-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathkill_flutter.py
More file actions
599 lines (489 loc) · 26 KB
/
Copy pathkill_flutter.py
File metadata and controls
599 lines (489 loc) · 26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
#!/usr/bin/env python3
# K!ll Fl!utter - Flutter SSL Pinning Bypass Tool
# By: f3rb
# Supports: Android (APK) + iOS (IPA)
# For authorized penetration testing only
import struct, re, sys, os, zipfile, subprocess, argparse
# ─────────────────────────────────────────────
# BOX HELPERS (keeps all boxes perfectly aligned)
# ─────────────────────────────────────────────
BOX_WIDTH = 54 # visible characters between the ║ borders
C_CYAN = "\033[96m"
C_YELLOW = "\033[93m"
C_GREEN = "\033[92m"
C_RED = "\033[91m"
C_GREY = "\033[90m"
C_PURPLE = "\033[95m"
C_RESET = "\033[0m"
def box_top():
return C_CYAN + "╔" + "═" * BOX_WIDTH + "╗" + C_RESET
def box_bottom():
return C_CYAN + "╚" + "═" * BOX_WIDTH + "╝" + C_RESET
def box_line(text, color=""):
"""text is the raw visible text (no ANSI). Pads to BOX_WIDTH and adds borders."""
padded = text.ljust(BOX_WIDTH)
return f"{C_CYAN}║{C_RESET}{color}{padded}{C_RESET}{C_CYAN}║{C_RESET}"
# ─────────────────────────────────────────────
# BANNER & HELP
# ─────────────────────────────────────────────
def print_banner():
print(C_CYAN + """
██╗ ██╗██╗██╗ ██╗
██║ ██╔╝██║██║ ██║
█████╔╝ ██║██║ ██║
██╔═██╗ ██║██║ ██║
██║ ██╗██║███████╗███████╗
╚═╝ ╚═╝╚═╝╚══════╝╚══════╝""" + C_PURPLE + """
███████╗██╗ ██╗ ██╗████████╗████████╗███████╗██████╗
██╔════╝██║ ██║ ██║╚══██╔══╝╚══██╔══╝██╔════╝██╔══██╗
█████╗ ██║ ██║ ██║ ██║ ██║ █████╗ ██████╔╝
██╔══╝ ██║ ██║ ██║ ██║ ██║ ██╔══╝ ██╔══██╗
██║ ███████╗╚██████╔╝ ██║ ██║ ███████╗██║ ██║
╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝""" + C_RESET)
print(box_top())
print(box_line(" K!ll Fl!utter — Flutter SSL Pinning Bypass", C_YELLOW))
print(box_line(" By: f3rb v2.0.0", C_GREEN))
print(box_line(" Android (APK) + iOS (IPA) Support", C_PURPLE))
print(box_line(" For authorized penetration testing only", C_PURPLE))
print(box_bottom())
print("")
def print_help():
print_banner()
print("""
\033[93mUSAGE:\033[0m
python3 kill_flutter.py <path_to_apk_or_ipa> [options]
\033[93mOPTIONS:\033[0m
\033[92m-h, --help\033[0m Show this help message
\033[92m-i, --ip\033[0m Your machine IP (for proxy/iptables commands)
\033[92m-p, --port\033[0m Burp Suite port (default: 8080)
\033[92m-o, --output\033[0m Output directory for generated files
\033[92m--platform\033[0m Force platform: android or ios (auto-detected from extension)
\033[93mEXAMPLES:\033[0m
\033[90m# Android APK\033[0m
python3 kill_flutter.py app.apk -i 192.168.1.10 -p 8080
\033[90m# iOS IPA\033[0m
python3 kill_flutter.py app.ipa -i 192.168.1.10 -p 8080
\033[90m# Force platform\033[0m
python3 kill_flutter.py app.apk --platform android -i 192.168.1.10
\033[93mWORKFLOW:\033[0m
\033[96m1.\033[0m Auto-detects platform from file extension
\033[96m2.\033[0m Extracts Flutter engine binary (libflutter.so / Flutter framework)
\033[96m3.\033[0m Scans for ssl_client/ssl_server string anchors
\033[96m4.\033[0m Parses ELF (Android) or Mach-O (iOS) segments
\033[96m5.\033[0m Finds ADRP+ADD instruction pairs referencing both strings
\033[96m6.\033[0m Walks back to function prologue to get exact hook offset
\033[96m7.\033[0m Generates ready-to-use Frida script
\033[96m8.\033[0m Prints copy-paste commands for your platform
\033[93mREQUIREMENTS:\033[0m
\033[92m- Python 3\033[0m
