Merge pull request #322 from Impact-I/rewrite/1.0

Rewrite/1.0
Impact-I · Jan 7, 2025 · f93ef1a · f93ef1a
2 parents 78a64f5 + 1e07439
commit f93ef1a
Show file tree

Hide file tree

Showing 15 changed files with 776 additions and 808 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   build-v2:
-    runs-on: macos-12
+    runs-on: macos-13
     steps:
       - name: Check out repository
         uses: actions/checkout@v2
@@ -21,30 +21,28 @@ jobs:
           echo "SNAPSHOT_HASH=$HASH" >> $GITHUB_ENV
       - name: Install tools
         run: |
-          brew install ninja libusbmuxd ideviceinstaller ios-deploy [email protected]
-          sudo rm -rf /usr/local/bin/python3
-          sudo ln -s /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 /usr/local/bin/python3
+          brew install ninja libusbmuxd ideviceinstaller ios-deploy
           python3 -m pip install wheel
           python3 -m pip install .
           git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
           git clone https://github.com/flutter/engine.git
       - name: gclient sync
         run: |
           ROOT_DIR=`pwd`
-          export PATH=$PATH:$ROOT_DIR/depot_tools:/Library/Frameworks/Python.framework/Versions/3.11/bin
+          export PATH=$PATH:$ROOT_DIR/depot_tools
           cd engine
           git config --global user.email "[email protected]" && git config --global user.name "reflutter"
-          git fetch origin $(reflutter ${{env.SNAPSHOT_HASH}} -l)
+          git fetch origin $(reflutter -b ${{env.SNAPSHOT_HASH}})
           git reset --hard FETCH_HEAD
-          reflutter ${{env.SNAPSHOT_HASH}} -l
+          reflutter -b ${{env.SNAPSHOT_HASH}}
           echo 'reflutter' > REFLUTTER
           git add . && git commit -am "reflutter"
           cd $ROOT_DIR
           mkdir customEngine
           cd customEngine
           echo 'solutions = [{"managed": False,"name": "src/flutter","url": "'$ROOT_DIR/engine'","custom_deps": {},"deps_file": "DEPS","safesync_url": "",},]' > .gclient
           gclient sync
-          reflutter ${{env.SNAPSHOT_HASH}} -l
+          reflutter -b ${{env.SNAPSHOT_HASH}}
       - name: ninja build Flutter.framework
         run: export PATH=$PATH:`pwd`/depot_tools && sudo xcode-select -s /Applications/Xcode.app && customEngine/src/flutter/tools/gn --no-goma --ios --runtime-mode=release && ninja -C customEngine/src/out/ios_release
       - name: ninja build libflutter_arm64
@@ -70,7 +68,7 @@ jobs:
             ./*.so
 
   build-v3:
-    runs-on: macos-12
+    runs-on: macos-13
     steps:
       - name: Check out repository
         uses: actions/checkout@v2
@@ -84,30 +82,28 @@ jobs:
           echo "SNAPSHOT_HASH=$HASH" >> $GITHUB_ENV
       - name: Install tools
         run: |
-          brew install ninja libusbmuxd ideviceinstaller ios-deploy [email protected]
-          sudo rm -rf /usr/local/bin/python3
-          sudo ln -s /Library/Frameworks/Python.framework/Versions/3.11/bin/python3 /usr/local/bin/python3
+          brew install ninja libusbmuxd ideviceinstaller ios-deploy
           python3 -m pip install wheel
           python3 -m pip install .
           git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
           git clone https://github.com/flutter/engine.git
       - name: gclient sync
         run: |
           ROOT_DIR=`pwd`
-          export PATH=$PATH:$ROOT_DIR/depot_tools:/Library/Frameworks/Python.framework/Versions/3.11/bin
+          export PATH=$PATH:$ROOT_DIR/depot_tools
           cd engine
           git config --global user.email "[email protected]" && git config --global user.name "reflutter"
-          git fetch origin $(reflutter ${{env.SNAPSHOT_HASH}} -l)
+          git fetch origin $(reflutter -b ${{env.SNAPSHOT_HASH}})
           git reset --hard FETCH_HEAD
-          reflutter ${{env.SNAPSHOT_HASH}} -l patchDump
+          reflutter -b ${{env.SNAPSHOT_HASH}} -p
           echo 'reflutter' > REFLUTTER
           git add . && git commit -am "reflutter"
           cd $ROOT_DIR
           mkdir customEngine
           cd customEngine
           echo 'solutions = [{"managed": False,"name": "src/flutter","url": "'$ROOT_DIR/engine'","custom_deps": {},"deps_file": "DEPS","safesync_url": "",},]' > .gclient
           gclient sync
-          reflutter ${{env.SNAPSHOT_HASH}} -l patchDump
+          reflutter -b ${{env.SNAPSHOT_HASH}} -p
       - name: ninja build Flutter.framework
         run: export PATH=$PATH:`pwd`/depot_tools && sudo xcode-select -s /Applications/Xcode.app && customEngine/src/flutter/tools/gn --no-goma --ios --runtime-mode=release && ninja -C customEngine/src/out/ios_release
       - name: ninja build libflutter_arm64
@@ -131,4 +127,3 @@ jobs:
           tag_name: android-v3-${{env.SNAPSHOT_HASH}}
           files: |
             ./*.so
-
diff --git a/Dockerfile b/Dockerfile
@@ -18,8 +18,8 @@ ENV HASH_PATCH=$HASH_PATCH
 ENV COMMIT=$COMMIT
 
