Slide 1

Slide 1 text

#BHUSA @BLACKHATEVENTS
ipa-medit: memory search and patch tool for IPA without Jailbreaking
Presented by Taichi Kotake, Akatsuki Inc.

Slide 2

Slide 2 text

Who I am
• Name: Taichi Kotake
• Country: Japan
• Job: Security Engineer @ Akatsuki Inc.
• GitHub: tkmru

Slide 3

Slide 3 text

Today's Topic: Security testing for mobile game apps
Photo by Shannon Potter on Unsplash

Slide 4

Slide 4 text

Were you here last year?
• I also presented at Black Hat Arsenal USA last year
• Last year, I talked about apk-medit
• Memory modification tool for Android
• This year, I'll be talking about the iOS version of apk-medit

Slide 5

Slide 5 text

Security testing for mobile game apps
• Security testing of web applications and simple mobile apps can find most vulnerabilities by using a proxy tool to modify the requests/responses to the server

Slide 6

Slide 6 text

Security testing for mobile game apps
• Mobile game apps often implement the game and anti-cheat logic in their clients, so the clients themselves need to be checked, and that takes time

Slide 7

Slide 7 text

Security testing for mobile game apps
• Security testing for mobile game apps is more difficult
• Because reverse engineering is also required:
• Decrypting requests/responses encryption
• SSL pinning bypass
• Root privileges detection bypass
• Memory modification (today's topic)
• etc.

Slide 8

Slide 8 text

What is memory modification?
• The easiest way to cheat in games
• For iOS games, there are well-known cheat tools such as iGameGuardian and GamePlayer
• For Android games, there is a well-known cheat tool called GameGuardian

Slide 9

Slide 9 text

What is ipa-medit?
• Memory search and patch tool for re-signed IPA without Jailbreaking
• Works without Jailbreaking
• For mobile security testing
• https://github.com/aktsk/ipa-medit

Slide 10

Slide 10 text

What are its advantages over other tools?
• No root privileges are required for the operation
• Therefore, there is no need to bypass Jailbreaking detection
• Game apps often detect Jailbreaking
• Works with a colorful CUI
• No competing tools that work with a CUI for iOS

Slide 11

Slide 11 text

Demo Movie

Slide 12

Slide 12 text

Requirements
• macOS
• You need to have a valid iOS Development certificate installed
• Xcode
• That's why the tool uses LLDB inside Xcode

Slide 13

Slide 13 text

Requirements
• libimobiledevice/libimobiledevice
• libimobiledevice/ideviceinstaller

$ brew install --HEAD libplist
$ brew install --HEAD usbmuxd
$ brew install --HEAD libimobiledevice
$ brew install --HEAD ideviceinstaller

Slide 14

Slide 14 text

Re-sign
• The target IPA must be signed with a certificate installed on your PC
• If you want to modify memory on third-party applications, you need to re-sign the IPA

Slide 15

Slide 15 text

Re-sign
• If you use the ipautil I created, you can easily re-sign
• https://github.com/aktsk/ipautil

$ ipautil decode tap1000000.ipa # unzip
$ ipautil build Payload # re-sign

Slide 16

Slide 16 text

Usage (installation)
• Download the binary (ipa-medit) from GitHub Releases and drop it in your $PATH
• GitHub Actions is used to build and distribute the binaries

Slide 17

Slide 17 text

Usage (to launch)
• To launch it, specify the executable file path contained in the IPA with -bin and the bundle id with -id

$ ipa-medit -bin="./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000"

Slide 18

Slide 18 text

Usage (subcommands)
• Many subcommands are available via the interactive prompt, but the three main ones are:
• find - search the specified integer value in memory
• filter - filter search results using the specified value
• patch - write the specified value to the address found by the previous search

Slide 19

Slide 19 text

The memory modification flow
• Use the "find" command to search for the value shown on the UI
• If there are many results, change the value on the UI and use "filter" to narrow the results
• When there are few enough results, you can modify the memory by using the "patch" command
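The find/filter/patch flow above, as an added simulation that is not part of ipa-medit or the slides: a constructed 64-byte "process memory" stands in for the bytes the real tool reads and writes through the LLDB Python API, so the narrowing step (why a single find is not enough) can be run offline.

```python
import struct

# Constructed sample memory region at a made-up base address (not real app data).
BASE = 0x100000000
_memory = bytearray(64)
struct.pack_into("<I", _memory, 8, 100)   # the on-screen "score" field
struct.pack_into("<I", _memory, 20, 100)  # an unrelated field holding the same value
struct.pack_into("<I", _memory, 40, 7)    # unrelated noise


def read_memory(addr, size):
    """Stand-in for a debugger memory read (the tool uses LLDB for this)."""
    off = addr - BASE
    return bytes(_memory[off:off + size])


def write_memory(addr, data):
    """Stand-in for a debugger memory write."""
    off = addr - BASE
    _memory[off:off + len(data)] = data


def find(value, width=4):
    """'find': every address whose little-endian integer equals value."""
    pat = value.to_bytes(width, "little", signed=True)
    data = read_memory(BASE, len(_memory))
    hits, i = [], data.find(pat)
    while i != -1:
        hits.append(BASE + i)
        i = data.find(pat, i + 1)
    return hits


def filter_hits(hits, value, width=4):
    """'filter': keep only candidates that now hold the new on-screen value."""
    pat = value.to_bytes(width, "little", signed=True)
    return [a for a in hits if read_memory(a, width) == pat]


def patch(hits, value, width=4):
    """'patch': write value to every remaining candidate; returns count written."""
    data = value.to_bytes(width, "little", signed=True)
    for a in hits:
        write_memory(a, data)
    return len(hits)


def demo():
    hits = find(100)                  # two candidates share the value 100
    write_memory(BASE + 8, (150).to_bytes(4, "little"))  # "play" so the score changes
    hits = filter_hits(hits, 150)     # only the real score field survives
    patch(hits, 999999)
    return hits, int.from_bytes(read_memory(BASE + 8, 4), "little")
```

The unrelated field at BASE + 20 is untouched after the patch, which is the point of filtering before writing.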

Slide 20

Slide 20 text

How it works
Photo by Harrison Broadbent on Unsplash

Slide 21

Slide 21 text

How does it work?
• This tool uses libimobiledevice to interact with iOS devices
• libimobiledevice is a well-known library that communicates with iOS devices using their native protocols
• https://libimobiledevice.org/

Slide 22

Slide 22 text

How does it work?
• The LLDB Python API is used to read/write memory
• It uses the mechanism that Xcode uses internally
• LLDB is used inside Xcode

Slide 23

Slide 23 text

How does it work?
• The ipa-medit binary is built using Go
• But, because it uses the LLDB Python API, a Python script is also embedded in the binary
The Go gopher was designed by Renee French. (http://reneefrench.blogspot.com/)

Slide 24

Slide 24 text

What are the benefits of implementing using Golang on iOS devices
Photo by Nandhu Kumar on Unsplash

Slide 25

Slide 25 text

What are the benefits of implementing using Golang?
• libimobiledevice is implemented in C
• The LLDB Python API requires Python
• Why did I use Go for development?
The Go gopher was designed by Renee French. (http://reneefrench.blogspot.com/)

Slide 26

Slide 26 text

Go on iOS
• Inside the Go repository, there is a tool for debugging iOS libraries made using Go
• https://github.com/golang/go/tree/master/misc/ios

Slide 27

Slide 27 text

Go on iOS
• That is where I got the idea
• That's why ipa-medit is implemented in Go
• Thanks to Golang!!

Slide 28

Slide 28 text

This is not the only way
• Frida makes it possible to debug iOS apps by inserting a gadget into the debuggable app without Jailbreak
• Frida is a dynamic instrumentation toolkit: https://frida.re/
• Memory modification is possible this way as well

Slide 29

Slide 29 text

This is not the only way
• The LLDB Python API is slower than Frida's approach…
• But the LLDB approach does not need to patch the IPA, which is an advantage
• And it never gets caught by app modification detection
• I may work on implementing the Frida method in the future as well

Slide 30

Slide 30 text

Summary
• ipa-medit allows memory modifications without bypassing Jailbreak detection
• But there is a need to re-sign the IPA…
• I hope ipa-medit will become the de facto standard for security testing

Slide 31

Slide 31 text

Thank You!!
https://github.com/aktsk/ipa-medit