Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

20c5ddcad23304aed77ce8c3aa020562?s=47 @tkmru
October 30, 2020
Programming
0
130

apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

https://github.com/aktsk/apk-medit
https://github.com/aktsk/apkutil

20c5ddcad23304aed77ce8c3aa020562?s=128

@tkmru

October 30, 2020
Tweet

More Decks by @tkmru

See All by @tkmru
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
1.3k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
150
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
3
480
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
3k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
20
9.7k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
1.3k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
160
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
240
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
170

Other Decks in Programming

See All in Programming
6aaaf03c4f5c681d89c3078bd6070a6f?s=48 rumi_yamaguchi
0
1.5k
Fe1782174fa3f0a2d07011df414a1267?s=48 evils
0
240
Cb504213a5310e01faabbc0b3fca3d39?s=48 napple29
0
180
7166bc2cbc462ab5fd1987a76d0fe709?s=48 takahirom
1
220
265bcbb56e831266de7a9f9281aab57a?s=48 appleboy
0
160
89d1ae72e8683e44c744f4cab8d99f39?s=48 brainpadpr
1
1.6k
42a6a049ac8f5265f31858a9509217fb?s=48 uhooi
3
180
23e7f90fa36af44f13000c1229240984?s=48 uri
2
210
Ae7cc81ee2744719c66282681a219110?s=48 lnicolet
0
120
7a454a0e47136cf3f9a1048537e283db?s=48 fgiris
0
100
98df8bb11748bb59fef1aa1e474e8e02?s=48 komofr
0
130
E7526ec3e801f8ba99f6746498a154a6?s=48 rakyll
1
1.3k

Featured

See All Featured
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
36
2.5k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
105
11k
282d599b414022eba5096510f675b6e2?s=48 chrislema
174
14k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
350
20k
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
43
4.9k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
122
16k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
15
720
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
324
54k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
405
20k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
45
2.5k
79acae287842acf29084005533a7fb3b?s=48 hursman
111
9.5k

Transcript

  1. $0%&#-6&#MVFCPY 1SFTFOUFECZ5BJDIJ,PUBLF "LBUTVLJ*OD BQLNFEJU NFNPSZTFBSDIBOEQBUDIUPPMGPS"1, XJUIPVUSPPUBOESPJE/%,

  2. 8IP*BN w /BNF5BJDIJ,PUBLF w $PVOUZ+BQBO w +PC4FDVSJUZ&OHJOFFS!"LBUTVLJ*OD w 'PDVT(BNF4FDVSJUZ /FUXPSL1FOUFTU

    w (JU)VCULNSV

  3. .Z#PPLT

  4. 5PEBZT5PQJD 4FDVSJUZUFTUJOH GPSNPCJMFHBNFBQQT Photo by Shannon Potter on Unsplash

  5. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBOpOE NPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUPNPEJGZXJUISFRVFTUT SFTQPOTFTUPUIFTFSWFS "QQT 4FSWFST &OHJOFFSTVTJOHBQSPYZUPPM .PEJpFE3FRVFTU 3FTQPOTF

    3FRVFTU .PEJpFE3FTQPOTF

  6. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUHBNFMPHJDBOEBOUJDIFBUMPHJDJOUIFJSDMJFOUT  BOEUIFDMJFOUTOFFEUPUBLFUIFUJNFUPDIFDLJU w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ⒏DVMUUIBOBTJNQMFNPCJMFBQQ CFDBVTFPGUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHSFRVFTUTSFTQPOTFTFODSZQUJPO

    w 44-QJOOJOHCZQBTT w 3PPUQSJWJMFHFTEFUFDUJPOCZQBTT w .FNPSZNPEJpDBUJPO w FUD 5PEBZ`TUPQJD

  7. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FBSDIJOHGPSUIFWBMVFEJTQMBZFEPOUIF6*JOUIFEFWJDFTNFNPSZ BOENPEJGZJOHXJUIUIFWBMVFGPVOE w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFEɹɹ (BNF(VBSEJBO

  8. 8IBUJTBQLNFEJU w .FNPSZTFBSDIBOEQBUDIUPPMGPSEFCVHHBCMF"1, w 8PSLTXJUIPVUSPPUUIFBOESPJE/%, w *NQMFNFOUFEJO(PMBOH w 'PSNPCJMFTFDVSJUZUFTUJOH w