\033[92m- Frida\033[0m pip install frida-tools
\033[92m- aapt\033[0m Android SDK build tools (Android only)
\033[92m- Rooted Android / Jailbroken iOS device\033[0m
\033[92m- Burp Suite\033[0m invisible proxy on all interfaces
\033[93mBURP SETUP:\033[0m
\033[96m-\033[0m Proxy → Listeners → Bind to 0.0.0.0:8080
\033[96m-\033[0m Request handling → Enable invisible proxying
\033[96m-\033[0m Intercept → OFF
\033[93mANDROID — REVERT IPTABLES:\033[0m
adb shell su -c "iptables -t nat -D OUTPUT -p tcp --dport 443 -j DNAT --to-destination <IP>:8080"
adb shell su -c "iptables -t nat -D OUTPUT -p tcp --dport 80 -j DNAT --to-destination <IP>:8080"
\033[90m# Or simply: adb reboot\033[0m
\033[93miOS — REVERT IPTABLES (via SSH):\033[0m
ssh root@<device-ip> "iptables -t nat -D OUTPUT -p tcp --dport 443 -j DNAT --to-destination <IP>:8080"
ssh root@<device-ip> "iptables -t nat -D OUTPUT -p tcp --dport 80 -j DNAT --to-destination <IP>:8080"
\033[90m# Or simply reboot the device\033[0m
""")
# ─────────────────────────────────────────────
# PLATFORM DETECTION
# ─────────────────────────────────────────────
def detect_platform(file_path, forced=None):
if forced:
return forced.lower()
ext = os.path.splitext(file_path)[1].lower()
if ext == '.apk':
return 'android'
elif ext == '.ipa':
return 'ios'
else:
print("\033[93m[!] Cannot detect platform from extension. Use --platform android or --platform ios\033[0m")
sys.exit(1)
# ─────────────────────────────────────────────
# ANDROID — PACKAGE NAME
# ─────────────────────────────────────────────
def get_package_name_android(apk_path):
try:
result = subprocess.run(
['aapt', 'dump', 'badging', apk_path],
capture_output=True, text=True
)
for line in result.stdout.splitlines():
if line.startswith("package:"):
for part in line.split():
if part.startswith("name="):
return part.split("'")[1]
except Exception as e:
print(f"\033[93m[!] aapt failed: {e}\033[0m")
return None
# ─────────────────────────────────────────────
# iOS — BUNDLE ID
# ─────────────────────────────────────────────
def get_bundle_id_ios(ipa_path):
try:
with zipfile.ZipFile(ipa_path, 'r') as z:
# Find Info.plist
for name in z.namelist():
if re.match(r'Payload/[^/]+\.app/Info\.plist$', name):
with z.open(name) as f:
content = f.read().decode('utf-8', errors='ignore')
# Simple regex parse for CFBundleIdentifier
m = re.search(r'CFBundleIdentifier.*?<string>(.*?)</string>', content, re.DOTALL)
if m:
return m.group(1).strip()
except Exception as e:
print(f"\033[93m[!] Could not parse Info.plist: {e}\033[0m")
return None
# ─────────────────────────────────────────────
# ANDROID — EXTRACT libflutter.so
# ─────────────────────────────────────────────
def extract_flutter_android(apk_path, out_dir):
so_path = os.path.join(out_dir, 'libflutter.so')
print(f"\033[96m[*]\033[0m Extracting libflutter.so from APK...")
with zipfile.ZipFile(apk_path, 'r') as z:
for name in z.namelist():
if 'arm64-v8a/libflutter.so' in name:
print(f"\033[92m[+]\033[0m Found: {name}")
with z.open(name) as src, open(so_path, 'wb') as dst:
dst.write(src.read())
return so_path
print("\033[91m[-] libflutter.so (arm64-v8a) not found — is this a Flutter APK?\033[0m")
return None
# ─────────────────────────────────────────────
# iOS — EXTRACT Flutter framework binary
# ─────────────────────────────────────────────
def extract_flutter_ios(ipa_path, out_dir):
fw_path = os.path.join(out_dir, 'Flutter')
print(f"\033[96m[*]\033[0m Extracting Flutter framework from IPA...")
