[Original] Flutter security hardening (1): custom-building the Flutter engine to wipe the snapshot hash and defeat snapshot analysis tools such as reFlutter and JEB
2022-7-29 10:25 4315


Foreword

Articles on Flutter security are scarce, so I am sharing some notes drawn from day-to-day development work for discussion.

The core idea is to counter the approaches and tools currently used to reverse engineer Flutter apps.

Countering the reversing tools

The tools currently able to parse Flutter snapshots include reFlutter and JEB.

They work on different principles: one is based on static parsing, the other on repackaging and dynamic analysis.

During analysis, the first thing these tools need to establish is the Flutter engine version, that is, the snapshot version hash.

This string can be seen with 010 Editor. If we build a custom Flutter engine and wipe this hash, the tools above stop working.

[image]

Against a tool like reFlutter we additionally need anti-repackaging measures.

Building Flutter

Downloading and building

Someone on the forum has already written this up, so I will just link to it:

https://bbs.pediy.com/thread-272866.htm

Let me add a few things. If you want to build the apk for a proper arm64 release, the build commands need to be changed to:

./flutter/tools/gn --android --android-cpu=arm64 --runtime-mode=release
ninja -C out/android_release_arm64

android_release_arm64 is then the output directory we need.

Building the Flutter app with the out directory

flutter build provides options for swapping in a locally built engine; you need to specify

--local-engine-src-path
--local-engine

The full build command is:

flutter build apk --target-platform android-arm64 --local-engine-src-path=/home/zzt/Desktop/work/flutter_sdk/engine_compile/src  --local-engine=android_release_arm64

For convenience during development we write a build.sh that builds, installs and launches the app:

flutter build apk --target-platform android-arm64 --local-engine-src-path=/home/zzt/Desktop/work/flutter_sdk/engine_compile/src  --local-engine=android_release_arm64

adb install -r build/app/outputs/flutter-apk/app-release.apk

adb shell am start -W -n com.example.flutter_test_1/.MainActivity

Test run:

zzt@ubuntu:~/StudioProjects/flutter_test_1$ ./build.sh
 
 Building with sound null safety
 
Running Gradle task 'assembleRelease'...                           13.1s
✓  Built build/app/outputs/flutter-apk/app-release.apk (5.8MB).
* daemon not running; starting now at tcp:5037
* daemon started successfully
Performing Streamed Install
Success
Starting: Intent { cmp=com.example.flutter_test_1/.MainActivity }
Status: ok
Activity: com.example.flutter_test_1/.MainActivity
ThisTime: 433
TotalTime: 433
WaitTime: 512
Complete

Development is now convenient, so next we modify the engine code.

Modifying the Flutter engine source

To change 1441d6b13b8623fa7fbf61433abebd31 we need to find the function that generates it.

I searched the source for the keyword snapshot_hash

and found that src/third_party/dart/tools/make_version.py is closely related to this parameter.
Now we modify it: in the function MakeSnapshotHashString, change the return value to '00000000000000000000000000000000'.

def MakeSnapshotHashString():
    vmhash = hashlib.md5()
    for vmfilename in VM_SNAPSHOT_FILES:
        vmfilepath = os.path.join(utils.DART_DIR, 'runtime', 'vm', vmfilename)
        with open(vmfilepath, 'rb') as vmfile:
            vmhash.update(vmfile.read())
    # Patched: always emit an all-zero hash instead of the MD5 of the VM snapshot sources
    return '00000000000000000000000000000000'
    # return vmhash.hexdigest()  # original behaviour

Building the engine

zzt@ubuntu:~/Desktop/work/flutter_sdk/engine_compile/src$ ninja -C out/android_release_arm64
ninja: Entering directory `out/android_release_arm64'
[0/1] Regenerating ninja files
[35/35] STAMP obj/default.stamp

Then build the apk:

zzt@ubuntu:~/StudioProjects/flutter_test_1$ ./build.sh
 
 Building with sound null safety
 
Running Gradle task 'assembleRelease'...                           23.1s
✓  Built build/app/outputs/flutter-apk/app-release.apk (5.8MB).

Open libandroid.so in 010 Editor again.
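A scripted version of the 010 Editor check above, added here as an example and not part of the original post: it locates Dart snapshot headers in a .so and reports whether each one carries the stock hash or the zeroed one. The header layout (int32 magic 0xdcdcf5f5, int64 length, int64 kind, then the 32-character hash followed by the features string) is assumed from the Dart VM source, and the sample binary is constructed inline.

```python
import re
import struct

# Assumed Dart snapshot header layout (runtime/vm/snapshot.h): int32 magic
# 0xdcdcf5f5, int64 length, int64 kind, then the 32-char hex snapshot hash
# immediately followed by the NUL-terminated features string.
SNAPSHOT_MAGIC = struct.pack("<I", 0xDCDCF5F5)
HEADER_SIZE = 4 + 8 + 8
HASH_LEN = 32
ZERO_HASH = "0" * HASH_LEN
HEX32 = re.compile(rb"^[0-9a-f]{32}$")


def find_snapshot_hashes(blob: bytes) -> list:
    """Return every snapshot header found in blob with its hash and verdict."""
    results = []
    pos = blob.find(SNAPSHOT_MAGIC)
    while pos != -1:
        start = pos + HEADER_SIZE
        candidate = blob[start:start + HASH_LEN]
        if HEX32.match(candidate):  # skip magic-like bytes not followed by a hash
            features = blob[start + HASH_LEN:].split(b"\x00", 1)[0]
            results.append({
                "offset": pos,
                "hash": candidate.decode(),
                "features": features.decode(errors="replace"),
                "zeroed": candidate.decode() == ZERO_HASH,
            })
        pos = blob.find(SNAPSHOT_MAGIC, pos + 1)
    return results


def make_snapshot(snap_hash: str, features: str, payload: bytes) -> bytes:
    """Constructed test data only: a snapshot blob in the assumed layout."""
    body = snap_hash.encode() + features.encode() + b"\x00" + payload
    return SNAPSHOT_MAGIC + struct.pack("<qq", len(body), 0) + body


# Constructed stand-in for libapp.so: one snapshot carrying the stock hash
# quoted in the post and one produced by the patched engine.
STOCK_HASH = "1441d6b13b8623fa7fbf61433abebd31"
SAMPLE_SO = (b"\x7fELF" + b"\x00" * 28
             + make_snapshot(STOCK_HASH, "product arm64", b"\x90" * 8)
             + b"\x00" * 16
             + make_snapshot(ZERO_HASH, "product arm64", b"\x90" * 8))

if __name__ == "__main__":
    for r in find_snapshot_hashes(SAMPLE_SO):
        state = "zeroed (patched engine)" if r["zeroed"] else "stock engine hash"
        print(f"0x{r['offset']:x}: {r['hash']} [{r['features']}] -> {state}")
```

Run it against the real libapp.so and libflutter.so from build/app/outputs by replacing SAMPLE_SO with the file contents; a build that still reports the stock hash was not linked against the patched engine.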

 

Testing the reversing tools

Finally, let's test whether the reversing tools still work.

pip install reflutter

It errors out right away:

reflutter app-release.apk
 
 Choose an option:
 
 1. Traffic monitoring and interception
 2. Display absolute code offset for functions
 
 [1/2]? 2
 
 This mode is only for dump and offset output, slow application operation is possible (network patch is still left)
 
 Engine SnapshotHash: 00000000000000000000000000000000
 
 This engine is currently not supported.
 Most likely this flutter application uses the Debug version engine which you need to build manually using Docker at the moment.
 More details: https://github.com/Impact-I/reFlutter

The hash cannot be identified.


Last edited on 2022-7-29 17:04 by 天神李青.