Currently, most applications that use Flutter use add2App. The content related to Flutter in APP mainly includes FlutterEngine, APP products, and resource files. We can experiment with an application that connects to Flutter in the app market. Apk and IPA can be downloaded by installing Apple Configurator 2 on a MAC. The folders of flutter products in APK and IPA are as follows:
The iOS package file is ipA. After downloading it, rename it to zip and decompress it. After decompression, you can see the application folder Payload, where FlutterEngine, APP products, and resource files are located as follows:
XXX. App └ ─ ─ Frameworks ├ ─ ─ app. The framework │ ├ ─ ─ app (Dart app product) │ ├ ─ ─ the Info. The plist │ ├ ─ ─ SC_Info │ ├ ─ ─ _CodeSignature │ └ ─ ─ Flutter_assets │ ├─ Flutter_Assets │ ├─ AssetManifest.json │ ├─ FontManifest.json │ ├─ LICENSE │ ├─ Fonts │ ├─ Images │ ├ ─ ─ mtf_module_info │ └ ─ ─ packages └ ─ ─ Flutter. The framework ├ ─ ─ Flutter (FlutterEngine) ├ ─ ─ the Info. The plist ├ ─ ─ SC_Info ├ ─ ─ _CodeSignature └ ─ ─ icudtl. DatCopy the code
The Android package file is APk. After downloading it, rename it to zip and decompress it. The FlutterEngine, APP products and resource files are located as follows:
│ ├─ exercises - ├─ assetManifest. json │ ├─ exercises LICENSE │ ├ ─ ─ fonts │ ├ ─ ─ images │ ├ ─ ─ mtf_module_info │ └ ─ ─ packages └ ─ ─ lib └ ─ ─ armeabi ├ ─ ─ libapp. O (Dart APP product) └ ─ ─ Libflutter. So (FlutterEngine)Copy the code
All apps of FlutterEngine use the official or modify on the official basis. There are few differences, so we don’t care about the reverse of this part for the time being. Resource files are mostly pictures, fonts and other resources that can be viewed without reverse navigation. Our primary concern is the business logic written with Dart or some framework code that is in the APP artifacts. App.framework/App or armeabi/libapp.o are both dynamic libraries.
#Common binutils tools such as brew Update && Brew Install binutils can be installed~/Downloads > objdump -t App Mach -o-arm64 SYMBOL TABLE 0000000001697e60 g 0f SECT 02 0000 [.const] _kDartIsolateSnapshotData 000000000000b000 g 0f SECT 01 0000 [.text] _kDartIsolateSnapshotInstructions 0000000001690440 g 0f SECT 02 0000 [.const] _kDartVmSnapshotData 0000000000006000 g 0f SECT 01 0000 [.text] _kDartVmSnapshotInstructions ~/Downloads > greadelf -s Symbol table '.dynsym' contains 5 entries: Num: Value Size Type Bind Vis Ndx Name 0: 00000000 0 NOTYPE LOCAL DEFAULT UND 1: 00001000 12992 FUNC GLOBAL DEFAULT 1 _kDartVmSnapshot[...] 2: 00005000 0x127df60 FUNC GLOBAL DEFAULT 2 _kDartIsolateSna[...] 3: 01283000 22720 OBJECT GLOBAL DEFAULT 3 _kDartVmSnapshotData 4: 01289000 0x9fc858 OBJECT GLOBAL DEFAULT 4 _kDartIsolateSna[...]Copy the code
As you can see, the Dart App product for both Android and iOS contains four segments. (from…
‘_kDartVmSnapshotData’ : indicates the initial status of the Dart heap shared between the isolate. Helps to start the Dart ISOLATE faster, but does not contain any isolate-specific information.
‘_kDartVmSnapshotInstructions: includes all the Dart VM isolate Shared between the general routine of AOT instructions. Such snapshots are usually very small in size and often contain program stubs.
‘_kDartIsolateSnapshotData’ : indicates the initial status of the Dart heap and contains information about the ISOLATE.
‘_kDartIsolateSnapshotInstructions: contains the Dart isolate AOT code execution.