with zipfile.ZipFile(ipa_path, 'r') as z:
for name in z.namelist():
if re.search(r'Payload/[^/]+\.app/Frameworks/Flutter\.framework/Flutter$', name):
print(f"\033[92m[+]\033[0m Found: {name}")
with z.open(name) as src, open(fw_path, 'wb') as dst:
dst.write(src.read())
return fw_path
print("\033[91m[-] Flutter.framework/Flutter not found — is this a Flutter IPA?\033[0m")
return None
# ─────────────────────────────────────────────
# ELF SEGMENT PARSER (Android ARM64)
# ─────────────────────────────────────────────
def parse_elf_segments(data):
"""Returns (code_foff, code_vaddr, code_filesz) for the executable segment."""
if data[:4] != b'\x7fELF':
return None, None, None
e_phoff = struct.unpack_from('<Q', data, 0x20)[0]
e_phentsize = struct.unpack_from('<H', data, 0x36)[0]
e_phnum = struct.unpack_from('<H', data, 0x38)[0]
code_foff = code_vaddr = code_filesz = None
for i in range(e_phnum):
ph = data[e_phoff + i*e_phentsize : e_phoff + (i+1)*e_phentsize]
p_type = struct.unpack_from('<I', ph, 0x00)[0]
p_flags = struct.unpack_from('<I', ph, 0x04)[0]
if p_type == 1 and (p_flags & 1): # PT_LOAD + PF_X
code_foff = struct.unpack_from('<Q', ph, 0x08)[0]
code_vaddr = struct.unpack_from('<Q', ph, 0x10)[0]
code_filesz = struct.unpack_from('<Q', ph, 0x20)[0]
print(f"\033[96m[*]\033[0m ELF code segment: file={hex(code_foff)} vaddr={hex(code_vaddr)} size={hex(code_filesz)}")
return code_foff, code_vaddr, code_filesz
# ─────────────────────────────────────────────
# MACH-O SEGMENT PARSER (iOS ARM64)
# ─────────────────────────────────────────────
def parse_macho_segments(data):
"""Returns (code_foff, code_vaddr, code_filesz, data) for __TEXT executable segment.
Always returns a 4-tuple; data may be a sliced arm64 view of a fat binary."""
MH_MAGIC_64 = 0xFEEDFACF # 64-bit little-endian
FAT_MAGIC = 0xCAFEBABE # Fat binary (big-endian)
LC_SEGMENT_64 = 0x19
magic = struct.unpack_from('<I', data, 0)[0]
# Handle fat binary — extract arm64 slice
if struct.unpack_from('>I', data, 0)[0] == FAT_MAGIC:
print(f"\033[96m[*]\033[0m Detected fat binary — extracting arm64 slice")
nfat = struct.unpack_from('>I', data, 4)[0]
for i in range(nfat):
off = 8 + i * 20
cputype = struct.unpack_from('>I', data, off)[0]
slice_offset = struct.unpack_from('>I', data, off + 8)[0]
slice_size = struct.unpack_from('>I', data, off + 12)[0]
# ARM64 cputype = 0x0100000C
if cputype == 0x0100000C:
print(f"\033[92m[+]\033[0m arm64 slice found at offset {hex(slice_offset)}")
data = data[slice_offset:slice_offset + slice_size]
magic = struct.unpack_from('<I', data, 0)[0]
break
if magic != MH_MAGIC_64:
print(f"\033[91m[-] Not a valid Mach-O 64-bit binary (magic={hex(magic)})\033[0m")
return None, None, None, data
ncmds = struct.unpack_from('<I', data, 16)[0]
cmd_off = 32 # sizeof mach_header_64
code_foff = code_vaddr = code_filesz = None
for _ in range(ncmds):
cmd = struct.unpack_from('<I', data, cmd_off)[0]
cmdsize = struct.unpack_from('<I', data, cmd_off + 4)[0]
if cmd == LC_SEGMENT_64:
# segname is 16 bytes at offset +8
segname = data[cmd_off + 8 : cmd_off + 24].rstrip(b'\x00').decode('utf-8', errors='ignore')
vmaddr = struct.unpack_from('<Q', data, cmd_off + 24)[0]
vmsize = struct.unpack_from('<Q', data, cmd_off + 32)[0]
fileoff = struct.unpack_from('<Q', data, cmd_off + 40)[0]
filesize = struct.unpack_from('<Q', data, cmd_off + 48)[0]
