Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apk-medit: memory search and patch tool for deb...

@tkmru
August 05, 2020
Programming
0
4.1k

apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa

Apk-medit is a memory search and patch tool for debuggable APK without root & android NDK. It was created for mobile game security testing.
Demo Movie: https://github.com/aktsk/apk-medit

- https://github.com/aktsk/apk-medit
- https://www.blackhat.com/us-20/arsenal/schedule/index.html#apk-medit-memory-search-and-patch-tool-for-apk-without-root--android-ndk-21026

@tkmru

August 05, 2020
Tweet

More Decks by @tkmru

See All by @tkmru
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
2
1.2k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
300
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
160
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
5.2k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
4.4k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
860
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
190
めんどうくさいゲームセキュリティ
tkmru
20
11k
Linux Rootkit Internals
tkmru
1
2k

Other Decks in Programming

See All in Programming
From the Wild into the Clouds - Laravel Meetup Talk
neverything
0
170
Rubyで始める関数型ドメインモデリング
shogo_tksk
0
140
Serverless Rust: Your Low-Risk Entry Point to Rust in Production (and the benefits are huge)
lmammino
1
160
負債になりにくいCSSをデザイナとつくるには?
fsubal
10
2.6k
お前もAI鬼にならないか?👹Bolt & Cursor & Supabase & Vercelで人間をやめるぞ、ジョジョー!👺
taishiyade
7
4.2k
Rails 1.0 のコードで学ぶ find_by* と method_missing の仕組み / Learn how find_by_* and method_missing work in Rails 1.0 code
maimux2x
1
250
PRレビューのお供にDanger
stoticdev
1
240
仕様変更に耐えるための"今の"DRY原則を考える
mkmk884
9
3.2k
自力でTTSモデルを作った話
zgock999
0
110
15分で学ぶDuckDBの可愛い使い方 DuckDBの最近の更新
notrogue
3
540
Rubyと自由とAIと
yotii23
6
1.8k
Djangoにおける複数ユーザー種別認証の設計アプローチ@DjangoCongress JP 2025
delhi09
PRO
4
490

Featured

See All Featured
Gamification - CAS2011
davidbonilla
80
5.2k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k
Bootstrapping a Software Product
garrettdimon
PRO
306
110k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
The Language of Interfaces
destraynor
156
24k
The World Runs on Bad Software
bkeepers
PRO
67
11k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Designing for Performance
lara
604
68k
Unsuck your backbone
ammeep
669
57k
Building Flexible Design Systems
yeseniaperezcruz
328
38k

Transcript

  1. #BHUSA @BLACKHATEVENTS apk-medit memory search and patch tool for APK

    without root & android NDK Presented by Taichi Kotake
 Akatsuki Inc.

  2. #BHUSA @BLACKHATEVENTS Who I am • Name: Taichi Kotake •

    Country: Japan • Job: Security Engineer @ Akatsuki Inc. • GitHub: tkmru

  3. #BHUSA @BLACKHATEVENTS What is apk-medit? • Memory search and patch

    tool for debuggable APK • Works without root & the android NDK • For mobile security testing • https://github.com/aktsk/apk-medit

  4. #BHUSA @BLACKHATEVENTS What is memory modificationʁ • The easiest way

    to cheat in games • For Android games, there is a well known cheat tool called GameGuardian

  5. #BHUSA @BLACKHATEVENTS What are its advantages over other tools? •

    No root privileges are required for the operation • Therefore, there is no need to bypass root detection • Game apps often detect root • Works with colorful CUI • No competing tools that work with CUI for Android

  6. #BHUSA @BLACKHATEVENTS Demo Movie

  7. #BHUSA @BLACKHATEVENTS Usage (installation) • Download the binary from GitHub

    Releases • push the binary in /data/local/tmp/ on an Android device $ adb push medit /data/local/tmp/medit

  8. #BHUSA @BLACKHATEVENTS Usage (to launch) • Use the run-as command

    to read / write files used by the APK • To access the memory without requiring root privileges • So apk-medit can only be used with apps that have theɹ debuggable attribute enabled

