#BHUSA @BLACKHATEVENTS
apk-medit
memory search and patch tool for APK
without root & the Android NDK
Presented by Taichi Kotake
Akatsuki Inc.
Who I am
• Name: Taichi Kotake
• Country: Japan
• Job: Security Engineer @ Akatsuki Inc.
• GitHub: tkmru
What is apk-medit?
• Memory search and patch tool for debuggable APK
• Works without root & the Android NDK
• For mobile security testing
• https://github.com/aktsk/apk-medit
What is memory modification?
• The easiest way to cheat in games
• For Android games, there is a well-known cheat tool called GameGuardian
What are its advantages over other tools?
• No root privileges are required for the operation
• Therefore, there is no need to bypass root detection
• Game apps often detect root
• Works with a colorful CUI (a text-based, terminal interface)
• No competing memory-editing tools for Android work from a CUI
Demo Movie
Usage (installation)
• Download the binary from GitHub Releases
• Push the binary to /data/local/tmp/ on the Android device
$ adb push medit /data/local/tmp/medit
Usage (to launch)
• Use the run-as command to read / write files used by the APK
• run-as switches the shell to the app's own UID, which is what lets the app's memory be accessed without root privileges
• The system only permits run-as for apps whose debuggable attribute is enabled, so apk-medit can only be used with such apps
Usage (to launch)
• To enable the debuggable attribute, open the AndroidManifest.xml and add the following xml attribute to the application xml node:
android:debuggable="true"
• Any modified APK has to be re-signed (with your own key) and reinstalled before it will run
• Using apkutil, you can change the APK to be debuggable with a single command
• https://github.com/aktsk/apkutil
Usage (to launch)
$ adb shell
$ pm list packages          # to check the package name of the target app
$ run-as <package_name>     # <package_name>: placeholder for the target app's package name
$ cp /data/local/tmp/medit ./medit
$ ./medit
• After running the run-as command, the shell runs as the app's UID and the working directory changes to the app's private data directory
• Copy medit from /data/local/tmp/ into that directory
• Running medit launches an interactive prompt
Usage (subcommands)
• Many subcommands are available in the interactive prompt,
but the three main ones are:
• find - search the specified integer value in memory
• filter - filter search results using the specified value
• patch - write the specified value to the address
found by the search
The memory modification flow
• Use the "find" command to search for the value currently shown on the UI (e.g. a score or coin count)
• If many results are displayed, change the value on the UI (by playing), then "filter" the results with the new value; repeat until few remain
• When only a few results are left, modify the memory by using the "patch" command
How does it work?
• On Linux-based OSes, pseudo files are placed under /proc/ to access process information
• The following paths are used:
• /proc/[pid]/maps
• /proc/[pid]/mem
/proc/[pid]/maps
• /proc/[pid]/maps contains the memory map of the process specified by the "pid"
• Each line gives an address range, its permissions (r/w/x and private or shared), the file offset, device, inode, and the mapped path or a label such as [heap] or [stack]
• The permissions tell us which parts of the memory the process can read and write to, and therefore where a value can be searched for and patched
/proc/[pid]/mem
• Using /proc/[pid]/mem, it is possible to read and write the memory held by the process specified by the "pid"
• Ordinary system calls are enough: open(), then lseek() to the target address followed by read() or write() (equivalently pread()/pwrite() with the address as the offset)
• The kernel applies the same access check as ptrace: without root this requires running as the target's UID, which is exactly what run-as provides
How does it work?
• The memory map tells us where we can read / write
• It reads each of those regions through /proc/[pid]/mem and searches for the target value
• When the target value is found, it writes the new value to that address through /proc/[pid]/mem to patch the memory
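The find / filter / patch flow described above, written out as a small Go program. This is an added example for this page, not apk-medit's own code: it uses os.File ReadAt/WriteAt (pread/pwrite with the address as the offset) rather than the lseek+read pair named on the previous slide, and the names Region, parseMaps, searchRegions, filterAddrs and patch are its own. Its main() runs the three steps against the process itself via /proc/self, which needs no privilege; against an app it would open /proc/<pid>/maps and /proc/<pid>/mem of the target while running as the app's UID under run-as.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// Region is one mapping from /proc/[pid]/maps that is both readable and writable.
type Region struct {
	Start, End uint64
	Perms      string
	Path       string
}

// chunkSize bounds how much of a region is read per pread(); large mappings
// are scanned in pieces that overlap by len(needle)-1 bytes so a value that
// straddles a chunk boundary is still found exactly once.
const chunkSize = 1 << 20

// parseMaps parses /proc/[pid]/maps text and keeps only "rw" mappings, the
// only places where a value can be both located and patched. A line looks like:
//   7f0a1c000000-7f0a1c021000 rw-p 00000000 00:00 0    [anon:libc_malloc]
func parseMaps(r io.Reader) ([]Region, error) {
	var regions []Region
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 5 || len(fields[1]) < 2 || fields[1][0] != 'r' || fields[1][1] != 'w' {
			continue
		}
		bounds := strings.SplitN(fields[0], "-", 2)
		if len(bounds) != 2 {
			continue
		}
		start, err := strconv.ParseUint(bounds[0], 16, 64)
		if err != nil {
			return nil, fmt.Errorf("bad maps line %q: %w", sc.Text(), err)
		}
		end, err := strconv.ParseUint(bounds[1], 16, 64)
		if err != nil {
			return nil, fmt.Errorf("bad maps line %q: %w", sc.Text(), err)
		}
		reg := Region{Start: start, End: end, Perms: fields[1]}
		if len(fields) >= 6 {
			reg.Path = fields[5]
		}
		regions = append(regions, reg)
	}
	return regions, sc.Err()
}

// int32LE encodes v as it sits in memory on ARM and x86 (little-endian).
func int32LE(v int32) []byte {
	b := make([]byte, 4)
	binary.LittleEndian.PutUint32(b, uint32(v))
	return b
}

// findAll returns base+offset for every occurrence of needle in buf, letting
// bytes.Index do the searching.
func findAll(buf, needle []byte, base uint64) []uint64 {
	var hits []uint64
	for off := 0; off+len(needle) <= len(buf); {
		i := bytes.Index(buf[off:], needle)
		if i < 0 {
			break
		}
		hits = append(hits, base+uint64(off+i))
		off += i + 1
	}
	return hits
}

// searchRegions is the "find" step: read each region through mem (an
// io.ReaderAt such as an opened /proc/[pid]/mem, whose ReadAt is pread(2) with
// the address as the offset) and return every address holding needle.
// Regions the kernel refuses to read (e.g. [vvar]) are skipped, not fatal.
func searchRegions(mem io.ReaderAt, regions []Region, needle []byte) []uint64 {
	if len(needle) == 0 {
		return nil
	}
	overlap := uint64(len(needle) - 1)
	var hits []uint64
	for _, reg := range regions {
		for pos := reg.Start; pos < reg.End; {
			size := reg.End - pos
			if size > chunkSize {
				size = chunkSize
			}
			buf := make([]byte, size)
			n, _ := mem.ReadAt(buf, int64(pos)) // a short read still yields usable bytes
			if n == 0 {
				break
			}
			hits = append(hits, findAll(buf[:n], needle, pos)...)
			if pos+uint64(n) >= reg.End || uint64(n) <= overlap {
				break
			}
			pos += uint64(n) - overlap
		}
	}
	return hits
}

// filterAddrs is the "filter" step: after the value changed on screen, keep
// only the candidates that now hold the new value.
func filterAddrs(mem io.ReaderAt, addrs []uint64, want []byte) []uint64 {
	var kept []uint64
	cur := make([]byte, len(want))
	for _, a := range addrs {
		if n, _ := mem.ReadAt(cur, int64(a)); n == len(want) && bytes.Equal(cur, want) {
			kept = append(kept, a)
		}
	}
	return kept
}

// patch is the "patch" step: pwrite(2) the new value over the address.
func patch(mem io.WriterAt, addr uint64, val []byte) error {
	n, err := mem.WriteAt(val, int64(addr))
	if err == nil && n != len(val) {
		err = io.ErrShortWrite
	}
	return err
}

// score stands in for a game's counter (constructed for this demo); a
// package-level variable so it certainly lives in a writable mapping.
var score int32 = 0x5EC0DE01

// main runs the whole flow against this process itself (/proc/self).
func main() {
	maps, err := os.Open("/proc/self/maps")
	if err != nil {
		fmt.Println("open maps:", err)
		return
	}
	regions, err := parseMaps(maps)
	maps.Close()
	if err != nil {
		fmt.Println("parse maps:", err)
		return
	}
	mem, err := os.OpenFile("/proc/self/mem", os.O_RDWR, 0)
	if err != nil {
		fmt.Println("open mem:", err)
		return
	}
	defer mem.Close()

	hits := searchRegions(mem, regions, int32LE(score))
	fmt.Printf("find:   %d candidate(s) for %#x\n", len(hits), score)

	score++ // the "value on the UI" changed, e.g. one more coin collected
	hits = filterAddrs(mem, hits, int32LE(score))
	fmt.Printf("filter: %d candidate(s) for %#x\n", len(hits), score)

	for _, a := range hits {
		if err := patch(mem, a, int32LE(999999)); err != nil {
			fmt.Printf("patch %#x: %v\n", a, err)
		}
	}
	fmt.Printf("patch:  score is now %d\n", score)
}
```

On a device the only change is the pid in the two /proc paths; the open succeeds because a shell under run-as shares the app's UID, which is the access check the kernel applies. The filter step is what removes the noise a real scan produces, including stale copies of the value left behind in the tool's own read buffers, which is why patching straight after a single find is a bad idea.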
What are the benefits of implementing it in Golang for Android devices?
• Easy to prepare ELF binaries for ARM
• Easy to invoke system calls
• Easy to find the target byte in a large byte sequence quickly
• Easy to distribute binaries by using GitHub Actions and
GoReleaser
Easy to prepare ELF binaries for ARM
• The Go compiler supports cross-compilation
• The GOOS and GOARCH environment variables specify the target OS and CPU
• No NDK or C toolchain is needed as long as cgo is disabled, which is the default when cross-compiling
$ GOOS=linux GOARCH=arm64 go build -o medit          # 64-bit ARM
$ GOOS=linux GOARCH=arm GOARM=7 go build -o medit    # 32-bit ARMv7; GOARM only applies to GOARCH=arm
Easy to invoke system calls
• The golang.org/x/sys/unix package wraps the system calls nicely
• So the calls needed for /proc/[pid]/mem (e.g. unix.Open, unix.Pread, unix.Pwrite) are easy to invoke
Easy to find the target byte in a large byte sequence quickly
• bytes.Index() in the standard library uses a fast string search: a SIMD-assisted scan for short patterns, falling back to the Rabin-Karp algorithm for longer ones
• Without implementing complex algorithms, I can quickly find data in the memory by simply using bytes.Index()
Easy to distribute binaries by using GitHub Actions and GoReleaser
• GitHub Actions and GoReleaser make it easy to develop with Golang
• When a tagged commit is pushed to GitHub, the build runs via GitHub Actions and GoReleaser automatically publishes the binaries to GitHub Releases
Summary
• apk-medit allows memory modifications without bypassing root detection
• But the APK must first be repackaged as debuggable, and an app can check that flag just as it checks for root
• Golang is a useful language for building Android tools
• I hope apk-medit will become the de facto standard for security testing