maxprot = struct.unpack_from('<I', data, cmd_off + 56)[0]
# __TEXT segment with execute permission (VM_PROT_EXECUTE = 4)
if segname == '__TEXT' and (maxprot & 4):
code_foff = fileoff
code_vaddr = vmaddr
code_filesz = filesize
print(f"\033[96m[*]\033[0m Mach-O __TEXT segment: file={hex(fileoff)} vaddr={hex(vmaddr)} size={hex(filesize)}")
cmd_off += cmdsize
return code_foff, code_vaddr, code_filesz, data # return possibly-sliced data
# ─────────────────────────────────────────────
# CORE — FIND SSL OFFSET (shared for both platforms)
# ─────────────────────────────────────────────
def find_offset(binary_path, platform):
print(f"\033[96m[*]\033[0m Loading binary: {binary_path}")
with open(binary_path, 'rb') as f:
data = f.read()
# Find string anchors
ssl_client = [m.start() for m in re.finditer(b'ssl_client\x00', data)]
ssl_server = [m.start() for m in re.finditer(b'ssl_server\x00', data)]
if not ssl_client or not ssl_server:
print("\033[91m[-] ssl_client/ssl_server strings not found — may not be a Flutter binary\033[0m")
return None
print(f"\033[92m[+]\033[0m ssl_client @ {[hex(x) for x in ssl_client]}")
print(f"\033[92m[+]\033[0m ssl_server @ {[hex(x) for x in ssl_server]}")
# Parse segments based on platform
if platform == 'android':
code_foff, code_vaddr, code_filesz = parse_elf_segments(data)
else:
code_foff, code_vaddr, code_filesz, data = parse_macho_segments(data)
# Re-find strings in possibly-sliced data
ssl_client = [m.start() for m in re.finditer(b'ssl_client\x00', data)]
ssl_server = [m.start() for m in re.finditer(b'ssl_server\x00', data)]
if not ssl_client or not ssl_server:
print("\033[91m[-] ssl_client/ssl_server strings not found in arm64 slice\033[0m")
return None
if code_foff is None:
print("\033[91m[-] No executable segment found\033[0m")
return None
def foff_to_vaddr(fo):
return fo - code_foff + code_vaddr
def find_refs(target_va):
lo12 = target_va & 0xfff
refs = []
for fi in range(code_foff, code_foff + code_filesz - 4, 4):
instr = struct.unpack_from('<I', data, fi)[0]
if (instr & 0xffc00000) == 0x91000000 and ((instr >> 10) & 0xfff) == lo12:
if fi >= 4:
adrp = struct.unpack_from('<I', data, fi - 4)[0]
if (adrp & 0x9f000000) == 0x90000000:
immlo = (adrp >> 29) & 0x3
immhi = (adrp >> 5) & 0x7ffff
imm = ((immhi << 2) | immlo) << 12
if imm & (1 << 32):
imm -= (1 << 33)
pc_va = foff_to_vaddr(fi - 4)
if (pc_va & ~0xfff) + imm == (target_va & ~0xfff):
refs.append(fi)
return refs
print(f"\033[96m[*]\033[0m Scanning ADRP+ADD refs... (may take a moment)")
sc_refs = find_refs(ssl_client[0])
ss_refs = find_refs(ssl_server[0])
print(f"\033[96m[*]\033[0m ssl_client code refs: {[hex(x) for x in sc_refs]}")
print(f"\033[96m[*]\033[0m ssl_server code refs: {[hex(x) for x in ss_refs]}")
for a in sc_refs:
for b in ss_refs:
if abs(a - b) < 0x800:
start = min(a, b)
for i in range(start, max(code_foff, start - 0x300), -4):
instr = struct.unpack_from('<I', data, i)[0]
if (instr & 0xff8003ff) == 0xd10003ff or (instr & 0xffe07fff) == 0xa9007bfd:
vaddr = foff_to_vaddr(i)
print(f"\033[92m[+]\033[0m SSL verify offset: \033[93m{hex(vaddr)}\033[0m")
print(f"\033[92m[+]\033[0m First bytes: {data[i:i+16].hex(' ')}")
return vaddr
print("\033[91m[-] Could not find SSL verify function\033[0m")
return None
# ─────────────────────────────────────────────
# FRIDA SCRIPT GENERATOR
# ─────────────────────────────────────────────
def write_frida_script(offset, package, platform, out_path):
