Peeking under the hood with Frida - Sam Rubenstein

so hi my name is Sam Rubenstein I'm a security analyst and hacker at the Cisco security threat analysis and reverse engineering center in Israel uh our Center performs security evaluations of Cisco and third party uh products including uh work for external customers uh we mostly evaluate the security of blackbox devices uh embedded blackbox devices using a blackbox model so we don't have access to source code or architecture documentation or anything like that we basically just get boxes and are told to hack them um let's start off today with a quick

demo what we're going to do is I have here on my desktop the Twitter application running okay and I'm going to run freit trace on the Twitter application and I'm going to tell it that I'm interested in all functions which begin with open it's going to tell me that it autogenerated handers for a bunch of different functions okay and then that it started tracing 27 functions if I now go to Twitter and pull down to refresh the list I see a whole bunch of opens there are different colors because each thread has a different color color coding so that you can easily pick out which uh function call happened on which thread we can see there's a whole bunch

of different open function calls

here what actually happened is that Freda generated a undor uncore handers directory okay within which there are the sub directories for each of the modules which we hooked and if we look at for example the lib system B dib we'll see that there are JavaScript files for each of the functions that were hooked by fre out so if we go and

edits if we edit the openjs Handler what we see is is that there's a JavaScript object here defined okay and there's a whole bunch of ments so that you can easily get started with this stuff but that's not really important at the moment what's important to note is there's an onenter function defined whiches log args and state and that on enter function just logs open with empty braces and there's also an on leave function which gets log rvel and States okay if we come here and say we know that the open posx call has a first argument which is the uh the file name with the file being opened so let's try and print that

information we can just go ARS zero okay to print the first argument we'll save that and one thing that's pretty cool about frda is that it automatically watches the files that you that it's generated so you don't have to worry about restarting the trace you can just pull down onto again to get it to refresh and we get new information we now get the pointer printed for each of the open calls pointers are great but they're not really that easy to understand so let's see if we can get the actual data for that pointer what we can do is is that we need to read the memory at that pointer we know that the pointer is a a pointer

to a utf8 string so we can use the memory. read utf8 string function to read the memory at ARC zero if we save this again and then pull down once more we now get the full path name of the files being opened we can already see that Twitter is using crash ltic for crash analysis and if we wait a bit we'll see uh here see caching of uh various uh images and stuff like that so we can immediately tell a whole bunch of stuff about our application just from hooking One open call and making a simple JavaScript change the the open Handler what's even cooler is that I have here an iPhone attached okay and if

I stop the tracing and instead of saying fre tw Twitter fre to trace Twitter a minus I open star which traces the Twitter application running on my desktop on my laptop if I add the minus U argument okay for USB it now traces the Twitter application running on my iPhone if I pull down here we'll see the same scripts being used on a completely different platform completely different application completely different platform

so what just happened what did we just see we saw that using Freeda we can trace and instrument arbitrary in functions in processes we can attach onenter and un leave handlers to functions on enter will occur before the the function runs and on leave will occur after the function's finished we can even completely replace a function with a function of our own a JavaScript function of of our own Freda actually lets us also instrument any function in the Target process using Fred Trace we can trace Objective C method functions uh methods functions class methods instance methods we can uh Trace functions by pattern like you saw we said open star and it globbed it so that you could trace by a

pattern or name you can even specify a module and an offset if you know the address of a function within module you can use module and offset to trace a function and in fact you can even get Freeda to trans to instrument arbitary function addresses sorry arbitary instruction addresses not just function boundaries our instrumentation code is in JavaScript this JavaScript actually runs within the content context of the target process so it has access full access to all the process resources like memory file descriptors sockets R loaded modules Etc having the instrumentation code in JavaScript lets us eliminate the comp compile load retry cycle that you need with most other tools for example techniques like LD preload you have to