See the above may still be a face meng O ((⊙﹏⊙)) O, why is divided into four blocks, Data and Instructions, Vm and Isolate is what? Why is Snapshot named? A recommended blog on these issues is The concepts of Data and Instructions, Vm and Isolate are combined in pairs, which exactly correspond to the above four paragraphs. Namely VmData, VmInstructions, IsolateData, IsolateInstructions.
First, let’s talk about Data and Instructions. The first thing we know is that Flutter compilation runs on the APP in JIT and AOT mode. Online only AOT mode can be used. That is, DartVM introduced by Flutter contains the ability to execute AOT products. To be COMPATIBLE with JIT mode, DartVM takes what is called a snapshot approach, where the JIT runtime compiled base structure is the same as the AOT-compiled base structure. Class information, global variables, and function instructions are directly serialized on disk, called Snapshot.
Since the serialization format of the snapshot is designed specifically for the read rate, reading from the snapshot also greatly improves the loading speed of the code (creating the required class information, global data, etc., can be analogous to OC Runtime to start loading metaclass, class information, etc.). At the beginning, the snapshot did not contain machine code (that is, the execution logic inside the function body). Later, with the development of AOT mode, this part was added into the snapshot, and these laters were also the Instructions mentioned above.
What should be added here is that Instructions refer to executable assembly Instructions and must be placed in the text section of the.o file and marked as executable (otherwise iOS cannot load and execute it). Things like class information and global variables can be loaded on the data side as normal data. (Byte optimization of 50% package size is also based on this, you can read the article:…
Next, DartVmSnapshot and DartIsolateSnapshot. This involves how the Data virtual machine runs the business code. Virtualization is the vehicle where the Data code runs, and the logic that runs in the VM runs in an abstract entity called Isolate. You can think of the Isolate as a Thread with a Runloop in the OC (the relationship between them is another frustrating interview question, which won’t be discussed here). Briefly, the Isolate maintains stack variables, function call stack frames, child threads for auxiliary tasks such as GC, JIT, etc. The stack variables here are the things that are serialized to disk, namely IsolateSnapshot. In addition, global objects like NULL,true,false, etc. that dart presets are managed by VMIsolate, and these things need to be serialized by VmSnapshot.
Here is an overview of the structure in the product of Flutter APP. So how do you read them? We can start with the FullSnapshotReader:: function in Clustered_snapshot. cc to see how it deserializes.
void Deserializer::ReadIsolateSnapshot(ObjectStore* object_store) {
Array& refs = Array::Handle(a);Prepare(a); { NoSafepointScope no_safepoint;HeapLocker hl(thread(), heap_->old_space());
// N.B.: Skipping index 0 because ref 0 is illegal.
const Array& base_objects = Object::vm_isolate_snapshot_object_table(a);for (intptr_t i = 1; i < base_objects.Length(a); i++) {AddBaseObject(base_objects.At(i));
Deserialize(a);// Read roots.
RawObject** from = object_store->from(a); RawObject** to = object_store->to_snapshot(kind_);
for (RawObject** p = from; p <= to; p++) {
*p = ReadRef(a); }#if defined(DEBUG)
int32_t section_marker = Read<int32_t> ();ASSERT(section_marker == kSectionMarker);
refs = refs_;
refs_ = NULL;
thread() - >isolate() - >class_table() - >CopySizesFromClassObjects(a); heap_->old_space() - >EvaluateSnapshotLoad(a);#if defined(DEBUG)
Isolate* isolate = thread() - >isolate(a); isolate->ValidateClassTable(a); isolate->heap() - >Verify(a);#endif
for (intptr_t i = 0; i < num_clusters_; i++) {
clusters_[i]->PostLoad(refs, kind_, zone_);
// Setup native resolver for bootstrap impl.
