Flutter数字藏品App逆向分析教学文档<\/h1>

一、环境准备<\/h2>

测试设备：Pixel 2 (Android 10)<\/li>
目标App：某数字藏品App (版本信息经过编码处理)<\/li>

工具准备：

Frida (用于动态Hook)<\/li>
IDA Pro (用于静态分析)<\/li>
Burp Suite\/Charles (用于抓包)<\/li>
Blutter (Flutter逆向工具)<\/li>

wt-js_debug (RSA\/AES解密工具)<\/li> <\/ul> <\/li> <\/ul>

二、初步分析<\/h2>

1. 抓包分析<\/h3>

首次尝试抓包时发现HTTPS握手失败，表明App存在证书校验机制。可能原因：<\/p>

Java层或Native层添加了证书校验<\/li>

使用Flutter框架开发，其网络库自带证书校验<\/li> <\/ul>

2. Flutter特征确认<\/h3>

解包APK后发现以下Flutter特征文件：<\/p>

libapp.so<\/li>

libflutter.so<\/li> <\/ul>

确认App使用Flutter框架开发，因此证书校验可能来自Flutter的网络库。<\/p>

三、绕过Flutter证书校验<\/h2>

1. 定位关键函数<\/h3>
在libflutter.so中搜索字符串"ssl_client"，找到关键函数`session_verify_cert_chain<\/code>。<\/p>`

2. Frida Hook脚本<\/h3>
编写Frida脚本Hook该函数并修改返回值为true：<\/p>
function<\/span> hook_ssl_verify_result<\/span>(address<\/span>) {
<\/span><\/span>    Interceptor<\/span>.attach<\/span>(address<\/span>, {
<\/span><\/span>        onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {
<\/span><\/span>            console<\/span>.log<\/span>("Original retval: "<\/span> +<\/span> retval<\/span>);
<\/span><\/span>            retval<\/span>.replace<\/span>(0x1<\/span>);
<\/span><\/span>            console<\/span>.log<\/span>("Modified retval: "<\/span> +<\/span> retval<\/span>);
<\/span><\/span>        }
<\/span><\/span>    });
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> hook_ssl<\/span>() {
<\/span><\/span>    var<\/span> m<\/span> =<\/span> Process<\/span>.getModuleByName<\/span>("libflutter.so"<\/span>);
<\/span><\/span>    var<\/span> exports<\/span> =<\/span> m<\/span>.enumerateExports<\/span>();
<\/span><\/span>    for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> exports<\/span>.length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>        if<\/span> (exports<\/span>[i<\/span>].name<\/span>.indexOf<\/span>("session_verify_cert_chain"<\/span>) !==<\/span> -<\/span>1<\/span>) {
<\/span><\/span>            console<\/span>.log<\/span>("Found session_verify_cert_chain at: "<\/span> +<\/span> exports<\/span>[i<\/span>].address<\/span>);
<\/span><\/span>            hook_ssl_verify_result<\/span>(exports<\/span>[i<\/span>].address<\/span>);
<\/span><\/span>            return<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>setTimeout<\/span>(hook_ssl<\/span>, 5000<\/span>);
<\/span><\/span><\/code><\/pre>使用spawn模式运行Frida，成功绕过证书校验后可以捕获到加密的API响应。<\/p>
四、加密响应分析<\/h2>
捕获到的响应格式：<\/p>
{
<\/span><\/span>    "data"<\/span>: "加密数据"<\/span>,
<\/span><\/span>    "encryptKey"<\/span>: "加密后的AES密钥"<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>加密流程推测<\/h3>

客户端和服务端各自生成RSA密钥对，交换公钥<\/li>
服务端生成随机AES密钥(key1)<\/li>
服务端使用key1加密数据得到data1<\/li>
服务端使用客户端公钥加密key1得到key2<\/li>
服务端发送{data1, key2}给客户端<\/li>
客户端使用私钥解密key2得到key1<\/li>
客户端使用key1解密data1得到明文<\/li>
<\/ol>
五、静态分析<\/h2>
1. 使用Blutter导出信息<\/h3>
使用Blutter工具导出Flutter App的信息表，帮助IDA识别函数名。<\/p>
2. RSA解密函数定位<\/h3>
在IDA中搜索"rsa"相关字符串，定位到疑似RSA解密的函数：