compile your C code load the code and the target executable retry and every time you want to make a tiny change you have to go through that the whole process again you saw how quickly and easily it is to make changes to the trace Handler and we don't even have to restart the trace it will automatically be applied with fra also with the inprocess code written in JavaScript we can conceivably use the same in process script for different architectures and platforms like we saw with the iPhone and IO and and Mac OS we saw that we can live edit the handle scripts generated by Freeda Trace with Chang those scripts being immediately and automatically applied

without needing to start and restop the trace the further this further reduces the implementation or instrumentation cycle exploration cycle so what is fra exactly okay fre is like Grease Monkey for Native applications it's an inprocess binary instrumentation framework it's in process because the instrumentation code runs within the process unlike with GDB where you attach from outside and you're working from outside the process on the process with Freda your instrumentation and exploration scripts run within the process within the context of the process so you have access to all the process resources as a first class citizen you don't have to worry about permissions or anything like that it's binary because Freda works on compiled binaries without any need for

source code or compile time instrumentation it uses techniques like inline function hooking in order to implement this functionality feda provides tools and functionality for instrumentation and exploration of Target processes allowing for advanced Dynamic analysis and debugging with easy to use scripting lastly Freda is a framework it's intended to supply the necessary base functionality and tooling to allow you to build your own tools on top of Freda in fact Freda license expressly permits the development and distribution of tools be they open source or proprietary so even if you want to take frea and build your own proprietary applications on top of it that's great Frida is happy to have that happen Freda is multiplatform multi Arc

it lets you instrument processes on all the major platforms and architectures uh because the impr process code which actually runs within the process is in JavaScript it's very portable as well and you can use the same instrumentation scripts across multiple Target architectures and Target platforms like you can see we have Linux OSX Windows IOS and Android as well as Q andx we have good support on all the platforms where there is uh you know support for the platform itself there's just some windows you know I don't know if there's actually support for Windows on arm but uh uh just windows. an arm that isn't supported and Linux AR 64 because we haven't encountered that kind of Target

yet freeday is self-contained and does not require any modifications to the system that's running on in fact you can even use Freda on non-jailbroken iOS devices and unrooted Android devices Freda is fully open source with a very active Community uh led by the creator of the project Ali Andre Vadar ravas uh it is under constant development to provide both better platform specific support and new and improv functionality and uh apis the framework provides language B bindings for python C Swift and node.js so you can build your applications your debugging tools you can buold them on top of freay in the language of your choice more or less and you can use the language which is best suited for the

particular task in hand fre is built from modular components which can be used independently of one another this further enhances the uh functionality and the way that you can use Freeda to build your own tools so we've said that Freda is a framework or toolkit on which you can build your own tools but Fredo also comes out of the box with a bunch of utilities and tools to get you started instrumenting and exploring processes right from the first day most of those tools are written in Python we've already seen one of those tools fre the trace let's take a look at some of the other tools that are

available okay so the first tool that we're going to look at is Freda LS devices okay Freeda LS devices is a tool that lets you uh list the devices that frea knows about on which you will be able to attach to processes so what we have here is we have the local system which means that we can attach the processes running on this Mac we have a local TCP which is actually used to connect to remote uh hosts over TCP connection and we have an iPhone attached with the specific device ID you can use the minus D flag and device ID if you have multiple uh iPhones or Android devices attached you can use the

minus D flag on the other freedo tools in order to specify which uh device you want to connect to and to attach to um the next tool is that is Freda PS Freda PS lets you list the uh running processes on a Target device if we run it without any arguments it will list the process is running on the local system in this case my Mac you can see the processor's name and the pit for each process if we add the minus U flag we're we're asking Freda to use the USB and now when we list processes we're listing the processes running on my iPhone if we add the minus a for applications and minus I flag for

installed we'll list the applications which are installed on the iOS device with the PID if we're running already the name of the process and the application identifier so that you can uh identify which applications are running on your

