apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa

@tkmru
August 05, 2020

apk-medit is a memory search and patch tool for debuggable APKs that works without root and without the Android NDK. It was created for mobile game security testing.
Demo Movie: https://github.com/aktsk/apk-medit

- https://github.com/aktsk/apk-medit
- https://www.blackhat.com/us-20/arsenal/schedule/index.html#apk-medit-memory-search-and-patch-tool-for-apk-without-root--android-ndk-21026

Transcript

  1. #BHUSA @BLACKHATEVENTS
    apk-medit
    memory search and patch tool for APK
    without root & Android NDK
    Presented by Taichi Kotake

    Akatsuki Inc.

  2. Who I am
    • Name: Taichi Kotake
    • Country: Japan
    • Job: Security Engineer @ Akatsuki Inc.
    • GitHub: tkmru

  3. What is apk-medit?
    • Memory search and patch tool for debuggable APKs
    • Works without root & the Android NDK
    • For mobile security testing
    • https://github.com/aktsk/apk-medit

  4. What is memory modification?
    • The easiest way to cheat in games
    • For Android games, there is a well-known cheat tool called GameGuardian

  5. What are its advantages over other tools?
    • No root privileges are required for its operation
    • Therefore, there is no need to bypass root detection
    • Game apps often detect root
    • Works with a colorful CUI (command-line UI)
    • No competing CUI tools exist for Android

  6. Demo Movie

  7. Usage (installation)
    • Download the binary from GitHub Releases
    • Push the binary to /data/local/tmp/ on an Android device
    $ adb push medit /data/local/tmp/medit

  8. Usage (to launch)
    • Uses the run-as command to read / write files used by the APK
    • This gives access to the process memory without root privileges
    • So apk-medit can only be used with apps that have the
    debuggable attribute enabled

  9. Usage (to launch)
    • To enable the debuggable attribute, open AndroidManifest.xml
    and add the following attribute to the application node:
    android:debuggable="true"
    • Using apkutil, you can make the APK debuggable with
    a single command
    • https://github.com/aktsk/apkutil

  10. Usage (to launch)
    $ adb shell
    $ pm list packages # to find the package name
    $ run-as <package-name>
    $ cp /data/local/tmp/medit ./medit
    $ ./medit
    • After running run-as, the current directory changes to the
    app's data directory
    • Copy medit there from /data/local/tmp/
    • Running medit launches an interactive prompt

  11. Usage (subcommands)
    • Many subcommands are available in the interactive prompt,
    but the three main ones are:
    • find - search memory for the specified integer value
    • filter - narrow the search results using the specified value
    • patch - write the specified value to an address
    found by the search

  12. The memory modification flow
    • Use the "find" command to search for the value shown on the UI
    • If many results are displayed, change the value on the UI and
    "filter" the results with the new value
    • When only a few results remain, modify the memory with
    the "patch" command

  13. How does it work?
    • On Linux-based OSes, pseudo files under /proc/ expose
    process information
    • The following paths are used:
    • /proc/[pid]/maps
    • /proc/[pid]/mem

  14. /proc/[pid]/maps
    • /proc/[pid]/maps contains the memory map information
    • The memory map indicates which parts of memory the process
    specified by "pid" has permission to read and write

  15. /proc/[pid]/maps
    sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps
    12c00000-12d40000 rw-p 00000000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
    6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@[email protected]
    6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@[email protected]
    6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@[email protected]
    6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@[email protected]
    6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@[email protected]
    6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@[email protected]
    6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@[email protected]
    6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@[email protected]
    6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@[email protected]
    ...

  16. /proc/[pid]/mem
    • Through /proc/[pid]/mem it is possible to read the memory held
    by the process specified by "pid"
    • Ordinary system calls are used to read the memory:
    • open(), read(), lseek()

  17. How does it work?
    • The memory map tells us where we can read / write
    • apk-medit reads the memory through /proc/[pid]/mem and searches
    for the target value
    • When the target value is found, it writes the patch through
    /proc/[pid]/mem
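As an added worked example (not code from apk-medit), here is the search flow of the last few slides in Go: parse /proc/[pid]/maps for readable+writable regions, find every 4-byte occurrence of a value in a region's bytes with bytes.Index, and filter the candidates after the on-screen value changes. Region, ParseMaps, Find, Filter and the constructed SampleMaps (two lines taken from the maps listing above) are this example's own names; reading the region bytes from /proc/[pid]/mem and the patch write are left out.

```go
package main
import (
	"bytes"
	"encoding/binary"
	"fmt"
	"strings"
)

// Region is the "start-end" range of one /proc/[pid]/maps line.
type Region struct{ Start, End uint64 }
// SampleMaps is constructed from two lines of the maps listing shown in the talk.
const SampleMaps = "12c00000-12d40000 rw-p 00000000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)\n" +
	"12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)"
// ParseMaps keeps only readable+writable regions ("rw-p", "rwxp"); "---p" and "r--p" are skipped.
func ParseMaps(maps string) (out []Region, err error) {
	for _, line := range strings.Split(strings.TrimSpace(maps), "\n") {
		r, perms := Region{}, ""
		if _, err = fmt.Sscanf(line, "%x-%x %s", &r.Start, &r.End, &perms); err != nil {
			return nil, fmt.Errorf("malformed maps line %q: %w", line, err)
		}
		if strings.HasPrefix(perms, "rw") {
			out = append(out, r)
		}
	}
	return out, nil
}

// Find returns the absolute address of every 4-byte little-endian occurrence of
// value in mem, which holds the region's bytes as read from /proc/[pid]/mem.
func Find(r Region, mem []byte, value int32) (hits []uint64) {
	needle := make([]byte, 4)
	binary.LittleEndian.PutUint32(needle, uint32(value))
	for off := 0; ; off++ {
		i := bytes.Index(mem[off:], needle) // stdlib search; no custom algorithm needed
		if i < 0 {
			return hits
		}
		off += i
		hits = append(hits, r.Start+uint64(off))
	}
}

// Filter is step two of the flow: after the on-screen value has changed, keep only
// the candidate addresses that now hold the new value.
func Filter(r Region, mem []byte, cands []uint64, value int32) (keep []uint64) {
	for _, a := range cands {
		if off := a - r.Start; off+4 <= uint64(len(mem)) && int32(binary.LittleEndian.Uint32(mem[off:])) == value {
			keep = append(keep, a)
		}
	}
	return keep
}
```

Only the rw-p line of SampleMaps survives ParseMaps; on a real device the region bytes passed to Find and Filter would come from a pread on /proc/[pid]/mem at Region.Start.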

  18. What are the benefits of implementing it in Golang on Android devices?
    • Easy to prepare ELF binaries for ARM
    • Easy to invoke system calls
    • Easy to find the target bytes in a large byte sequence quickly
    • Easy to distribute binaries by using GitHub Actions and
    GoReleaser

  19. Easy to prepare ELF binaries for ARM
    • The Go compiler supports cross-compilation
    • The GOOS and GOARCH environment variables are provided
    for specifying the OS and CPU
    $ GOOS=linux GOARCH=arm64 GOARM=7 go build -o medit

  20. Easy to invoke system calls
    • The unix package (golang.org/x/sys/unix) wraps the system calls nicely
    • So it is easy to invoke the system calls

  21. Easy to find the target bytes
    in a large byte sequence quickly
    • A fast string search algorithm, Rabin-Karp, is used
    inside bytes.Index()
    • Without implementing complex algorithms, I can quickly find
    data in memory by simply using bytes.Index()

  22. Easy to distribute binaries
    by using GitHub Actions and GoReleaser
    • GitHub Actions and GoReleaser make it easy to
    develop with Golang
    • When a tagged commit is pushed to GitHub, the build runs
    via GitHub Actions and GoReleaser automatically registers the
    binary in GitHub Releases

  23. Summary
    • apk-medit allows memory modifications without bypassing
    root detection
    • But the APK still needs to be changed to be debuggable…
    • Golang is a useful language for building Android tools
    • I hope apk-medit will become the de facto standard
    for security testing

  24. Thank You!!

    https://github.com/aktsk/apk-medit