Flutter逆向

环境配置（Blutter）及使用

参考 [原创]flutter逆向 ACTF native app-Android安全-看雪-安全社区|安全招聘|kanxue.com

其中在编译过程中遇到

-- Configuring done (2.5s)
-- Generating done (0.0s)
-- Build files have been written to: E:/blutter/build/blutter_dartvm3.4.0-190.0.dev_android_arm64
[22/22] Linking CXX executable blutter_dartvm3.4.0-190.0.dev_android_arm64.exe
FAILED: blutter_dartvm3.4.0-190.0.dev_android_arm64.exe
C:\WINDOWS\system32\cmd.exe /C "cd . && D:\CMAKE\bin\cmake.exe -E vs_link_exe --intdir=CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir --rc=C:\PROGRA~2\WI3CF2~1\10\bin\100226~1.0\x64\rc.exe --mt=C:\PROGRA~2\WI3CF2~1\10\bin\100226~1.0\x64\mt.exe --manifests  -- D:\vsstudio\download\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\link.exe /nologo CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\cmake_pch.cxx.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\CodeAnalyzer.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\CodeAnalyzer_arm64.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartApp.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartClass.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartDumper.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartField.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartFunction.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartLibrary.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartLoader.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartStub.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartThreadInfo.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartTypes.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Disassembler.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Disassembler_arm64.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\ElfHelper.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\FridaWriter.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Util.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\VarValue.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\il.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\main.cpp.obj  /out:blutter_dartvm3.4.0-190.0.dev_android_arm64.exe /implib:blutter_dartvm3.4.0-190.0.dev_android_arm64.lib /pdb:blutter_dartvm3.4.0-190.0.dev_android_arm64.pdb /version:0.0 /machine:x64 /INCREMENTAL:NO /subsystem:console  /LTCG /OPT:REF /OPT:ICF  E:\blutter\packages\lib\dartvm3.4.0-190.0.dev_android_arm64.lib  E:\blutter\blutter\..\external\capstone\capstone_dll.lib  E:\blutter\external\icu-windows\lib64\icuuc.lib  kernel32.lib user32.lib gdi32.lib winspool.lib shell32.lib ole32.lib oleaut32.lib uuid.lib comdlg32.lib advapi32.lib && cd ."
LINK: command "D:\vsstudio\download\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\link.exe /nologo CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\cmake_pch.cxx.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\CodeAnalyzer.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\CodeAnalyzer_arm64.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartApp.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartClass.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartDumper.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartField.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartFunction.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartLibrary.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartLoader.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartStub.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartThreadInfo.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\DartTypes.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Disassembler.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Disassembler_arm64.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\ElfHelper.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\FridaWriter.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\Util.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\VarValue.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\il.cpp.obj CMakeFiles\blutter_dartvm3.4.0-190.0.dev_android_arm64.dir\src\main.cpp.obj /out:blutter_dartvm3.4.0-190.0.dev_android_arm64.exe /implib:blutter_dartvm3.4.0-190.0.dev_android_arm64.lib /pdb:blutter_dartvm3.4.0-190.0.dev_android_arm64.pdb /version:0.0 /machine:x64 /INCREMENTAL:NO /subsystem:console /LTCG /OPT:REF /OPT:ICF E:\blutter\packages\lib\dartvm3.4.0-190.0.dev_android_arm64.lib E:\blutter\blutter\..\external\capstone\capstone_dll.lib E:\blutter\external\icu-windows\lib64\icuuc.lib kernel32.lib user32.lib gdi32.lib winspool.lib shell32.lib ole32.lib oleaut32.lib uuid.lib comdlg32.lib advapi32.lib /MANIFEST:EMBED,ID=1" failed (exit code 1120) with the following output:
dartvm3.4.0-190.0.dev_android_arm64.lib(unwinding_records_win.cc.obj) : error LNK2001: 无法解析的外部符号 __imp_RtlAddGrowableFunctionTable
dartvm3.4.0-190.0.dev_android_arm64.lib(unwinding_records_win.cc.obj) : error LNK2001: 无法解析的外部符号 __imp_RtlAddGrowableFunctionTable
dartvm3.4.0-190.0.dev_android_arm64.lib(unwinding_records_win.cc.obj) : error LNK2001: 无法解析的外部符号 __imp_RtlDeleteGrowableFunctionTable
dartvm3.4.0-190.0.dev_android_arm64.lib(unwinding_records_win.cc.obj) : error LNK2001: 无法解析的外部符号 __imp_RtlDeleteGrowableFunctionTable
blutter_dartvm3.4.0-190.0.dev_android_arm64.exe : fatal error LNK1120: 2 个无法解析的外部命令
ninja: build stopped: subcommand failed.
Traceback (most recent call last):
File "E:\blutter\blutter.py", line 168, in <module>main(args.indir, args.outdir, args.rebuild, args.vs_sln, args.no_analysis)
File "E:\blutter\blutter.py", line 149, in maincmake_blutter(blutter_name, dartlib_name, name_suffix, macros)
File "E:\blutter\blutter.py", line 92, in cmake_bluttersubprocess.run([NINJA_CMD], cwd=builddir, check=True)
File "D:\anaconda\lib\subprocess.py", line 528, in runraise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['ninja']' returned non-zero exit status 1.

根据提示是两个"___imp_"找不到，查了下是ntdll.lib里的，找到blutter根目录下的blutter文件夹里的cmakelists.txt，把里面的target_link_libraries(${BINNAME} ${DARTLIB} capstone)修改成target_link_libraries(${BINNAME} ${DARTLIB} capstone -l ntdll)即可完成正常编译。

Eznative——NKCTF

blutter用不了，恢复符号有限。考点是bindiff还原符号表。导入后在Matched Functions里全选之后右键选择Import symbols/comments as external library，本题可发现此时恢复了很多函数的名字。根据名字摸到加密函数，发现0x9e377989常数和其他特征，判断是xxtea加密。在加密函数这里下断点，调试可以获得密钥：17a389e9efdad7ce。调试的时候注意出题人在这设置了下要先短按再长按提交按钮才能运行加密判断的逻辑。

密钥在内存里

之后就是顺着加密函数找最后的判断部分摸密文。贴下出题人的wp：

此处可以看到是判断分支，在内存中可以找到密文：UAsFvs3tDyTxFPGb7WbyBYSm05VWrJxgjArj9mx490pfH1LO

xxtea解密即可，NKCTF{f1uTt3r_iS_s0_Easy_y3ah!}

TODO: Finish on Friday

参考：

[原创]flutter逆向 ACTF native app-Android安全-看雪-安全社区|安全招聘|kanxue.com

CTF题目模板 (yuque.com)

Docs (feishu.cn)