使用Flutter搭建的APP如何着手逆向


Reversing Flutter apps is very complex.
This is because even if you decrypt a Flutter app with any tool (Clutch, frida ipa dump, CrackerXI, etc.), you still cannot analyze it in a disassembler like Hopper or IDA.
Why is that? Because of how Flutter works.

When you open a Flutter app, the Flutter engine (the "Runner" executable) is started. This is not the real application but only the Flutter engine, which is not interesting for reverse engineers. The Flutter engine will then load the "App.framework" file, which is THE ACTUAL application.

Unfortunately you cannot load it into a disassembler because it is not yet an executable; rather, it is a Dart snapshot which must be deserialized and put into process memory by the "Runner" executable.

You basically have 2 options here:

  1. either you modify the Flutter engine (extremely complex) to deserialize App.framework and export it over USB or somewhere so you can analyze it, or
  2. dump the process memory after the deserialization is complete and try to load the process memory into IDA.

If you make any progress please let me know; I'm trying to reverse Flutter apps as well but with no success.

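As an added example (not code from the post above, nor from the Flutter or Dart projects): whichever of the two options you take, the blob you end up with is a Dart snapshot, and the snapshot layout is tied to the exact Dart SDK build that produced it. So before doing anything else it is worth reading the snapshot header to learn which snapshots are present and which SDK version hash they carry. In a decrypted App.framework the snapshots sit behind the exported symbols `_kDartVmSnapshotData`, `_kDartVmSnapshotInstructions`, `_kDartIsolateSnapshotData` and `_kDartIsolateSnapshotInstructions` (visible with `nm`); in a process dump from option 2 they have to be located by scanning. The header layout used here (magic `0xdcdcf5f5`, int64 length, int64 kind, 32-character version hash, null-terminated features string) follows `runtime/vm/snapshot.h` in the Dart SDK as I know it; the numbering of the kind enum and the exact semantics of the length field are assumptions that must be checked against the SDK version of the target, and all sample bytes below are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List

# Snapshot::kMagicValue is 0xdcdcf5f5, stored little-endian (per the Dart VM
# sources as recalled; verify against the SDK version you are targeting).
SNAPSHOT_MAGIC = (0xDCDCF5F5).to_bytes(4, "little")   # b"\xf5\xf5\xdc\xdc"
HEADER_FMT = "<4sqq"          # magic, int64 length, int64 kind
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 20 bytes
VERSION_HASH_LEN = 32         # hex digest of the SDK version string

# Assumed enum values of Snapshot::Kind; older SDKs used a different list.
SNAPSHOT_KINDS = {0: "kFull", 1: "kFullCore", 2: "kFullJIT", 3: "kFullAOT", 4: "kMessage"}


@dataclass
class SnapshotHeader:
    offset: int        # where the magic was found in the buffer
    length: int        # length field exactly as stored
    kind: int
    version_hash: str  # must match the SDK used to build tooling against it
    features: str      # e.g. target arch / product mode flags

    @property
    def kind_name(self) -> str:
        return SNAPSHOT_KINDS.get(self.kind, f"unknown({self.kind})")


def parse_snapshot_header(buf: bytes, offset: int = 0) -> SnapshotHeader:
    """Parse one snapshot header at `offset`; raise ValueError if it is not one."""
    if len(buf) - offset < HEADER_SIZE:
        raise ValueError(f"truncated header at {offset:#x}")
    magic, length, kind = struct.unpack_from(HEADER_FMT, buf, offset)
    if magic != SNAPSHOT_MAGIC:
        raise ValueError(f"no snapshot magic at {offset:#x}")
    pos = offset + HEADER_SIZE
    version = buf[pos:pos + VERSION_HASH_LEN]
    if len(version) != VERSION_HASH_LEN or any(c not in b"0123456789abcdef" for c in version):
        # Magic bytes can occur by chance in unrelated data; the version hash
        # is always 32 lowercase hex chars, which filters most false hits.
        raise ValueError(f"version hash at {pos:#x} is not 32 hex chars")
    pos += VERSION_HASH_LEN
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated features string")
    features = buf[pos:end].decode("ascii", errors="replace")
    return SnapshotHeader(offset, length, kind, version.decode("ascii"), features)


def find_snapshots(dump: bytes) -> List[SnapshotHeader]:
    """Scan a memory or file dump for every plausible snapshot header."""
    found = []
    pos = dump.find(SNAPSHOT_MAGIC)
    while pos != -1:
        try:
            found.append(parse_snapshot_header(dump, pos))
        except ValueError:
            pass  # chance occurrence of the magic bytes, keep scanning
        pos = dump.find(SNAPSHOT_MAGIC, pos + 1)
    return found


def build_sample_snapshot(kind: int, version_hash: str, features: str, payload: bytes = b"") -> bytes:
    """Constructed fixture for testing the parser; NOT a real App.framework blob.
    The length field is assumed to count everything after the magic."""
    body = struct.pack("<q", kind) + version_hash.encode() + features.encode() + b"\x00" + payload
    return SNAPSHOT_MAGIC + struct.pack("<q", len(body)) + body


if __name__ == "__main__":
    # Usage: python3 snaphdr.py <dump-or-App.framework-section>
    import sys
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    for h in find_snapshots(data):
        print(f"{h.offset:#010x} {h.kind_name:10s} len={h.length} "
              f"version={h.version_hash} features='{h.features}'")
```

The version hash is the thing to note: the Dart VM refuses snapshots whose hash does not match its own build, so it tells you which SDK commit to check out when writing any deserialization or dumping tooling, and the features string tells you whether you are looking at a product/AOT build for the architecture you expect.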

If you want to analyze a release APP packaged in JIT mode, there is no way around the Dart VM; and even with AOT, the instructions you can see in IDA are not a simple java2c-style nativization, it looks more like the virtual machine and its instructions were wrapped in yet another layer, still very hard to analyze :sweat:
Marking this; looking forward to further progress.


Leaving Flutter aside and talking only about iOS, the most effective anti-reversing strategy is to wrap everything in a layer of virtual machine; Flutter happens to satisfy exactly that condition.
That said, if you insist on analyzing it, dynamic debugging should be possible.

For now, apart from the experts, everyone else can just steer clear of it.

Marking this for now.

After reading the English expert's reply I wanted to write a couple of lines in English too, but my English is too poor, so Chinese it is. I haven't done Flutter reversing, but I've written a few Flutter Objective-C plugins before, and I think the bridge layer between Flutter and Objective-C could offer a point of attack.

This area is a blind spot, and few people research it, so you can only rely on yourself.
I suggest starting by learning Flutter development; once you can build with it and understand Flutter's internals in depth, you may come up with ideas for reversing it.