reFlutter – Flutter Reverse Engineering Framework

reFlutter Logo - Flutter Reverse Engineering Framework

reFlutter

This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.

Key features:

  • socket.cc is patched for traffic monitoring and interception;
  • dart.cc is modified to print classes, functions and some fields;
  • contains minor changes for successfull compilation;
  • if you would like to implement your own patches, there is manual Flutter code change is supported using specially crafted Dockerfile

Supported engines

  • Android: arm64, arm32;
  • iOS: arm64;
  • Release: Stable, Beta

Install

Linux, Windows or Mac OS

pip3 install reflutter

Traffic interception

You need to specify the IP of your Burp Suite Proxy Server located in the same network where the device with the flutter application is. Next, you should configure the Proxy in BurpSuite -> Listener Proxy -> Options tab

  • Add port: 8083
  • Bind to address: All interfaces
  • Request handling: Support invisible proxying = True
reFlutter - Traffic Interception with Burp Suite Reverse Engineering Framework

Usage on Android

The resulting apk must be aligned and signed. I use uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see which code is loaded through DartVM, you need to run the application on the device. reFlutter prints its output in logcat with the reflutter tag

[email protected]:~$ adb logcat -e reflutter | sed ‘s/.*DartVM//’ >> reflutter.txt

Usage on iOS

Use the IPA file created after the execution of reflutter main.ipa command. To see which code is loaded through DartVM, you need to run the application on the device. reFlutter prints its output in console logs in XCode with the reflutter tag.

reFlutter - Reverse Engineering Framework on iOS

Build Engine

The engines are built using reFlutter in Github Actions to build the desired version, commits and snapshot hashes are used from this table. The hash of the snapshot is extracted from

storage.googleapis.com/flutter_infra_release/flutter//android-arm64-release/linux-x64.zip


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

14 + twenty =