rscloura / Doldrums

A Flutter/Dart reverse engineering tool

How do I find the code offset or location in which the string was used ? #6

Closed Tasfa closed 3 years ago

Tasfa commented 3 years ago

How do I find the code offset or location in which the string was used ?

such as: {'cid': <ClassId.ONE_BYTE_STRING: 81>, 'refId': 124077, 'data': 'SIGN '}

How do I find the code snippet that generated the SIGN?

rscloura commented 3 years ago

Hi! The code responsible for finding the string SIGN is in the Cluster.py file. In Dart v2.12 (here), it is line 30:

snapshot.assignRef({ 'cid': self.cid, 'refId': x,'data': self.getObjectAt(snapshot) })

The getObjectAt method is then defined in the same file at line 942: it obtains the actual string at the specified offset in the .rodata section of the ELF file. Hope it helped!

Tasfa commented 3 years ago

Thanks. But I want to know where I can find the code offset or location in which the string was used when you reverse a Flutter app.

I can get the string at the specified offset in the .rodata section of the ELF file, but I cannot find where the string was used in the .text section of the ELF file.

rscloura commented 3 years ago

That is an excellent question! Unfortunately, the answer is quite difficult, and that is why Doldrums does not currently have that feature. I hope to be able to introduce it to some degree in the next month or so, but it will likely make use of a Frida script that needs to be run on an emulator or rooted device with the app running. I cannot currently give you a complete answer, because... I myself do not know how to do it consistently.

Nevertheless, here's the idea, in case you want to explore it yourself:

  1. Run the app with Frida, and read the contents of the x27 register (in ARM64-v8). This will be a pointer to a table of memory addresses. Let's call it the resource table.
  2. Go through the table, and see what each pointer in there points to. A lot of them will point to strings (keep in mind these are Dart strings, so they're the 'normal' strings prepended with 16 bytes of meta information).
  3. Create a table that maps each entry in the resource table to a string.
  4. Look for instructions that make use of x27 + x, where x is some offset.
  5. Use the table you created to build the backreferences you're looking for.

This is by no means a trivial task, but it should get the job done if you're up for the challenge!
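The steps 2 to 5 above, worked through offline as an added example (this is not Doldrums code and not the script rscloura describes; in practice the pool table and code bytes would come from a Frida session reading memory around x27 and the loaded .text). Assumptions, labelled in the code: a constructed, simplified 16-byte string header (uint32 class id, uint32 padding, Smi length) rather than any real Dart version's layout; the class id 81 from the issue's example entry identifies one-byte strings; pool entries are tagged heap pointers (low bit set); and only the `LDR Xt, [x27, #imm]` unsigned-offset form is matched, so loads that compute the pool address in another register first are not recognised.

```python
import struct

PP_REGISTER = 27           # x27: object-pool register in Dart ARM64 AOT code (as described in the thread)
HEADER_SIZE = 16           # metadata bytes before the characters (as described in the thread)
ONE_BYTE_STRING_CID = 81   # class id shown in the issue's example entry (assumed to mark strings here)
POINTER_SIZE = 8

def encode_string_object(cid, text):
    """Constructed, simplified object layout: uint32 class id, uint32 padding,
    uint64 Smi length (value << 1), then the raw one-byte characters.
    Real Dart headers differ between versions; only the 16-byte size is mirrored."""
    data = text.encode("latin-1")
    return struct.pack("<IIQ", cid, 0, len(data) << 1) + data

def build_image(base, pool_objects):
    """Lay out a pool table followed by its objects; returns (image bytes, pool address)."""
    table_size = POINTER_SIZE * len(pool_objects)
    objects = bytearray()
    pointers = []
    for cid, text in pool_objects:
        addr = base + table_size + len(objects)
        pointers.append(addr | 1)            # assumed: heap pointers carry a low tag bit
        obj = encode_string_object(cid, text)
        objects += obj + b"\0" * (-len(obj) % 8)   # keep objects 8-byte aligned
    table = b"".join(struct.pack("<Q", p) for p in pointers)
    return bytes(table + objects), base

def read_u64(image, base, addr):
    return struct.unpack_from("<Q", image, addr - base)[0]

def read_dart_string(image, base, ptr):
    """Step 2: dereference one pool entry and decode it if it is a one-byte string."""
    off = (ptr & ~1) - base                  # strip the tag bit, then translate to an image offset
    if off < 0 or off + HEADER_SIZE > len(image):
        return None
    cid, _pad, smi_len = struct.unpack_from("<IIQ", image, off)
    if cid != ONE_BYTE_STRING_CID:
        return None
    length = smi_len >> 1
    return image[off + HEADER_SIZE:off + HEADER_SIZE + length].decode("latin-1")

def map_pool(image, base, pool_addr, n_entries):
    """Step 3: byte offset from x27 -> string, for the entries that are strings."""
    table = {}
    for i in range(n_entries):
        ptr = read_u64(image, base, pool_addr + i * POINTER_SIZE)
        text = read_dart_string(image, base, ptr)
        if text is not None:
            table[i * POINTER_SIZE] = text
    return table

LDR_X_UIMM_MASK = 0xFFC00000
LDR_X_UIMM_BITS = 0xF9400000   # AArch64 LDR Xt, [Xn, #pimm], unsigned-offset form

def find_pool_loads(code, code_base):
    """Step 4: scan code for LDR Xt, [x27, #imm]; returns (address, rt, byte offset)."""
    hits = []
    for off in range(0, len(code) - 3, 4):
        insn = struct.unpack_from("<I", code, off)[0]
        if insn & LDR_X_UIMM_MASK != LDR_X_UIMM_BITS:
            continue
        if (insn >> 5) & 0x1F != PP_REGISTER:
            continue
        imm = ((insn >> 10) & 0xFFF) * 8    # imm12 is scaled by the 8-byte access size
        hits.append((code_base + off, insn & 0x1F, imm))
    return hits

def build_backrefs(pool_table, loads):
    """Step 5: string -> code addresses that load it from the pool."""
    refs = {}
    for addr, _rt, imm in loads:
        text = pool_table.get(imm)
        if text is not None:
            refs.setdefault(text, []).append(addr)
    return refs

def ldr_x27(rt, byte_off):
    """Assemble LDR x<rt>, [x27, #byte_off] for the constructed code sample below."""
    return LDR_X_UIMM_BITS | ((byte_off // 8) << 10) | (PP_REGISTER << 5) | rt

# Constructed sample: three pool entries, one of them not a string.
POOL_BASE = 0x70000000
CODE_BASE = 0x1000
POOL_OBJECTS = [(ONE_BYTE_STRING_CID, "SIGN "), (99, "not-a-string"), (ONE_BYTE_STRING_CID, "login")]
IMAGE, POOL_ADDR = build_image(POOL_BASE, POOL_OBJECTS)
# Constructed code: mov x0,#1 ; ldr x1,[x27] ; ldr x2,[x27,#16] ; ldr x3,[x27,#8] ; ldr x4,[x1,#8] ; ret
CODE = struct.pack("<6I", 0xD2800020, ldr_x27(1, 0), ldr_x27(2, 16), ldr_x27(3, 8),
                   0xF9400424, 0xD65F03C0)

def demo():
    table = map_pool(IMAGE, POOL_BASE, POOL_ADDR, len(POOL_OBJECTS))
    return build_backrefs(table, find_pool_loads(CODE, CODE_BASE))

if __name__ == "__main__":
    for text, addrs in demo().items():
        print(repr(text), "used at", [hex(a) for a in addrs])
```

The load at pool offset 8 is dropped because that entry is not a string, and the `ldr x4, [x1, #8]` is ignored because its base register is not x27; the remaining two loads are what the backreference table resolves to "SIGN " and "login".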

Tasfa commented 3 years ago

Thank you very much for your answer and the idea!