Flutter Reverse Engineering

Posted by yuhury on 2024-03-29

Environment setup (Blutter) and usage

Reference: [Original] Flutter reverse engineering: ACTF native app (Android Security board, Kanxue security community, kanxue.com)

During the build (blutter.py drives CMake and ninja) I ran into the following link error:

-- Configuring done (2.5s)
-- Generating done (0.0s)
-- Build files have been written to: E:/blutter/build/blutter_dartvm3.4.0-190.0.dev_android_arm64
[22/22] Linking CXX executable blutter_dartvm3.4.0-190.0.dev_android_arm64.exe
FAILED: blutter_dartvm3.4.0-190.0.dev_android_arm64.exe
C:\WINDOWS\system32\cmd.exe /C "cd . && D:\CMAKE\bin\cmake.exe -E vs_link_exe --intdir=CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir --rc=C:\PROGRA~2\WI3CF2~1\10\bin\100226~1.0\x64\rc.exe --mt=C:\PROGRA~2\WI3CF2~1\10\bin\100226~1.0\x64\mt.exe --manifests  -- D:\vsstudio\download\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\link.exe /nologo CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\cmake_pch.cxx.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\CodeAnalyzer.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\CodeAnalyzer_arm64.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartApp.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartClass.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartDumper.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartField.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartFunction.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartLibrary.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartLoader.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartStub.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartThreadInfo.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartTypes.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Disassembler.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Disassembler_arm64.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\ElfHelper.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\FridaWriter.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Util.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\VarValue.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\il.cpp.obj 
CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\main.cpp.obj  /out:blutter_dartvm3.4.0-190.0.dev_android_arm64.exe /implib:blutter_dartvm3.4.0-190.0.dev_android_arm64.lib /pdb:blutter_dartvm3.4.0-190.0.dev_android_arm64.pdb /version:0.0 /machine:x64 /INCREMENTAL:NO /subsystem:console  /LTCG /OPT:REF /OPT:ICF  E:\blutter\packages\lib\dartvm3.4.0-190.0.dev_android_arm64.lib  E:\blutter\blutter\..\external\capstone\capstone_dll.lib  E:\blutter\external\icu-windows\lib64\icuuc.lib  kernel32.lib user32.lib gdi32.lib winspool.lib shell32.lib ole32.lib oleaut32.lib uuid.lib comdlg32.lib advapi32.lib && cd ."
LINK: command "D:\vsstudio\download\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\link.exe /nologo CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\cmake_pch.cxx.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\CodeAnalyzer.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\CodeAnalyzer_arm64.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartApp.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartClass.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartDumper.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartField.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartFunction.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartLibrary.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartLoader.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartStub.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartThreadInfo.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartTypes.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Disassembler.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Disassembler_arm64.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\ElfHelper.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\FridaWriter.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Util.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\VarValue.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\il.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\main.cpp.obj /out:blutter_dartvm3.4.0-190.0.dev_android_arm64.exe /implib:blutter_dartvm3.4.0-190.0.dev_android_arm64.lib /pdb:blutter_dartvm3.4.0-190.0.dev_android_arm64.pdb /version:0.0 /machine:x64 
/INCREMENTAL:NO /subsystem:console /LTCG /OPT:REF /OPT:ICF E:\blutter\packages\lib\dartvm3.4.0-190.0.dev_android_arm64.lib E:\blutter\blutter\..\external\capstone\capstone_dll.lib E:\blutter\external\icu-windows\lib64\icuuc.lib kernel32.lib user32.lib gdi32.lib winspool.lib shell32.lib ole32.lib oleaut32.lib uuid.lib comdlg32.lib advapi32.lib /MANIFEST:EMBED,ID=1" failed (exit code 1120) with the following output:
dartvm3.4.0-190.0.dev_android_arm64.lib(unwinding_records_win.cc.obj) : error LNK2001: unresolved external symbol __imp_RtlAddGrowableFunctionTable
dartvm3.4.0-190.0.dev_android_arm64.lib(unwinding_records_win.cc.obj) : error LNK2001: unresolved external symbol __imp_RtlAddGrowableFunctionTable
dartvm3.4.0-190.0.dev_android_arm64.lib(unwinding_records_win.cc.obj) : error LNK2001: unresolved external symbol __imp_RtlDeleteGrowableFunctionTable
dartvm3.4.0-190.0.dev_android_arm64.lib(unwinding_records_win.cc.obj) : error LNK2001: unresolved external symbol __imp_RtlDeleteGrowableFunctionTable
blutter_dartvm3.4.0-190.0.dev_android_arm64.exe : fatal error LNK1120: 2 unresolved externals
ninja: build stopped: subcommand failed.
Traceback (most recent call last):
File "E:\blutter\blutter.py", line 168, in <module>
 main(args.indir, args.outdir, args.rebuild, args.vs_sln, args.no_analysis)
File "E:\blutter\blutter.py", line 149, in main
 cmake_blutter(blutter_name, dartlib_name, name_suffix, macros)
File "E:\blutter\blutter.py", line 92, in cmake_blutter
 subprocess.run([NINJA_CMD], cwd=builddir, check=True)
File "D:\anaconda\lib\subprocess.py", line 528, in run
 raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['ninja']' returned non-zero exit status 1.

The message says two __imp_ symbols cannot be resolved. RtlAddGrowableFunctionTable and RtlDeleteGrowableFunctionTable are exported by ntdll.dll, so ntdll.lib has to be on the link line (the Dart VM static library references them from unwinding_records_win.cc, but blutter's own link command does not pull ntdll in). Open CMakeLists.txt in the blutter folder under the blutter root and change
target_link_libraries(${BINNAME} ${DARTLIB} capstone)
to
target_link_libraries(${BINNAME} ${DARTLIB} capstone -l ntdll)
after which the build completes normally. (The plain item ntdll, without -l, is the usual way to spell this in target_link_libraries; CMake resolves it to ntdll.lib on MSVC.)

Eznative (NKCTF)

Blutter could not be used on this binary and recovered only a limited set of symbols. The point of the challenge is restoring the symbol table with BinDiff: after importing the diff, select everything under Matched Functions, right-click and choose Import symbols/comments as external library; for this challenge that recovers a large number of function names. Following the names leads to the encryption function, where the constant 0x9e377989 and other characteristics identify it as XXTEA. (The standard TEA/XXTEA delta is 0x9E3779B9; whenever the constant in the binary differs from it, the decryptor must use the binary's value, otherwise the output is garbage.) Set a breakpoint in the encryption function and step through it to obtain the key: 17a389e9efdad7ce. While debugging, note that the challenge author wired the submit button so that a short press followed by a long press is required before the encryption-and-compare logic runs.

(Screenshot: the key as seen in memory.)

From there, follow the encryption function to the final comparison to locate the ciphertext. Quoting the challenge author's write-up:

Here you can see the comparison branch; the ciphertext can be found in memory: UAsFvs3tDyTxFPGb7WbyBYSm05VWrJxgjArj9mx490pfH1LO

Decrypting it with XXTEA gives NKCTF{f1uTt3r_iS_s0_Easy_y3ah!}
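As an added example (my code, not the write-up's or the challenge's), the following Python implements XXTEA decryption with the two things that have to match the binary when reusing values dumped from a debugger: the delta constant and the framing. It assumes 32-bit little-endian words, the 16-character key string used as its raw ASCII bytes, and the framing used by the common xxtea packages (zero-pad to a multiple of 4 bytes, then a trailing word holding the plaintext length); none of these is confirmed by the page, so find_candidates tries both the standard delta 0x9E3779B9 and the constant noted above, with and without the length word, and returns whatever decodes as printable text. PAGE_CIPHERTEXT_B64 and PAGE_KEY are the values quoted above; every other name is mine.

```python
# XXTEA decryptor for values dumped from a Flutter/Dart app (added example,
# not code from the write-up). Assumptions not confirmed by the page:
# 32-bit little-endian words, the 16-char key string used as raw ASCII bytes,
# and the framing of the common "xxtea" packages (zero-pad to 4 bytes, then
# append the plaintext length as a trailing word). The standard delta is
# 0x9E3779B9; the constant quoted in the write-up is tried as well.
import base64
import struct

DELTA_STD = 0x9E3779B9
MASK = 0xFFFFFFFF

def _mx(s, y, z, p, e, k):
    # Wheeler & Needham's btea round function, reduced mod 2**32.
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def _words(data):
    return list(struct.unpack("<%dI" % (len(data) // 4), data))

def _key_words(key):
    if len(key) > 16:
        raise ValueError("XXTEA key is at most 16 bytes")
    return _words(key.ljust(16, b"\0"))

def xxtea_encrypt_words(v, k, delta=DELTA_STD):
    v, n = list(v), len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least 2 words")
    rounds, s, z = 6 + 52 // n, 0, v[n - 1]
    for _ in range(rounds):
        s = (s + delta) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            v[p] = (v[p] + _mx(s, v[p + 1], z, p, e, k)) & MASK
            z = v[p]
        v[n - 1] = (v[n - 1] + _mx(s, v[0], z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v

def xxtea_decrypt_words(v, k, delta=DELTA_STD):
    v, n = list(v), len(v)
    if n < 2:
        raise ValueError("XXTEA needs at least 2 words")
    rounds = 6 + 52 // n
    s, y = (rounds * delta) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            v[p] = (v[p] - _mx(s, y, v[p - 1], p, e, k)) & MASK
            y = v[p]
        v[0] = (v[0] - _mx(s, y, v[n - 1], 0, e, k)) & MASK
        y = v[0]
        s = (s - delta) & MASK
    return v

def xxtea_encrypt(data, key, delta=DELTA_STD, length_word=True):
    v = _words(data + b"\0" * (-len(data) % 4))
    if length_word:
        v.append(len(data))
    return struct.pack("<%dI" % len(v), *xxtea_encrypt_words(v, _key_words(key), delta))

def xxtea_decrypt(ct, key, delta=DELTA_STD, length_word=True):
    if len(ct) < 8 or len(ct) % 4:
        raise ValueError("ciphertext must be a multiple of 4 bytes, at least 8")
    v = xxtea_decrypt_words(_words(ct), _key_words(key), delta)
    if not length_word:
        return struct.pack("<%dI" % len(v), *v)
    m = v.pop()
    # A wrong key, delta or framing almost always yields an impossible length.
    if not (len(v) - 1) * 4 < m <= len(v) * 4:
        raise ValueError("length word out of range: wrong key, delta or framing")
    return struct.pack("<%dI" % len(v), *v)[:m]

def find_candidates(ct, key, deltas=(DELTA_STD, 0x9E377989)):
    """Try each delta/framing combination; keep results that decode as printable text."""
    found = []
    for delta in deltas:
        for length_word in (True, False):
            try:
                pt = xxtea_decrypt(ct, key, delta, length_word).rstrip(b"\0")
            except ValueError:
                continue
            if pt and all(32 <= b < 127 for b in pt):
                found.append((delta, length_word, pt))
    return found

# Values quoted in the write-up; how the binary framed them is the assumption above.
PAGE_CIPHERTEXT_B64 = "UAsFvs3tDyTxFPGb7WbyBYSm05VWrJxgjArj9mx490pfH1LO"
PAGE_KEY = b"17a389e9efdad7ce"

def decrypt_page_values():
    return find_candidates(base64.b64decode(PAGE_CIPHERTEXT_B64), PAGE_KEY)
```

decrypt_page_values() runs the search over the ciphertext and key quoted above and returns a list of (delta, used_length_word, plaintext) tuples. If the binary used a different word order, key encoding or padding than assumed, change those in xxtea_decrypt and _key_words; the round function itself is the standard one and only the delta should ever need to change there.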

TODO: Finish on Friday

References:

[Original] Flutter reverse engineering: ACTF native app (Android Security board, Kanxue security community, kanxue.com)

CTF challenge template (yuque.com)

Docs (feishu.cn)