devices excuse [Applause] me the last tool that we look at is a rle okay we just have the Freda application itself which is a reppel a read evaluate print Loop uh utility which basically gives you a shell if we run Frida with Twitter we'll see that we attach to the local machine to the process named Twitter and we have here a shell okay if we hit tab we'll see all the apis and and uh uh objects that we can use to access uh freda's API this is just a JavaScript repple with added apis from Freda now every uh expression that you run on this rapple in this command line is actually executed within the process of the

target process that you're instrumenting if we for example uh want to look at the process and in New at the modules that are loaded into this process we can use the process enumerate module sync function and here we get a listing of all the modules that are loaded into this app process including the Base address name full path to the file and the size of the image we can also do things like module doind export by name which will find a exported function in a given module by the name that you provide so if we know that we want the lib system B DB module and we're interested in the open function if we do find

export by name we get the address of the open function as it's exported from uh the lib system B dib now if we don't know which uh module exports a given in uh function or we just are lazy we can uh just drop null in here as the first argument and then freed will go ahead and look at all the modules and we'll find your export in the module that uh that it is um there's also very powerful Objective C support reports you can for example go except objective c. classes and here we have a drop down of all the objective c classes that are known to the process I all Objective C classes that are loaded in this process if

we start with Twitter for example we'll see that there's a bunch of Twitter Objective C classes available here for us to explore an instrument we can also perform interceptor attaches okay Interceptor attach will actually inter intercept a given function and attach on enter on leave listeners to that function so we can say intercepted or attach memory dot not memory sorry module do find exports by name null we're interested in open okay and then we'll say say we want an onenter Handler which is a function which receives arguments and here we can print with console.log open C okay we've now implemented our interception if we go to Twitter and pull down we'll see a whole bunch of open

CS okay uh um now that's really awesome and it's very useful for exploration and a quick discovery of what's going on within an application but it's a little bit more painful to write longer expressions like the one that we just wrote on the rapple itself thankfully Freed's repple allows you to load from a script file so that's what we're going to do now we will write a file called explore. JS and and we'll drop the same Interceptor attach module do find export by

name and null cuz we're lazy and open and then we'll it's a lot easier to read it when it's like this we have an onenter function which has the arguments of the function call okay and here we can log open calls okay and now if we quit the the rapple and this time load it with minus L load the explore. jscript it attaches and runs our script and we can now see open called when the open is called

now one thing that's important to note is that Freda does not know anything about the function that's being intercepted it doesn't you don't have to specify the calling convention you don't have to specify the number of arguments you don't have to specify the number the type of arguments FR is completely agnostic to these things it doesn't care about them at all it performs inline function hooking and gives you access to the arguments via the ARs variable ARS parameter uh using this the given platform and architectures uh standard calling convention so on arm you have your first four regist arguments in registers and the rest are on the stack and x86 your reg your arguments are in on the stack

uh all that information is abstracted by Freeda and you can just access the arguments via arcs okay um if however you have a function which you know is doing something strange is using a non-standard calling convention or you just want to be able to access the processor registers at the time that the function is called you can access those things via the this. context object we can for example look at RDI which is the first argument on x86 64 if we console. log

that we get the oh

wait okay we get the pointer in RDI okay poter is not really that useful for us so let's once again print it with print the cont contents of the pointer instead of the pointer itself by performing memory. read utfa string on the pointer and here we'll reload and pull down and now we get the full path again now that's cool we can see what uh processes what uh files the process is opening but we'd like a little bit more context in that we can use a cool feature of Frida that's called thread. back trce what that will do is it will take the this context and it will generate a back Trace like you'd see in GDB for that

given for the point at which it was called which should call thread to back Trace okay so let's try that we'll pull down and now we get a list of pointers for each uh call that's the back trace the pointers but pointers are difficult to understand let's see if we can make it a little bit more simple the thread. back Trace function returns an array of pointers okay so what we can do is we can use a standard JavaScript map function to map the debug symbol do from address function onto each element in that array then we can just join that resulting array with new line and tab just to make it a little pretty we can reload

