Slide 1

Slide 1 text

#BHUSA @BLACKHATEVENTS ipa-medit memory search and patch tool for IPA without Jailbreaking Presented by Taichi Kotake Akatsuki Inc.

Slide 2

Slide 2 text

#BHUSA @BLACKHATEVENTS Who I am • Name: Taichi Kotake • Country: Japan • Job: Security Engineer @ Akatsuki Inc. • GitHub: tkmru 2

Slide 3

Slide 3 text


Slide 4

Slide 4 text

#BHUSA @BLACKHATEVENTS • I also presented at Black Hat Arsenal USA last year • Last year, I talked about apk-medit • Memory modification tool for Android • This year, I'll be talking about the iOS version of apk-medit Were you here last year? 4

Slide 5

Slide 5 text

#BHUSA @BLACKHATEVENTS • Security testing of web applications and simple mobile apps can find most vulnerabilities by using a proxy tool to modify with the requests/responses to the server Security testing for mobile game apps

Slide 6

Slide 6 text

#BHUSA @BLACKHATEVENTS • Mobile game apps often implement the game and anti-cheat logic in their clients, and the clients need to take the time to check it Security testing for mobile game apps

Slide 7

Slide 7 text

#BHUSA @BLACKHATEVENTS What is memory modificationʁ • Security testing for mobile game apps is more difficult • Due to the perspective of reverse engineering • Decrypting requests/responses encryption • SSL pinning bypass • Root privileges detection bypass • Memory modification • etc 5PEBZ`TUPQJD 7

Slide 8

Slide 8 text

#BHUSA @BLACKHATEVENTS What is memory modificationʁ • The easiest way to cheat in games • For iOS games, there is a well known cheat tool called iGameGuardian, GamePlayer • For Android games, there is a well known cheat tool called GameGuardian 8

Slide 9

Slide 9 text

#BHUSA @BLACKHATEVENTS What is ipa-medit? • Memory search and patch tool for re-signed IPA without Jailbreaking • Works without Jailbreaking • For mobile security testing • 9

Slide 10

Slide 10 text

#BHUSA @BLACKHATEVENTS What are its advantages over other tools? • No root privileges are required for the operation • Therefore, there is no need to bypass Jailbreaking detection • Game apps often detect Jailbreaking • Works with colorful CUI • No competing tools that work with CUI for iOS 10

Slide 11

Slide 11 text


Slide 12

Slide 12 text

#BHUSA @BLACKHATEVENTS • macOS • You need to have a valid iOS Development certificate installed • Xcode • That's why the tool uses LLDB inside Xcode Requirements 12

Slide 13

Slide 13 text

#BHUSA @BLACKHATEVENTS • libimobiledevice/libimobiledevice • libimobiledevice/ideviceinstaller Requirements $ brew install --HEAD libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller 13

Slide 14

Slide 14 text

#BHUSA @BLACKHATEVENTS • The target IPA must be signed with a certificate installed on your PC • If you want to modify memory on third-party applications, you need to re-sign the IPA Re-sign 14

Slide 15

Slide 15 text

#BHUSA @BLACKHATEVENTS • If you use the ipautil I created, you can easily re-sign • Re-sign $ ipautil decode tap1000000.ipa # unzip $ ipautil build Payload # re-sign 15

Slide 16

Slide 16 text

#BHUSA @BLACKHATEVENTS • Download the binary(ipa-medit) from GitHub Releases and drop it in your $PATH • Using Github Actions to build and distribute the binaries Usage (installation) 16

Slide 17

Slide 17 text

#BHUSA @BLACKHATEVENTS • To launch it, specify the executable file path contained in the IPA with the -bin and the bundle id with the -id Usage (to launch) $ ipa-medit -bin="./Payload/ tap1000000" -id="jp.hoge.tap1000000" 17

Slide 18

Slide 18 text

#BHUSA @BLACKHATEVENTS • Many subcommands are available via the interactive prompt, but the three main ones are: • find - search the specified integer value in memory • filter - filter search results using the specified value • patch - write the specified value to the address found by the previous search Usage (subcommands) 18

Slide 19

Slide 19 text

#BHUSA @BLACKHATEVENTS The memory modification flow • Use the “find” command to search for the value on the UI • If there are many results change the value on the UI to “filter” the results • When there are fewer results, you can modify the memory by using the "patch" command 19

Slide 20

Slide 20 text

)PXJUXPSLT Photo by Harrison Broadbent on Unsplash

Slide 21

Slide 21 text

#BHUSA @BLACKHATEVENTS • This tool uses libimobliedevice to interact with iOS devices • libimobliedevice is a famous library that communicates with iOS devices using native protocols • How does it work? 21

Slide 22

Slide 22 text

#BHUSA @BLACKHATEVENTS • The LLDB Python API is used to read/write memory • It uses the mechanism that Xcode uses internally • LLDB is used inside Xcode How does it work? 22

Slide 23

Slide 23 text

#BHUSA @BLACKHATEVENTS • Ipa-medit binary is built using Go • But, because it uses the LLDB Python API, Python script is also embedded in the binary How does it work? The Go gopher was designed by Renee French. 
 ( 23

Slide 24

Slide 24 text


Slide 25

Slide 25 text

#BHUSA @BLACKHATEVENTS • libimobliedevice is implemented in C • The LLDB Python API requires Python • Why did I use Go for development? What are the benefits of implementing using Golang? The Go gopher was designed by Renee French. 
 ( 25

Slide 26

Slide 26 text

#BHUSA @BLACKHATEVENTS • Inside the Go repository, there is a tool for debugging iOS libraries made using Go • Go on iOS 26

Slide 27

Slide 27 text

#BHUSA @BLACKHATEVENTS • That is where I got the idea • That’s why ipa-medit is implemented in Go • Thanks to Golang!! Go on iOS 27

Slide 28

Slide 28 text

#BHUSA @BLACKHATEVENTS • Frida makes it possible to debug iOS apps by inserting a gadget into the debuggable app without Jailbreak • Frida is a dynamic instrumentation toolkit: • Memory modification is possible this way as well This is not the only way 28

Slide 29

Slide 29 text

#BHUSA @BLACKHATEVENTS • The LLDB Python API is slower than frida's approach… • But no need to patch the IPA, it's an advantage. • And it never gets caught by app modification detection • I may work on implementing this method in the future as well This is not the only way 29

Slide 30

Slide 30 text

#BHUSA @BLACKHATEVENTS Summary • ipa-medit allows memory modifications without bypassing Jailbreak detection • But there is a need to re-sign the IPA…. • I hope ipa-medit will become the de facto standard for security testing 30

Slide 31

Slide 31 text