Talk

Unraveling the Challenges of Reverse Engineering Flutter Applications

conf 2023-11-03 09:45 – 10:30 La Marive EN

Flutter, a popular cross-platform application development kit developed by Google, utilizes the Dart programming language. Dart is an object-oriented programming language with a C-style syntax and features like sound null safety. One of Flutter's key attractions is its ability to develop applications with a single codebase, which can be compiled for various mobile and non-mobile platforms.

While Flutter debug applications pose no difficulty to reverse, release applications are a totally different story: a nightmare. The challenges arise from several design choices, including default code obfuscation, the use of a virtual machine (VM), an evolving and undocumented executable format (the Dart AOT snapshot), indirect access to objects and constants, dedicated registers, a unique representation of Small Integers (SMI), and non-standard calling conventions.

In this talk, we delve into these challenges and provide techniques and analysis to overcome them. The centerpiece of the talk is a practical demonstration of reversing a Flutter CrackMe app. Initially, even strings remain elusive, and many disassemblers are completely lost. We work our way through identifying significant functions and encryption loops, accessing constants, and disassembling byte arrays. To accomplish this, we navigate between the code in the Dart SDK repository, Dart programs, and the Flutter CrackMe app. We discover that Radare2 excels at recognizing function names (for Dart) and offering insightful assembly comments. The JEB disassembler, on the other hand, proves invaluable in recovering the Object Pool, a Dart structure that provides access to objects and constants.