again and pull down takes a little bit more time this time just because it has to calculate the debug symbols and now you can see back traces that really give you a very good picture of where in an application or uh your opens are occurring so all these little tricks you saw how in a couple of minutes we've managed to get a lot of context about a given call which can be very useful for us understanding the process that we are targeting

while demoing the rapple we actually started looking at the very rich JavaScript API that fra makes available to your JavaScript instrumentation fun scripts that are running inside the target process this API lets you interact with and explore the application as it runs Fearless API is also memory safe so if you for example try to do memory. read utf8 string on a garbage pointer or zero or whatever it happens to be your process won't crash Fredo will catch that and handle it gracefully So you you're safe and you don't have to worry about your target process crashing so now we've got a fairly good idea of what we can do with Freda uh it's pretty cool but let's try

and do something real well let's try and uh make our understanding of fre concrete by performing a real task what we're going to do is we're going to intercept the network traffic of Twitter and we're going to Simply uppercase every tweet as it comes in so we're basically going to Shou toy Twitter okay or yellfy you might say here um and what we're doing is we're just modifying the network traffic as it comes in and because we're uh on modifying that Network traffic the Twitter application will see our tweets as

shied so first we have to work out how tweets are actually delivered to the Twitter application so let's start with Freda trace on the Twitter app now we have to think a second how is Twitter likely to be connecting to the network connecting to the Twitter API to download tweets now because it's a native o i OSX application it's almost certain that it's using the NS URL request NS URL connection classes uh to access HTP or uh https resources okay so what we're going to do is we're going to say minus M we're interested in an OBC toy methods okay we're interested in both class methods and instance methods so we'll put a star where the minus or

plus would be okay and then we can say we're interested in NS URL connection okay as the class and we're interested in every function we don't going to be very selective at this point we just want to see everything that's going on okay you can see again it's easy to glob easy to guess what the application is doing we'll attach again we see a whole bunch of handlers are generated 46 functions and now when we go here and pull down we'll see that we have the nsurl connection in in it with request and delegate okay and that furl Connection in withth request calls an internal inet withth request sorry and with request function with a delegate and some other

arguments and that is basically the uh uh mechanism that they're using in order to download the Tweet data so what we're going to do is we're going to go and look at this in it with request we'll look at the internal one so that we don't miss anything but we can't really understand what's going on here because we don't know what URLs then they're requesting so let's go ahead and try and work out what URL each of these NS URL requests nsurl connections is actually trying to connect to so what we'll do is we'll go here and we'll edit the handlers here we have NS URL connection underscore init with request once again we have the onenter

and on leave functions note that fra has made a guess for the names of the arguments in this function uh when in the log because in Objective C the function function argument names are part of the function prototype part of the function name so we know what they are so we can guess them and Freeda can output like it did here can output the arguments one after each other at the right place in the uh print notice that our arguments start here at ARS 2 that's because Objective C functions have the first argument is the self or this pointer and the second argument is the method selector which selects which method is actually being executed so we have to skip two in order

to get to the actual arguments to The Objective C function method so if we go and look at the NS URL Connection in it with request documentation

in it with request documentation okay we can see that the request parameter is an nsurl request object okay what we needed to do is we need to tell Freda that this first argument is an Objective C Class instance so what we do is we say Objective C doob on ARS 2 and what this does is it tells Freda that we want to treat this pointer as an Objective C instance then we can access the properties and methods of that instance by simply calling properties and methods on the Java on the JavaScript instance okay now in it with request receives an NSL request so let's click on nsurl request to get its documentation um we're interested in the

request properties so we're going to click on getting request properties we'll scroll down a bit and we'll see that there is a property called URL which gives us the requests URL which is exactly what we're interested in okay so we'll go here and we'll say dot do URL because we want the URL property okay the URL is an NS URL object instance okay so let's click on NSL to go to its documentation okay we're interested in the URL itself okay that's being used so we can click on accessing the parts of the URL okay and the first property here is something called absolute string which gives us the URL string for the receiver as an absolute URL okay which seems to

