Preface
dGVj{deleteme}aC5lY{deleteme}2hvaW5nLm{deleteme}t1cmls
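Starting the packet capture
What is Flutter
How to tell whether an app was built with Flutter
Anti-capture analysis
Reversing the encrypted parameters
Python reimplementation and verification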
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5
from Crypto.Hash import SHA256
import base64
import warnings

warnings.filterwarnings("ignore")


def RSA_sign(data, privateKey):
    # Sign the UTF-8 bytes of data with RSA PKCS#1 v1.5 over SHA-256
    # and return the signature Base64-encoded (as bytes).
    private_keyBytes = base64.b64decode(privateKey)
    priKey = RSA.importKey(private_keyBytes)
    signer = PKCS1_v1_5.new(priKey)
    hash_obj = SHA256.new(data.encode('utf-8'))
    signature = base64.b64encode(signer.sign(hash_obj))
    return signature


def main(startTime=None, endTime=None):
    # The string that gets signed (startTime/endTime are not used for this endpoint)
    data = '/cactus-api/posts/by-tagtagIds%5B%5D=4&orderBy=updatedAt&offset=10&limit=101648403473200'
    privateKey = '''Open the APK with jadx and paste the key here; it is too long to include'''
    res_sign1 = RSA_sign(data, privateKey)
    signature = res_sign1.decode('utf8')
    print(signature)


if __name__ == '__main__':
    startTime = 1648051200  # use like this for endpoints that take a time
    endTime = 1648137599  # use like this for endpoints that take a time
    main(startTime, endTime)
An aside
Conclusion
Reference links
Traffic monitoring and reverse-engineering library for Flutter apps
https://github.com/ptswarm/reFlutter
Dart decompiler; can only decompile ones from before 2018
https://github.com/hdw09/darter
Originally published on the WeChat official account 哆啦安全: Reverse-Engineering Analysis of an App Built with Flutter