    "LBUTVLJTJOUFSOBMTFDVSJUZUFBNVTFTJUUPQFSGPSNTFDVSJUZUFTUTGPS NPCJMFHBNFBQQ w (JU)VCIUUQTHJUIVCDPNBLUTLBQLNFEJU

  9. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTTSPPUEFUFDUJPO w (BNFBQQTPGUFOEFUFDUSPPU w 8PSLTXJUIDPMPSGVM$6*

    w /PDPNQFUJOHUPPMTUIBUXPSLXJUI$6*GPS"OESPJE

  10. 6TBHF %FNP.PWJF

  11. 6TBHF *OTUBMMBUJPO w %PXOMPBEUIFCJOBSZGSPN(JU)VC3FMFBTFT w QVTIUIFCJOBSZJOEBUBMPDBMUNQPOBO"OESPJEEFWJDF $ adb push medit

    /data/local/tmp/medit

  12. 6TBHF 5PMBVODI w 6TFUIFSVOBTDPNNBOEUPSFBEXSJUFpMFTVTFECZUIF"1, w 5PBDDFTTUIFNFNPSZXJUIPVUSFRVJSJOHSPPUQSJWJMFHFT w 4PBQLNFEJUDBOPOMZCFVTFEXJUIBQQTUIBUIBWF UIFEFCVHHBCMFBUUSJCVUFFOBCMFE

  13. 6TBHF 5PMBVODI w 5PFOBCMFUIFEFCVHHBCMFBUUSJCVUF w PQFOUIF"OESPJE.BOJGFTUYNMBOEBEEUIFGPMMPXJOHYNMBUUSJCVUF UPUIFBQQMJDBUJPOYNMOPEF android:debuggable="true"

  14. 6TBHF .BLFEFCVHHBCMFVTJOHBQLVUJM w 6TJOHBQLVUJM ZPVDBODIBOHFUIF"1,UPCFEFCVHHBCMF XJUIBTJOHMFDPNNBOE w "OPUIFSUPPM*DSFBUFE w IUUQTHJUIVCDPNBLUTLBQLVUJM

    $ pip install git+ssh://git@github.com/aktsk/apkutil.git $ apkutil debuggable <target-apk-name>

  15. 6TBHF "OPUIFSUPPM*DSFBUFE BQLVUJM w BQLVUJMJTBVTFGVMVUJMJUZGPSBOESPJEBQQTFDVSJUZUFTUJOH w 0UIFSVTFGVMGFBUVSFT w 5BLJOHTDSFFOTIPU NPWFUPDPOOFDUFE1$

    w 3FTJHOJOHUIF"1, w $IFDLJOH"OESPJE.BOJGFTUYNMXIFOEFDPEFUIF"1, w FUD

  16. 6TBHF 5PMBVODI w "GUFSSVOOJOHUIFSVOBTDPNNBOE EJSFDUPSZJTDIBOHFE w $PQZNFEJUGSPNEBUBMPDBMUNQ w 3VOOJOHNFEJUMBVODIFTBOJOUFSBDUJWFQSPNQU $

    adb shell $ pm list packages # to check <target-package-name> $ run-as <target-package-name> $ cp /data/local/tmp/medit ./medit $ ./medit

  17. 6TBHF 4VCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFJOUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w pOEWBMVFTFBSDIUIFTQFDJpFEJOUFHFSWBMVFJONFNPSZ w pMUFSWBMVFpMUFSTFBSDISFTVMUTVTJOHUIFTQFDJpFEWBMVF

    w QBUDIWBMVFXSJUFUIFTQFDJpFEWBMVFUPUIFBEESFTTGPVOECZUIF TFBSDI

  18. 5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFlpOEzDPNNBOEUPTFBSDIUIFWBMVFPOUIF6* w *GNBOZSFTVMUTBSFEJTQMBZFE DIBOHFUIFWBMVFPOUIF6*UP lpMUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ

