Graphical analysis
This tab shows a tree representation of the target application binary, populated with data obtained from the analyzed application at runtime. It contains a subtree with the imports and exports of all libraries used by the binary, and a platform-specific subtree ("Java" on Android, "Objective-C" on iOS) with all the Java/Objective-C classes and methods of the binary.
To load this representation, click the "Load tree" button.
Double-clicking a class shows all the methods of that class (the screenshot shows an Android environment, but the same applies on iOS).
The second subtree, named "Modules", contains all the libraries used by the target application. Double-clicking a library shows the list of all imports and exports of that library.
At the bottom of the pane containing the subtree there is a "Search" form that searches all Objective-C classes and methods and all the imports and exports of the libraries used by the target application. Unfortunately, at the moment on Android it is only possible to search the imports and exports of the libraries, not the Java classes and methods. This is due to a limitation of "API Resolver", the component of Frida that implements this functionality. The same search on Android could potentially be implemented without the "API Resolver", but it is a time- and resource-consuming task that can crash the application in some situations, so we did not add it.
From the "Analyze binary" tab, it is possible to graphically add inspection hooks to the Objective-C/Java methods of the target binary or to the exported functions of the loaded libraries. What do we mean by an inspection hook? It is a block of code that is dynamically executed every time the target method is executed on the device, and that prints the arguments and the return value of that method.
Graphically inspecting a method is very simple with Brida: right-click an Objective-C/Java method or an exported function of a library and click "Inspect".
With "Inspect with backtrace", when the target function is called in the binary the current backtrace (a list of the function calls that are currently active in the thread) will be printed in addition to the arguments and the return value in the Brida console.
It is also possible to "Inspect" or "Inspect with backtrace" an entire Objective-C or Java class, by right-clicking directly on a class instead of on a method. In this case an inspection hook is added to every method of the target class. It is NOT possible to add an inspection hook to all the exported functions of a library (this is by choice, as too many hooks may crash the target application).
In the Analysis tab you can also add tamper hooks. If you right-click an Objective-C/Java method or an exported function of a library, you can select the option "Change return value" to add a tamper hook that dynamically changes the return value of that function every time it is called by the target binary.
The purpose of this functionality is to make the bypass of some security features very quick! Consider for example a security feature implemented in the binary that stops the target application if it is running on a jailbroken/rooted device. After some reversing work we find a boolean function named "isRooted" that returns "true" if the device is rooted (after which the application stops for security reasons). To bypass this check we can simply right-click the "isRooted" function, select "Change return value", then "boolean" (or "int", depending on the particular function we are hooking), and select "False" (or "0").
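To make concrete what Brida generates behind the "Inspect", "Inspect with backtrace" and "Change return value" menu items, here is an added example, not Brida's own code, written as plain Frida JavaScript. The hook bodies are ordinary functions so they can be exercised outside Frida too; only the wiring at the bottom touches Frida APIs (`Interceptor.attach`, `Java.use`, `Thread.backtrace`) and runs only inside the Frida runtime. The class name `com.example.app.RootCheck`, the method `isRooted` and the choice of the `open` export are assumptions standing in for whatever reversing turns up.

```javascript
// Added example (not part of Brida): an inspection hook and a tamper hook as
// they would look in Frida JavaScript. Output is collected in `log` and also
// printed; inside Brida, console.log lands in the Brida console.
const log = [];
function emit(line) { log.push(line); console.log(line); }

// Callbacks for Interceptor.attach() on an exported native function.
// `nargs` is how many integer/pointer arguments to dump; `withBacktrace`
// mirrors "Inspect with backtrace" (the Frida backtracer exists only in Frida).
function inspectNative(name, nargs, withBacktrace) {
  return {
    onEnter(args) {
      const shown = [];
      for (let i = 0; i < nargs; i++) shown.push(String(args[i]));
      emit(`[${name}] called with (${shown.join(', ')})`);
      if (withBacktrace && typeof Thread !== 'undefined') {
        const bt = Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress);
        emit(`[${name}] backtrace:\n  ` + bt.join('\n  '));
      }
    },
    onLeave(retval) {
      emit(`[${name}] returned ${retval}`);
    }
  };
}

// Replacement `implementation` for a Java method (Frida: Java.use(cls).m.implementation = ...).
// `original` is the method wrapper to call through to. With `forcedReturn`
// undefined this is a pure inspection hook; otherwise it is a tamper hook
// that logs the real return value and then substitutes the forced one.
function javaHook(name, original, forcedReturn) {
  return function (...args) {
    emit(`[${name}] called with (${args.map(String).join(', ')})`);
    const real = original.call(this, ...args);
    emit(`[${name}] returned ${real}`);
    if (forcedReturn === undefined) return real;
    emit(`[${name}] return value changed to ${forcedReturn}`);
    return forcedReturn;
  };
}

// Stand-alone demonstration with a constructed stand-in for the Java method:
// a plain function that reports a rooted device, like the page's "isRooted".
function demoRootBypass() {
  const isRooted = () => true;                           // constructed, not a real check
  const hooked = javaHook('isRooted', isRooted, false);  // "Change return value" -> false
  return { original: isRooted(), tampered: hooked.call({}) };
}

// Frida wiring: runs only inside the Frida runtime (Brida does this part graphically).
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(() => {
    const RootCheck = Java.use('com.example.app.RootCheck');     // assumed class name
    RootCheck.isRooted.implementation =
      javaHook('RootCheck.isRooted', RootCheck.isRooted, false); // tamper hook
  });
}
if (typeof Interceptor !== 'undefined') {
  const target = Module.findExportByName(null, 'open');          // assumed export
  if (target !== null) Interceptor.attach(target, inspectNative('open', 2, true));
}

demoRootBypass();
```

The tamper hook still calls the original method before replacing its result, which is what lets the Brida console show both the real and the substituted return value; a method with several overloads would need `.overload(...)` selected before assigning `implementation`.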
From the tab "Graphical hooks" it is possible to see all the functions currently hooked from the "Graphical analysis" tab (your own hooks defined in the Frida JS file are not shown here).
From this tab you can enable/disable the graphical hooks or remove them. Graphical hooks are in fact automatically reloaded after re-spawning/re-attaching the target application unless they are disabled or removed from this tab. Disabling/removing hooks is possible only if the application is not attached. At the moment it is not possible to detach hooks one-by-one while the application is attached.
By pressing the "Remove all" button it is possible to remove all graphical hooks (only if the application is not attached).