# Module name differs between platforms
module_name = 'libflutter.so' if platform == 'android' else 'Flutter'
script = f"""// ================================================
// K!ll Fl!utter - Auto-generated Frida Script
// By: f3rb
// Platform : {platform.upper()}
// Package : {package}
// Offset : {hex(offset)}
// Module : {module_name}
// ================================================
function hook_ssl_verify_result(address) {{
Interceptor.attach(address, {{
onEnter: function(args) {{
console.log("[+] ssl_verify hooked — killing cert validation");
}},
onLeave: function(retval) {{
console.log("[*] retval was: " + retval);
retval.replace(0x1);
console.log("[*] forced success");
}}
}});
}}
function disablePinning() {{
var m = Process.findModuleByName("{module_name}");
if (!m) {{
console.log("[-] {module_name} not found");
return;
}}
console.log("[+] {module_name} base: " + m.base);
var offset = {hex(offset)};
var addr = m.base.add(offset);
console.log("[+] Hooking at: " + addr);
hook_ssl_verify_result(addr);
}}
setTimeout(disablePinning, 1000);
"""
with open(out_path, 'w') as f:
f.write(script)
print(f"\033[92m[+]\033[0m Frida script saved: \033[93m{out_path}\033[0m")
# ─────────────────────────────────────────────
# PRINT FINAL COMMANDS
# ─────────────────────────────────────────────
def print_commands_android(package, proxy, script_path):
set_443 = f'adb shell su -c "iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination {proxy}"'
set_80 = f'adb shell su -c "iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination {proxy}"'
verify = 'adb shell su -c "iptables -t nat -L OUTPUT --line-numbers"'
frida_cmd = f'frida -U -f {package} -l "{script_path}"'
del_443 = f'adb shell su -c "iptables -t nat -D OUTPUT -p tcp --dport 443 -j DNAT --to-destination {proxy}"'
del_80 = f'adb shell su -c "iptables -t nat -D OUTPUT -p tcp --dport 80 -j DNAT --to-destination {proxy}"'
print("")
print(box_top())
print(box_line(" ANDROID — COPY PASTE COMMANDS", C_YELLOW))
print(box_bottom())
print("")
print("\033[93m[1] Set iptables on device:\033[0m")
print(" " + set_443)
print(" " + set_80)
print("")
print("\033[93m[2] Verify iptables rules:\033[0m")
print(" " + verify)
print("")
print("\033[93m[3] Launch Frida:\033[0m")
print("\033[92m " + frida_cmd + "\033[0m")
print("")
print("\033[93m[4] Revert when done:\033[0m")
print(" " + del_443)
print(" " + del_80)
print("\033[90m # or just: adb reboot\033[0m")
def print_commands_ios(package, proxy, script_path, device_ip):
frida_cmd = f'frida -U -f {package} -l "{script_path}"'
set_443 = f'ssh root@{device_ip} "iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination {proxy}"'
set_80 = f'ssh root@{device_ip} "iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination {proxy}"'
del_443 = f'ssh root@{device_ip} "iptables -t nat -D OUTPUT -p tcp --dport 443 -j DNAT --to-destination {proxy}"'
del_80 = f'ssh root@{device_ip} "iptables -t nat -D OUTPUT -p tcp --dport 80 -j DNAT --to-destination {proxy}"'
print("")
print(box_top())
print(box_line(" iOS — COPY PASTE COMMANDS", C_YELLOW))
print(box_bottom())
print("")
print("\033[93m[1] Set WiFi proxy on device:\033[0m")
print(f" Settings → WiFi → Your Network → HTTP Proxy → Manual")
print(f" Server: {proxy.split(':')[0]} Port: {proxy.split(':')[1]}")
print("")
