B(l)utter

Flutter Mobile Application Reverse Engineering Tool by Compiling Dart AOT Runtime.

Currently, the application supports only Android libapp.so. Also, the application currently works only against recent Dart versions.

Environment Setup

This application uses the C++20 Formatting Library. It requires a very recent C++ compiler, such as g++ >=13 or Clang >=15.

I recommend using Linux OS (only tested on Deiban SD) because it is easy to setup.

Debian Unstable (gcc 13)

• Install build tools and dependencies.

apt install python3-pyelftools python3-requests git cmake ninja-build \
    build-essential pkg-config libicu-dev libcapstone-dev

Windows

• Install latest Microsoft C/C++ Compiler with CMake tools
• Install required libraries (libcapstone and libicu4c)

python scripts\init_env_win.py

• Start x64 Developer Command Prompt

macOS Ventura (clang 15)

• Install XCode
• Install clang 15 and required tools

brew install llvm@15 cmake ninja pkg-config icu4c capstone
pip3 install pyelftools requests

Usage

Extract “lib” directory from apk file

python3 blutter.py path/to/app/lib/arm64-v8a out_dir

The blutter.py file will automatically detect the Dart version from the flutter engine and call the executable of blutter to get the information from libapp.so.

If the Blutter executable for the required Dart version does not exist, the script will automatically checkout the Dart source code and compile it.

Output Files

• asm/* libapp assemblies with symbols
• blutter_frida.js is the frida script template for the target application
• objs.txt: complete (nested) dump of objects from the object pool
• pp.txt contains all Dart objects in Object Pool

Directories

• bin contains blutter executables for each Dart version in “blutter_dartvm<ver><os><arch>” format
• Blutter contains source code. need to build against Dart VM library
• build contains building projects which can be deleted after finishing the build process
• dartsdk contains checkout of Dart Runtime which can be deleted after finishing the build process
• external contains third-party libraries for Windows only
• packages contain the static libraries of Dart Runtime
• scripts contain python scripts for getting or building Dart

Generating Visual Studio Solution for Development

I use Visual Studio to develop Blutter on Windows. --vs-sln Options can be used to generate a Visual Studio solution.

python blutter.py path\to\lib\arm64-v8a build\vs --vs-sln