
reflutter does not detect snapshot hash in some ipa #29

Open
MrFatoni opened this issue Oct 14, 2021 · 15 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@MrFatoni

Not working for some apps.

I got the error "Make sure there is arm64-v8a/libapp.so or App.framework/App file in the package".
The app is Flutter and has App.framework/App.
(screenshot attached)

@MrFatoni
Author

App.framework/App is inside the Frameworks folder, so reFlutter is not detecting App.framework/App.

@Impact-I
Contributor

Impact-I commented Oct 14, 2021

Hi @MrFatoni, you have the correct paths, this should work. Try it on a non-macOS device.

To track the issue, find FlutterEngine, usually located in the Flutter.framework folder: open Info.plist, it contains the engine commit. Example:

#somepath/Flutter.framework/Info.plist

   <key>FlutterEngine</key>
   <string>b8752bbfff0419c8bf616b602bc59fd28f6a3d1b</string>

Please send it here.

or unpack the ipa and run:

c0de@c0de:~/repos/extracted_ipa$ grep -r "FlutterEngine" . -A 5
grep: ./Payload/Runner.app/Frameworks/Flutter.framework/Flutter: binary file matches
--
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist:  <key>FlutterEngine</key>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <string>b8752bbfff0419c8bf616b602bc59fd28f6a3d1b</string>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <key>ClangVersion</key>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-  <string>Apple clang version 11.0.0 (clang-1100.0.33.8)</string>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-</dict>
./Payload/Runner.app/Frameworks/Flutter.framework/Info.plist-</plist>

Make sure you have the latest version of reFlutter, 0.4.9, installed:
pip3 install reflutter==0.4.9

Thanks

@MrFatoni
Author

Already updated and still got the error:

./Frameworks/Flutter.framework/Info.plist:  <key>FlutterEngine</key>
./Frameworks/Flutter.framework/Info.plist-  <string>a9d88a4d182bdae23e3a4989abfb7ea25954aad1</string>
./Frameworks/Flutter.framework/Info.plist-  <key>ClangVersion</key>
./Frameworks/Flutter.framework/Info.plist-  <string>Apple clang version 11.0.3 (clang-1103.0.32.62)</string>

@Impact-I
Contributor

Impact-I commented Oct 14, 2021

@MrFatoni, OK, find the Flutter Engine in the /Frameworks/Flutter.framework/ folder and replace it manually in the archive with this one: https://github.com/ptswarm/reFlutter/releases/tag/ios-e4a09dbf2bb120fe4674e0576617a0dc
Note that the IP of your BurpSuite must be 192.168.133.104, port 8083.

I would really like to prevent users from encountering this error in the future.
Can you show the content of ./Frameworks/Flutter.framework/ ?

It would be cool if you shared this amazing ipa,
or run:
strings ./Frameworks/App.framework/App -n 32 | grep -e "^[0-9a-f]\{32\}"
Please send the output here.

Thanks

@Impact-I Impact-I added the good first issue Good for newcomers label Oct 14, 2021
@Impact-I Impact-I changed the title not working for some apps reflutter does not detect Snapshot Hash in some ipa Oct 14, 2021
@Impact-I Impact-I changed the title reflutter does not detect Snapshot Hash in some ipa reflutter does not detect snapshot hash in some ipa Oct 14, 2021
@MrFatoni
Author

Sorry, I can't share the ipa.
I ran the command, but I am not getting anything as output.

.Frameworks/Flutter.framework/

(screenshot attached)

@Impact-I
Contributor

@MrFatoni, I may have found the reason.

How about:
strings ./Frameworks/App.framework/App -n 32 | head -5

Thanks for the feedback

@MrFatoni
Author

(screenshot attached)

@Impact-I
Contributor

@MrFatoni, I understood. Fine.
By the way, have you successfully replaced the library? Do you have traffic interception in BurpSuite?

@MrFatoni
Author

Yes, it works, thanks.

@Impact-I Impact-I added the bug Something isn't working label Oct 14, 2021
@jayluxferro

jayluxferro commented Jan 17, 2022

Hi @Impact-I, I'm experiencing the same issue with FlutterEngine - d3ea636dc5d16b56819f3266241e1f708979c233.

Running

strings ./Frameworks/App.framework/App -n 32 | grep -e "^[0-9a-f]\{32\}"

returns an empty response.

Any help? If you would require me to share the IPA, let me know. Thanks.

@Impact-I
Contributor

Hi @jayluxferro,
Yes, it would be very cool if you could share the ipa file.

Thanks!

@jayluxferro

jayluxferro commented Jan 17, 2022

Hi @Impact-I

So far these are the Flutter engines I've come across whose snapshot hashes do not exist in the engine hash.
FlutterEngine:

  1. d3ea636dc5d16b56819f3266241e1f708979c233
  2. 40a99c595137e4b2f5b2efa8ff343ea23c1e16b

Thanks.

@Impact-I
Contributor

Impact-I commented Jan 18, 2022

@jayluxferro, thanks for sharing.

For hash d3ea636dc5d16b56819f3266241e1f708979c233 you can take
https://github.com/ptswarm/reFlutter/releases/tag/ios-9cf77f4405212c45daf608e1cd646852

For hash 40a99c595137e4b2f5b2efa8ff343ea23c1e16b8 you can take
https://github.com/ptswarm/reFlutter/releases/tag/ios-adf563436d12ba0d50ea5beb7f3be1bb

@jayluxferro

Thanks @Impact-I. I used the suggested binaries, completed the process and signed the .ipa file. After successful installation, it can't launch. It seems to crash once launched. I hooked it to lldb and got an error "Cannot allocate memory".

(screenshot attached, 2022-01-20)

@jayluxferro

jayluxferro commented Jan 20, 2022

Hi @Impact-I, after several hours, I was able to determine why some snapshots don't get detected.

Most .ipa files are encrypted, hence they have to be decrypted. I used frida (https://github.com/AloneMonkey/frida-ios-dump) to dump a decrypted version of the IPA file.

Afterwards, I used reFlutter to generate the new IPA and signed it using iOS App Signer (https://github.com/DanTheMan827/ios-app-signer) and it worked. I'm able to monitor/intercept the traffic now.

Thanks a lot for your tool.
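The root cause described in the last comment (a FairPlay-encrypted App binary leaves `strings` nothing to find) can be checked before reFlutter is run. The script below is an added example, not part of this thread and not reFlutter's own code: it reads the Mach-O load commands of App.framework/App for LC_ENCRYPTION_INFO_64 and then applies the same `strings -n 32 | grep "^[0-9a-f]{32}"` filter used above; the two sample binaries and FAKE_HASH are constructed inside the script.

```python
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF         # Mach-O constants from <mach-o/loader.h>
LC_ENCRYPTION_INFO_64 = 0x2C
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{32,}")  # what `strings -n 32` would print
HEX32_PREFIX = re.compile(rb"[0-9a-f]{32}")        # what the thread's grep keeps

def is_fairplay_encrypted(macho: bytes) -> bool:
    """True if a thin 64-bit Mach-O has LC_ENCRYPTION_INFO_64 with cryptid != 0 (fat binaries: lipo first)."""
    if len(macho) < 32 or struct.unpack_from("<I", macho, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    ncmds = struct.unpack_from("<I", macho, 16)[0]
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmd == LC_ENCRYPTION_INFO_64:
            # fields: cmd, cmdsize, cryptoff, cryptsize, cryptid, pad
            return struct.unpack_from("<I", macho, off + 16)[0] != 0
        off += cmdsize
    return False

def snapshot_hash_candidates(macho: bytes) -> list:
    """Printable runs of 32+ bytes whose first 32 chars are lowercase hex (strings | grep)."""
    found = []
    for run in PRINTABLE_RUN.finditer(macho):
        m = HEX32_PREFIX.match(run.group())
        if m:
            found.append(m.group().decode())
    return found

def diagnose(macho: bytes) -> tuple:
    """('encrypted', None), ('missing', None) or ('ok', snapshot_hash)."""
    if is_fairplay_encrypted(macho):
        return ("encrypted", None)  # strings only sees ciphertext: dump a decrypted copy first
    hashes = snapshot_hash_candidates(macho)
    return ("ok", hashes[0]) if hashes else ("missing", None)

def build_sample_app(cryptid: int, payload: bytes) -> bytes:
    """Constructed minimal arm64 MH_EXECUTE (not a real App binary): header + LC_ENCRYPTION_INFO_64 + payload."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, len(payload), cryptid, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc + payload

# Constructed samples; FAKE_HASH is not a real Dart snapshot hash.
FAKE_HASH = b"0123456789abcdef0123456789abcdef"
DECRYPTED_APP = build_sample_app(0, b"\x00" + FAKE_HASH + b"\x00")
ENCRYPTED_APP = build_sample_app(1, bytes(range(256)))  # stand-in for FairPlay ciphertext
```

On a real extracted IPA, pass the bytes of Payload/*.app/Frameworks/App.framework/App to diagnose(); an 'encrypted' result means the decrypt-and-dump step from the comment above is needed before reFlutter can find the hash.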