  9. #BHUSA @BLACKHATEVENTS Usage (to launch) • To enable the debuggable

    attribute • open the AndroidManifest.xml and add the following xml attribute to the application xml node: android:debuggable="true" • Using apkutil, you can change the APK to be debuggable with a single command • https://github.com/aktsk/apkutil

  10. #BHUSA @BLACKHATEVENTS Usage (to launch) $ adb shell $ pm

    list packages # to check <target-package-name> $ run-as <target-package-name> $ cp /data/local/tmp/medit ./medit $ ./medit • After running the run-as command, directory is changed • Copy medit from /data/local/tmp/ • Running medit launches an interactive prompt

  11. #BHUSA @BLACKHATEVENTS Usage (subcommands) • Many subcommands are available in

    the interactive prompt, but the three main ones are: • find <value> - search the specified integer value in memory • filter <value> - filter search results using the specified value • patch <value> - write the specified value to the address found by the search

  12. #BHUSA @BLACKHATEVENTS The memory modification flow • Use the “find”

    command to search the value on the UI • If many results are displayed, change the value on the UI to “filter” the results • When there are fewer results, you can modify the memory by using the "patch" command

  13. #BHUSA @BLACKHATEVENTS How it works? • On Linux-based OSes, pseudo

    files are placed under /proc/ to access process information • The following paths are used: • /proc/[pid]/maps • /proc/[pid]/mem

  14. #BHUSA @BLACKHATEVENTS /proc/[pid]/maps • /proc/[pid]/maps contains the memory map information

    • The memory map indicates which part of the memory the process, specified by the “pid", has permissions to read and write to

  15. #BHUSA @BLACKHATEVENTS /proc/[pid]/maps sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps 12c00000-12d40000 rw-p 00000000

    00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art 6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art 6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art 6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art 6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art 6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art 6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art 6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art 6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@framework@boot-bouncycastle.art ...

  16. #BHUSA @BLACKHATEVENTS /proc/[pid]/mem • Using /proc/[pid]/mem, it is possible to

    read the memory held by the process specified by the “pid” • system calls can be used to read the memory • open(), read(), lseek()

  17. #BHUSA @BLACKHATEVENTS How it works? • The Memory map tells

    us where we can read / write • It uses /proc/[pid]/mem to read the memory and search for the target value • When the target value is found, it uses /proc/[pid]/mem to patch the memory

  18. #BHUSA @BLACKHATEVENTS What are the benefits of implementing using Golang

    on android devices? • Easy to prepare ELF binaries for ARM • Easy to invoke system calls • Easy to find the target byte in a large byte sequence quickly • Easy to distribute binaries by using GitHub Actions and GoReleaser

  19. #BHUSA @BLACKHATEVENTS • Go compiler supports cross-compilation • GOOS, GOARCH

    environment variables are provided
 for specifying the OS and CPU Easy to prepare ELF binaries for ARM $ GOOS=linux GOARCH=arm64 GOARM=7 go build -o medit

  20. #BHUSA @BLACKHATEVENTS • unix package wraps the system calls nicely

    • easy to invoke the system calls Easy to invoke system calls

  21. #BHUSA @BLACKHATEVENTS • A fast string search algorithm called the

    Rabin-Karp is used inside bytes.Index() • Without implementing complex algorithms, I can quickly find data in the memory by simply using bytes.Index() Easy to find the target byte 
 in a large byte sequence quickly

  22. #BHUSA @BLACKHATEVENTS • GitHub Actions and GoReleaser make it easy

    to 
 develop with Golang • When a tagged commit is uploaded to GitHub, the build runs via GitHub Actions and GoReleaser automatically registers the binary to Github Releases Easy to distribute binaries by using GitHub Actions and GoReleaser

  23. #BHUSA @BLACKHATEVENTS Summary • apk-medit allows memory modifications without bypassing

    rooting detection • But there is a need to change the APK to be debuggable…. • Golang is a useful language for building Android tools • I hope apk-medit will become the de facto standard 
 for security testing

  24. #BHUSA @BLACKHATEVENTS Thank You!!
 https://github.com/aktsk/apk-medit