 RUN apt-get update && \
-    DEBIAN_FRONTEND="noninteractive" apt-get install -y git git-svn git-man wget curl software-properties-common unzip python3-pip python3 lsb-release sudo apt-transport-https tzdata python3-pkgconfig && \
-    mkdir t
+  DEBIAN_FRONTEND="noninteractive" apt-get install -y git git-svn git-man wget curl software-properties-common unzip python3-pip python3 lsb-release sudo apt-transport-https tzdata python3-pkgconfig && \
+  mkdir t
 
 ENTRYPOINT ["/bin/sh", "-c", "cd /t && pip3 install wheel && pip3 install . && rm -rf ${DEPOT_TOOLS_PATH} 2> /dev/null && git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git ${DEPOT_TOOLS_PATH} && rm -rf ${TEMP_ENGINE} 2> /dev/null && git clone https://github.com/flutter/engine.git ${TEMP_ENGINE} && rm -rf ${ENGINE_PATH} 2> /dev/null && mkdir -p ${ENGINE_PATH} && cd ${TEMP_ENGINE} && git config --global user.email \"[email protected]\" && git config --global user.name \"reflutter\" && git fetch origin ${COMMIT} && git reset --hard FETCH_HEAD && reflutter ${HASH_PATCH} -l && echo 'reflutter' > REFLUTTER && git add . && git commit -am \"reflutter\" && cd ${ENGINE_PATH} && echo 'solutions = [{\"managed\": False,\"name\": \"src/flutter\",\"url\": \"'${TEMP_ENGINE}'\",\"custom_deps\": {},\"deps_file\": \"DEPS\",\"safesync_url\": \"\",},]' > .gclient && gclient sync && reflutter ${HASH_PATCH} -l && echo \"Wait... Change the source code...\" && sleep $WAIT && if [ \"$arm64\" != \"0\" ]; then src/flutter/tools/gn --no-goma --android --android-cpu=arm64 --runtime-mode=release && ninja -C src/out/android_release_arm64 && cp src/out/android_release_arm64/lib.stripped/libflutter.so /libflutter_arm64.so ;fi && if [ \"$arm\" != \"0\" ]; then src/flutter/tools/gn --no-goma --android --android-cpu=arm --runtime-mode=release && ninja -C src/out/android_release && cp src/out/android_release/lib.stripped/libflutter.so /libflutter_arm.so ;fi && if [ \"$x64\" != \"0\" ]; then src/flutter/tools/gn --no-goma --android --android-cpu=x64 --runtime-mode=release && ninja -C src/out/android_release_x64 && cp src/out/android_release_x64/lib.stripped/libflutter.so /libflutter_x64.so; fi &&  cd .. && cp -va *.so /t/"]
 

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 <p align="center"><img src="https://user-images.githubusercontent.com/87244850/135659542-22bb8496-bf26-4e25-b7c1-ffd8fc0cea10.png" width="75%"/></p>
 
-**Read more on the blog:** https://swarm.ptsecurity.com/fork-bomb-for-flutter/
+**Read more on the blog:** <https://swarm.ptsecurity.com/fork-bomb-for-flutter/>
 
 This framework helps with Flutter apps reverse engineering using the patched version of the Flutter library which is already compiled and ready for app repacking. This library has snapshot deserialization process modified to allow you perform dynamic analysis in a convenient way.
 
