Home

Table of Contents

• Installation
• Attach
• Move to the Offset
• Move to the Address
• Hex Edit
• Watch Memory
  • Refresh memory
  • Move forward, backward
• Disassemble
• History
• Watch Function
  • Backtrace
  • Argument menu
• Watch Registers
• Watchpoint
• Memory Scan
• Memory Patch
• Module Dump

Installation

Download the release and unzip it, or use:

git clone https://github.com/hackcatml/mlviewer
cd mlviewer

Run:

./mlviewer_macos.sh (for macOS)
.\mlviewer_wincon.bat (for Windows)

Attach

Run the frida-server on your device first.

• Normal attach:
  Launch the app and click the Attach button.

• Remote attach:
  If running frida-server in listening mode with a different port, check the Remote checkbox and click the Attach button.
  Enter the IP address and port, then click "OK."

• Spawn the app and attach:
  Check the Spawn checkbox and click the Attach button.
  Click the List button to display the app's package names.
  Enter the package name and click the Spawn button.

  If frida-server is running in remote mode, check both Remote and Spawn checkboxes, then click Attach.
  Enter the IP address and port, then click the List button to display the package names.

• PID attach:
  Check the ListPid checkbox and click Attach.
  Click the List button to view the PID list.
  Enter the name of the app you want to attach to, then click Attach.

• Gadget attach:
  This is for Android only.
  Click the Gadget button and read the instructions.
  Starting from version 2.0.0, frida-portal is enabled by default.

Move to the Offset

Enter the offset you want to move to from the module base and press Enter or click the "GO" button.
Hexadecimal calculations (e.g., 69a4450 + 100) are supported.
This will display the memory at the offset of the specified module in the Name input.
You can change the module by entering a new name in the Name input and pressing Enter.

Move to the Address

Enter the address you want to move to and press Enter or click the "GO" button.
Hexadecimal calculations (e.g., 756966f550 + 100) are supported.
This will display the memory at the specified address.

Hex Edit

Click the HexEdit button or press F2 to begin editing the memory.
Edited memory values will be highlighted in red.
When finished, click the Done button or press F2 again.

Watch Memory

Check the Watch checkbox to enable memory refresh.
You can adjust the refresh interval by increasing or decreasing the number in the field next to the Watch checkbox.

Refresh Memory

Click the ↻ button or press F3 to refresh the memory at the current address.

Move Forward, Backward

Click the ◀︎ or ▶︎ button to navigate through previously visited addresses.

Disassemble

Click the Disasm button to display the disassembled code for the current address.

History

Click the History button to view the addresses you've visited.
You can add comments in the Description column.
If functions or registers are being watched by the interceptor, they will be marked as Watch func or Watch regs in the Stat column.
Clicking an address in the history will navigate to that address.

To manually add an address, click Add to history on the desired address.

To remove an address, select it and press the Delete key.

Watch Function

Navigate to the function address first.
Right-click on the address to display the menu.
Select Set Watch Func to attach Frida's interceptor to that address.

When the function is called, it will appear in the Watch on Addr panel.
[+] indicates entering the function, while [-] indicates leaving it.
To adjust the number of arguments to monitor, move the slide bar.
To clear the panel, click the Clear button.

Backtrace

Click the address, then right-click to display the menu.
Select the Backtrace option.

The backtrace information for that function will be displayed in the Backtrace panel.
Closing the Backtrace panel will cancel the backtrace for that function.