Slide 1

Slide 1 text

#BHEU @BlackHatEvents
ipa-medit: Memory search and patch tool for IPA without Jailbreaking
Black Hat Europe 2022 Arsenal Edition
Presented by Taichi Kotake
Akatsuki Games Inc. & Sterra Security Co.,Ltd.

Slide 2

Slide 2 text

Who I am
• Name: Taichi Kotake
• Country: Japan
• Job:
  • Security Engineer @ Akatsuki Games Inc.
  • CTO & Co-founder @ Sterra Security Co.,Ltd.
• GitHub: tkmru

Slide 3

Slide 3 text

My Black Hat History
• Black Hat USA 2020 Arsenal: "Apk-medit: memory search and patch tool for APK without root & android NDK"
• Black Hat USA 2021 Arsenal: "Ipa-medit: Memory modification tool for iOS apps without Jailbreaking"
• Black Hat Europe 2022 Arsenal: "Ipa-medit: Memory modification tool for iOS apps without Jailbreaking" (sequel to the presentation)

Slide 4

Slide 4 text

Today's Topic
Security testing for mobile game apps
Photo by Shannon Potter on Unsplash

Slide 5

Slide 5 text

Security testing for mobile game apps
• Security testing of web applications and simple mobile apps can find most vulnerabilities by using a proxy tool to modify the requests/responses to the server

Slide 6

Slide 6 text

Security testing for mobile game apps
• Mobile game apps often implement the game and anti-cheat logic in their clients, so the client itself also has to be checked, which takes time

Slide 7

Slide 7 text

What is memory modification?
• Security testing for mobile game apps is more difficult
• Due to the perspective of reverse engineering:
  • Decrypting encrypted requests/responses
  • SSL pinning bypass
  • Root privileges detection bypass
  • Memory modification (today's topic)
  • etc.

Slide 8

Slide 8 text

What is memory modification?
• The easiest way to cheat in games
• For iOS games, there are well-known cheat tools called iGameGuardian and GamePlayer
• For Android games, there is a well-known cheat tool called GameGuardian

Slide 9

Slide 9 text

What is ipa-medit?
• Memory search and patch tool for re-signed IPA without Jailbreaking
• Works without Jailbreaking
• For mobile security testing
• https://github.com/aktsk/ipa-medit

Slide 10

Slide 10 text

What are its advantages over other tools?
• No root privileges are required for the operation
  • Therefore, there is no need to bypass Jailbreaking detection
  • Game apps often detect Jailbreaking
• Works with a colorful TUI
  • Easy to follow logs
  • No competing tools that work with a TUI for iOS

Slide 11

Slide 11 text

What are its advantages over other tools?
• Closed-source cheat tools are difficult to use for game apps that have not been released
  • considering the risk of information leakage…
• ipa-medit is open source and a tool developed by a game company
  • It can be used for security testing with confidence

Slide 12

Slide 12 text


Slide 13

Slide 13 text

Updates after Black Hat USA 2021 Arsenal
• I also presented at the Black Hat USA 2021 Arsenal.
• At that time, it could only target iOS apps running on the iPhone.
• However, it now supports iOS apps running on the Apple Silicon Mac as well.
• The Apple Silicon Mac was recently released and allows you to run iOS apps on macOS.

Slide 14

Slide 14 text


Slide 15

Slide 15 text

Requirements
• macOS
• You need to have a valid iOS Development certificate installed

Slide 16

Slide 16 text

Requirements (for iOS devices only)
• Xcode
  • Since the tool uses LLDB inside Xcode

Slide 17

Slide 17 text

Requirements (for iOS devices only)
• libimobiledevice/libimobiledevice
• libimobiledevice/ideviceinstaller

$ brew install --HEAD libplist
$ brew install --HEAD usbmuxd
$ brew install --HEAD libimobiledevice
$ brew install --HEAD ideviceinstaller

Slide 18

Slide 18 text

Re-sign
• The target IPA must be signed with a certificate installed on your PC
• If you want to modify memory on third-party applications, you will need to re-sign the IPA

Slide 19

Slide 19 text

Re-sign
• If you use the ipautil tool that I created, you can easily re-sign
• https://github.com/aktsk/ipautil

$ ipautil decode tap1000000.ipa # unzip
$ ipautil build Payload # re-sign

Slide 20

Slide 20 text

Usage (installation)
• Download the binary (ipa-medit) from GitHub Releases and drop it in your $PATH
• GitHub Actions is used to build and distribute the binaries

Slide 21

Slide 21 text

Usage (to launch)
• Targeting the iOS app on the iPhone:

$ unzip tap1000000.ipa
$ ipa-medit -bin="./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000"

• Targeting the iOS app on the Apple Silicon Mac:

$ ipa-medit -name

Slide 22

Slide 22 text

Usage (subcommands)
• Many subcommands are available via the interactive prompt, but the three main ones are:
  • find - search the specified integer value in memory
  • filter - filter search results using the specified value
  • patch - write the specified value to the address found by the previous search

Slide 23

Slide 23 text

The memory modification flow
• Use the "find" command to search for the value shown in the UI
• If there are many results, change the value in the UI and "filter" the results
• After filtering the results, you can modify the memory by using the "patch" command
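The find/filter/patch loop described above, as an added Go example that is not ipa-medit's own code: it runs over a constructed snapshot of readable regions instead of reading the target through LLDB or mach_vm_read, and the Region type, the slot/Find/Filter/Patch names and the sample addresses are assumptions made for the illustration.

```go
package main

import "encoding/binary"

// Region: one readable range of the target plus a copy of its bytes. ipa-medit
// fills these through LLDB (iOS) or mach_vm_read (macOS); here they are constructed.
type Region struct {
	Start uint64
	Data  []byte
}

// slot returns the 4 bytes at addr, or nil if no region fully covers them.
func slot(regions []Region, addr uint64) []byte {
	for _, r := range regions {
		if addr >= r.Start && addr+4 <= r.Start+uint64(len(r.Data)) {
			return r.Data[addr-r.Start : addr-r.Start+4]
		}
	}
	return nil
}

// Find ("find"): every byte offset whose little-endian int32 equals want (arm64 is LE).
func Find(regions []Region, want int32) []uint64 {
	var hits []uint64
	for _, r := range regions {
		for off := 0; off+4 <= len(r.Data); off++ {
			if int32(binary.LittleEndian.Uint32(r.Data[off:])) == want {
				hits = append(hits, r.Start+uint64(off))
			}
		}
	}
	return hits
}

// Filter ("filter"): keep earlier hits that now hold the value the UI changed to,
// which discards addresses that only matched by coincidence.
func Filter(regions []Region, hits []uint64, want int32) []uint64 {
	var kept []uint64
	for _, a := range hits {
		if b := slot(regions, a); b != nil && int32(binary.LittleEndian.Uint32(b)) == want {
			kept = append(kept, a)
		}
	}
	return kept
}

// Patch ("patch"): overwrite the int32 at addr (mach_vm_write / LLDB write in the tool).
func Patch(regions []Region, addr uint64, val int32) bool {
	b := slot(regions, addr)
	if b == nil {
		return false
	}
	binary.LittleEndian.PutUint32(b, uint32(val))
	return true
}
```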

Slide 24

Slide 24 text

How does it work?
Photo by Harrison Broadbent on Unsplash

Slide 25

Slide 25 text

How does it work?
• Different memory modification mechanisms:
  • Targeting iOS apps on iOS devices
  • Targeting iOS apps on the Apple Silicon Mac

Slide 26

Slide 26 text

How does it work? (on iOS devices)
• Use libimobiledevice to interact with iOS devices
• libimobiledevice is a popular library that communicates with iOS devices using native protocols
• https://libimobiledevice.org/

Slide 27

Slide 27 text

How does it work? (on iOS devices)
• The LLDB Python API is used to read/write from/to memory
  • It uses the same mechanism that Xcode uses internally
  • LLDB is used inside Xcode
• The ipa-medit binary is built using Go
  • But, because it uses the LLDB Python API, a Python script is also embedded in the binary

Slide 28

Slide 28 text

What are the benefits of implementing using Golang?
• libimobiledevice is implemented in C
• The LLDB Python API requires Python
• Why did I use Go for development?

Slide 29

Slide 29 text

Go on iOS
• Inside the Go repository, there is a tool for debugging iOS libraries made using Go
  • for iOS devices only
  • https://github.com/golang/go/tree/master/misc/ios
• That is where I got the idea
• Thanks to Golang!!

Slide 30

Slide 30 text

How does it work? (on Apple Silicon Mac)
• I had previously created a memory modification tool for Android called apk-medit @ Black Hat USA 2020 Arsenal
• I thought that the same logic from this tool could also be used for the Apple Silicon Mac
• But macOS is quite different from Linux.

Slide 31

Slide 31 text

How does it work? (on Apple Silicon Mac)
• The memory modification process on Linux (Android) is as follows:
  • Search readable memory addresses (/proc/$pid/maps)
  • Read the memory (/proc/$pid/mem, by ptrace)
  • Search for the target value
  • Patch the memory (/proc/$pid/mem, by ptrace)

Slide 32

Slide 32 text

How does it work? (on Apple Silicon Mac)
• The memory map tells us where we can read/write
• But on macOS, there is no /proc/$pid/maps
• Therefore, a specialized API must be used to read a memory map
• To reduce the implementation effort, ipa-medit internally uses the vmmap command to obtain a memory map

Slide 33

Slide 33 text

How does it work? (on Apple Silicon Mac)
• On macOS, there is no /proc/$pid/mem and no memory read/write via ptrace
• ptrace is a system call often used to implement debuggers
  • The operation is switched by specifying the request as the first argument

ptrace(int request, pid_t pid, caddr_t addr, int data);

Slide 34

Slide 34 text

How does it work? (on Apple Silicon Mac)
• ptrace also exists on macOS
• However, memory read/write is not supported
  • It is not possible to specify PTRACE_PEEKDATA for reading memory or PTRACE_POKEDATA for writing to memory as the first argument

ptrace(int request, pid_t pid, caddr_t addr, int data);

Slide 35

Slide 35 text

How does it work? (on Apple Silicon Mac)
• macOS also has a specialized API for reading and writing memory
• It uses mach_vm_read() to read the memory
• When the target value is found, it uses mach_vm_write() to patch the memory

Slide 36

Slide 36 text

How does it work? (on Apple Silicon Mac)
• The memory modification process on macOS is as follows:
  • Search readable memory addresses (by vmmap)
  • Read the memory (mach_vm_read)
  • Search for the target value
  • Patch the memory (mach_vm_write)
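An added Go example (not ipa-medit's code) of the first step in this process, obtaining the memory map from vmmap: it parses region rows in the shape of vmmap's listing into address ranges and protections and keeps the ones a find/patch pass can both read and write. The VmmapSample text is constructed here, not captured tool output, and the MapRegion/ParseVmmap/Patchable names are assumptions; compare the row layout against your own vmmap output before relying on the regular expression.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// MapRegion is one row of vmmap's region listing.
type MapRegion struct {
	Type       string
	Start, End uint64
	Prot       string // current protection, e.g. "rw-"
}

// A region row looks like "<type> <start>-<end> [ sizes ] <prot>/<max> ...".
var rowRE = regexp.MustCompile(`^(.+?)\s+([0-9a-fA-F]+)-([0-9a-fA-F]+)\s+\[[^\]]*\]\s+([rwx-]{3})/([rwx-]{3})`)

// ParseVmmap keeps region rows and skips the "====" section headers and column titles.
func ParseVmmap(out string) []MapRegion {
	var regs []MapRegion
	for _, line := range strings.Split(out, "\n") {
		m := rowRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		start, _ := strconv.ParseUint(m[2], 16, 64)
		end, _ := strconv.ParseUint(m[3], 16, 64)
		regs = append(regs, MapRegion{Type: strings.TrimSpace(m[1]), Start: start, End: end, Prot: m[4]})
	}
	return regs
}

// Patchable keeps the regions a find/patch pass can both read and write (current prot "rw").
func Patchable(regs []MapRegion) []MapRegion {
	var out []MapRegion
	for _, r := range regs {
		if r.Prot[0] == 'r' && r.Prot[1] == 'w' {
			out = append(out, r)
		}
	}
	return out
}

// VmmapSample is constructed in the shape of vmmap's listing; it is not captured tool output.
const VmmapSample = `==== Non-writable regions for process 47071
REGION TYPE                    START - END         [ VSIZE  RSDNT  DIRTY   SWAP] PRT/MAX SHRMOD PURGE    REGION DETAIL
__TEXT                      100000000-100004000    [   16K    16K     0K     0K] r-x/r-x SM=COW          /path/to/tap1000000.app/tap1000000
mapped file                 1b0000000-1b0010000    [   64K    64K     0K     0K] r--/r-- SM=COW          /System/Library/dyld/dyld_shared_cache_arm64e
==== Writable regions for process 47071
__DATA                      100008000-10000c000    [   16K    16K    16K     0K] rw-/rw- SM=COW          /path/to/tap1000000.app/tap1000000
MALLOC_TINY                 100e00000-100f00000    [ 1024K   160K   160K     0K] rw-/rwx SM=PRV          MallocHelperZone_0x100d8c000
`
```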

Slide 37

Slide 37 text

The signing requirement...
• On macOS, non-signed programs cannot be used as debuggers…
• To use the program as a debugger it must be signed
• Specify in the entitlements.plist that the com.apple.security.cs.debugger attribute is enabled

Slide 38

Slide 38 text

com.apple.security.cs.debugger
• The entitlements.plist is as follows:
  • com.apple.security.cs.debugger

Slide 39

Slide 39 text

The program to be debugged must also be signed...
• The com.apple.security.get-task-allow attribute must be enabled in the application to be debugged
• This allows it to be attached to by the debugger

Slide 40

Slide 40 text

com.apple.security.get-task-allow
• You can check whether the com.apple.security.get-task-allow attribute is enabled using the codesign command:

$ codesign -d --entitlements :- 47071
Executable=/private/var/folders/hc/XXXXXXXXnsfn1_c9n20jxw40000gq/X/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/d/Wrapper/tap1000000.app/tap1000000
…
get-task-allow
…

Slide 41

Slide 41 text

There are other ways to do this
• Frida makes it possible to debug iOS apps by inserting a gadget into the debuggable app without Jailbreaking
  • Frida is a dynamic instrumentation toolkit
  • https://frida.re/
• Memory modification is possible this way as well

Slide 42

Slide 42 text

There are other ways to do this
• The LLDB Python API is slower than Frida's approach…
• But there is no need to patch the IPA, which is an advantage.
• And it never gets caught by app modification detection
• I may work on implementing this method in the future as well

Slide 43

Slide 43 text

Summary
• Ipa-medit allows memory modifications without bypassing Jailbreak detection
• But there is a need to re-sign the IPA…
• I hope ipa-medit will become the de facto standard for security testing

Slide 44

Slide 44 text

Acknowledgements
• The English for this presentation was checked by a native English-speaking teammate
• Thanks to Shadab Ambat !!

Slide 45

Slide 45 text

Thank You!!
https://github.com/aktsk/ipa-medit