@@ -54,6 +54,7 @@ You need to specify the IP of your Burp Suite Proxy Server located in the same n
 - Add port: `8083`
 - Bind to address: `All interfaces`
 - Request handling: Support invisible proxying = `True`
+
 <p align="center"><img src="https://user-images.githubusercontent.com/87244850/135753172-20489ef9-0759-432f-b2fa-220607e896b8.png" width="84%"/></p>
 
 You don't need to install any certificates. On an Android device, you don't need root access as well. reFlutter also allows to bypass some of the flutter certificate pinning implementations.
@@ -185,6 +186,7 @@ docker run -it -v "$(pwd):/t" -e HASH_PATCH=aa64af18e7d086041ac127cc4bc50c5e -e
 # Linux, Windows
 
 EXAMPLE BUILD ANDROID ARM64:
+
 ```bash
 docker run -e WAIT=300 -e x64=0 -e arm=0 -e HASH_PATCH=<Snapshot_Hash> -e COMMIT=<Engine_commit> --rm -iv${PWD}:/t reflutter
 ```

diff --git a/SNAPSHOT_HASH b/SNAPSHOT_HASH
@@ -1 +1 @@
-80a49c7111088100a233b2ae788e1f48
+f956f595844a2f845a55707faaaa51e4
diff --git a/frida.js b/frida.js
@@ -1,62 +1,65 @@
 //frida -U -f <package> -l frida.js
 
 function hookFunc() {
-
-    var dumpOffset = '0x20801C' // _kDartIsolateSnapshotInstructions + code offset
-
-    var argBufferSize = 150
-
-    var address = Module.findBaseAddress('libapp.so') // libapp.so (Android) or App (IOS) 
-    console.log('\n\nbaseAddress: ' + address.toString())
-
-    var codeOffset = address.add(dumpOffset)
-    console.log('codeOffset: ' + codeOffset.toString())
-    console.log('')
-    console.log('Wait..... ')
-
-    Interceptor.attach(codeOffset, {
-        onEnter: function(args) {
-
-            console.log('')
-            console.log('--------------------------------------------|')
-            console.log('\n    Hook Function: ' + dumpOffset);
-            console.log('')
-            console.log('--------------------------------------------|')
-            console.log('')
-
-            for (var argStep = 0; argStep < 50; argStep++) {
-                try {
-                    dumpArgs(argStep, args[argStep], argBufferSize);
-                } catch (e) {
-
-                    break;
-                }
-
-            }
-
-        },
-        onLeave: function(retval) {
-            console.log('RETURN : ' + retval)
-            dumpArgs(0, retval, 150);
+  var dumpOffset = "0x20801C"; // _kDartIsolateSnapshotInstructions + code offset
+
+  var argBufferSize = 150;
+
+  var address = Module.findBaseAddress("libapp.so"); // libapp.so (Android) or App (IOS)
+  console.log("\n\nbaseAddress: " + address.toString());
+
+  var codeOffset = address.add(dumpOffset);
+  console.log("codeOffset: " + codeOffset.toString());
+  console.log("");
+  console.log("Wait..... ");
+
+  Interceptor.attach(codeOffset, {
+    onEnter: function (args) {
+      console.log("");
+      console.log("--------------------------------------------|");
+      console.log("\n    Hook Function: " + dumpOffset);
+      console.log("");
+      console.log("--------------------------------------------|");
+      console.log("");
+
+      for (var argStep = 0; argStep < 50; argStep++) {
+        try {
+          dumpArgs(argStep, args[argStep], argBufferSize);
+        } catch (e) {
+          break;
         }
-    });
-
+      }
+    },
+    onLeave: function (retval) {
+      console.log("RETURN : " + retval);
+      dumpArgs(0, retval, 150);
+    },
+  });
 }
 
 function dumpArgs(step, address, bufSize) {
-
-    var buf = Memory.readByteArray(address, bufSize)
-
-    console.log('Argument ' + step + ' address ' + address.toString() + ' ' + 'buffer: ' + bufSize.toString() + '\n\n Value:\n' +hexdump(buf, {
+  var buf = Memory.readByteArray(address, bufSize);
+
+  console.log(
+    "Argument " +
+      step +
+      " address " +
+      address.toString() +
+      " " +
+      "buffer: " +
+      bufSize.toString() +
+      "\n\n Value:\n" +
+      hexdump(buf, {
         offset: 0,
         length: bufSize,
         header: false,
-        ansi: false
-    }));
+        ansi: false,
+      }),
+  );
 
