Clutter

Hard

Mobile Security

Overview

You found an Android app named Clutter and a companion data file containing an encrypted payload. Your objective is to recover the hidden plaintext by tracing how the app builds its secret and what fixed or predictable values it relies on. Focus on the app’s initialization and authentication flow to identify constants and reproducible inputs (including any time-related values) that feed into the encryption key material. Once you can reproduce the secret the app uses, apply it to the stored ciphertext to reveal the flag. Flag format: flag{*******_*******_****_****_****-****_********}

Lab Details

Prerequisites & Requirements

  • Technical Knowledge:
    • Flutter & Dart Architecture: Understanding how Flutter apps differ from standard Android apps (Java/Kotlin), specifically how Dart code is AOT (Ahead-of-Time) compiled into shared libraries (libapp.so).
    • ARM64 Assembly: Intermediate ability to read assembly instructions (bl, ldr, stur, cmp), understand register usage (x0-x30), and trace function calls without source code.
    • Cryptographic Primitives: Familiarity with concepts like TOTP (Time-based One-Time Passwords), SHA-256 hashing, AES encryption (CBC mode), and Initialization Vectors (IV).
  • System Requirements:
    • Python 3.x: Required for running the Blutter tool and writing the final decryption script.
    • Linux Environment (Recommended): Tools like Blutter and standard CLI utilities (grep, strings) generally perform best in a Linux or WSL environment.

What will you learn?

  • Reverse Engineer AOT-Compiled Flutter: Move beyond standard Java decompilation to analyze Dart VM snapshots and recover lost symbols from compiled binaries.
  • Analyze Dart Object Pools: Learn how to search the Object Pool (PP) to find hardcoded strings, function names, and logic flaws that standard disassemblers might miss.
  • Identify Logic Vulnerabilities: Detect implementation flaws in secure algorithms, such as a TOTP implementation relying on hardcoded timestamps and timezones.
  • Replicate Custom Cryptography: Translate assembly logic back into a high-level language (Python) to decrypt secure data without running the application.

Tools

  • Blutter:
    • Description: A specialized reverse engineering tool for Dart & Flutter. It dissects the libapp.so file to recover the Object Pool, mapping obscure assembly offsets back to readable Dart function names and class structures.
    • Usage: Used to generate readable assembly code and symbol maps from the compiled Dart snapshot.
  • Apktool:
    • Description: A standard tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them.
    • Usage: apktool d clutter.apk (Used to unpack the APK and locate the lib directories).
  • Python (pyotp, pycryptodome):
    • Description: The scripting language used to automate the solution. We will use the pyotp library to generate the correct token and pycryptodome to handle the AES decryption.
  • Grep / CLI Tools:

Job Positions

Mobile Security Engineer

Tags

  • Apk Analysis
  • Aes
  • Assembly
  • Dynamic Analysis
  • Static Analysis