Bypass SSL Pinning for Flutter apps using Frida

  • Published: 8 Jan 2025

Comments • 119

  • @MouriYazid
    @MouriYazid 4 days ago +1

    Wow, this is so cool man, I was looking for this for so long. You did an amazing job explaining everything ❤

  • @zerotohero2659
    @zerotohero2659 11 months ago +1

    Thank you for the video. I suggest putting the links and resources that you used to understand and put this together. Maybe there are those who want to go further...

  • @pentest-j6t
    @pentest-j6t 3 months ago +1

    Wonderful video brother. Would appreciate it if you let us know how to make a universal Frida script to bypass all Flutter based Android apps as you said at the end of the video. Thank you once again.

  • @ريماهاتبرك
    @ريماهاتبرك 2 months ago

    Yes sir, the video is very useful. I hope we watch the sequel.

  • @rezarezaee1535
    @rezarezaee1535 1 year ago +1

    Thanks bro
    We enjoyed it ❤
    Keep it up and make more advanced tutorials ❤

  • @norbertseho
    @norbertseho 11 months ago

    Thank you very much for this content. I had some issues with the script but I found a way around and I was finally able to bypass SSL pinning.

    • @fatalsec
      @fatalsec 11 months ago

      Glad to know that

  • @FaisalHusnainBokhari
    @FaisalHusnainBokhari 1 year ago +1

    Awesome video once again, keep it up. There is also an easy way of doing all this through reflutter but understanding the internals is always better.

    • @fatalsec
      @fatalsec 1 year ago +2

      Yes, but with new Dart snapshots sometimes reflutter fails to parse it properly. So the goal of this video is to show how to do it manually.

    • @FaisalHusnainBokhari
      @FaisalHusnainBokhari 1 year ago +1

      @@fatalsec it is a pleasure to learn complex topics in such a simple way. Please also consider creating a crash course on Frida and JS.

  • @tur_
    @tur_ 1 year ago +2

    You are the best keep going 💪❤️

  • @BouchentoufZakaria
    @BouchentoufZakaria 19 days ago +1

    I think linker64 will not work with an emulator that has x86_64 arch?
    In this case, what should I do?

  • @ashishf6
    @ashishf6 10 months ago

    Thanks for the detailed video. Usage of Ghidra to calculate the offset. Writing your own Frida script.

  • @Renan-yq2qv
    @Renan-yq2qv 1 year ago +2

    Very good one! I wonder if you are planning to make more videos on reverse engineering approaches for Flutter. I'm currently focused on this, but unfortunately there isn't much content or tools available to learn from, so I just keep struggling with the low level operations and reading the source code of the Dart SDK.

    • @fatalsec
      @fatalsec 1 year ago +4

      Thanks! Yes, I am planning to make more videos on Flutter so stay tuned.

  • @m.alfaqih4685
    @m.alfaqih4685 8 months ago +1

    Very detailed!!! Thank you!
    If you don't mind, please make videos about intercepting Xamarin apps.

  • @ريماهاتبرك
    @ريماهاتبرك 1 month ago +1

    Actually I watched this tutorial twice; it is really hard. The hardest thing is that you are not using Radare2, so I found it difficult to understand. I hope you will repeat this tutorial using Radare2. I also think that the source code has been updated 😅

  • @nodistractionsjustgoandstu1842
    @nodistractionsjustgoandstu1842 1 year ago +2

    Excellent video and gained valuable insights. Please continue making these videos. Could you create a video on how to initiate the analysis of a Flutter APK before testing? In the case of Java and Kotlin, we can easily decompile and examine the code, but for Flutter, it's not as straightforward. How should we conduct reconnaissance on Flutter apps?

  • @lew9068
    @lew9068 1 year ago +2

    Very informative video. It would be great if you could speak a little slower as it was a little difficult to track. Frida Gadget would also be a great topic to touch on.

    • @fatalsec
      @fatalsec 1 year ago

      Thanks for the suggestion.

  • @_Kishan_Ambaliya_
    @_Kishan_Ambaliya_ 1 year ago +4

    Yes sir, I want to know how to read a .so file, please make a dedicated video on that topic.

  • @farukarslan2000
    @farukarslan2000 1 year ago +1

    Perfect! I'm looking forward to your next videos!

  • @gaurishkauthankar5061
    @gaurishkauthankar5061 11 months ago

    What's the Flutter SDK version used in the demo app?

  • @pavankrishna-v7g
    @pavankrishna-v7g 1 year ago

    Superb video bro.. thanks a lot.

  • @kuldeepsingh2983
    @kuldeepsingh2983 11 months ago

    Thanks, it is exactly what I needed. Great content.

  • @yoshi5113
    @yoshi5113 2 months ago

    One thousand claps for this video, great tutorial!

  • @BenCarias
    @BenCarias 1 month ago

    When I get to 7:13 after installing the cert, I can't load Google or any page - the HTTP hits appear in Burp Suite but never actually load on the device. What am I doing wrong? Also my device is not rooted, not sure if that makes a difference?

  • @trickshindi100
    @trickshindi100 1 year ago

    Awesome content bro, next video should be on Dart ♥️😃 and bro, explain your setup also.

    • @fatalsec
      @fatalsec 1 year ago

      Thanks. Sure, I will plan to create a dedicated video to explain the setup.

  • @reni_christian
    @reni_christian 2 months ago

    Awesome content 👏

  • @Check-k2q
    @Check-k2q 7 months ago

    Excellent video. There seem to have been some code changes with BoringSSL; are you able to bypass with the new library?
    Appreciate the response.
    Thanks

    • @fatalsec
      @fatalsec 7 months ago

      No, I haven't looked into the new one. But I guess you can apply the same logic unless they have modified the whole structure of the function.

  • @mnamahania8919
    @mnamahania8919 2 months ago

    You are amazing, you are wonderful

  • @pentest-j6t
    @pentest-j6t 3 months ago

    Please share the script code in the video description so we can copy paste easily, thank you

  • @testuser-jg4fi
    @testuser-jg4fi 1 year ago

    So, currently I have a Flutter based apk which does not have the lib/amd64/libapp.so file in it, now what can I do? The apk uses Firebase as the storage API; in this scenario what are the other techniques I can perform?

    • @fatalsec
      @fatalsec 1 year ago

      Is there libflutter.so present in the application's lib directory? If not, then this is not a Flutter based app.
      For the second question I don't understand. You want to intercept the storage API from the Firebase library, or you are trying to intercept HTTPS requests made by Firebase APIs?

  • @nitczi706
    @nitczi706 5 months ago

    I went through all registers (sp, rcx, rbx, rsp, rbp, rsi, rdi, r9...15, rip) and libflutter.so is not called in any of these registers. Do you know what I should try now?

    • @fatalsec
      @fatalsec 5 months ago

      You want to figure out the base address of libflutter.so? Based on the register names you mentioned it seems you are working with the armv7 architecture, so the linker64 which I used will not work. You can use linker instead of linker64 if this is the case.

  • @mustafaagbaria8922
    @mustafaagbaria8922 11 months ago

    Well done and perfect explanation, but can you please show the other way in which we can change the library and compile again? Also, will this work for iOS devices? Thanks!

    • @fatalsec
      @fatalsec 11 months ago +1

      Sure, I will make a video on this.

  • @asantoshkumarachary2692
    @asantoshkumarachary2692 7 months ago

    How to know which BoringSSL version is used for the app I am trying to reverse?

    • @fatalsec
      @fatalsec 7 months ago

      Based on the Dart version the application is using, you can figure it out.

  • @Ahmedzicas
    @Ahmedzicas 10 months ago

    Thanks for this video. As a newbie, I have some questions: is it essential to have a rooted device to use proxy apps? If this is the case, what if I'm using a rooted device detection package in my app?
    Would it be helpful to prevent app installation on those devices?
    Thanks a lot for sharing valuable information.

    • @fatalsec
      @fatalsec 10 months ago

      Yes, a rooted device is required to run frida-server or other such tools like a debugger. In case your app is detecting that the device is rooted then you have to first bypass root detection. There are various ways to detect root. I have made some videos about it as well; you can check them to get some idea.

  • @evannur2883
    @evannur2883 11 months ago

    TypeError: cannot read property 'readCString' of undefined. Help me out bro.

    • @fatalsec
      @fatalsec 11 months ago

      This error means that the string that you are trying to read is not defined. Make sure that the address is valid.

  • @JohnGarland-v9j
    @JohnGarland-v9j 1 year ago

    While running the script I got the below mentioned error:
    TypeError: cannot read property 'enumerateSymbols' of null
    # I am running frida 16.1.4

    • @fatalsec
      @fatalsec 1 year ago

      You are trying to enumerate linker64 symbols? It might be possible that your device is armv7 based and not armv8. Try changing linker64 to linker.

    • @JohnGarland-v9j
      @JohnGarland-v9j 1 year ago

      @@fatalsec thanks for replying. I changed that value to linker and it worked, but now I'm having trouble getting the offset value, as in Ghidra the vulnerable function is undefined, and if I use the value (it looks like an address) just after the word undefined, I didn't get success. Please help me, or is there any other way to contact you to get this problem solved?
      And second thing, I'm running Android 11 on my device and I'm not able to install/run ProxyDroid on my phone; that application keeps closing when I run it. So is there any other way to use ProxyDroid on Android 11, or any other application which is an alternative to ProxyDroid?

  • @shortvideo2457
    @shortvideo2457 6 months ago

    Please bypass app ssl for me...will do for me...only one app ??

  • @balramrexwal
    @balramrexwal 1 year ago

    Great video, keep it up. There are very few videos on pentesting Flutter apps. So, we have to reverse each app's binary files for SSL bypass, is that right?

    • @fatalsec
      @fatalsec 1 year ago

      Yes, but the concept is more or less the same for every Flutter app, and if your app is using the same Dart version then the same script can be used.

  • @NoorTrading
    @NoorTrading 7 months ago

    Bro amazing job 👌

  • @Mdimthiyaj.s
    @Mdimthiyaj.s 11 months ago

    The application is developed using Flutter, but when I extract the apk the lib folder is not there and the code is obfuscated. What to do? I'm stuck 🥺

    • @fatalsec
      @fatalsec 11 months ago

      This could happen if the application is obfuscated. Is there any other native library present?

    • @Mdimthiyaj.s
      @Mdimthiyaj.s 11 months ago

      @@fatalsec yes, Kotlin is there.

    • @Mdimthiyaj.s
      @Mdimthiyaj.s 11 months ago

      @@fatalsec is there any way to read code ?

  • @deepamsinha3933
    @deepamsinha3933 1 year ago

    Hello brother, when I'm trying to load the JS script file I'm getting the following error: "cannot read property enumerateSymbols of null". Please help with this.

    • @fatalsec
      @fatalsec 1 year ago

      Are you using the same script I have used in the video?

    • @deepamsinha3933
      @deepamsinha3933 1 year ago

      @@fatalsec yes, I'm using the same script. Does it need any specific library to be included through import keyword?

    • @fatalsec
      @fatalsec 1 year ago

      @@deepamsinha3933 no, there are chances that you are using a device which has the ARMv7 architecture. Confirm this and if so then replace “linker64” with “linker”.

  • @OnePlayFlex
    @OnePlayFlex 1 year ago

    Bro can you bypass Play Integrity API

  • @bruno-devs
    @bruno-devs 6 months ago +1

    Excellent

  • @ashsharp1985
    @ashsharp1985 7 months ago

    Can you bypass and reroute to your own server with another certificate?
    With android app

    • @fatalsec
      @fatalsec 7 months ago

      Not sure about the certificate but redirecting the traffic to another server is possible.

    • @ashsharp1985
      @ashsharp1985 7 months ago

      @fatalsec redirecting to an Android Chrome web app and setting up the entire architecture behind it is possible.
      Methods of redirecting: CSS, webhook, RESTful APIs, web listeners and automated push requests?
      What method would be most common and allowed by Chrome browsers?

  • @vision9558
    @vision9558 2 months ago

    Can we use objection instead of writing frida script..

    • @fatalsec
      @fatalsec 2 months ago

      Under the hood Objection also uses Frida scripts. I don't know whether Objection has updated their SSL pinning bypass script to incorporate Flutter!

  • @HackingIsDope
    @HackingIsDope 1 year ago +1

    Really needed this

    • @piyushnigam4916
      @piyushnigam4916 11 months ago

      Hey brother, can you please help me to intercept a Flutter app with Burp in the easiest way?

    • @HackingIsDope
      @HackingIsDope 11 months ago

      @@piyushnigam4916 the easiest way is to setup HTTP Toolkit

  • @GautamMS
    @GautamMS 1 year ago +1

    We want to know about those snapshots

  • @ramasyah397
    @ramasyah397 1 year ago

    how to bypass sign. no kill

  • @CandraSentosaFahmi
    @CandraSentosaFahmi 3 months ago

    I wish this concept can be true on my case

  • @mynamebvh
    @mynamebvh 1 year ago

    I found that function but it doesn't return 0x0 but 0xbde22301. I also have a hard time understanding :((

    • @fatalsec
      @fatalsec 1 year ago +1

      There are chances that the function you are hooking is not correct. If you are sure it’s the right function then it would be interesting to see. If you can share the apk with me I can have a look!

    • @erikhen1809
      @erikhen1809 1 year ago

      In my case also it doesn't return 0x0 but some random number. I use your apk, brother, with the x86_64 lib. It also just keeps loading even though I don't pass it through the proxy. Any idea what's going on? Please help with this. Thank you brother!

  • @yoshi5113
    @yoshi5113 2 months ago

    I have the error message "Expected pointer", what does it mean?

    • @fatalsec
      @fatalsec 2 months ago

      This means that the address you are trying to hook is not a valid address.

    • @yoshi5113
      @yoshi5113 2 months ago

      @@fatalsec I had successfully trapped the API communication to Burp, but when the application receives a response from the server, the application shows a pop-up error: '_X509CertificateImpl'. Is it possible that the server validates the HTTP request when we are using the Burp certificate to communicate with the server?

  • @HoangHiep-x1r
    @HoangHiep-x1r 10 months ago

    What version of Android do you use?

    • @fatalsec
      @fatalsec 10 months ago

      Currently using Android 13.

  • @ramenpradhan2836
    @ramenpradhan2836 2 months ago

    Can you please make a course and train us how to write our own Frida scripts?

    • @fatalsec
      @fatalsec 2 months ago

      Yes this is something I am going to start soon.

  • @Faizan-mb2lm
    @Faizan-mb2lm 5 months ago

    Can't we do this using HttpCanary??🤔

    • @fatalsec
      @fatalsec 5 months ago

      Yes you can try. But if there is certificate pinning applied then it won’t work.

    • @Faizan-mb2lm
      @Faizan-mb2lm 5 months ago

      @@fatalsec okay

  • @danishazizkhan6099
    @danishazizkhan6099 1 year ago

    Make a dedicated video on the .so Dart library file.

  • @piyushnigam4916
    @piyushnigam4916 11 months ago +1

    Brother, can you please brief the main steps only? Actually I was looking for the same content for 1 year.

  • @nairpaa
    @nairpaa 1 year ago +1

    Great video!

  • @phaneedrakumaribharadwaj2392
    @phaneedrakumaribharadwaj2392 2 months ago

    Hello Mr., I want to connect with you, can you suggest how to connect?

    • @fatalsec
      @fatalsec 2 months ago

      You can join our telegram group and connect with us at t.me/SecFatal

    • @phaneedrakumaribharadwaj2392
      @phaneedrakumaribharadwaj2392 2 months ago

      @fatalsec is it possible to connect one to one?

  • @BouchentoufZakaria
    @BouchentoufZakaria 20 days ago

    Bro like you ❤❤❤

  • @sandaruashen5108
    @sandaruashen5108 1 year ago +1

    Thank you man

  • @N2P-YT
    @N2P-YT 1 month ago

    This app is not working right now

    • @fatalsec
      @fatalsec 1 month ago

      Thanks for letting me know. I will check and update it if required.

  • @rioputrasuryana
    @rioputrasuryana 1 year ago

    Request for the next tutorial: how to bypass emulator detection in Flutter.

    • @fatalsec
      @fatalsec 1 year ago

      I can if you can share any sample app having emulator detection in Flutter.

    • @rioputrasuryana
      @rioputrasuryana 1 year ago

      @@fatalsec how can I contact you?

  • @bharat30319
    @bharat30319 1 year ago

    Hello bro, how can I contact you?

    • @fatalsec
      @fatalsec 1 year ago

      You can join our telegram group: t.me/SecFatal

  • @user4gent416
    @user4gent416 5 months ago

    Advanced and great

  • @tjtakegaming8264
    @tjtakegaming8264 1 year ago

    Using only an Android device

  • @legoAlienAbductor
    @legoAlienAbductor 9 months ago

    I'd be willing to pay for more

    • @fatalsec
      @fatalsec 9 months ago

      Hi, thanks for showing the interest. You can contribute here: www.buymeacoffee.com/secfatalz

  • @baxtronicxavier
    @baxtronicxavier 1 month ago

    Had to put this at -05 playback lol

    • @fatalsec
      @fatalsec 1 month ago

      Was it too fast?

  • @ctfs09
    @ctfs09 6 months ago

    cfbr!!

  • @maximilianusl.ramage9531
    @maximilianusl.ramage9531 3 months ago

    A real hacker

  • @mohso2001
    @mohso2001 1 year ago

    // Byte pattern of the target function's x86-64 prologue:
    // push rbp; push r15; push r14; push r13; push r12; push rbx; sub rsp, 0x38; ...
    const pattern = "55 41 57 41 56 41 55 41 54 53 48 83 ec 38 c6 02 50 48 8b af a8 00 00 00";
    var module = Process.findModuleByName("libflutter.so");
    if (module === null) {
        throw new Error("libflutter.so is not loaded yet");
    }
    var results = Memory.scanSync(module.base, module.size, pattern);
    if (results.length === 0) {
        throw new Error("prologue pattern not found: check the ABI (x86_64 lib?) and the BoringSSL build");
    }

    console.log(`[+] libflutter is loaded at ${module.base}`);
    // Hook the match address itself. The pattern starts at the function's first
    // instruction (push rbp); the original script hooked at +1, i.e. after push rbp,
    // so Interceptor took the saved rbp at [rsp] for the return address and onLeave never ran.
    session_verify_cert_chain(results[0].address);

    function session_verify_cert_chain(address) {
        console.log("ssl add: " + address);
        Interceptor.attach(address, {
            onLeave: function (retval) {
                console.log(`[+] session_verify_cert_chain original retval: ${retval}`);
                retval.replace(0x0);  // 0 = ssl_verify_ok
            }
        });
    }
    onLeave not working
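Added example, not from the video and not from the comment above: a plain-JS model of the pattern matching that Frida's Memory.scanSync() performs (hex bytes separated by spaces, "??" for a wildcard byte), run over a constructed byte buffer that contains the prologue pattern from the comment, to show that the match address is the function entry (push rbp) while match+1 sits on the second instruction, which is why an onLeave hook placed there does not fire. It runs in Node without Frida; the buffer and its padding are constructed for the example.

```javascript
// Model of Frida's Memory.scanSync() pattern syntax: hex bytes separated by
// spaces, "??" matching any byte. Added example; not the project's code.
function parsePattern(pattern) {
  return pattern.trim().split(/\s+/).map((tok) => {
    if (tok === "??") return null; // wildcard byte
    if (!/^[0-9a-fA-F]{2}$/.test(tok)) throw new Error("bad pattern token: " + tok);
    return parseInt(tok, 16);
  });
}

// Return every offset where the pattern matches, shaped like scanSync's results.
function scanPattern(buf, pattern) {
  const needle = parsePattern(pattern);
  const hits = [];
  for (let i = 0; i + needle.length <= buf.length; i++) {
    let ok = true;
    for (let j = 0; j < needle.length; j++) {
      if (needle[j] !== null && buf[i + j] !== needle[j]) { ok = false; break; }
    }
    if (ok) hits.push({ address: i, size: needle.length });
  }
  return hits;
}

// Just enough x86-64 decoding to name the instruction at an offset: 0x55 is
// "push rbp" (the usual first instruction), 0x41 0x50..0x57 is "push r8..r15".
function describeInsn(buf, off) {
  const b0 = buf[off], b1 = buf[off + 1];
  if (b0 === 0x55) return "push rbp";
  if (b0 === 0x41 && b1 >= 0x50 && b1 <= 0x57) return "push r" + (8 + b1 - 0x50);
  return "other";
}

// The prologue pattern from the comment, placed in a constructed sample buffer.
const PROLOGUE = "55 41 57 41 56 41 55 41 54 53 48 83 ec 38 c6 02 50 48 8b af a8 00 00 00";
const sampleModule = Uint8Array.from([
  0xcc, 0xcc, 0xcc, 0xcc,      // int3 padding before the function (constructed)
  ...parsePattern(PROLOGUE),   // the function prologue itself
  0xc3,                        // ret
]);

// Locate the function and report which instruction a hook at entry vs entry+1 lands on.
function whereToHook(buf, pattern) {
  const hits = scanPattern(buf, pattern);
  if (hits.length !== 1) throw new Error(`expected exactly 1 match, got ${hits.length}`);
  const entry = hits[0].address;
  return {
    entry,
    atEntry: describeInsn(buf, entry),          // "push rbp": hook here
    atEntryPlus1: describeInsn(buf, entry + 1), // "push r15": mid-prologue, onLeave breaks
  };
}

console.log(whereToHook(sampleModule, PROLOGUE));
```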