worawit / blutter

Flutter Mobile Application Reverse Engineering Tool
MIT License

Empty Output with Dart version `3.4.3` #83

Open DavidBuchanan314 opened 1 week ago

DavidBuchanan314 commented 1 week ago

I get the following output:

$ python3 blutter.py ../resources/lib/arm64-v8a/ ../blutter_out/
Dart version: 3.4.3, Snapshot: 2d6ccff4d71e7380c11969ebeb469078, Target: android arm64
flags: product no-code_comments no-dwarf_stack_traces_mode no-lazy_dispatchers dedup_instructions no-tsan no-asserts arm64 android compressed-pointers null-safety

My ../blutter_out/ directory is empty. Is there any sort of "verbose" mode I could use to debug this further?

DavidBuchanan314 commented 1 week ago

It's actually a segfault in blutter_dartvm3.4.3_android_arm64:

Program received signal SIGSEGV, Segmentation fault.
0x00000000005a82fc in dart::ClassDeserializationCluster::ReadAlloc(dart::Deserializer*) ()
Missing separate debuginfos, use: dnf debuginfo-install capstone-4.0.2-15.fc39.aarch64 glibc-2.38-18.fc39.aarch64 libgcc-13.3.1-1.fc39.aarch64 libicu-73.2-2.fc39.aarch64 libstdc++-13.3.1-1.fc39.aarch64
(gdb) bt
#0  0x00000000005a82fc in dart::ClassDeserializationCluster::ReadAlloc(dart::Deserializer*) ()
#1  0x00000000005b0c3c in dart::Deserializer::Deserialize(dart::DeserializationRoots*) ()
#2  0x00000000005b1324 in dart::FullSnapshotReader::ReadProgramSnapshot() ()
#3  0x00000000005bdd00 in dart::Dart::InitializeIsolateGroup(dart::Thread*, unsigned char const*, unsigned char const*, unsigned char const*, long) ()
#4  0x000000000059dee4 in dart::CreateIsolate(dart::IsolateGroup*, bool, char const*, void*, char**) ()
#5  0x000000000059e28c in Dart_CreateIsolateGroup ()
#6  0x000000000046c178 in DartLoader::Load(LibAppInfo&) ()
#7  0x0000000000440cb4 in DartApp::DartApp(char const*) ()
#8  0x00000000004123a8 in main ()

DavidBuchanan314 commented 1 week ago

Symbolicated backtrace (NB: line numbers in app_snapshot.cc are slightly off since I've been adding debug printfs, lol)

#0  0x00000000005a8908 in dart::ClassTable::At (cid=<optimized out>, this=0x736bb0)
    at /home/david/re/r1/blutter/dartsdk/v3.4.3/runtime/vm/class_table.h:366
#1  dart::ClassDeserializationCluster::ReadAlloc (this=0xfffff7fa7f38, d=0xffffffffd3a0)
    at /home/david/re/r1/blutter/dartsdk/v3.4.3/runtime/vm/app_snapshot.cc:1116
#2  0x00000000005b0d1c in dart::Deserializer::Deserialize (this=this@entry=0xffffffffd3a0, 
    roots=roots@entry=0xffffffffd338)
    at /home/david/re/r1/blutter/dartsdk/v3.4.3/runtime/vm/app_snapshot.cc:9520
#3  0x00000000005b1404 in dart::FullSnapshotReader::ReadProgramSnapshot (this=this@entry=0xffffffffd4c8)
    at /home/david/re/r1/blutter/dartsdk/v3.4.3/runtime/vm/app_snapshot.cc:10005
#4  0x00000000005bdde0 in dart::Dart::InitIsolateGroupFromSnapshot (kernel_buffer_size=<optimized out>, 
    kernel_buffer=0x0, snapshot_instructions=0xfffff4d73180 "`;Q", 
    snapshot_data=0xfffff4a701c0 "\365\365\334\334\3033&", T=0x73b610)
    at /home/david/re/r1/blutter/dartsdk/v3.4.3/runtime/vm/dart.cc:854
#5  dart::Dart::InitializeIsolateGroup (T=T@entry=0x73b610, 
    snapshot_data=0xfffff4a701c0 "\365\365\334\334\3033&", snapshot_instructions=0xfffff4d73180 "`;Q", 
    kernel_buffer=0x0, kernel_buffer_size=<optimized out>)
    at /home/david/re/r1/blutter/dartsdk/v3.4.3/runtime/vm/dart.cc:913
#6  0x000000000059df24 in dart::CreateIsolate (group=group@entry=0x734930, 
    is_new_group=is_new_group@entry=true, name=name@entry=0x6490a0 "isolate", 
    isolate_data=isolate_data@entry=0x0, error=error@entry=0xffffffffdc08)
    at /home/david/re/r1/blutter/dartsdk/v3.4.3/runtime/vm/dart_api_impl.cc:1264
#7  0x000000000059e2cc in dart::Dart_CreateIsolateGroup (script_uri=<optimized out>, name=<optimized out>, 
    snapshot_data=<optimized out>, snapshot_instructions=<optimized out>, flags=0xffffffffdc10, 
    isolate_group_data=0x0, isolate_data=0x0, error=0xffffffffdc08)
    at /home/david/re/r1/blutter/dartsdk/v3.4.3/runtime/vm/dart_api_impl.cc:1352
#8  0x000000000046c1b8 in load_isolate (isolate_snapshot_instructions=0xfffff4d73180 "`;Q", 
    isolate_snapshot_data=0xfffff4a701c0 "\365\365\334\334\3033&")
    at /home/david/re/r1/blutter/blutter/src/DartLoader.cpp:59
#9  DartLoader::Load (libInfo=...) at /home/david/re/r1/blutter/blutter/src/DartLoader.cpp:75
#10 0x0000000000440cf4 in DartApp::DartApp (this=this@entry=0xffffffffe308, path=<optimized out>)
    at /home/david/re/r1/blutter/blutter/src/DartApp.cpp:21
#11 0x00000000004123e8 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/include/c++/13/bits/basic_string.h:222

DavidBuchanan314 commented 1 day ago

libapp_broken.zip (v3.4.3)

libapp_working.zip (from an earlier version of the same app, v3.3.3)

worawit commented 2 days ago

Your libapp_broken is not built from the official Flutter release SDK. The snapshot hash for Dart 3.4.3 is 'd20a1be77c3d3c41b2a5accaee1ce549', but your libapp snapshot hash is '2d6ccff4d71e7380c11969ebeb469078'.
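
The check worawit did by hand, as an added example that is not blutter's own code: parse the Dart snapshot header (the `snapshot_data` bytes in the backtrace start with the VM's magic `f5 f5 dc dc`, little-endian 0xdcdcf5f5, followed by length, kind, the 32-char snapshot hash and the NUL-terminated features string that blutter prints as `flags:`), then compare the hash against known official SDK hashes before handing the buffer to the VM, so a custom-SDK build is reported instead of segfaulting in `ReadAlloc`. The `Kind` enum names and the `length` field convention are assumptions; only the 3.4.3 official hash quoted in this issue is in the table; the sample snapshot is constructed.

```python
import struct

# Header layout from the Dart VM's runtime/vm/snapshot.h: magic (u32),
# length (i64), kind (i64), then the version hash and features string.
SNAPSHOT_MAGIC = 0xDCDCF5F5
HEADER_FMT = "<Iqq"
HEADER_SIZE = struct.calcsize(HEADER_FMT)          # 20 bytes
VERSION_HASH_LEN = 32                              # hex MD5 from Version::SnapshotString()
KIND_NAMES = {0: "full", 1: "full-core", 2: "full-jit", 3: "full-aot"}  # assumed enum order

# Snapshot hashes of official Dart SDK releases; only 3.4.3 is known here
# (quoted from this issue). Extend from official SDK builds.
OFFICIAL_SNAPSHOT_HASHES = {"d20a1be77c3d3c41b2a5accaee1ce549": "3.4.3"}


def parse_snapshot_header(data: bytes) -> dict:
    """Validate and decode the snapshot header, raising on malformed input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("buffer shorter than snapshot header")
    magic, length, kind = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != SNAPSHOT_MAGIC:
        raise ValueError(f"bad snapshot magic 0x{magic:08x}")
    pos = HEADER_SIZE
    version_hash = data[pos:pos + VERSION_HASH_LEN].decode("ascii", "replace")
    if len(version_hash) != VERSION_HASH_LEN or \
            not all(c in "0123456789abcdef" for c in version_hash):
        raise ValueError("snapshot version hash is not 32 hex chars")
    pos += VERSION_HASH_LEN
    end = data.find(b"\x00", pos)
    if end < 0:
        raise ValueError("features string is not NUL-terminated")
    features = data[pos:end].decode("ascii", "replace").split()
    return {"length": length, "kind": KIND_NAMES.get(kind, f"unknown({kind})"),
            "snapshot_hash": version_hash, "features": features}


def check_official_sdk(header: dict):
    """Return the SDK version whose official hash matches, else None."""
    return OFFICIAL_SNAPSHOT_HASHES.get(header["snapshot_hash"])


def build_sample(snapshot_hash: str, features: str) -> bytes:
    """Constructed sample: header + hash + features only, no cluster data.
    The length field is set to the body size (exact VM convention assumed)."""
    body = snapshot_hash.encode() + features.encode() + b"\x00"
    return struct.pack(HEADER_FMT, SNAPSHOT_MAGIC, len(body), 3) + body


if __name__ == "__main__":
    hdr = parse_snapshot_header(build_sample("2d6ccff4d71e7380c11969ebeb469078",
                                             "product no-asserts arm64 android"))
    print(hdr, "official SDK:", check_official_sdk(hdr))
```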

DavidBuchanan314 commented 1 day ago

Interesting, thank you