    CZVTJOHUIFQBUDIDPNNBOE

  19. )PXJUXPSLT Photo by Harrison Broadbent on Unsplash

  20. )PXJUXPSLT  w 0O-JOVYCBTFE04FT QTFVEPpMFTBSFQMBDFEVOEFSQSPDUPBDDFTT QSPDFTTJOGPSNBUJPO w 5IFGPMMPXJOHQBUITBSFVTFE w QSPD<QJE>NBQT

    w QSPD<QJE>NFN

  21. QSPD<QJE>NBQT w QSPD<QJE>NBQTDPOUBJOTUIFNFNPSZNBQJOGPSNBUJPO w 5IFNFNPSZNBQJOEJDBUFTXIJDIQBSUPGUIFNFNPSZUIFQSPDFTT  TQFDJpFECZUIFlQJE IBTQFSNJTTJPOTUPSFBEBOEXSJUFUP

  22. QSPD<QJE>NBQT sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps 12c00000-12d40000 rw-p 00000000 00:05 23292

    /dev/ashmem/dalvik-main space (region space) (deleted) 12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art 6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art 6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art 6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art 6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art 6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art 6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art 6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art 6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@framework@boot-bouncycastle.art ...

  23. QSPD<QJE>NFN w 6TJOHQSPD<QJE>NFN JUJTQPTTJCMFUPSFBEUIFNFNPSZIFMECZUIF QSPDFTTTQFDJpFECZUIFlQJEz w TZTUFNDBMMTDBOCFVTFEUPSFBEUIFNFNPSZ w PQFO SFBE

    MTFFL

  24. )PXJUXPSLT  w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w *UVTFTQSPD<QJE>NFNUPSFBEUIFNFNPSZBOETFBSDIGPSUIF UBSHFUWBMVF w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFTQSPD<QJE>NFNUPQBUDIUIF

    NFNPSZ

  25. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT Photo by Nandhu Kumar on Unsplash

  26. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT w &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w &BTZUPJOWPLFTZTUFNDBMMT w &BTZUPpOEUIFUBSHFUCZUFJOBMBSHFCZUFTFRVFODFRVJDLMZ w &BTZUPEJTUSJCVUFCJOBSJFTCZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS

  27. &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w (PDPNQJMFSTVQQPSUTDSPTTDPNQJMBUJPO w (004 (0"3$)FOWJSPONFOUWBSJBCMFTBSFQSPWJEFEGPSTQFDJGZJOH UIF04BOE$16 $ GOOS=linux GOARCH=arm64

    GOARM=7 go build -o medit

  28. &BTZUPJOWPLFTZTUFNDBMMT w 6OJYQBDLBHFXSBQTUIFTZTUFNDBMMTOJDFMZ w &BTZUPJOWPLFUIFTZTUFNDBMMT

  29. &BTZUPGJOEUIFUBSHFUCZUF JOBMBSHFCZUFTFRVFODFRVJDLMZ w "GBTUTUSJOHTFBSDIBMHPSJUINDBMMFEUIF3BCJO,BSQJTVTFEJOTJEF CZUFT*OEFY  w 8JUIPVUJNQMFNFOUJOHDPNQMFYBMHPSJUINT *DBORVJDLMZpOEEBUBJO UIFNFNPSZCZTJNQMZVTJOHCZUFT*OEFY

  30. &BTZUPEJTUSJCVUFCJOBSJFT CZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS w (JU)VC"DUJPOTBOE(P3FMFBTFSNBLFJUFBTZUP EFWFMPQXJUI(PMBOH w 8IFOBUBHHFEDPNNJUJTVQMPBEFEUP(JU)VC UIFCVJMESVOTWJB (JU)VC"DUJPOTBOE(P3FMFBTFSBVUPNBUJDBMMZSFHJTUFSTUIFCJOBSZUP (JUIVC3FMFBTFT

  31. 4VNNBSZ w BQLNFEJUBMMPXTNFNPSZNPEJpDBUJPOTXJUIPVUCZQBTTJOHSPPUJOH EFUFDUJPO w #VUUIFSFJTBOFFEUPDIBOHFUIF"1,UPCFEFCVHHBCMF w (PMBOHJTBVTFGVMMBOHVBHFGPSCVJMEJOH"OESPJEUPPMT w *IPQFBQLNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE

    GPSTFDVSJUZUFTUJOH

  32. 5IBOL:PV IUUQTHJUIVCDPNBLUTLBQLNFEJU