Reverse Engineering Flutter: Patching armeabi-v7a
App Name: MuscleWiki
Version: 2.4.1(307)
Play Store Link:
https://play.google.com/store/apps/details?id=com.musclewiki.macro
Step 01:
Dump the app's functions and classes with reFlutter:
https://github.com/Impact-I/reFlutter
👉 You can run it from Termux on a non-rooted device.
Step 02:
Open dump.dart
and locate the entry for the isPremium method:
{"method_name":"isPremium","offset":"0x0000000000442ff4","library_url":"package:muscle_wiki\/feature\/iap\/repository\/iap_repository.dart","class_name":"IapRepository"}
The offset here is relative to the start of the isolate instructions snapshot, not to the start of libapp.so.
Step 03:
Open libapp.so
in radare2 and note the address of the _kDartIsolateSnapshotInstructions symbol:
0x005428c0 _kDartIsolateSnapshotInstructions
Step 04:
Add the isPremium offset to the _kDartIsolateSnapshotInstructions address to get the method's address inside libapp.so:
0x5428c0 + 0x442ff4 = 0x9858b4
👉 rax2, the radare2 base converter, does this arithmetic for you:
https://book.rada.re/tools/rax2/intro.html
Step 05:
Seek to the calculated address, which is the entry of isPremium:
0x9858b4 = isPremium
Step 06:
Go to offset 0x00985914
(0x60 bytes into the method) and apply the patch:
Original instruction (loads false into r0, the return register):
ldr r0, [sl, 0x3c]
Patched instruction (loads true):
ldr r0, [sl, 0x38]
Only the immediate changes, so the instruction keeps its size and nothing else in the function moves. On ARM32 the Dart VM keeps its Thread pointer in sl (r10); the load fetches a cached boolean object from the Thread, and in this build the slot 4 bytes below the false object holds the true object.
👉 For the patch, refer to:
https://hottg.com/TDOhex_Discussion/19429
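The arithmetic and the byte patch of Steps 02 to 06, as an added Python example that is not part of the original guide. It reads the isPremium entry out of dump.dart, adds the _kDartIsolateSnapshotInstructions address, translates radare2's virtual address into a file offset through the ELF program headers, and rewrites the ldr immediate only after confirming the original bytes are at that spot. Assumptions the guide does not state: libapp.so is a 32-bit little-endian ELF, the Dart AOT code is A32 (ARM mode, which the Dart VM emits on arm32, so `ldr r0, [sl, #imm]` encodes as 0xE59A0000 | imm12), and the ldr sits 0x60 bytes past the isPremium entry as in this build; the script name and all function names are mine.

```python
#!/usr/bin/env python3
"""Added example (not from the original guide): Steps 02-06 offline.

Assumptions, labelled here and not stated by the guide:
  * libapp.so is a 32-bit little-endian ELF (armeabi-v7a).
  * The Dart AOT code is A32 (ARM mode), which the Dart VM emits on arm32,
    so 'ldr r0, [sl, #imm]' is 0xE59A0000 | imm12, little-endian in the file.
  * The patch site is 0x60 bytes past the isPremium entry, as in the guide's
    build (0x985914 - 0x9858b4); other builds will differ.
The original bytes are checked before anything is written.
"""
import json
import re
import struct
import sys

SNAPSHOT_INSTRUCTIONS_BASE = 0x5428C0   # _kDartIsolateSnapshotInstructions, Step 03
PATCH_SITE_DELTA = 0x985914 - 0x9858B4  # ldr site relative to the isPremium entry, Step 06
R0, SL = 0, 10                          # ARM register numbers: r0 = return value, sl = r10
FALSE_SLOT, TRUE_SLOT = 0x3C, 0x38      # immediates the guide identifies as false / true


def reflutter_offset(dump_text: str, method: str, class_name: str) -> int:
    """Find a method's snapshot-relative offset in reFlutter's dump.dart text."""
    for blob in re.findall(r"\{[^{}]*\}", dump_text):
        try:
            entry = json.loads(blob)
        except json.JSONDecodeError:
            continue
        if entry.get("method_name") == method and entry.get("class_name") == class_name:
            return int(entry["offset"], 16)
    raise KeyError(f"{class_name}.{method} not found in dump")


def encode_ldr_imm(rt: int, rn: int, imm12: int) -> bytes:
    """A32 'ldr rt, [rn, #imm12]' (cond AL, P=1, U=1, W=0), little-endian bytes."""
    if not 0 <= imm12 < 0x1000:
        raise ValueError("imm12 out of range")
    return struct.pack("<I", 0xE5900000 | (rn << 16) | (rt << 12) | imm12)


def load_segments(elf: bytes) -> list:
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD of an ELF32 LE file."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    (e_phoff,) = struct.unpack_from("<I", elf, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    segments = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<5I", elf, e_phoff + i * e_phentsize)
        if p_type == 1:  # PT_LOAD
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def va_to_file_offset(segments: list, va: int) -> int:
    """radare2 prints virtual addresses; map one to the byte offset in the file."""
    for p_offset, p_vaddr, p_filesz in segments:
        if p_vaddr <= va < p_vaddr + p_filesz:
            return va - p_vaddr + p_offset
    raise ValueError(f"0x{va:x} is not backed by the file")


def patch_bytes(data: bytearray, offset: int, expected: bytes, new: bytes) -> bytearray:
    """Overwrite 'expected' with 'new' at offset; refuse if the bytes there differ."""
    found = bytes(data[offset:offset + len(expected)])
    if found != expected:
        raise ValueError(f"bytes at 0x{offset:x} are {found.hex()}, not {expected.hex()}")
    data[offset:offset + len(new)] = new
    return data


def patch_is_premium(elf: bytes, dump_text: str) -> bytearray:
    """Steps 02-06 end to end; returns the patched image."""
    is_premium_va = SNAPSHOT_INSTRUCTIONS_BASE + reflutter_offset(
        dump_text, "isPremium", "IapRepository")        # 0x9858b4 in the guide's build
    site = va_to_file_offset(load_segments(elf), is_premium_va + PATCH_SITE_DELTA)
    return patch_bytes(bytearray(elf), site,
                       encode_ldr_imm(R0, SL, FALSE_SLOT),   # ldr r0, [sl, 0x3c]  (false)
                       encode_ldr_imm(R0, SL, TRUE_SLOT))    # ldr r0, [sl, 0x38]  (true)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: patch_is_premium.py libapp.so dump.dart libapp.patched.so")
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], encoding="utf-8") as d:
        patched = patch_is_premium(f.read(), d.read())
    with open(sys.argv[3], "wb") as out:
        out.write(patched)
    print("patched", sys.argv[3])
```

Run it as `python3 patch_is_premium.py libapp.so dump.dart libapp.patched.so`. If you patch inside radare2 instead (open the file with -w and use wx at the address), r2's io layer does the address-to-offset translation for you; the script does it explicitly so that the check on the original bytes cannot land on the wrong place, and it aborts rather than writing if the A32 encoding assumption turns out to be wrong for a given build.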
Step 07 (Extra):
Analyze the call sites (xrefs) of the isPremium method:
aac @ 0x9858b4
axt @ 0x9858b4
Xrefs of the isPremium method:
fcn.00984640 0x984694 [CALL:--x] bl fcn.009858b4
fcn.009d38dc 0x9d3e4c [CALL:--x] bl fcn.009858b4
fcn.00ada3d4 0xada44c [CALL:--x] bl fcn.009858b4
fcn.00c5dba4 0xc5dc38 [CALL:--x] bl fcn.009858b4
fcn.00ca6cd0 0xca6d24 [CALL:--x] bl fcn.009858b4
👉 Flutter examples of reaching the place to patch through RevenueCat:
https://hottg.com/TDOhex/439
👉 Advanced guide to reverse engineering:
https://hottg.com/TDOhex/440
📚 Guide by @TDOhex