be ex what we want so we'll add absolute string okay now the absolute string is already an NS string object Fredo knows to automatically convert between NS strings and JavaScript strings so we're done we don't have to worry about retrieving the bytes from the NS string so if we go here and save our file and we go and we pull down on Twitter again no I didn't pull down okay pull down we now see that with in it with request prints the full URL that we're trying to

access so that's cool but we're actually interested in the payloads of these uh requests the data that's coming down from the server so we're going to move to uh Freda with a uh script now because it's easier for us to write more complex code more comp complex instrumentation code in a script file uh not within the fre Trace context because we're no longer going to be just tracing we want to actually perform uh some analysis of the uh class instances to get the data that's coming out of the system so we'll uh just start a new file called shy. C do JavaScript okay and the first thing that we want to do is we want to get the uh

handle to The Objective C method that we're interested in okay before we saw find export by name JavaScript uh methods are not necessarily export by the application so you can't just use find or export by name okay but The Objective C API in Freda lets you easily access those uh uh classes and methods so what we do is we say Objective C dot classes dot NS URL connection oops connection okay okay and we are interested in the internal in it with requests function prototype I'm just copying it from here okay and now we'll delete the argument values to get the method signature the reason I have to do this uh is because this is an undocumented internal

function internal method so Freda has no problem uh enumerating and accessing internal undocumented methods but we have to you know copy the uh data like this the name like this because it's not we can't just copy it from the Apple documentation

okay and we need to have here A minus because it's a class method okay we now have a method a method variable which is and pointed to the instance variable sorry to the class method uh in it with request delegate etc etc etc okay so now we want to intercept that method so we go Interceptor do attach and we'll go to the methods implementation okay and we want to hook the onenter function

okay and what we're going to do is we're just going to say console.log NS URL connection and we're going to once more have our objective c. ARS .ob args 2. url. absolute string

okay we'll save that and now we'll rerun Frida on Twitter with the shoty scripts we're attached let's pull down we pull down and we see our nsurl connection being hooked now the way that nsurl connection works is that it implements access to network resources asynchronously what happens is you pass to the function NS URL Connection in with request you pass a delegate object a delegate instance to that object and the uh Objective C fun class nsurl connection will call methods on that delegate object when data is received from the server for example okay the delegate needs to implement the nsurl connection data delegate protocol where and what we're going to do is what we want to do is we want to

implement a proxy object okay which will insert at nsurl connection creation time I with at the end with request delegate creation time call time we'll insert a proxy object which will sit between uh the original delegate and the nsurl connection implementation okay okay and that nsurl connection de data that proxy will implement the nsurl connection data delegates protocol okay it seems complicated but it's actually really simple and it's relatively easy to do in Freda as well because all we have to do is go VAR my delegat is equal to objective croxy do register

proxy okay and we want to tell it that we're interested in implementing these protocols the objective c. protocols which gives us a list of all the protocol that are available in this application nsurl connection data delegates okay we can obviously Implement more than one protocol that's why we have a list there okay if we save that okay and then come over here into our on enter of the method implementation and what we want to do is we want to switch the arguments for the delegates with with an instance of our new delegate proxy okay uh and so what we do is we say ars3 which is the delegate is equal to new my delegate and we'll wrap the original

args 3 we'll pass empty context okay now our instance will be sitting in between the nsurl connection class and the actual delegate the original applications delegate okay notice how we just use javascript's new instance call and behind the scenes it will automatically be transformed into the correct Objective C uh Magic that needs to happen in order to create an instance of our object our objective the object it's all transparent from our perspective okay let's reload and test it again again okay we see that nothing additional actually happens why because although we've implemented a proxy object and we've inserted it between the nurl connection class and the original application delegate we haven't actually done anything with any of the methods

