There are currently only a few tools available for reverse engineering Flutter applications. Reading Dart snapshots, which are used to store all Dart objects, is a common problem because the format changes with each update. Updating the snapshot reader for each new release of the Flutter framework is a tedious task. Currently, “Reflutter” is the only tool that can get around this problem by patching and recompiling the flutter engine. However, recompiling an engine without a ready-made one takes time. To dump the metadata from snapshot, a Flutter application must be run.
In this talk, I will introduce a new methodology by using the Dart runtime source code directly. By using this method, we can reduce the compiling time of the Dart runtime by just choosing the necessary source files. Additionally, the Dart runtime can be used to extract metadata from a snapshot without launching a Flutter application. This presentation also covers what kind of information we can get and how to use it to aid the reverse engineering process.
I will also introduce a new developing opensource tool named B(l)utter to demonstrate the result of this new approach. Currently, the tool can:
- Automatically extract metadata from a Dart snapshot
- Analyze the compiled code to show symbols with mixed pseudo code and assembly
- Generate Frida functions to help writing Frida script for hooking and dumping data in a running Flutter application