ibox_flutter_cores_util_code_encrypt_utils_EncryptUtils::rsaDecrypt_5c9f54<\/code><\/p>
3. 关键函数分析<\/h3>
发现自定义函数_transformPem<\/code>，其功能是将PEM格式密钥转换为适合解析的格式。<\/p>
函数偏移：0x5c0fd4<\/p>
六、动态Hook获取私钥<\/h2>
1. Frida Hook脚本<\/h3>
Hook _transformPem<\/code>函数获取私钥：<\/p>
var<\/span> base<\/span> =<\/span> Module<\/span>.getBaseAddress<\/span>("libapp.so"<\/span>);
<\/span><\/span>var<\/span> transformPem<\/span> =<\/span> base<\/span>.add<\/span>(0x5c0fd4<\/span>);
<\/span><\/span>
<\/span><\/span>Interceptor<\/span>.attach<\/span>(transformPem<\/span>, {
<\/span><\/span>    onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("Private key: "<\/span> +<\/span> retval<\/span>.readUtf8String<\/span>());
<\/span><\/span>        var<\/span> file<\/span> =<\/span> new<\/span> File<\/span>("\/sdcard\/private_key.pem"<\/span>, "w"<\/span>);
<\/span><\/span>        file<\/span>.write<\/span>(retval<\/span>.readUtf8String<\/span>());
<\/span><\/span>        file<\/span>.flush<\/span>();
<\/span><\/span>        file<\/span>.close<\/span>();
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>2. 私钥提取<\/h3>
使用hexdump提取私钥：<\/p>
hexdump -C \/sdcard\/private_key.pem
<\/span><\/span><\/code><\/pre>七、数据解密<\/h2>
1. 解密encryptKey<\/h3>
使用获取的私钥和wt-js_debug工具解密encryptKey字段，得到AES密钥。<\/p>
命令示例：<\/p>
wt-js_debug -d -k private_key.pem -i encryptKey.bin -o aes_key.txt
<\/span><\/span><\/code><\/pre>2. 解密data<\/h3>
使用得到的AES密钥解密data字段，模式为ECB（因响应中无IV字段）。<\/p>
命令示例：<\/p>
openssl enc -d -aes-256-ecb -in data.bin -out plaintext.json -K $(<\/span>cat aes_key.txt | xxd -p -c 256)<\/span>
<\/span><\/span><\/code><\/pre>八、总结<\/h2>
关键点<\/h3>

证书校验绕过<\/strong>：Flutter应用通常通过session_verify_cert_chain<\/code>函数实现证书校验<\/li>
加密流程<\/strong>：典型的RSA+AES组合加密，RSA用于加密AES密钥，AES用于加密数据<\/li>
私钥获取<\/strong>：通过Hook PEM转换函数可以获取硬编码的私钥<\/li>
解密顺序<\/strong>：先RSA解密encryptKey，再用得到的AES密钥解密data<\/li>
<\/ol>
防御建议<\/h3>

避免在客户端硬编码私钥<\/li>
使用更复杂的密钥保护机制<\/li>
实现动态密钥交换协议<\/li>
增加代码混淆和反调试措施<\/li>
<\/ol>
附录：工具下载<\/h2>

Blutter: [GitHub仓库]<\/li>
wt-js_debug: https:\/\/52king.lanzouu.com\/iYFe5076yfmf<\/li>
Frida: https:\/\/frida.re\/<\/li>
<\/ul>

Flutter数字藏品App逆向分析教学文档<\/h1>

二、初步分析<\/h2>

三、绕过Flutter证书校验<\/h2>

1. 定位关键函数<\/h3> 在libflutter.so中搜索字符串"ssl_client"，找到关键函数session_verify_cert_chain<\/code>。<\/p>

五、静态分析<\/h2>

1. 使用Blutter导出信息<\/h3> 使用Blutter工具导出Flutter App的信息表，帮助IDA识别函数名。<\/p>

2. RSA解密函数定位<\/h3> 在IDA中搜索"rsa"相关字符串，定位到疑似RSA解密的函数： ibox_flutter_cores_util_code_encrypt_utils_EncryptUtils::rsaDecrypt_5c9f54<\/code><\/p>

七、数据解密<\/h2>

八、总结<\/h2>

附录：工具下载<\/h2> Blutter: [GitHub仓库]<\/li> wt-js_debug: https:\/\/52king.lanzouu.com\/iYFe5076yfmf<\/li> Frida: https:\/\/frida.re\/<\/li> <\/ul>

1. 定位关键函数<\/h3>
在libflutter.so中搜索字符串"ssl_client"，找到关键函数`session_verify_cert_chain<\/code>。<\/p>`

1. 使用Blutter导出信息<\/h3>
使用Blutter工具导出Flutter App的信息表，帮助IDA识别函数名。<\/p>

2. RSA解密函数定位<\/h3>
在IDA中搜索"rsa"相关字符串，定位到疑似RSA解密的函数：
`ibox_flutter_cores_util_code_encrypt_utils_EncryptUtils::rsaDecrypt_5c9f54<\/code><\/p>`

附录：工具下载<\/h2>

Blutter: [GitHub仓库]<\/li>
wt-js_debug: https:\/\/52king.lanzouu.com\/iYFe5076yfmf<\/li>
Frida: https:\/\/frida.re\/<\/li> <\/ul>