print("\033[93m[2] Set iptables on device (jailbroken via SSH):\033[0m")
print(" " + set_443)
print(" " + set_80)
print("")
print("\033[93m[3] Launch Frida:\033[0m")
print("\033[92m " + frida_cmd + "\033[0m")
print("")
print("\033[93m[4] Revert when done:\033[0m")
print(" " + del_443)
print(" " + del_80)
print("\033[90m # or just reboot the device\033[0m")
def print_summary(package, offset, script_path, proxy, platform):
print("")
print(box_top())
print(box_line(f" Platform : {platform.upper()}", C_GREEN))
print(box_line(f" Package : {package}", C_GREEN))
print(box_line(f" Offset : {hex(offset)}", C_GREEN))
print(box_line(f" Script : {os.path.basename(script_path)}", C_GREEN))
print(box_line(f" Proxy : {proxy}", C_GREEN))
print(box_bottom())
print("")
# ─────────────────────────────────────────────
# MAIN
# ─────────────────────────────────────────────
def main():
if len(sys.argv) == 1 or '-h' in sys.argv or '--help' in sys.argv:
print_help()
sys.exit(0)
parser = argparse.ArgumentParser(add_help=False)
parser.add_argument('app', nargs='?', help='Path to APK or IPA')
parser.add_argument('-i', '--ip', default='<YOUR_IP>', help='Your machine IP')
parser.add_argument('-p', '--port', default='8080', help='Burp port')
parser.add_argument('-o', '--output', help='Output directory')
parser.add_argument('--platform', choices=['android', 'ios'], help='Force platform')
parser.add_argument('--device-ip', default='<DEVICE_IP>', help='iOS device IP (for SSH iptables)')
args = parser.parse_args()
print_banner()
app_path = args.app
if not app_path:
print("\033[91m[-] No APK/IPA provided. Use -h for help.\033[0m")
sys.exit(1)
if not os.path.exists(app_path):
print(f"\033[91m[-] File not found: {app_path}\033[0m")
sys.exit(1)
platform = detect_platform(app_path, args.platform)
out_dir = args.output or os.path.dirname(os.path.abspath(app_path))
os.makedirs(out_dir, exist_ok=True)
ip = args.ip
port = args.port
proxy = ip + ":" + port
device_ip = args.device_ip
print(f"\033[96m[*]\033[0m Platform : \033[93m{platform.upper()}\033[0m")
print(f"\033[96m[*]\033[0m App : {app_path}")
print(f"\033[96m[*]\033[0m Output : {out_dir}")
print(f"\033[96m[*]\033[0m Proxy : {proxy}")
# Step 1: Get identifier
if platform == 'android':
package = get_package_name_android(app_path)
if package:
print(f"\033[92m[+]\033[0m Package: \033[93m{package}\033[0m")
else:
package = input("\033[93m[?] Enter package name manually: \033[0m").strip()
else:
package = get_bundle_id_ios(app_path)
if package:
print(f"\033[92m[+]\033[0m Bundle ID: \033[93m{package}\033[0m")
else:
package = input("\033[93m[?] Enter bundle ID manually (e.g. com.example.app): \033[0m").strip()
# Step 2: Extract Flutter binary
if platform == 'android':
binary_path = extract_flutter_android(app_path, out_dir)
else:
binary_path = extract_flutter_ios(app_path, out_dir)
if not binary_path:
sys.exit(1)
# Step 3: Find SSL offset
offset = find_offset(binary_path, platform)
if offset is None:
sys.exit(1)
# Step 4: Write Frida script
script_path = os.path.join(out_dir, 'flutter_bypass.js')
write_frida_script(offset, package, platform, script_path)
# Step 5: Print commands
if platform == 'android':
print_commands_android(package, proxy, script_path)
else:
print_commands_ios(package, proxy, script_path, device_ip)
print_summary(package, offset, script_path, proxy, platform)
if __name__ == '__main__':
main()