reFlutter
This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.
Key features:
socket.ccis patched for traffic monitoring and interception;dart.ccis modified to print classes, functions and some fields;- contains minor changes for successfull compilation;
- if you would like to implement your own patches, there is manual Flutter code change is supported using specially crafted
Dockerfile
Supported engines
- Android: arm64, arm32;
- iOS: arm64;
- Release: Stable, Beta
Install
Linux, Windows or Mac OS
Traffic interception
You need to specify the IP of your Burp Suite Proxy Server located in the same network where the device with the flutter application is. Next, you should configure the Proxy in BurpSuite -> Listener Proxy -> Options tab
- Add port:
8083 - Bind to address:
All interfaces - Request handling: Support invisible proxying =
True
Usage on Android
The resulting apk must be aligned and signed. I use uber-apk-signer java -jar uber-apk-signer.jar --allowResign -a release.RE.apk. To see which code is loaded through DartVM, you need to run the application on the device. reFlutter prints its output in logcat with the reflutter tag
Usage on iOS
Use the IPA file created after the execution of reflutter main.ipa command. To see which code is loaded through DartVM, you need to run the application on the device. reFlutter prints its output in console logs in XCode with the reflutter tag.
Build Engine
The engines are built using reFlutter in Github Actions to build the desired version, commits and snapshot hashes are used from this table. The hash of the snapshot is extracted from