Bootstrap::SetupNativeResolver(a); }Copy the code
This part is also very difficult to understand, another big god analysis article may give us a lot of enlightenment:…
We’re going to look at how do we read a RawObject
Each object starts with a uint32_t containing the following markup:
In principle, we can write our own reading program to analyze, but there is a Python written reading program on the web (only supports reading ELF files, i.e. only supports Android package analysis) :… Based on the API provided by this reading tool we can write a tool that exports and applies all class definitions.
from darter.file import parse_elf_snapshot, parse_appjit_snapshot
from darter.asm.base import populate_native_references
import re
from collections import defaultdict
import os
import shutil
def get_funciont(fun_index, s, span=False) :
spanStr = ' '
if span:
spanStr = ' '
fun_str = '\n'+spanStr+'// function index :' + '{0}'.format(fun_index)+'\n'
returnTypeStr = ' '
if '_class' in s.refs[fun_index].x['result_type'].x.keys():
returnTypeStr = s.refs[fun_index].x['result_type'].x['_class'].x['name'].x['value']
elif 'name' in s.refs[fun_index].x['result_type'].x.keys():
returnTypeStr = str(s.refs[fun_index].x['result_type'])
returnTypeStr = s.refs[fun_index].x['result_type'].x['value']
fun_str = fun_str+spanStr + returnTypeStr
fun_str = fun_str + ' ' + s.refs[fun_index].x['name'].x['value'] +'('
parameterCount = 0
if type(s.refs[fun_index].x['parameter_types'].x['value']) != type(' ') :for parameterName in s.refs[fun_index].x['parameter_names'].x['value']:
parType = ' '
if '_class' in s.refs[fun_index].x['parameter_types'].x['value'][parameterCount].x.keys():
parType = s.refs[fun_index].x['parameter_types'].x['value'][parameterCount].x['_class'].x['name'].x['value']
parType = s.refs[fun_index].x['parameter_types'].x['value'][parameterCount].x['value']
fun_str = fun_str + parType + ' '
fun_str = fun_str + parameterName.x['value'] + ', '
parameterCount = parameterCount + 1
fun_str = fun_str + ') \n'+spanStr+'{ \n'
for nrefsItem in s.refs[fun_index].x['code'].x['nrefs']:
fun_str = fun_str + spanStr + '{0}'.format(nrefsItem) + '\n'
fun_str = fun_str + spanStr+'} '
return fun_str
def get_classDis(clas_index, s) :
class_str = '\n// Class index :' + '{0}'.format(clas_index)+'search \n' with s.efs [XXXX].x
superName = ' '
if '_class' in s.refs[clas_index].x['super_type'].x.keys():
superName = s.refs[clas_index].x['super_type'].x['_class'].x['name'].x['value']
superName = s.refs[clas_index].x['super_type'].x['value']
class_str = class_str + \
'class {0} : {1} {2}\n'.format(
s.refs[clas_index].x['name'].x['value'], superName, '{')
if type(s.refs[clas_index].x['functions'].x['value']) != type(' ') :for fun in s.refs[clas_index].x['functions'].x['value']:
class_str = class_str+'\n'+get_funciont(fun.ref, s, True)
return class_str+'\n\n}'
def get_lob_class(lib, s) :
all_class = ' '
for item in lib.src:
if 'name' in item[0].x.keys():
all_class = all_class + get_classDis(item[0].ref, s) + '\n'
if 'Class index' in all_class:
return all_class
return 'No information obtained'
def show_lob_class(lib, s) :
print(get_lob_class(lib, s))
def writeStringInPackageFile(packageFile, content) :
packageFile = packageFile.replace('dart:'.'package:dart/')
filename = packageFile.replace('package:'.'out/')
filePath = filename[0:filename.rfind('/')]
content = '// {0} \n'.format(packageFile)+content
if os.path.exists(filePath) == False:
file = open(filename, 'w')
def getFiles(elfFile, filter) :
s = parse_elf_snapshot(elfFile)
allLibrary = sorted(s.getrefs('Library'),
key=lambda x: x.x['url'].x['value'])
for tempLibrary in allLibrary:
name = tempLibrary.x['url'].x['value']
if filter in name:
print(name + 'start generating.... ')
name, get_lob_class(s.strings[name].src[1] [0], s))
print(name + 'Generated successfully
# start execution
getFiles('samples/'.' ')
Copy the code
The script eventually extracts the source code for all specified files, with the result of exporting one of the classes in the peer app as follows:
It annotates the index of class objects and functions, which can be followed up on the console using s.efs [XXXXX].x.