years ago

Yes, it works, thanks.

jayluxferro commented 2 years ago

Hi @Impact-I, I'm experiencing the same issue with FlutterEngine - d3ea636dc5d16b56819f3266241e1f708979c233.

Running

strings ./Frameworks/App.framework/App -n 32 | grep -e "^[0-9a-f]\{32\}"

returns an empty response.

Any help? If you would require me to share the IPA, let me know. Thanks.

Impact-I commented 2 years ago

Hi @jayluxferro , Yes, it would be very cool if you could share the ipa file.

Thanks!

jayluxferro commented 2 years ago

Hi @Impact-I

So far these are the Flutter engines I've come across whose snapshot hashes do not exist in the engine hash list. FlutterEngine:

  1. d3ea636dc5d16b56819f3266241e1f708979c233
  2. 40a99c595137e4b2f5b2efa8ff343ea23c1e16b

Thanks.

Impact-I commented 2 years ago

@jayluxferro , Thanks for sharing

For hash d3ea636dc5d16b56819f3266241e1f708979c233 you can take https://github.com/ptswarm/reFlutter/releases/tag/ios-9cf77f4405212c45daf608e1cd646852

For hash 40a99c595137e4b2f5b2efa8ff343ea23c1e16b8 you can take https://github.com/ptswarm/reFlutter/releases/tag/ios-adf563436d12ba0d50ea5beb7f3be1bb

jayluxferro commented 2 years ago

Thanks @Impact-I. I used the suggested binaries, completed the process and signed the .ipa file. After successful installation, it can't launch. It seems to crash once launched. I hooked it to lldb and got the error "Cannot allocate memory".

[screenshot, 2022-01-20]

jayluxferro commented 2 years ago

Hi @Impact-I, after several hours, I was able to determine why some snapshots don't get detected.

Most .ipa files are encrypted and hence have to be decrypted. I used frida (https://github.com/AloneMonkey/frida-ios-dump) to dump a decrypted version of the IPA file.

Afterwards, I used reFlutter to generate the new IPA and signed it using iOS App Signer (https://github.com/DanTheMan827/ios-app-signer), and it worked. I'm able to monitor/intercept the traffic now.

Thanks a lot for your tool.
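The thread above boils down to one pre-flight check: if App.framework/App is still FairPlay-encrypted, `strings App -n 32 | grep -e "^[0-9a-f]\{32\}"` prints nothing, because the Dart snapshot hash is inside the encrypted region, and reFlutter cannot match the engine. The script below is an added example, not part of reFlutter or of any comment in this issue. It reads the `cryptid` field of the Mach-O `LC_ENCRYPTION_INFO_64` load command (1 means the App Store encrypted the binary, 0 means it was dumped/decrypted), replicates the `strings | grep` search for a 32-hex-character snapshot hash, and pulls the `FlutterEngine` commit from Flutter.framework/Info.plist. The function and variable names, the verdict strings and the sample inputs are this example's own assumptions; the sample Mach-O is a constructed minimal header, not a real app, and the sample plist reuses the engine commit quoted earlier in the thread.

```python
"""Pre-flight check before running reFlutter on an unpacked .ipa (example code)."""
import plistlib
import re
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF           # little-endian 64-bit Mach-O (arm64 slice)
LC_ENCRYPTION_INFO_64 = 0x2C       # load command that carries the FairPlay cryptid
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{32,}")   # what `strings -n 32` would emit
SNAPSHOT_HASH = re.compile(rb"^[0-9a-f]{32}")       # the grep pattern used in the thread


def mach_o_cryptid(data: bytes):
    """cryptid from LC_ENCRYPTION_INFO_64: 1 = encrypted by FairPlay, 0 = decrypted;
    None when the load command is absent. Fat binaries must be sliced first."""
    if len(data) < 32 or struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat binary? slice it first)")
    ncmds = struct.unpack_from("<I", data, 16)[0]   # mach_header_64.ncmds
    off = 32                                        # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_ENCRYPTION_INFO_64:
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return cryptid
        off += cmdsize
    return None


def snapshot_hashes(data: bytes):
    """Equivalent of: strings App -n 32 | grep -e "^[0-9a-f]\\{32\\}" """
    found = []
    for run in PRINTABLE_RUN.findall(data):
        m = SNAPSHOT_HASH.match(run)
        if m:
            found.append(m.group(0).decode())
    return found


def engine_commit(info_plist: bytes):
    """FlutterEngine commit stored in Flutter.framework/Info.plist."""
    return plistlib.loads(info_plist).get("FlutterEngine")


def diagnose(app_binary: bytes, flutter_info_plist: bytes):
    """Combine the three checks into one verdict (verdict wording is this example's own)."""
    cryptid = mach_o_cryptid(app_binary)
    hashes = snapshot_hashes(app_binary)
    if cryptid == 1:
        verdict = "App is FairPlay-encrypted: dump it from a device (e.g. frida-ios-dump) before reFlutter"
    elif not hashes:
        verdict = "no 32-hex snapshot hash visible: same symptom as this issue, binary may not be a Dart AOT snapshot"
    else:
        verdict = "ok"
    return {"cryptid": cryptid, "snapshot_hashes": hashes,
            "engine_commit": engine_commit(flutter_info_plist), "verdict": verdict}


# ---- constructed sample inputs (not a real app) ---------------------------------
def build_sample_macho(cryptid: int, payload: bytes) -> bytes:
    """Minimal Mach-O 64 header + one LC_ENCRYPTION_INFO_64 + raw payload bytes."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, len(payload), cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return header + lc + payload

SAMPLE_HASH = "0123456789abcdef0123456789abcdef"          # made-up snapshot hash
ENCRYPTED_SAMPLE = build_sample_macho(1, b"\x00\xff" * 64)  # no printable run at all
DECRYPTED_SAMPLE = build_sample_macho(0, b"\x00" + SAMPLE_HASH.encode() + b"\x00")
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>FlutterEngine</key><string>b8752bbfff0419c8bf616b602bc59fd28f6a3d1b</string>
</dict></plist>"""

if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check.py Payload/X.app/Frameworks/App.framework/App Flutter.framework/Info.plist
        print(diagnose(open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read()))
    else:
        print(diagnose(ENCRYPTED_SAMPLE, SAMPLE_INFO_PLIST))
        print(diagnose(DECRYPTED_SAMPLE, SAMPLE_INFO_PLIST))
```

On a real extracted ipa the same cryptid can be read with `otool -l Payload/Runner.app/Frameworks/App.framework/App | grep -A4 LC_ENCRYPTION_INFO`; a `cryptid 1` there means the hash search is pointless until the app has been dumped from a jailbroken device, which is exactly what resolved the last report in this thread.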