apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa

Transcript

1. #BHUSA @BLACKHATEVENTS apk-medit memory search and patch tool for APK

   without root & android NDK Presented by Taichi Kotake
 Akatsuki Inc.

2. #BHUSA @BLACKHATEVENTS Who I am • Name: Taichi Kotake •

   Country: Japan • Job: Security Engineer @ Akatsuki Inc. • GitHub: tkmru

3. #BHUSA @BLACKHATEVENTS What is apk-medit? • Memory search and patch

   tool for debuggable APK • Works without root & the android NDK • For mobile security testing • https://github.com/aktsk/apk-medit

4. #BHUSA @BLACKHATEVENTS What is memory modificationʁ • The easiest way

   to cheat in games • For Android games, there is a well known cheat tool called GameGuardian

5. #BHUSA @BLACKHATEVENTS What are its advantages over other tools? •

   No root privileges are required for the operation • Therefore, there is no need to bypass root detection • Game apps often detect root • Works with colorful CUI • No competing tools that work with CUI for Android

6. #BHUSA @BLACKHATEVENTS Demo Movie

7. #BHUSA @BLACKHATEVENTS Usage (installation) • Download the binary from GitHub

   Releases • push the binary in /data/local/tmp/ on an Android device $ adb push medit /data/local/tmp/medit

8. #BHUSA @BLACKHATEVENTS Usage (to launch) • Use the run-as command

   to read / write files used by the APK • To access the memory without requiring root privileges • So apk-medit can only be used with apps that have theɹ debuggable attribute enabled

9. #BHUSA @BLACKHATEVENTS Usage (to launch) • To enable the debuggable

   attribute • open the AndroidManifest.xml and add the following xml attribute to the application xml node: android:debuggable="true" • Using apkutil, you can change the APK to be debuggable with a single command • https://github.com/aktsk/apkutil

10. #BHUSA @BLACKHATEVENTS Usage (to launch) $ adb shell $ pm

    list packages # to check <target-package-name> $ run-as <target-package-name> $ cp /data/local/tmp/medit ./medit $ ./medit • After running the run-as command, directory is changed • Copy medit from /data/local/tmp/ • Running medit launches an interactive prompt

11. #BHUSA @BLACKHATEVENTS Usage (subcommands) • Many subcommands are available in

    the interactive prompt, but the three main ones are: • find <value> - search the specified integer value in memory • filter <value> - filter search results using the specified value • patch <value> - write the specified value to the address found by the search

12. #BHUSA @BLACKHATEVENTS The memory modification flow • Use the “find”

    command to search the value on the UI • If many results are displayed, change the value on the UI to “filter” the results • When there are fewer results, you can modify the memory by using the "patch" command

13. #BHUSA @BLACKHATEVENTS How it works? • On Linux-based OSes, pseudo

    files are placed under /proc/ to access process information • The following paths are used: • /proc/[pid]/maps • /proc/[pid]/mem

14. #BHUSA @BLACKHATEVENTS /proc/[pid]/maps • /proc/[pid]/maps contains the memory map information

    • The memory map indicates which part of the memory the process, specified by the “pid", has permissions to read and write to

15. #BHUSA @BLACKHATEVENTS /proc/[pid]/maps sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps 12c00000-12d40000 rw-p 00000000

    00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@[email protected] 6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@[email protected] 6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@[email protected] 6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@[email protected] 6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@[email protected] 6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@[email protected] 6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@[email protected] 6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@[email protected] 6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@[email protected] ...

16. #BHUSA @BLACKHATEVENTS /proc/[pid]/mem • Using /proc/[pid]/mem, it is possible to

    read the memory held by the process specified by the “pid” • system calls can be used to read the memory • open(), read(), lseek()

17. #BHUSA @BLACKHATEVENTS How it works? • The Memory map tells

    us where we can read / write • It uses /proc/[pid]/mem to read the memory and search for the target value • When the target value is found, it uses /proc/[pid]/mem to patch the memory

18. #BHUSA @BLACKHATEVENTS What are the benefits of implementing using Golang

    on android devices? • Easy to prepare ELF binaries for ARM • Easy to invoke system calls • Easy to find the target byte in a large byte sequence quickly • Easy to distribute binaries by using GitHub Actions and GoReleaser

19. #BHUSA @BLACKHATEVENTS • Go compiler supports cross-compilation • GOOS, GOARCH

    environment variables are provided
 for specifying the OS and CPU Easy to prepare ELF binaries for ARM $ GOOS=linux GOARCH=arm64 GOARM=7 go build -o medit

20. #BHUSA @BLACKHATEVENTS • unix package wraps the system calls nicely

    • easy to invoke the system calls Easy to invoke system calls

21. #BHUSA @BLACKHATEVENTS • A fast string search algorithm called the

    Rabin-Karp is used inside bytes.Index() • Without implementing complex algorithms, I can quickly find data in the memory by simply using bytes.Index() Easy to find the target byte 
 in a large byte sequence quickly

22. #BHUSA @BLACKHATEVENTS • GitHub Actions and GoReleaser make it easy

    to 
 develop with Golang • When a tagged commit is uploaded to GitHub, the build runs via GitHub Actions and GoReleaser automatically registers the binary to Github Releases Easy to distribute binaries by using GitHub Actions and GoReleaser

23. #BHUSA @BLACKHATEVENTS Summary • apk-medit allows memory modifications without bypassing

    rooting detection • But there is a need to change the APK to be debuggable…. • Golang is a useful language for building Android tools • I hope apk-medit will become the de facto standard 
 for security testing

24. #BHUSA @BLACKHATEVENTS Thank You!!
 https://github.com/aktsk/apk-medit