How to begin reverse engineering an app built with Flutter


1 Like

Reversing Flutter apps is very complex.
This is because even if you decrypt a Flutter app with any tool (clutch, frida ipa dump, CrackerXI, etc.), you still cannot analyze it in a disassembler like Hopper or IDA.
Why is that? Because of how Flutter works.

When you open a Flutter app, what actually gets launched is the Flutter engine (the "Runner" executable). This is not the real application but only the Flutter engine, which is of no interest to reverse engineers. The Flutter engine will then load the "App.framework" file, which is THE ACTUAL application.

Unfortunately you cannot load it into a disassembler, because it is not yet an executable; rather, it is a Dart snapshot which must be deserialized and put into process memory by the "Runner" executable.

You basically have 2 options here:

  1. either you modify the Flutter engine (extremely complex) to deserialize the App.framework and export it through USB or somewhere so you can analyze it
  2. dump the process memory after the deserialization is complete and try to load the process memory into IDA.

If you make any progress please let me know, I'm trying to reverse Flutter apps as well but with no success.

4 Likes

If you want to analyze a release app packaged in JIT mode, there is no way around the Dart VM; and even with AOT, the instructions you see in IDA are not a simple java2c-style conversion to native code, it is more like the VM and the instructions have been wrapped in another layer, still very hard to analyze :sweat:
Bookmarking this, looking forward to further progress.

1 Like
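Both of the posts above turn on the same fact: the payload the Runner loads is a Dart snapshot, not a Mach-O you can throw at IDA, and whether it is a JIT or an AOT snapshot decides how much of the Dart VM you have to deal with. A practical first step, whichever of the two options you take, is to locate the snapshot header and read its kind and SDK version hash, since the hash tells you which Dart SDK sources you need to match the snapshot format. The scanner below is an added example, not code from the thread or from the Flutter project. It follows the header layout in the Dart VM's `runtime/vm/snapshot.h` (int32 magic `0xdcdcf5f5`, int64 length, int64 kind, a 32-character version hash, then a NUL-terminated feature string); the numeric `Snapshot::Kind` ordering is an assumption for current SDKs (older SDKs renumbered it), and the dump bytes in `SAMPLE_DUMP` are constructed, not taken from any real app.

```python
"""Scan a byte buffer (the App.framework/App binary or a raw process-memory
dump) for Dart VM snapshot headers and report kind and SDK version hash.

Added example, not code from the forum thread. Layout per the Dart VM's
runtime/vm/snapshot.h as understood by the author of this example; the
kind numbering is an assumption for current SDKs; SAMPLE_DUMP is constructed.
"""
import struct
from dataclasses import dataclass
from typing import List

# Snapshot::kMagicValue = 0xdcdcf5f5, written as a native little-endian int32.
SNAPSHOT_MAGIC = struct.pack("<I", 0xDCDCF5F5)   # b"\xf5\xf5\xdc\xdc" on disk
HEADER_SIZE = 4 + 8 + 8                          # magic + int64 length + int64 kind
VERSION_HASH_LEN = 32                            # hex digest identifying the SDK build
MAX_FEATURES_LEN = 512                           # sanity cap for the feature string

# Snapshot::Kind enum order (assumption; verify against the SDK you target).
SNAPSHOT_KINDS = {0: "full", 1: "full-core", 2: "full-jit", 3: "full-aot",
                  4: "message", 5: "none", 6: "invalid"}


@dataclass
class SnapshotHeader:
    offset: int        # position of the magic inside the scanned buffer
    length: int        # length field as recorded by the snapshot writer
    kind: str          # decoded Snapshot::Kind name
    version_hash: str  # must match the Dart SDK that built the app
    features: str      # e.g. product/debug mode and target architecture


def parse_snapshot_header(buf: bytes, offset: int) -> SnapshotHeader:
    """Decode one header whose magic starts at `offset`; ValueError if implausible."""
    if buf[offset:offset + 4] != SNAPSHOT_MAGIC:
        raise ValueError(f"no snapshot magic at {offset:#x}")
    length, kind = struct.unpack_from("<qq", buf, offset + 4)
    if length <= 0 or kind not in SNAPSHOT_KINDS:
        raise ValueError(f"implausible length/kind at {offset:#x}")
    vh_start = offset + HEADER_SIZE
    vh = buf[vh_start:vh_start + VERSION_HASH_LEN]
    if len(vh) != VERSION_HASH_LEN or not all(c in b"0123456789abcdef" for c in vh):
        raise ValueError(f"version hash is not 32 hex chars at {offset:#x}")
    feat_start = vh_start + VERSION_HASH_LEN
    end = buf.find(b"\0", feat_start, feat_start + MAX_FEATURES_LEN)
    if end == -1:
        raise ValueError(f"unterminated feature string at {offset:#x}")
    feat = buf[feat_start:end]
    if not all(0x20 <= c < 0x7F for c in feat):
        raise ValueError(f"non-printable feature string at {offset:#x}")
    return SnapshotHeader(offset, length, SNAPSHOT_KINDS[kind],
                          vh.decode("ascii"), feat.decode("ascii"))


def find_snapshots(buf: bytes) -> List[SnapshotHeader]:
    """Return every plausible snapshot header in `buf`, in file order.

    Four magic bytes alone produce false positives in a large memory dump, so a
    hit is kept only if the length, kind, version hash and feature string all
    pass the checks in parse_snapshot_header."""
    found = []
    pos = buf.find(SNAPSHOT_MAGIC)
    while pos != -1:
        try:
            found.append(parse_snapshot_header(buf, pos))
        except ValueError:
            pass
        pos = buf.find(SNAPSHOT_MAGIC, pos + 1)
    return found


def build_sample_snapshot(kind: int, version_hash: str, features: str, body: bytes) -> bytes:
    """Test fixture (constructed): header + opaque body in the writer's layout."""
    tail = version_hash.encode("ascii") + features.encode("ascii") + b"\0"
    length = HEADER_SIZE + len(tail) + len(body)   # assumption: length = total size
    return SNAPSHOT_MAGIC + struct.pack("<qq", length, kind) + tail + body


# Constructed dump: padding, a stray magic followed by garbage (must be rejected),
# an AOT snapshot, more padding, then a JIT snapshot. Hashes are made up.
SAMPLE_DUMP = (
    b"\x00" * 64
    + SNAPSHOT_MAGIC + b"\xff" * 40
    + build_sample_snapshot(3, "0123456789abcdef0123456789abcdef",
                            "product no-code_comments arm64 ios", b"\x90" * 128)
    + b"\x41" * 33
    + build_sample_snapshot(2, "fedcba9876543210fedcba9876543210",
                            "debug arm64 ios", b"\x00" * 16)
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for h in find_snapshots(data):
        print(f"{h.offset:#010x} kind={h.kind:<9} len={h.length:<8} "
              f"version={h.version_hash} features={h.features!r}")
```

Run it as `python3 scan.py App.framework/App` on the decrypted binary, or on a region dumped with Frida after the Runner has loaded it. An AOT snapshot means the instructions blob is machine code you can eventually map in IDA (with the VM-style calling convention the third post describes); a JIT snapshot means bytecode-level objects that only the Dart VM of the matching version hash can deserialize.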

Leaving Flutter aside and talking only about iOS, the most effective anti-reversing strategy is to wrap the code in a virtual machine; Flutter happens to satisfy exactly that condition.
Still, if you insist on analyzing it, dynamic debugging should be possible.

For now, apart from the real experts, everyone else can just steer clear.