okay we're interested in a method called

in a method called connection did receive data okay that's a call back that is called on the delegate when the uh n connection class receives data from the Upstream uh url url resource okay now what we do here is we say okay we want to handle the connection did receive data function we have two arguments the connection and the data okay so we'll say that this is a JavaScript function which receives a connection and data okay and the first thing that we're going to do is we're going to log console.log in connection did receive data okay and then what we're going to do is we want to now uh We've hooked the the method but we want to uh pass on the

connection and the data to the original delegate object as well okay so that the application will receive the data okay so what we do is we say this. dat. Target do connection did receive data and we pass on the connection and data to the original delegate instance okay if we reload and pull down oh I've made a mistake

yeah this is missing an S methods why didn't not anybody notice I'm disappointed um let's rerun Twitter okay and we'll restart fre that and we'll pull down okay now we we're receiving our incon C did receive data so now our mechanism is working we're able to hook the uh asynchronous callbacks that are sent by nsurl connection okay um because it's asynchronous we might get these in connection did receive data prints at any time and we don't know necessarily which nsurl connection which URL resource they're related to so let's print the URL that is related to the specific in connection receive uh connection did receive data uh call back okay again this is relatively simple we'll just

go console.log oh we'll save it in a variable because we need it later V URL is equal to the connections Uh current request which is a nsur request so we know we can do URL and we can go absolute string and now we want to actually force it to cast to a JavaScript string okay let's log

that and we'll save and we'll re reload and we'll pull down okay and now we get the URL of the particular in connection did received data let's look at the data itself that's what we're interested in right we don't know what format the data takes so what we'll do is we'll hex dump it so that we can see what it looks like so we'll just go Hexum of the data's byes which gives you uh from the NS data object instance that we have there it gives you the actual bite array in memory and we'll say that we're interested in the

length being DOA do length reload pull down and now we get a hick stump of the actual data being received now this just two bytes here and it looks like an empty array okay now this makes sense because if we look here at the uh uh URL that's being requested it says home timeline. Json okay so it's uh makes sense that we have here a Json RPC API okay or rest API I don't know if it's rest exactly but it's a Json based uh remote procedure call mechanism okay so we actually know that this data is going to be a string so we don't have to bother with the hex stump we can go right ahead and read it as a string so

let's do that instead of the hex stump we'll go VAR DOA in is equal to memory. read utf8 string on the doas bytes now because this is being delivered over the network and is has explicit length uh in the content length header of the uh HTTP request or response rather um it's not necessarily A null-terminated String so we have to tell the memory. read8 string function how long the string is otherwise it will depend garbage or we'll try to decode the garbage so we'll just go data. length

here and let's print it so we'll go console.log data in and DOA in save reload pull down and now we see the data in okay but at the moment we're only getting lank data in because there's no tweets coming to this account so let's send a tweet from an account which is followed by the account that we use to log into the application and see what an actual tweet looks like so I have a Twitter account here which is uh used for testing and we can say okay uh hi there besides right and and I'll just show you that when I tweet that it's immediately received by the Twitter application but there's no activity it's kind of strange what's

going on over here let's try a mention maybe mentions are treated differently so we'll go yo damy test 404 what up right and we'll send it immediately received by the application once more no data what's going on so if we think about it we and if we were Twitter we wouldn't actually want an to implement an API which have to do pulling of a server in order to retrieve tweets okay for two reasons first it means that there is a delay between the tweets being published and between and then being received by the client application and also if you have a polling mechanism that means that there are millions of users out there who are hammering your HTTP server all

the time in order to get new tweets so instead of doing that what they do is is they have a long lived connection they connect at the beginning of the application's lifetime to a given HTTP API endpoint and then what happens is is they they wait for new bytes to come down that pipe and that way the Twitter back ends can actually push data down the HTTP connection to the Twitter application okay even though there's no push channel in HTTP 1.1 they can use this long Liv connection mechanism in order to do uh to do this kind of behavior here so what we need to do is we need to hook the function uh nsurl connection in it with request at

