B(l)utter

Flutter Mobile Application Reverse Engineering Tool by Compiling Dart AOT Runtime.

Currently, the application supports only Android libapp.so. Also, the application currently works only against recent Dart versions.

Environment Setup

This application uses the C++20 Formatting Library. It requires a very recent C++ compiler, such as g++ >=13 or Clang >=15.

I recommend using Linux OS (only tested on Deiban SD) because it is easy to setup.

Debian Unstable (gcc 13)

Install build tools and dependencies.

apt install python3-pyelftools python3-requests git cmake ninja-build \
    build-essential pkg-config libicu-dev libcapstone-dev

Windows

Install latest Microsoft C/C++ Compiler with CMake tools
Install required libraries (libcapstone and libicu4c)

python scripts\init_env_win.py

Start x64 Developer Command Prompt

macOS Ventura (clang 15)

Install XCode
Install clang 15 and required tools

brew install llvm@15 cmake ninja pkg-config icu4c capstone
pip3 install pyelftools requests

Usage

Extract “lib” directory from apk file

python3 blutter.py path/to/app/lib/arm64-v8a out_dir

The blutter.py file will automatically detect the Dart version from the flutter engine and call the executable of blutter to get the information from libapp.so.

If the Blutter executable for the required Dart version does not exist, the script will automatically checkout the Dart source code and compile it.

Output Files

asm/* libapp assemblies with symbols
blutter_frida.js is the frida script template for the target application
objs.txt: complete (nested) dump of objects from the object pool
pp.txt contains all Dart objects in Object Pool

Directories

bin contains blutter executables for each Dart version in “blutter_dartvm<ver><os><arch>” format
Blutter contains source code. need to build against Dart VM library
build contains building projects which can be deleted after finishing the build process
dartsdk contains checkout of Dart Runtime which can be deleted after finishing the build process
external contains third-party libraries for Windows only
packages contain the static libraries of Dart Runtime
scripts contain python scripts for getting or building Dart

Generating Visual Studio Solution for Development

I use Visual Studio to develop Blutter on Windows. --vs-sln Options can be used to generate a Visual Studio solution.

python blutter.py path\to\lib\arm64-v8a build\vs --vs-sln

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.