hackcatml edited this page Nov 27, 2024 · 16 revisions

Installation

Download the release and unzip it, or use:

git clone https://github.com/hackcatml/mlviewer
cd mlviewer

Run:

./mlviewer_macos.sh (for macOS)
.\mlviewer_wincon.bat (for Windows)

Attach

Run the frida-server on your device first.

  • Normal attach:
    Launch the app and click the Attach button.

  • Remote attach:
    If running frida-server in listening mode with a different port, check the Remote checkbox and click the Attach button.
    Enter the IP address and port, then click "OK."

  • Spawn the app and attach:
    Check the Spawn checkbox and click the Attach button.
    Click the List button to display the app's package names.
    Enter the package name and click the Spawn button.

    If frida-server is running in remote mode, check both Remote and Spawn checkboxes, then click Attach.
    Enter the IP address and port, then click the List button to display the package names.

  • PID attach:
    Check the ListPid checkbox and click Attach.
    Click the List button to view the PID list.
    Enter the name of the app you want to attach to, then click Attach.

  • Gadget attach:
    This is for Android only.
    Click the Gadget button and read the instructions.
    Starting from version 2.0.0, frida-portal is enabled by default.

Move to the Offset

Enter the offset you want to move to from the module base and press Enter or click the "GO" button.
Hexadecimal calculations (e.g., 69a4450 + 100) are supported.
This will display the memory at the offset of the specified module in the Name input.
You can change the module by entering a new name in the Name input and pressing Enter.

Move to the Address

Enter the address you want to move to and press Enter or click the "GO" button.
Hexadecimal calculations (e.g., 756966f550 + 100) are supported.
This will display the memory at the specified address.
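The address arithmetic described in the Offset and Address sections, as an added example (not mlviewer's own code): a small evaluator for the hexadecimal expressions the "GO" inputs accept (hex operands joined by + or -), plus a helper that maps an absolute address back to a module name and offset. The module list is constructed sample data in the shape of Frida's Process.enumerateModules() output; the names and base addresses are made up.

```javascript
// Added example, not mlviewer's own code: evaluate the hex expressions the
// Offset/Address inputs accept (e.g. "69a4450 + 100") and resolve them against
// a module base. BigInt keeps 64-bit addresses such as 0x756966f550 exact.

// Parse one hex token; a leading "0x" is optional, matching how the page writes
// values like 69a4450.
function parseHex(token) {
  const m = /^(?:0x)?([0-9a-f]+)$/i.exec(token.trim());
  if (!m) throw new Error(`not a hex number: "${token}"`);
  return BigInt('0x' + m[1]);
}

// Evaluate "a + b - c ..." where every operand is hexadecimal. Only + and - are
// supported, and the result must fit in an unsigned 64-bit address.
function evalHexExpr(expr) {
  const tokens = expr.replace(/\s+/g, '').split(/([+-])/).filter(t => t !== '');
  if (tokens.length === 0) throw new Error('empty expression');
  let value = parseHex(tokens[0]);
  for (let i = 1; i < tokens.length; i += 2) {
    const rhs = parseHex(tokens[i + 1] ?? '');
    value = tokens[i] === '+' ? value + rhs : value - rhs;
  }
  if (value < 0n || value > 0xffffffffffffffffn) throw new Error('address out of 64-bit range');
  return value;
}

// Lower-case hex without a 0x prefix, as the viewer shows addresses.
function toHex(value) {
  return value.toString(16);
}

// "Move to the Offset": the expression is relative to the module base.
function resolveOffset(moduleBase, offsetExpr) {
  return toHex(parseHex(moduleBase) + evalHexExpr(offsetExpr));
}

// "Move to the Address": the expression is an absolute address.
function resolveAddress(addrExpr) {
  return toHex(evalHexExpr(addrExpr));
}

// Reverse direction: which module contains an absolute address, and at what
// offset? `modules` follows the shape of Process.enumerateModules() output;
// only name, base and size are used. Returns null for unmapped addresses.
function describeAddress(addrHex, modules) {
  const addr = parseHex(addrHex);
  for (const m of modules) {
    const base = parseHex(m.base);
    if (addr >= base && addr < base + BigInt(m.size)) {
      return { name: m.name, offset: toHex(addr - base) };
    }
  }
  return null;
}

// Constructed sample module list (names and bases are made up).
const sampleModules = [
  { name: 'libc.so', base: '0x7569000000', size: 0x1000000 },
  { name: 'libgame.so', base: '0x756a800000', size: 0x800000 },
];

console.log(resolveAddress('756966f550 + 100'));
console.log(resolveOffset('7569000000', '69a4450 + 100'));
console.log(describeAddress('756966f550', sampleModules));
```

Because the evaluator rejects anything that is not a hex token or a + / - sign, a pasted value such as a symbol name fails loudly instead of silently resolving to address 0.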

Hex Edit

Click the HexEdit button or press F2 to begin editing the memory.
Edited memory values will be highlighted in red.
When finished, click the Done button or press F2 again.

Watch Memory

Check the Watch checkbox to enable memory refresh.
You can adjust the refresh interval by increasing or decreasing the number in the field next to the Watch checkbox.

Refresh Memory

Click the button or press F3 to refresh the memory at the current address.

Move Forward, Backward

Click the ◀︎ or ▶︎ button to navigate through previously visited addresses.

Read Memory

In the hex code viewer, right-click on a byte in a 0, 4, 8, or c column (a 4-byte-aligned offset), then select the Read option.

The values for uint8, uint16, uint32, uint64, int, float, double, and pointer will be displayed.

Disassemble

Click the Disasm button to display the disassembled code for the current address.

History

Click the History button to view the addresses you've visited.
You can add comments in the Description column.
If functions or registers are being watched by the interceptor, they will be marked as Watch func or Watch regs in the Stat column.
Clicking an address in the history will navigate to that address.

To manually add an address, click Add to history on the desired address.

To remove an address, select it and press the Delete key.
If the Stat of that address is Watch func or Watch regs, it will also be detached.

Watch Function

Navigate to the function address first.
Right-click on the address to display the menu.
Select Set Watch Func to attach Frida's interceptor to that address.

When the function is called, it will appear in the Watch on Addr widget.
[+] indicates entering the function, while [-] indicates leaving it.
To adjust the number of arguments to monitor, move the slide bar.
To clear the widget, click the Clear button.
Closing the Watch on Addr widget will detach all interceptors.

Backtrace

Click the address, then right-click to display the menu.
Select the Backtrace option.

The backtrace information for that function will be displayed in the Backtrace widget.
Closing the Backtrace widget will cancel the backtrace for that function.

Argument Menu

To display the argument menu, click on the argument in the Watch on Addr widget, then right-click.

OnLeave

By checking the OnLeave checkbox, you can view the value of the argument when the function exits.

Hexdump

If the argument is a pointer and you want a hexdump of that address, select the hexdump option from the menu.
The hexdump result will be displayed in the Hexdump widget.

You can adjust the hexdump address by entering an offset from the argument's value or by specifying the address directly.
For example, if you enter 310 in the Offset field, the hexdump result for argument's value + 310 will be displayed each time the function is called.

Additionally, you can read values from the hexdump result by selecting the Read option.
The values for uint8, uint16, uint32, uint64, int, float, double, and pointer will be displayed.

Other Read Options

The argument menu includes various read options, each of which calls the corresponding Frida NativePointer read method on the argument, i.e. ptr(<argument>).readOption().
For example, selecting readUtf8String for args0 will execute ptr(args0).readUtf8String();.

Reset

Selecting the Reset menu will cancel any read options you've chosen, displaying the original argument value before any read option was applied.
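The Watch Function, OnLeave and read-option behaviour described above, as an added JavaScript example (not mlviewer's own code): a Frida Interceptor handler that logs "[+]" with the first N arguments on entry and "[-]" with the return value on leave, re-reads the arguments on leave when the OnLeave option is set, and applies a per-argument read option such as readUtf8String as ptr(arg).readUtf8String() (with "reset" falling back to the raw pointer value). The handler shape (onEnter(args) / onLeave(retval) sharing a per-call `this`) is Frida's; the attach call at the bottom is guarded so the same file also runs under plain Node.js with stand-in argument objects. The address 0x756966f550 and the fake pointers are constructed placeholders.

```javascript
// Added example, not mlviewer's own code: an Interceptor handler modelled on the
// Watch Func feature ("[+]"/"[-]" lines, argument count, OnLeave, read options).

// Render one argument according to its read option. "reset" (or none) shows the
// raw pointer value; anything else calls that NativePointer method on it.
function formatArg(arg, readOption) {
  if (arg == null) return String(arg);
  if (!readOption || readOption === 'reset') return String(arg);
  if (typeof arg[readOption] !== 'function') return `<no ${readOption} on ${arg}>`;
  try {
    return String(arg[readOption]());             // e.g. arg.readUtf8String()
  } catch (e) {
    return `<${readOption} failed: ${e.message}>`; // e.g. pointer into unmapped memory
  }
}

// options: nargs (the slide bar), onLeave (the checkbox), readOptions
// ({ argIndex: methodName }), log (sink for each line).
// Returns the handler plus the lines it produced, for inspection.
function buildWatchHandler(address, options = {}) {
  const { nargs = 3, onLeave = false, readOptions = {}, log = console.log } = options;
  const lines = [];
  const emit = s => { lines.push(s); log(s); };
  const dump = (args, prefix) => {
    for (let i = 0; i < nargs; i++) emit(`${prefix}args${i}: ${formatArg(args[i], readOptions[i])}`);
  };
  const handler = {
    onEnter(args) {
      // `this` is Frida's per-call InvocationContext, shared with onLeave, so the
      // argument pointers are still available when the function returns.
      this.savedArgs = Array.from({ length: nargs }, (_, i) => args[i]);
      emit(`[+] ${address}`);
      dump(this.savedArgs, '    ');
    },
    onLeave(retval) {
      if (onLeave) dump(this.savedArgs, '    [onLeave] ');
      emit(`[-] ${address} retval: ${retval}`);
    },
  };
  return { handler, lines };
}

// Inside a Frida script this is how the handler is attached (the address is a
// made-up placeholder); the guard keeps the file loadable under plain Node.js.
if (typeof Interceptor !== 'undefined') {
  const { handler } = buildWatchHandler('0x756966f550', {
    nargs: 2, onLeave: true, readOptions: { 0: 'readUtf8String' },
  });
  Interceptor.attach(ptr('0x756966f550'), handler);
}

// Stand-in arguments for running outside Frida: objects that print like a
// NativePointer and expose only the read method we ask for.
function fakePtr(hex, extra = {}) {
  return { toString: () => hex, ...extra };
}

// Drive one call through the handler with constructed arguments.
function demo() {
  const { handler, lines } = buildWatchHandler('0x1000', {
    nargs: 2, onLeave: true, readOptions: { 0: 'readUtf8String', 1: 'reset' }, log: () => {},
  });
  const ctx = {};                                   // plays the InvocationContext
  const args = [fakePtr('0x7ffc1234', { readUtf8String: () => 'hello' }), fakePtr('0x2a')];
  handler.onEnter.call(ctx, args);
  handler.onLeave.call(ctx, '0x0');
  return lines;
}
console.log(demo().join('\n'));
```

Reading an argument with the wrong option (a non-pointer interpreted as a string, for instance) is caught per argument, so one unreadable value does not abort the whole hook; that matters because a failing handler would otherwise leave the watched function with no log at all.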

Watch Registers

Navigate to the address first.
Right-click on the address to display the menu.
Select Set Watch Regs to attach Frida's interceptor to that address.

Register values will be displayed in the Watch on Addr widget.

Watchpoint

Ensure you are running frida-server version 16.5.0 or higher.
Navigate to the address, right-click, and select Set Watchpoint.
Currently, only one watchpoint can be set at a time.

Choose the size and type, then click Set.
When the watched address is accessed, the disassembled code at the accessing location will be displayed.
Clicking on the disassembled code will navigate to that address.

Memory Scan

In the Scan tab, first select a value type and enter a value to scan.
If you check the Hex checkbox, the value will be displayed in little-endian hex format.

Click First Scan in the Scan Result widget. The found results will be displayed.

Change the value and click Next Scan. This will scan the previously found addresses for the new value you entered.
If the value has changed at a found address, it will be displayed as * value.

Clicking Stop Scan while a scan is in progress will stop the scanning.
Clicking New Scan will clear the table, allowing you to start a new scan from First Scan.

If you enter a regex pattern in Exclude Path, scan ranges that include matching paths will be excluded.
For example, the regex pattern \/system\/|\/dev\/ will exclude any memory ranges with paths containing /system/ or /dev/.
The regex pattern \w+ will exclude any memory ranges with paths containing one or more word characters.
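How the Scan tab's pieces fit together, as an added JavaScript example (not mlviewer's own code): a typed value is encoded to the little-endian hex pattern the Hex checkbox displays, Next Scan re-reads the earlier hits and flags values that changed (the "* value" marking), and the Exclude Path regex prunes memory ranges before scanning. The pattern string is the space-separated hex format that Frida's Memory.scan() accepts, and the range objects follow the shape of Process.enumerateRanges() output (base, size, protection, optional file.path); memory reads are injected as a callback so the logic runs outside Frida. The ranges, addresses and memory contents are constructed.

```javascript
// Added example, not mlviewer's own code: value encoding, Next Scan and
// Exclude Path filtering as the Scan tab describes them.

const TYPE_SIZES = {
  uint8: 1, int8: 1, uint16: 2, int16: 2, uint32: 4, int32: 4,
  uint64: 8, int64: 8, float: 4, double: 8,
};

// Encode one value of `type` as little-endian bytes (what the Hex checkbox shows).
function encodeValue(value, type) {
  const size = TYPE_SIZES[type];
  if (size === undefined) throw new Error(`unsupported type: ${type}`);
  const view = new DataView(new ArrayBuffer(size));
  switch (type) {
    case 'uint8':  view.setUint8(0, value); break;
    case 'int8':   view.setInt8(0, value); break;
    case 'uint16': view.setUint16(0, value, true); break;
    case 'int16':  view.setInt16(0, value, true); break;
    case 'uint32': view.setUint32(0, value, true); break;
    case 'int32':  view.setInt32(0, value, true); break;
    case 'uint64': view.setBigUint64(0, BigInt(value), true); break;
    case 'int64':  view.setBigInt64(0, BigInt(value), true); break;
    case 'float':  view.setFloat32(0, value, true); break;
    case 'double': view.setFloat64(0, value, true); break;
  }
  return new Uint8Array(view.buffer);
}

// Space-separated hex, e.g. 100 as int32 -> "64 00 00 00"; this is the pattern
// format Frida's Memory.scan() takes for a First Scan.
function bytesToPattern(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join(' ');
}
function toScanPattern(value, type) {
  return bytesToPattern(encodeValue(value, type));
}

// Next Scan: re-read every previously found address and keep those that now
// hold `newValue`. `readBytes(address, size)` is injected; in a Frida script it
// would wrap ptr(address).readByteArray(size). `changed` is true when the value
// differs from the previous scan, which the GUI shows as "* value".
function nextScan(found, newValue, type, readBytes) {
  const want = toScanPattern(newValue, type);
  const size = TYPE_SIZES[type];
  const hits = [];
  for (const entry of found) {
    if (bytesToPattern(readBytes(entry.address, size)) === want) {
      hits.push({ address: entry.address, value: newValue, changed: entry.value !== newValue });
    }
  }
  return hits;
}

// Exclude Path: drop ranges whose backing file path matches the regex. Anonymous
// ranges carry no `file` and are never excluded by a path pattern.
function filterRanges(ranges, excludePattern) {
  const re = excludePattern ? new RegExp(excludePattern) : null;
  return ranges.filter(r => !(re && r.file && re.test(r.file.path)));
}

// Constructed sample data (addresses, paths and contents are made up).
const sampleRanges = [
  { base: '0x7569000000', size: 0x1000, protection: 'rw-', file: { path: '/system/lib64/libc.so' } },
  { base: '0x756a000000', size: 0x2000, protection: 'rw-', file: { path: '/dev/ashmem' } },
  { base: '0x756b000000', size: 0x4000, protection: 'rw-', file: { path: '/data/app/com.example.game/lib/arm64/libgame.so' } },
  { base: '0x756c000000', size: 0x8000, protection: 'rw-' },
];
const fakeMemory = new Map([
  ['0x756c000010', encodeValue(150, 'int32')],   // value changed 100 -> 150
  ['0x756c000020', encodeValue(100, 'int32')],   // still 100
]);
const fakeRead = (address, size) => fakeMemory.get(address).slice(0, size);
const firstScanHits = [
  { address: '0x756c000010', value: 100 },
  { address: '0x756c000020', value: 100 },
];

function demo() {
  return {
    pattern: toScanPattern(100, 'int32'),
    kept: filterRanges(sampleRanges, '\\/system\\/|\\/dev\\/').map(r => (r.file ? r.file.path : '<anonymous>')),
    next: nextScan(firstScanHits, 150, 'int32', fakeRead),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Note how a broad exclude pattern such as \w+ removes every file-backed range and leaves only anonymous memory, which is usually what you want when hunting for heap-resident game values rather than constants inside loaded libraries.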

Memory Patch

In the Scan Result widget, right-click on the address and select the Patch option, or, in the hex viewer, right-click on the address and select the Memory Patch option.

Select a type of value to write, enter the value, and click the Apply button. This will patch the memory with the specified value.

Module Dump

Go to the List IMG tab to display loaded modules.

Select the module you want to dump, then click the Dump button.

The dumped result will appear in red text, and the dumped file will be located in the dump directory.
Note: a dumped Android .so file needs to be fixed using SoFixer.

Il2cpp Dump

If the application is a Unity game, check the Unity checkbox and click the Dump button.
The Il2cpp dump will be processed using frida-il2cpp-bridge.
The dumped .cs file will be located in the dump directory.

Drag and drop the dumped .cs file into the Parse Unity Dump File dialog, then press the Parse button.
The parsed Unity data table will be displayed.

Clicking a method name in the table navigates to that method's address.

Binary Diff

If you are a modded app analyst, this feature can be quite useful.
You can compare two dumped binaries: one from the original app and the other from the modded app. (If it's a .so file, you need to fix it using SoFixer.)

Click "Diff" and provide the two files. Select sections to compare or check "All" (this will compare the entire dumped file, from start to end).

The differences between the two files will be displayed. If you want to stop the comparison process, click the "Stop" button.