最新的能很好反编译flutter程序的项目
1、安装- git clone https://github.com/worawit/blutter --depth=1
然后我直接将对应的两个压缩包下载下来(通过浏览器手动下载)
不再通过python的代码来下载,之前一直卡在这个地方。
如果读者可以正常运行init_env_win.py,手动这一步可以省略。- cd .\blutter\
- python .\scripts\init_env_win.py
再次运行就可以安装成功
[img=720,116.09756097560975]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353732.png[/img]
2、blutter反编译使用
[img=500,554.7730829420971]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353733.png[/img]
运行该工具,进入目标文件夹
提供libapp.so 和 libflutter.so 的目录
[img=720,169.8206896551724]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353734.png[/img]
[img=720,43.348017621145374]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353735.png[/img]- python blutter.py C:\Users\Le\Desktop\flutter\chall\lib\armeabi-v7a .\output
[img=720,170.7324147933285]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353737.png[/img]
但是问题不大,好像是我们的架构不支持,我们换一个
[img=720,184.29708222811672]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353738.png[/img]
再次运行,发现正在下载对应Dart版本的信息
[img=720,80.1713062098501]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353739.png[/img]
全程代理!
[img=720,262.7628865979381]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353740.png[/img]
要不然还会报错
正常情况下:
[img=720,102.63041880969875]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353741.png[/img]
安装完成后,再次运行命令:
[img=720,317.4494556765163]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353742.png[/img]
报错:0x22说明权限不够,使用管理员模式运行即可
反编译成功
【----帮助网安学习,以下所有学习资料免费领!加vx:yj009991,备注 “博客园” 获取!】
① 网安学习成长路径思维导图
② 60+网安经典常用工具包
③ 100+SRC漏洞分析报告
④ 150+网安攻防实战技术电子书
⑤ 最权威CISSP 认证考试指南+题库
⑥ 超1800页CTF实战技巧手册
⑦ 最新网安大厂面试题合集(含答案)
⑧ APP客户端安全检测指南(安卓+IOS)
查看文件目录:
到此,blutter模块反编译flutter成功!
3、IDA恢复libapp.so符号
[img=720,323.8905775075988]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353745.png[/img]
拖进IDA64
发现符号全无,不利于我们分析,此时blutter工具的用法就体现出来了
[img=720,680.1208459214502]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353746.png[/img]
运行生成的脚本:
见证奇迹的时刻到了
4、分析
[img=720,332.62672811059906]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353749.png[/img]
flutter中:onTap函数是按钮点击响应函数,CTF中以此作为入口进行分析
进入1DE500函数
[img=720,405.77910447761195]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353750.png[/img]
进入分析发现一堆代码
[img=720,426.69885334942666]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353751.png[/img]
目前不知道什么加密,因为“面目全非”(有256,%符号)
使用blutter生成的frida脚本,对该函数进行hook,观察其返回结果- frida -U -f com.example.flutter_application_1 -l blutter_frida.js
[img=720,466.3829787234043]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353754.png[/img]
hook目标函数
[img=720,288.3685220729367]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353755.png[/img]
然后发现没有触发
[img=720,474.48763250883394]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353756.png[/img]
猜测flag长度有限制,后面知道了原来是模拟器有bug,我换了真机才可以
[img=720,419.4424588992137]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353757.png[/img]
得到了比较的数组,也就是密文- Unhandle class id: 46, TypeArguments
- GrowableList@750038d0f1 = [
- 188698,
- 0,
- {
- "key": "Unhandle class id: 46, TypeArguments"
- },
- 34,
- {
- "key": [
- 184,
- 132,
- 137,
- 215,
- 146,
- 65,
- 86,
- 157,
- 123,
- 100,
- 179,
- 131,
- 112,
- 170,
- 97,
- 210,
- 163,
- 179,
- 17,
- 171,
- 245,
- 30,
- 194,
- 144,
- 37,
- 41,
- 235,
- 121,
- 146,
- 210,
- 174,
- 92,
- 204,
- 22
- ]
- },
- 0,
- 0,
- 0
- ]
接下来使用IDA进行so的一个动调
[img=720,66.85714285714286]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353758.png[/img]
[img=720,449.42139099941556]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353759.png[/img]
选择same
[img=720,351.2479740680713]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353760.png[/img]
找到module
[img=720,353.48721147847783]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353761.png[/img]
运行程序
[img=720,523.3867276887872]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353762.png[/img]
读者可以使用高级语言来看,为了理解更深刻,我这里采用了汇编来看
[img=720,258.71668311944717]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353763.png[/img]
可以看到比较256次
RC4的经典特征
[img=720,335.07882111034957]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353764.png[/img]
[img=720,351.4210061782877]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353765.png[/img]
在异或出添加输出断点:
[img=720,558.5793562708102]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353767.png[/img]
搜索指令[img=720,372.41379310344826]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353768.png[/img]- import idc
- print(idc.get_reg_value("X2"),",",end="")
[img=720,580.3604902667628]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202312111353770.png[/img]
拿到异或的所有值- xor = [14, 14, 68, 80, 29, 201, 241, 46, 197, 208, 123, 79, 187, 55, 234, 104, 40, 117, 133, 12, 67, 137, 91, 31, 136,
- 177, 64, 234, 24, 27, 26, 214, 122, 217]
-
这里使用了oacia师傅的脚本- final = [184, 132, 137, 215, 146, 65, 86, 157, 123, 100, 179, 131, 112, 170, 97, 210, 163, 179, 17, 171, 245, 30, 194, 144, 37, 41, 235, 121, 146, 210, 174, 92, 204, 22]xor = [14, 14, 68, 80, 29, 201, 241, 46, 197, 208, 123, 79, 187, 55, 234, 104, 40, 117, 133, 12, 67, 137, 91, 31, 136,
- 177, 64, 234, 24, 27, 26, 214, 122, 217]
- flag = [chr(xor[i]^final[i]^0xff) for i in range(len(final))]print(''.join(flag))
更多网安技能的在线实操练习,请点击这里>>
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作! |