the very beginning of the Twitter application's lifetime okay in order to be able to hook that uh intercept into instrument that long lived connection so what we want to do actually is instead of attaching to a running instance of Twitter we want to spawn Twitter on our own that's okay fra knows how to do that we'll stop the uh Frida rle and I'll just quit Twitter here and now we'll go Freda and we're interested in running the Twitter application but we have to specify that full path to the executable now okay and we're interested in loading a script called shifi okay and and we'll run that what what just happened we executed the Twitter app but we executed it in

suspend mode so the first instruction of the Twitter application has not yet been run okay what Freda has done is let run it in suspended mode and then given us control run our little script that shifi in the background and dropped us on the rapple so that we can make additional changes if we want to the environment before Twitter is actually started running what we have to do to get it to run is we have to use the resume command magic commands and once we hit resume the Twitter application will actually load we'll hit resume oh we see the Twitter application loaded if we look in our output we see a whole bunch of activity now okay but

let's now send our tweets hopefully we should see this okay received them immediately and this time I have to decrease the font a little bit sorry let's try that

again uh just miss just clipping off the side there okay here we can see the text with the Tweet text there so now we're seeing tweets awesome what are we trying to do again we're trying to shy O Okay um what we're trying to do is we're trying to shy the application so what we're going to do is very very quickly because I'm running out of time we're just going to use a uh we're going to say if the URL do if the url. index of user. Json I.E if we have the user Json in our URL string we will do VAR DOA out is equal to do in. replace and we'll use a regular

expression just to modify the text we're looking for text

colon not not star um

and we want to find all of those so we'll drop a minus G and what we do is we want to call a function whiches all a b and c sorry that I'm rushing this I'm just running out of time and what we'll do is we'll return a + b do 2 uppercase plus c okay we'll print our data

out okay if we then we have to restart fra and the Twitter application again because we've made modifications to that we'll run that we'll resume wait for it to finish loading initial loading okay tweet some garbage okay and now we see that the text is shifi but it's still not shied in the application why because we haven't passed that information on to the original delegates okay so what we need to do is we need to create an NS data object instance with that new data in order to uh pass it on to the to the override the original data so we'll say d is equal to uh objective c. classes. NS data and we're interested in we're going

to use the data with bytes length function to take the DOA outs and the data outs length okay now the thing is we can't actually just pass DOA out because DOA out is a JavaScript string we need to give this function a pointer to a C string or utf8 string so what we have to do is we have to actually allocate memory within the target process in order to pass this Pro the string on to the NS data Constructor that's not a problem all we need to do is go VAR a is equal to memory. alock utf8 string and we'll pass it our data out string and it will generate the utf8 string at a new

location in memory and now we can pass that on to the uh data with bytes we'll stop the Freda and Twitter rerun it resume and just over here we'll wait for to calm down a bit and we'll type this should be shifi and boom awesome right our entire script is what 20 something lines of JavaScript with all the dbag output okay

so that was pretty cool so just to summarize I hope that this short presentation which is really short just an hour has demonstrated the power of Freeda and the utility that it provides and the functionality that it provides in order to be able to instrument Target processes using relatively easy to write JavaScript functions okay uh it really does provide the capabilities to explore attack and build useful tools around uh uh processes obviously there's a lot more to Freda than what we've shown just now there's a lot more functionality we haven't shown the app running we could have used the same hooking mechanism on the uh uh iPhone app as well uh but there's plenty more to to learn Frida uh

I recommend that if you want to find more documentation or tutorials uh you can hit up freda's site fred. re or you can find us on GitHub at github.com uh if you want help getting started or you have encountered some difficulty or you're you think you found a bug because there there are bugs uh if you think you found a bug or whatever it is you can uh either contact us via issues on uh GitHub or we're uh very active in the Freeda uh channel on fre Noe IRC channel on freen node uh and we're happy to help anybody who who needs help there that's all I've got questions anyone excellent so thank you