apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa

Transcript

1. #BHUSA @BLACKHATEVENTS
   apk-medit
   memory search and patch tool for APK
   without root & android NDK
   Presented by Taichi Kotake

   Akatsuki Inc.
   

   View Slide

2. #BHUSA @BLACKHATEVENTS
   Who I am
   • Name: Taichi Kotake
   • Country: Japan
   • Job: Security Engineer @ Akatsuki Inc.
   • GitHub: tkmru
   

   View Slide

3. #BHUSA @BLACKHATEVENTS
   What is apk-medit?
   • Memory search and patch tool for debuggable APK
   • Works without root & the android NDK
   • For mobile security testing
   • https://github.com/aktsk/apk-medit
   

   View Slide

4. #BHUSA @BLACKHATEVENTS
   What is memory modificationʁ
   • The easiest way to cheat in games
   • For Android games, there is a well known cheat tool called
   GameGuardian
   

   View Slide

5. #BHUSA @BLACKHATEVENTS
   What are its advantages over other tools?
   • No root privileges are required for the operation
   • Therefore, there is no need to bypass root detection
   • Game apps often detect root
   • Works with colorful CUI
   • No competing tools that work with CUI for Android
   

   View Slide

6. #BHUSA @BLACKHATEVENTS
   Demo Movie
   

   View Slide

7. #BHUSA @BLACKHATEVENTS
   Usage (installation)
   • Download the binary from GitHub Releases
   • push the binary in /data/local/tmp/ on an Android device
   $ adb push medit /data/local/tmp/medit
   

   View Slide

8. #BHUSA @BLACKHATEVENTS
   Usage (to launch)
   • Use the run-as command to read / write files used by the APK
   • To access the memory without requiring root privileges
   • So apk-medit can only be used with apps that have theɹ
   debuggable attribute enabled
   

   View Slide

9. #BHUSA @BLACKHATEVENTS
   Usage (to launch)
   • To enable the debuggable attribute
   • open the AndroidManifest.xml and add the following xml
   attribute to the application xml node:
   android:debuggable="true"
   • Using apkutil, you can change the APK to be debuggable with
   a single command
   • https://github.com/aktsk/apkutil
   

   View Slide

10. #BHUSA @BLACKHATEVENTS
    Usage (to launch)
    $ adb shell
    $ pm list packages # to check
    $ run-as
    $ cp /data/local/tmp/medit ./medit
    $ ./medit
    • After running the run-as command, directory is changed
    • Copy medit from /data/local/tmp/
    • Running medit launches an interactive prompt
    

    View Slide

11. #BHUSA @BLACKHATEVENTS
    Usage (subcommands)
    • Many subcommands are available in the interactive prompt,
    but the three main ones are:
    • find - search the specified integer value in memory
    • filter - filter search results using the specified value
    • patch - write the specified value to the address
    found by the search
    

    View Slide

12. #BHUSA @BLACKHATEVENTS
    The memory modification flow
    • Use the “find” command to search the value on the UI
    • If many results are displayed, change the value on the UI to
    “filter” the results
    • When there are fewer results, you can modify the memory by
    using the "patch" command
    

    View Slide

13. #BHUSA @BLACKHATEVENTS
    How it works?
    • On Linux-based OSes, pseudo files are placed under /proc/ to
    access process information
    • The following paths are used:
    • /proc/[pid]/maps
    • /proc/[pid]/mem
    

    View Slide

14. #BHUSA @BLACKHATEVENTS
    /proc/[pid]/maps
    • /proc/[pid]/maps contains the memory map information
    • The memory map indicates which part of the memory the
    process, specified by the “pid", has permissions to read and
    write to
    

    View Slide

15. #BHUSA @BLACKHATEVENTS
    /proc/[pid]/maps
    sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps
    12c00000-12d40000 rw-p 00000000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@[email protected]
    6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@[email protected]
    6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@[email protected]
    6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@[email protected]
    6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@[email protected]
    6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@[email protected]
    6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@[email protected]
    6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@[email protected]
    6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@[email protected]
    ...
    

    View Slide

16. #BHUSA @BLACKHATEVENTS
    /proc/[pid]/mem
    • Using /proc/[pid]/mem, it is possible to read the memory held
    by the process specified by the “pid”
    • system calls can be used to read the memory
    • open(), read(), lseek()
    

    View Slide

17. #BHUSA @BLACKHATEVENTS
    How it works?
    • The Memory map tells us where we can read / write
    • It uses /proc/[pid]/mem to read the memory and search for the
    target value
    • When the target value is found, it uses /proc/[pid]/mem to patch
    the memory
    

    View Slide

18. #BHUSA @BLACKHATEVENTS
    What are the benefits of implementing
    using Golang on android devices?
    • Easy to prepare ELF binaries for ARM
    • Easy to invoke system calls
    • Easy to find the target byte in a large byte sequence quickly
    • Easy to distribute binaries by using GitHub Actions and
    GoReleaser
    

    View Slide

19. #BHUSA @BLACKHATEVENTS
    • Go compiler supports cross-compilation
    • GOOS, GOARCH environment variables are provided

    for specifying the OS and CPU
    Easy to prepare ELF binaries for ARM
    $ GOOS=linux GOARCH=arm64 GOARM=7 go build -o medit
    

    View Slide

20. #BHUSA @BLACKHATEVENTS
    • unix package wraps the system calls nicely
    • easy to invoke the system calls
    Easy to invoke system calls
    

    View Slide

21. #BHUSA @BLACKHATEVENTS
    • A fast string search algorithm called the Rabin-Karp is used
    inside bytes.Index()
    • Without implementing complex algorithms, I can quickly find
    data in the memory by simply using bytes.Index()
    Easy to find the target byte 

    in a large byte sequence quickly
    

    View Slide

22. #BHUSA @BLACKHATEVENTS
    • GitHub Actions and GoReleaser make it easy to 

    develop with Golang
    • When a tagged commit is uploaded to GitHub, the build runs
    via GitHub Actions and GoReleaser automatically registers the
    binary to Github Releases
    Easy to distribute binaries
    by using GitHub Actions and GoReleaser
    

    View Slide

23. #BHUSA @BLACKHATEVENTS
    Summary
    • apk-medit allows memory modifications without bypassing
    rooting detection
    • But there is a need to change the APK to be debuggable….
    • Golang is a useful language for building Android tools
    • I hope apk-medit will become the de facto standard 

    for security testing
    

    View Slide

24. #BHUSA @BLACKHATEVENTS
    Thank You!!

    https://github.com/aktsk/apk-medit
    

    View Slide