-    console.log('')
-    console.log('----------------------------------------------------')
-    console.log('')
+  console.log("");
+  console.log("----------------------------------------------------");
+  console.log("");
 }
 
-setTimeout(hookFunc, 1000)
+setTimeout(hookFunc, 1000);
diff --git a/resources/README.md b/resources/README.md
@@ -1,4 +1,5 @@
 ## Useful Resources
 
-1. https://swarm.ptsecurity.com/fork-bomb-for-flutter/
-2. https://medium.com/@ostorlab/flutter-reverse-engineering-and-security-analysis-41433f5671f3
+1. <https://swarm.ptsecurity.com/fork-bomb-for-flutter/>
+2. <https://medium.com/@ostorlab/flutter-reverse-engineering-and-security-analysis-41433f5671f3>
+
diff --git a/scripts/README.md b/scripts/README.md
@@ -1,5 +1,7 @@
 ### Helper Scripts
+
 1. `build-engine` -> Script to build custom flutter engine (macOS)
 2. `gen_enginehash.py` -> To dump all flutter engine and app hashes in a file.
 3. `get_flutter_engine.py` -> Get flutter engine hash from a Flutter engine binary.
-4. `get_snapshot_hash.py` -> Get app hash from `App` or `libapp.so` file.
+4. `get_snapshot_hash.py` -> Get app hash from `App` or `libapp.so` file.
+
diff --git a/scripts/build-engine b/scripts/build-engine
@@ -19,37 +19,35 @@ cd ..
 pip3 install wheel
 pip3 install .
 cd "$ROOT_DIR"
-if [ -d "depot_tools" ];then
+if [ -d "depot_tools" ]; then
   rm -rf depot_tools
 fi
 git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
 
-
-if [ -d "engine" ];then
+if [ -d "engine" ]; then
   rm -rf engine
 fi
 git clone https://github.com/flutter/engine.git
 
-
 export PATH=$PATH:$ROOT_DIR/depot_tools
 cd engine
 git fetch origin $(reflutter "$SNAPSHOT_HASH" -l)
 git reset --hard FETCH_HEAD
 reflutter "$SNAPSHOT_HASH" -l
-echo 'reflutter' > REFLUTTER
+echo 'reflutter' >REFLUTTER
 git add . && git commit -am "reflutter"
 cd "$ROOT_DIR"
 if [ -d "customEngine" ]; then
   rm -rf customEngine
 fi
 mkdir customEngine
 cd customEngine
-echo 'solutions = [{"managed": False,"name": "src/flutter","url": "'"$ROOT_DIR"/engine'","custom_deps": {},"deps_file": "DEPS","safesync_url": "",},]' > .gclient
+echo 'solutions = [{"managed": False,"name": "src/flutter","url": "'"$ROOT_DIR"/engine'","custom_deps": {},"deps_file": "DEPS","safesync_url": "",},]' >.gclient
 gclient sync
 reflutter "$SNAPSHOT_HASH" -l
 cd "$ROOT_DIR"
 export PATH=$PATH:$(pwd)/depot_tools && sudo xcode-select -s /Applications/Xcode.app && customEngine/src/flutter/tools/gn --ios --runtime-mode=release && ninja -C customEngine/src/out/ios_release
- cp customEngine/src/out/ios_release/Flutter.framework/Flutter Flutter
+cp customEngine/src/out/ios_release/Flutter.framework/Flutter Flutter
 cd "$ROOT_DIR"
 export PATH=$PATH:$(pwd)/depot_tools && customEngine/src/flutter/tools/gn --no-goma --android --android-cpu=arm64 --runtime-mode=release && ninja -C customEngine/src/out/android_release_arm64
 cd "$ROOT_DIR"

