
A libapp.so has its version hash deleted

Open DarkLineX opened this issue 3 years ago • 17 comments

I found a libflutter.so with the version information deleted. The version hash data is 0000000000

DarkLineX avatar Jul 28 '22 02:07 DarkLineX

reflutter app-release.apk

 Choose an option:

 1. Traffic monitoring and interception
 2. Display absolute code offset for functions

 [1/2]? 2

 This mode is only for dump and offset output, slow application operation is possible (network patch is still left)

 Engine SnapshotHash: 00000000000000000000000000000000

 This engine is currently not supported.
 Most likely this flutter application uses the Debug version engine which you need to build manually using Docker at the moment.
 More details: https://github.com/Impact-I/reFlutter

DarkLineX avatar Jul 29 '22 09:07 DarkLineX

Hi @MiDuoKi ,

Can you share this apk? It would be cool if you knew the commit for the engine.

Impact-I avatar Jul 31 '22 07:07 Impact-I

I can build this apk for you. In the file src/third_party/dart/tools/make_version.py, edit the function MakeSnapshotHashString:

# Excerpt of src/third_party/dart/tools/make_version.py; hashlib, os, utils
# and VM_SNAPSHOT_FILES are already defined at module level in that file.
def MakeSnapshotHashString():
    vmhash = hashlib.md5()
    for vmfilename in VM_SNAPSHOT_FILES:
        vmfilepath = os.path.join(utils.DART_DIR, 'runtime', 'vm', vmfilename)
        with open(vmfilepath, 'rb') as vmfile:
            vmhash.update(vmfile.read())
    # Deliberately return an all-zero hash instead of the real digest, so the
    # built engine carries no usable snapshot hash.
    return '00000000000000000000000000000000'
    #return vmhash.hexdigest()

DarkLineX avatar Jul 31 '22 07:07 DarkLineX

@MiDuoKi And what is the problem? I do not understand you. Why would you change the snapshot hash?

Impact-I avatar Jul 31 '22 07:07 Impact-I

Some flutter apps protect themselves by modifying the version hash. I simulated this version hash modification method.

DarkLineX avatar Jul 31 '22 07:07 DarkLineX

@MiDuoKi This is an interesting solution. Thank you for reporting this. How did you determine which commit to compile?

Some flutter apps protect

Do you have an example of such an application?

Impact-I avatar Jul 31 '22 07:07 Impact-I

I'm an attacker on enterprise application security. My colleagues have such security protections, and I want to break through their defenses. This apk protects its files in a similar way. How do I send it to you?

DarkLineX avatar Jul 31 '22 07:07 DarkLineX

@MiDuoKi You can send it to me by email) https://github.com/Impact-I/reFlutter/blob/main/setup.py#L31

Your email is judged as spam by the service provider of the recipient ([email protected]), and the other party will not accept it.

DarkLineX avatar Jul 31 '22 07:07 DarkLineX

@MiDuoKi temp-mail: [email protected]

Please use a file host.

https://github.com/MiDuoKi/FlutterReverse/raw/master/flutter_test_1.apk

DarkLineX avatar Jul 31 '22 08:07 DarkLineX

@MiDuoKi I got it. Thank you! Engine SnapshotHash: 00000000000000000000000000000000

Wow

Impact-I avatar Jul 31 '22 08:07 Impact-I

@MiDuoKi How did you find the correct snapshot hash/commit to compile libflutter.so?

Did your colleagues tell you?

Impact-I avatar Jul 31 '22 08:07 Impact-I

I have no idea. As a red-blue confrontation, they wouldn't tell me this.

DarkLineX avatar Jul 31 '22 08:07 DarkLineX

You can see this post https://bbs.pediy.com/thread-273852.htm

vividmuse avatar Jul 31 '22 09:07 vividmuse

@MiDuoKi use this hash: 1441d6b13b8623fa7fbf61433abebd31 I did a raw analysis of the libflutter.so and the libapp.so. I realized the hex string that determines the hash has been replaced with 0000... What I did was to analyze the libflutter.so version and figure out one that has the same string as fd9c66e1803092e5fc6f9d6c4cad3d8c030bb860 and it was 1441d6b13b8623fa7fbf61433abebd31

jayluxferro avatar Jul 31 '22 09:07 jayluxferro

@MiDuoKi use this hash: 1441d6b13b8623fa7fbf61433abebd31 I did a raw analysis of the libflutter.so and the libapp.so. I realized the hex string that determines the hash has been replaced with 0000... What I did was to analyze the libflutter.so version and figure out one that has the same string as fd9c66e1803092e5fc6f9d6c4cad3d8c030bb860 and it was 1441d6b13b8623fa7fbf61433abebd31

Parse the ELF and compare all strings? It sounds like a good idea, but there's no guarantee that the characters will be different in different versions.

DarkLineX avatar Jul 31 '22 09:07 DarkLineX

@MiDuoKi use this hash: 1441d6b13b8623fa7fbf61433abebd31 I did a raw analysis of the libflutter.so and the libapp.so. I realized the hex string that determines the hash has been replaced with 0000... What I did was to analyze the libflutter.so version and figure out one that has the same string as fd9c66e1803092e5fc6f9d6c4cad3d8c030bb860 and it was 1441d6b13b8623fa7fbf61433abebd31

Parse the ELF and compare all strings? It sounds like a good idea, but there's no guarantee that the characters will be different in different versions.

jayluxferro avatar Jul 31 '22 09:07 jayluxferro

@MiDuoKi , Oh yeahhhh. There are several ways to figure out the hash. For instance, you can analyze the libflutter.so or Flutter framework (in the case of iOS) to determine the flutter version and cross check from https://github.com/Impact-I/reFlutter/blob/main/enginehash.csv to determine the possible hash.


jayluxferro avatar Jul 31 '22 09:07 jayluxferro
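The lookup jayluxferro describes, written out as an added example (not reFlutter's own code): scan the printable strings of a libflutter.so for a 32-hex snapshot hash and a 40-hex engine commit, flag the all-zero hash this issue is about, and fall back to the commit to recover the real hash from an enginehash.csv-style table. The CSV column names and the two binary fragments are constructed for the example; the commit/hash pair in the first row is the one quoted in this thread.

```python
import csv
import io
import re

# Constructed stand-in for reFlutter's enginehash.csv; column names are an
# assumption. Row 1 is the pair quoted in this thread, row 2 is made up.
ENGINEHASH_CSV = """engine_commit,snapshot_hash,flutter_version
fd9c66e1803092e5fc6f9d6c4cad3d8c030bb860,1441d6b13b8623fa7fbf61433abebd31,3.0.5
0123456789abcdef0123456789abcdef01234567,fedcba9876543210fedcba9876543210,2.10.0
"""

# Constructed fragments standing in for libflutter.so string tables: one with
# the snapshot hash zeroed out (this issue) and one left intact.
ZEROED_SO = (b"\x00Dart VM snapshot hash\x0000000000000000000000000000000000\x00"
             b"fd9c66e1803092e5fc6f9d6c4cad3d8c030bb860\x00")
INTACT_SO = b"\x00fedcba9876543210fedcba9876543210\x00unknowncommit\x00"

HEX32 = re.compile(rb"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")  # snapshot hash
HEX40 = re.compile(rb"(?<![0-9a-f])[0-9a-f]{40}(?![0-9a-f])")  # engine commit
ZERO_HASH = "0" * 32


def load_table(text):
    """Index the CSV rows by engine commit and by snapshot hash."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return {"by_commit": {r["engine_commit"]: r for r in rows},
            "by_hash": {r["snapshot_hash"]: r for r in rows}}


def identify(blob, table):
    """Recover snapshot hash, engine commit and Flutter version for an image.

    A hash found in the binary wins; if it is all zeros, fall back to the
    engine commit string and look the hash up in the table.
    """
    snaps = {m.group().decode() for m in HEX32.finditer(blob)}
    commits = {m.group().decode() for m in HEX40.finditer(blob)}
    result = {"zeroed": ZERO_HASH in snaps, "commit": None,
              "snapshot_hash": None, "version": None}
    row = None
    real = sorted(s for s in snaps if s != ZERO_HASH)
    if real:
        result["snapshot_hash"] = real[0]
        row = table["by_hash"].get(real[0])
    if row is None:
        row = next((table["by_commit"][c] for c in commits if c in table["by_commit"]), None)
    if row:
        result.update(commit=row["engine_commit"], snapshot_hash=row["snapshot_hash"],
                      version=row["flutter_version"])
    return result


if __name__ == "__main__":
    print(identify(ZEROED_SO, load_table(ENGINEHASH_CSV)))
```

Against a real libflutter.so you would feed it the raw file bytes and the project's enginehash.csv; as DarkLineX notes above, matching on strings is only as reliable as those strings being unique per version.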

Hey, how can I bypass this?

reflutter app-release.apk

 Choose an option:

 1. Traffic monitoring and interception
 2. Display absolute code offset for functions

 [1/2]? 2

 This mode is only for dump and offset output, slow application operation is possible (network patch is still left)

 Engine SnapshotHash: 00000000000000000000000000000000

 This engine is currently not supported.
 Most likely this flutter application uses the Debug version engine which you need to build manually using Docker at the moment.
 More details: https://github.com/Impact-I/reFlutter

Vanessapo avatar Mar 13 '23 08:03 Vanessapo

There is currently no way; maybe you can exhaust all versions.

DarkLineX avatar Mar 13 '23 08:03 DarkLineX