
reflutter does not detect snapshot hash in some ipa

Open MrFatoni opened this issue 4 years ago • 15 comments

not working for some apps

I got the error "Make sure there is arm64-v8a/libapp.so or App.framework/App file in the package". The app is Flutter and has an App.framework/App image.

MrFatoni avatar Oct 14 '21 10:10 MrFatoni

App.framework/App is inside the Frameworks folder, so reFlutter is not detecting App.framework/App.

MrFatoni avatar Oct 14 '21 11:10 MrFatoni

Hi @MrFatoni, you have the correct paths; this should work. Try it on a non-macOS device.

To track down the issue, find FlutterEngine, usually located in the Flutter.framework folder: open Info.plist, it contains the engine commit. Example:

#somepath/Flutter.framework/Info.plist

   <key>FlutterEngine</key>
   <string>b8752bbfff0419c8bf616b602bc59fd28f6a3d1b</string>

Please send it here.

or unpack the ipa and run:

c0de@c0de:~/repos/extracted_ipa$ grep -r "FlutterEngine" . -A 5
grep: ./Payload/Runner.app/Frameworks/Flutter.framework/Flutter: binary file matches
--
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist:  <key>FlutterEngine</key>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <string>b8752bbfff0419c8bf616b602bc59fd28f6a3d1b</string>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <key>ClangVersion</key>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <string>Apple clang version 11.0.0 (clang-1100.0.33.8)</string>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-</dict>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-</plist>

Make sure you have the latest version of reFlutter, 0.4.9, installed: pip3 install reflutter==0.4.9

Thanks

Impact-I avatar Oct 14 '21 14:10 Impact-I

Already updated and still getting the error:

./Frameworks/Flutter.framework/Info.plist:  <key>FlutterEngine</key>
./Frameworks/Flutter.framework/Info.plist-  <string>a9d88a4d182bdae23e3a4989abfb7ea25954aad1</string>
./Frameworks/Flutter.framework/Info.plist-  <key>ClangVersion</key>
./Frameworks/Flutter.framework/Info.plist-  <string>Apple clang version 11.0.3 (clang-1103.0.32.62)</string>

MrFatoni avatar Oct 14 '21 15:10 MrFatoni

@MrFatoni, OK, find the Flutter engine in the /Frameworks/Flutter.framework/ folder and replace it manually in the archive with this: https://github.com/ptswarm/reFlutter/releases/tag/ios-e4a09dbf2bb120fe4674e0576617a0dc Note: the IP of your BurpSuite must be 192.168.133.104, port 8083.

I would really like to prevent users from encountering this error in the future. Can you show the contents of ./Frameworks/Flutter.framework/ ?

It would be cool if you shared this amazing ipa, or the output of strings ./Frameworks/App.framework/App -n 32 | grep -e "^[0-9a-f]\{32\}" Please send the output here.

Thanks

Impact-I avatar Oct 14 '21 15:10 Impact-I

Sorry, I can't share the ipa. I ran the command, but I am not getting anything as output.

./Frameworks/Flutter.framework/

[screenshot of the folder listing]

MrFatoni avatar Oct 14 '21 17:10 MrFatoni

@MrFatoni, I may have found the reason.

How about strings ./Frameworks/App.framework/App -n 32 | head -5 ?

Thanks for the feedback

Impact-I avatar Oct 14 '21 17:10 Impact-I

[screenshot of the command output]

MrFatoni avatar Oct 14 '21 17:10 MrFatoni

@MrFatoni, I understand. Fine. By the way, have you successfully replaced the library? Do you have traffic interception in BurpSuite?

Impact-I avatar Oct 14 '21 17:10 Impact-I

Yes, it works, thanks.

MrFatoni avatar Oct 14 '21 17:10 MrFatoni

Hi @Impact-I, I'm experiencing the same issue with FlutterEngine - d3ea636dc5d16b56819f3266241e1f708979c233.

Running

strings ./Frameworks/App.framework/App -n 32 | grep -e "^[0-9a-f]\{32\}"

returns an empty response.

Any help? If you would require me to share the IPA, let me know. Thanks.

jayluxferro avatar Jan 17 '22 00:01 jayluxferro

Hi @jayluxferro, yes, it would be very cool if you could share the ipa file.

Thanks!

Impact-I avatar Jan 17 '22 23:01 Impact-I

Hi @Impact-I

So far these are the Flutter engines I've come across whose snapshot hashes do not exist in the engine hash. FlutterEngine:

  1. d3ea636dc5d16b56819f3266241e1f708979c233
  2. 40a99c595137e4b2f5b2efa8ff343ea23c1e16b

Thanks.

jayluxferro avatar Jan 17 '22 23:01 jayluxferro

@jayluxferro, thanks for sharing.

For hash d3ea636dc5d16b56819f3266241e1f708979c233 you can take https://github.com/ptswarm/reFlutter/releases/tag/ios-9cf77f4405212c45daf608e1cd646852

For hash 40a99c595137e4b2f5b2efa8ff343ea23c1e16b8 you can take https://github.com/ptswarm/reFlutter/releases/tag/ios-adf563436d12ba0d50ea5beb7f3be1bb

Impact-I avatar Jan 18 '22 02:01 Impact-I

Thanks @Impact-I. I used the suggested binaries, completed the process and signed the .ipa file. After successful installation, it can't launch. It seems to crash once launched. I hooked it up to lldb and got the error "Cannot allocate memory".

[screenshot of the lldb session, 2022-01-20]

jayluxferro avatar Jan 20 '22 21:01 jayluxferro

Hi @Impact-I, after several hours, I was able to determine why some snapshots don't get detected.

Most .ipa files are encrypted, hence they have to be decrypted. I used frida (https://github.com/AloneMonkey/frida-ios-dump) to dump a decrypted version of the IPA file.

Afterwards, I used reFlutter to generate the new IPA and signed it using iOS App Signer (https://github.com/DanTheMan827/ios-app-signer), and it worked. I'm able to monitor/intercept the traffic now.

Thanks a lot for your tool.

jayluxferro avatar Jan 20 '22 23:01 jayluxferro
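The three checks that come up in this thread (the `strings ... -n 32 | grep -e "^[0-9a-f]\{32\}"` search for the 32-character Dart snapshot hash, the FlutterEngine commit in Flutter.framework/Info.plist, and the FairPlay-encryption root cause found in the last comment) combined into one offline triage script. This is an added example, not reFlutter's own code or the posters' commands: the Mach-O magic numbers and load-command layout are from Apple's loader headers, the `triage`, `build_test_macho` and `wrap_fat` names are this example's own, and the hash value used by the test helpers is constructed, not a real Dart snapshot hash.

```python
"""Triage an unpacked .ipa for the "no snapshot hash" failure discussed above.

Added example (not reFlutter's code). If LC_ENCRYPTION_INFO(_64) carries
cryptid != 0 the App binary is still FairPlay-encrypted, so `strings` cannot
see the snapshot hash; dump the app from a device first (e.g. frida-ios-dump).
"""
import plistlib
import re
import struct
from pathlib import Path

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O, 28-byte header
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O, 32-byte header
FAT_MAGIC = 0xCAFEBABE       # universal binary, big-endian fat header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{32,}")   # what `strings -n 32` prints
SNAPSHOT_HASH = re.compile(rb"^[0-9a-f]{32}")       # what the grep keeps


def macho_slices(blob):
    """Yield (offset, size) of every Mach-O image in a thin or fat file."""
    if len(blob) >= 8 and struct.unpack(">I", blob[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", blob[4:8])[0]
        for i in range(nfat):
            _cpu, _sub, off, size, _align = struct.unpack(">5I", blob[8 + 20 * i:28 + 20 * i])
            yield off, size
    else:
        yield 0, len(blob)


def encryption_info(blob):
    """cryptid per slice: 0 = plaintext, 1 = FairPlay-encrypted, None = not parsed."""
    result = []
    for off, size in macho_slices(blob):
        img = blob[off:off + size]
        magic = struct.unpack("<I", img[:4])[0] if len(img) >= 24 else None
        hdr_len = {MH_MAGIC_64: 32, MH_MAGIC: 28}.get(magic)
        if hdr_len is None:
            result.append(None)
            continue
        ncmds = struct.unpack("<I", img[16:20])[0]
        pos, cryptid = hdr_len, 0
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack("<II", img[pos:pos + 8])
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]
                cryptid = struct.unpack("<I", img[pos + 16:pos + 20])[0]
            pos += cmdsize
        result.append(cryptid)
    return result


def snapshot_hashes(blob):
    """Printable runs of >= 32 bytes that begin with 32 lowercase hex chars."""
    found = {m.group(0)[:32].decode() for m in PRINTABLE_RUN.finditer(blob)
             if SNAPSHOT_HASH.match(m.group(0))}
    return sorted(found)


def flutter_engine_commit(info_plist):
    """FlutterEngine commit from Flutter.framework/Info.plist (None if absent)."""
    with open(info_plist, "rb") as f:
        return plistlib.load(f).get("FlutterEngine")


def triage(blob, engine=None, app_present=True):
    """Explain why reFlutter would fail on this App binary, in order of likelihood."""
    if not app_present:
        return "App.framework/App missing: check Payload/<name>.app/Frameworks"
    if any(encryption_info(blob)):
        return "App is FairPlay-encrypted (cryptid=1): dump it from a device first"
    hashes = snapshot_hashes(blob)
    if not hashes:
        return "no snapshot hash found; use a prebuilt release for engine %s" % engine
    return "snapshot hash %s (engine %s)" % (hashes[0], engine)


def build_test_macho(cryptid, payload):
    """Constructed minimal arm64 Mach-O: one LC_ENCRYPTION_INFO_64, then payload."""
    lc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 56, len(payload), cryptid, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc + payload


def wrap_fat(*images):
    """Constructed fat wrapper around thin images (big-endian fat headers)."""
    off = 8 + 20 * len(images)
    archs, body = b"", b""
    for img in images:
        archs += struct.pack(">5I", CPU_TYPE_ARM64, 0, off + len(body), len(img), 0)
        body += img
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body


if __name__ == "__main__":
    import sys
    app_dir = Path(sys.argv[1])      # e.g. Payload/Runner.app after unzipping the ipa
    app = app_dir / "Frameworks" / "App.framework" / "App"
    plist = app_dir / "Frameworks" / "Flutter.framework" / "Info.plist"
    engine = flutter_engine_commit(plist) if plist.is_file() else None
    print(triage(app.read_bytes() if app.is_file() else b"", engine, app.is_file()))
```

Usage: `unzip app.ipa && python3 triage_ipa.py Payload/Runner.app`. A cryptid of 1 means the IPA came straight from the App Store and is still encrypted, which is exactly the state in which the `strings | grep` check in this thread returns nothing; once the app has been dumped from a jailbroken device the same script should report the snapshot hash, and reFlutter will detect it.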