apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal

@tkmru
August 05, 2020

apk-medit is a memory search and patch tool for debuggable APKs that works without root or the Android NDK. It was created for mobile game security testing.
Demo movie: https://github.com/aktsk/apk-medit

- https://github.com/aktsk/apk-medit
- https://www.blackhat.com/us-20/arsenal/schedule/index.html#apk-medit-memory-search-and-patch-tool-for-apk-without-root--android-ndk-21026

  1. #BHUSA @BLACKHATEVENTS
     apk-medit: memory search and patch tool for APK without root & android NDK
     Presented by Taichi Kotake, Akatsuki Inc.
  2. Who I am
     • Name: Taichi Kotake
     • Country: Japan
     • Job: Security Engineer @ Akatsuki Inc.
     • GitHub: tkmru
  3. What is apk-medit?
     • Memory search and patch tool for debuggable APK
     • Works without root & the Android NDK
     • For mobile security testing
     • https://github.com/aktsk/apk-medit
  4. What is memory modification?
     • The easiest way to cheat in games
     • For Android games, there is a well-known cheat tool called GameGuardian
  5. What are its advantages over other tools?
     • No root privileges are required for the operation
     • Therefore, there is no need to bypass root detection
     • Game apps often detect root
     • Works with a colorful CUI (command-line UI)
     • No competing tools that work with a CUI for Android

  7. Usage (installation)
     • Download the binary from GitHub Releases
     • Push the binary to /data/local/tmp/ on an Android device
       $ adb push medit /data/local/tmp/medit
  8. Usage (to launch)
     • Use the run-as command to read / write files used by the APK
     • This is how the memory is accessed without requiring root privileges
     • run-as only works for debuggable packages, so apk-medit can only be used with apps that have the debuggable attribute enabled
  9. Usage (to launch)
     • To enable the debuggable attribute, open the AndroidManifest.xml and add the following XML attribute to the application node:
       android:debuggable="true"
     • Using apkutil, you can change the APK to be debuggable with a single command
     • https://github.com/aktsk/apkutil
  10. Usage (to launch)
       $ adb shell
       $ pm list packages   # to check <target-package-name>
       $ run-as <target-package-name>
       $ cp /data/local/tmp/medit ./medit
       $ ./medit
     • After running the run-as command, the current directory changes to the package's data directory
     • Copy medit from /data/local/tmp/
     • Running medit launches an interactive prompt
  11. Usage (subcommands)
     • Many subcommands are available in the interactive prompt, but the three main ones are:
     • find <value> - search memory for the specified integer value
     • filter <value> - filter the search results using the specified value
     • patch <value> - write the specified value to the address found by the search
  12. The memory modification flow
     • Use the "find" command to search for the value shown on the UI
     • If many results are displayed, change the value on the UI and use "filter" to narrow the results
     • When there are fewer results, you can modify the memory with the "patch" command
  13. How does it work?
     • On Linux-based OSes, pseudo files are placed under /proc/ to access process information
     • The following paths are used:
       • /proc/[pid]/maps
       • /proc/[pid]/mem
  14. /proc/[pid]/maps
     • /proc/[pid]/maps contains the memory map information
     • The memory map indicates which parts of the memory the process specified by the "pid" has permission to read and write
  15. /proc/[pid]/maps
       sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps
       12c00000-12d40000 rw-p 00000000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
       12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
       133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
       13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
       13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
       14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
       6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art
       6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art
       6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art
       6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art
       6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art
       6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art
       6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art
       6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art
       6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@framework@boot-bouncycastle.art
       ...
  16. /proc/[pid]/mem
     • Using /proc/[pid]/mem, it is possible to read the memory held by the process specified by the "pid"
     • System calls can be used to read the memory: open(), read(), lseek()
  17. How does it work?
     • The memory map tells us where we can read / write
     • It uses /proc/[pid]/mem to read the memory and search for the target value
     • When the target value is found, it uses /proc/[pid]/mem to patch the memory
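The flow on slides 13 to 17, as an added example written for this page (it is not apk-medit's own code): a parser for /proc/[pid]/maps, a permission filter that keeps only rw mappings, and find / filter / patch over a byte snapshot that stands in for the bytes pread() from /proc/[pid]/mem. The search uses bytes.Index, as slide 21 describes. Region, ParseMaps, WritableRegions, Find, Filter, Patch, SampleMaps and SampleMemory are names chosen here; the maps text is a constructed excerpt in the format shown on slide 15, and the memory contents are constructed, so the program never touches a real process.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Region is one parsed line of /proc/[pid]/maps.
type Region struct {
	Start uint64 // first address of the mapping (inclusive)
	End   uint64 // last address + 1
	Perms string // e.g. "rw-p"
	Path  string // backing file, empty for anonymous mappings
}

// ParseMaps parses the text of /proc/[pid]/maps. Each line looks like
// "start-end perms offset dev inode [path]"; the path may contain spaces.
func ParseMaps(text string) ([]Region, error) {
	var regions []Region
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 5 {
			return nil, fmt.Errorf("malformed maps line: %q", line)
		}
		rng := strings.SplitN(fields[0], "-", 2)
		if len(rng) != 2 {
			return nil, fmt.Errorf("malformed address range: %q", fields[0])
		}
		start, err := strconv.ParseUint(rng[0], 16, 64)
		if err != nil {
			return nil, err
		}
		end, err := strconv.ParseUint(rng[1], 16, 64)
		if err != nil {
			return nil, err
		}
		var path string
		if len(fields) > 5 {
			path = strings.Join(fields[5:], " ")
		}
		regions = append(regions, Region{Start: start, End: end, Perms: fields[1], Path: path})
	}
	return regions, sc.Err()
}

// WritableRegions keeps only mappings the process can both read and write.
// "---p" guard pages and read-only mappings are skipped; a pread() on a
// range the process cannot read fails with EIO, so this filter is what
// keeps the scan from erroring out.
func WritableRegions(regions []Region) []Region {
	var out []Region
	for _, r := range regions {
		if len(r.Perms) >= 2 && r.Perms[0] == 'r' && r.Perms[1] == 'w' {
			out = append(out, r)
		}
	}
	return out
}

// encodeInt32 renders value as the 4 little-endian bytes an ARM process stores.
func encodeInt32(value int32) []byte {
	b := make([]byte, 4)
	binary.LittleEndian.PutUint32(b, uint32(value))
	return b
}

// Find returns every absolute address inside region r at which the little-endian
// int32 value occurs in mem (the bytes read starting at r.Start). bytes.Index does
// the scanning; advancing one byte past each hit also finds overlapping matches.
func Find(r Region, mem []byte, value int32) []uint64 {
	needle := encodeInt32(value)
	var hits []uint64
	for off := 0; off+len(needle) <= len(mem); {
		i := bytes.Index(mem[off:], needle)
		if i < 0 {
			break
		}
		hits = append(hits, r.Start+uint64(off+i))
		off += i + 1
	}
	return hits
}

// Filter re-reads each earlier hit and keeps only those whose current contents
// equal value (the "change the value on the UI, then filter" step).
func Filter(r Region, mem []byte, hits []uint64, value int32) []uint64 {
	needle := encodeInt32(value)
	var kept []uint64
	for _, addr := range hits {
		if addr < r.Start {
			continue
		}
		off := addr - r.Start
		if off+4 > uint64(len(mem)) {
			continue
		}
		if bytes.Equal(mem[off:off+4], needle) {
			kept = append(kept, addr)
		}
	}
	return kept
}

// Patch overwrites the int32 at addr. On a device this is a pwrite() to
// /proc/[pid]/mem; here mem is the in-memory stand-in for that file.
func Patch(r Region, mem []byte, addr uint64, value int32) error {
	if addr < r.Start || addr+4 > r.End {
		return errors.New("address outside region")
	}
	off := addr - r.Start
	if off+4 > uint64(len(mem)) {
		return errors.New("address beyond captured bytes")
	}
	copy(mem[off:off+4], encodeInt32(value))
	return nil
}

// SampleMaps is a constructed excerpt in the format of the maps output on slide 15.
const SampleMaps = `12c00000-12d40000 rw-p 00000000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted)
6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art
7e9a000000-7e9a021000 rw-p 00000000 00:00 0
`

// SampleMemory builds a constructed 64-byte snapshot of the first writable region:
// the value 1000 at offsets 8 and 40 (two candidates, only one is the real counter)
// and filler bytes elsewhere.
func SampleMemory() []byte {
	mem := bytes.Repeat([]byte{0x11}, 64)
	copy(mem[8:], encodeInt32(1000))
	copy(mem[40:], encodeInt32(1000))
	return mem
}

func main() {
	regions, err := ParseMaps(SampleMaps)
	if err != nil {
		panic(err)
	}
	rw := WritableRegions(regions)
	r := rw[0]
	mem := SampleMemory()
	hits := Find(r, mem, 1000)        // "find 1000": two candidates
	copy(mem[40:], encodeInt32(1100)) // the UI now shows 1100; only the real counter changed
	hits = Filter(r, mem, hits, 1100) // "filter 1100": one candidate left
	if err := Patch(r, mem, hits[0], 999999); err != nil {
		panic(err)
	}
	fmt.Printf("%d writable regions, patched 0x%x\n", len(rw), hits[0])
}
```

The permission filter is the part that matters in practice: the maps output above is full of "---p" and "r--p" ranges, and a scanner that reads them blindly spends its time on EIO errors and on read-only ART images that can never hold the value being looked for.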
  18. What are the benefits of implementing it in Golang for Android devices?
     • Easy to prepare ELF binaries for ARM
     • Easy to invoke system calls
     • Easy to find the target bytes in a large byte sequence quickly
     • Easy to distribute binaries by using GitHub Actions and GoReleaser
  19. Easy to prepare ELF binaries for ARM
     • The Go compiler supports cross-compilation
     • The GOOS and GOARCH environment variables are provided for specifying the OS and CPU
       $ GOOS=linux GOARCH=arm64 GOARM=7 go build -o medit
  20. Easy to invoke system calls
     • The unix package wraps the system calls nicely
     • Easy to invoke the system calls
  21. Easy to find the target bytes in a large byte sequence quickly
     • A fast string search algorithm called Rabin-Karp is used inside bytes.Index()
     • Without implementing complex algorithms, I can quickly find data in the memory by simply using bytes.Index()
  22. Easy to distribute binaries by using GitHub Actions and GoReleaser
     • GitHub Actions and GoReleaser make it easy to develop with Golang
     • When a tagged commit is pushed to GitHub, the build runs via GitHub Actions and GoReleaser automatically registers the binary in GitHub Releases
  23. Summary
     • apk-medit allows memory modifications without bypassing root detection
     • But there is a need to change the APK to be debuggable...
     • Golang is a useful language for building Android tools
     • I hope apk-medit will become the de facto standard for security testing