diff --git a/scripts/enginehash.tmp.csv b/scripts/enginehash.tmp.csv
@@ -1,4 +1,11 @@
 version,Engine_commit,Snapshot_Hash
+3.27.1,cb4b5fff73850b2e42bd4de7cb9a4310a78ac40d,f956f595844a2f845a55707faaaa51e4
+3.28.0-0.1.pre,2ba456fd7fd03d7348f9fa0952493030c85f15ae,97f52ee782b130538ba1dca8de3ad8b2
+3.27.0,83bacfc52569459a4a654727cad2546820cb0d6a,f956f595844a2f845a55707faaaa51e4
+3.27.0-0.2.pre,397deba30fcb592f17dfb31b4e9e31e17fbfae9a,f956f595844a2f845a55707faaaa51e4
+3.24.5,a18df97ca57a249df5d8d68cd0820600223ce262,80a49c7111088100a233b2ae788e1f48
+3.24.4,db49896cf25ceabc44096d5f088d86414e05a7aa,80a49c7111088100a233b2ae788e1f48
+3.27.0-0.1.pre,af0f0d559c8a87d912a20971bbd84afc80a54b0f,f956f595844a2f845a55707faaaa51e4
 3.24.3,36335019a8eab588c3c2ea783c618d90505be233,80a49c7111088100a233b2ae788e1f48
 3.26.0-0.1.pre,059e4e6d8ff6de39c29441c53e949bfb0bf17972,8d97f46f9e092e886d13bfafe3fc7004
 3.24.2,a6bd3f1de158bb61090e0c8053df93a10cb548e1,80a49c7111088100a233b2ae788e1f48
@@ -123,6 +130,7 @@ version,Engine_commit,Snapshot_Hash
 3.3.0-0.3.pre,f16e757d5d68c164d084b61d84e3b7cd14eacba9,b0e899ec5a90e4661501f0b69e9dd70f
 3.3.0-0.2.pre,d1e7dc18bf272f7f2be1c9094307fa0462787ff2,b0e899ec5a90e4661501f0b69e9dd70f
 3.3.0-0.1.pre,fd131c385ee2a2d0484c49ed859911798e4e177b,b0e899ec5a90e4661501f0b69e9dd70f
+3.3.0-0.0.pre,1388adb442192ce155630eeb6806b74db07dd15e,b0e899ec5a90e4661501f0b69e9dd70f
 3.0.5,e85ea0e79c6d894c120cda4ee8ee10fe6745e187,1441d6b13b8623fa7fbf61433abebd31
 3.0.4,6ba2af10bb05c88a2731482cedf2cfd11cf5af0b,1441d6b13b8623fa7fbf61433abebd31
 3.0.3,ffe7b86a1e5b5cb63c8385ae1adc759e372ee8f4,1441d6b13b8623fa7fbf61433abebd31
@@ -524,6 +532,7 @@ v0.11.8,1baf081343530dbaa8bec378fe1ce26b4897c23f,8343f188ada07642f47c56e518f1307
 v0.11.8,1baf081343530dbaa8bec378fe1ce26b4897c23f,8343f188ada07642f47c56e518f1307c
 v0.11.7,2e06da3df9cb370795f49747fdfd295b8168c133,8343f188ada07642f47c56e518f1307c
 v0.11.7,2e06da3df9cb370795f49747fdfd295b8168c133,8343f188ada07642f47c56e518f1307c
+v0.11.6,114d33d3caa24d260f15529e1f3f50783cbccd9a,8343f188ada07642f47c56e518f1307c
 v0.11.5,4959b71d6a1b1473911970428b16ac02397d930b,d124ce50a30741a188e41c52c424c127
 v0.11.4,5646e86a6f442dc6f4158ae7010ab13d72a0b356,d124ce50a30741a188e41c52c424c127
 v0.11.3,5646e86a6f442dc6f4158ae7010ab13d72a0b356,d124ce50a30741a188e41c52c424c127
@@ -574,6 +583,7 @@ v0.5.2,a83b37d35acd8afd82be3f567a4b7231d5bdb928,fd5b7e46645767083d8f2b8433d7f761
 v0.5.1,1ed25ca7b7e3e3e8047df050bba4174074c9b336,04cb98b58e7d69109004454c20b492f7
 v0.5.0,2b1f3dbe25894d7614587f494a25b40fdb344f4a,129c1a9917052c59c17229d1d019a956
 v0.4.4,06afdfe54ebef9168a90ca00a6721c2d36e6aafa,1b155eedbb3a2640a88d2e54d2f2d204
+v0.4.4,06afdfe54ebef9168a90ca00a6721c2d36e6aafa,1b155eedbb3a2640a88d2e54d2f2d204
 v0.4.3,9ae10ef702e76585ea498bdfb2b40181017623ad,e005a87ed1e2a5f982744b8074199787
 v0.4.2,e976be13c51448f89107d082ec81e2b6731671fa,e005a87ed1e2a5f982744b8074199787
 v0.4.1,e976be13c51448f89107d082ec81e2b6731671fa,e005a87ed1e2a5f982744b8074199787
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		80a49c7111088100a233b2ae788e1f48
		f956f595844a2f845a55707faaaa51e4