Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apk-medit: memory search and patch tool for deb...

Avatar for @tkmru @tkmru
October 30, 2020
Programming
0
200

apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

https://github.com/aktsk/apk-medit
https://github.com/aktsk/apkutil
Avatar for @tkmru

@tkmru

October 30, 2020
Tweet

More Decks by @tkmru

See All by @tkmru
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
Avatar for @tkmru tkmru
2
1.5k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
Avatar for @tkmru tkmru
0
330
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
Avatar for @tkmru tkmru
0
170
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
Avatar for @tkmru tkmru
0
5.4k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
Avatar for @tkmru tkmru
1
4.5k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
Avatar for @tkmru tkmru
3
890
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
Avatar for @tkmru tkmru
0
4.2k
めんどうくさいゲームセキュリティ
Avatar for @tkmru tkmru
20
11k
Linux Rootkit Internals
Avatar for @tkmru tkmru
1
2k

Other Decks in Programming

See All in Programming
Flutterで備える!Accessibility Nutrition Labels完全ガイド
Avatar for 野瀬田 裕樹 yuukiw00w
0
160
型で語るカタ
Avatar for irof irof
0
130
git worktree × Claude Code × MCP ~生成AI時代の並列開発フロー~
Avatar for hisuzuya hisuzuya
1
580
#QiitaBash MCPのセキュリティ
Avatar for Tommy(sigma) ryosukedtomita
1
1.4k
Node-RED を(HTTP で)つなげる MCP サーバーを作ってみた
Avatar for High U highu
0
120
Is Xcode slowly dying out in 2025?
Avatar for 上ちょ / uetyo uetyo
1
280
20250628_非エンジニアがバイブコーディングしてみた
Avatar for ponponmikan ponponmikankan
0
700
Deep Dive into ~/.claude/projects
Avatar for Yuya Hirayama hiragram
14
2.6k
明示と暗黙 ー PHPとGoの インターフェイスの違いを知る
Avatar for shimabox shimabox
2
520
プロダクト志向なエンジニアがもう一歩先の価値を目指すために意識したこと
Avatar for Nealle nealle
0
130
テストから始めるAgentic Coding 〜Claude Codeと共に行うTDD〜 / Agentic Coding starts with testing
Avatar for r-kagaya rkaga
13
4.7k
Goで作る、開発・CI環境
Avatar for Shinpei Mine sin392
0
240

Featured

See All Featured
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.3k
It's Worth the Effort
Avatar for 3n 3n
185
28k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.7k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
251
21k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
184
22k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
740
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
23
3.5k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
8
690
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
PRO
20
1.3k

Transcript

  1. $0%&#-6&#MVFCPY 1SFTFOUFECZ5BJDIJ,PUBLF "LBUTVLJ*OD BQLNFEJU NFNPSZTFBSDIBOEQBUDIUPPMGPS"1, XJUIPVUSPPUBOESPJE/%,

  2. 8IP*BN w /BNF5BJDIJ,PUBLF w $PVOUZ+BQBO w +PC4FDVSJUZ&OHJOFFS!"LBUTVLJ*OD w 'PDVT(BNF4FDVSJUZ /FUXPSL1FOUFTU

    w (JU)VCULNSV

  3. .Z#PPLT

  4. 5PEBZT5PQJD 4FDVSJUZUFTUJOH GPSNPCJMFHBNFBQQT Photo by Shannon Potter on Unsplash

  5. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBOpOE NPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUPNPEJGZXJUISFRVFTUT SFTQPOTFTUPUIFTFSWFS "QQT 4FSWFST &OHJOFFSTVTJOHBQSPYZUPPM .PEJpFE3FRVFTU 3FTQPOTF

    3FRVFTU .PEJpFE3FTQPOTF

  6. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUHBNFMPHJDBOEBOUJDIFBUMPHJDJOUIFJSDMJFOUT  BOEUIFDMJFOUTOFFEUPUBLFUIFUJNFUPDIFDLJU w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ⒏DVMUUIBOBTJNQMFNPCJMFBQQ CFDBVTFPGUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHSFRVFTUTSFTQPOTFTFODSZQUJPO

    w 44-QJOOJOHCZQBTT w 3PPUQSJWJMFHFTEFUFDUJPOCZQBTT w .FNPSZNPEJpDBUJPO w FUD 5PEBZ`TUPQJD

  7. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FBSDIJOHGPSUIFWBMVFEJTQMBZFEPOUIF6*JOUIFEFWJDFTNFNPSZ BOENPEJGZJOHXJUIUIFWBMVFGPVOE w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFEɹɹ (BNF(VBSEJBO

  8. 8IBUJTBQLNFEJU w .FNPSZTFBSDIBOEQBUDIUPPMGPSEFCVHHBCMF"1, w 8PSLTXJUIPVUSPPUUIFBOESPJE/%, w *NQMFNFOUFEJO(PMBOH w 'PSNPCJMFTFDVSJUZUFTUJOH w

    "LBUTVLJTJOUFSOBMTFDVSJUZUFBNVTFTJUUPQFSGPSNTFDVSJUZUFTUTGPS NPCJMFHBNFBQQ w (JU)VCIUUQTHJUIVCDPNBLUTLBQLNFEJU

  9. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTTSPPUEFUFDUJPO w (BNFBQQTPGUFOEFUFDUSPPU w 8PSLTXJUIDPMPSGVM$6*

    w /PDPNQFUJOHUPPMTUIBUXPSLXJUI$6*GPS"OESPJE

  10. 6TBHF %FNP.PWJF

  11. 6TBHF *OTUBMMBUJPO w %PXOMPBEUIFCJOBSZGSPN(JU)VC3FMFBTFT w QVTIUIFCJOBSZJOEBUBMPDBMUNQPOBO"OESPJEEFWJDF $ adb push medit

    /data/local/tmp/medit

  12. 6TBHF 5PMBVODI w 6TFUIFSVOBTDPNNBOEUPSFBEXSJUFpMFTVTFECZUIF"1, w 5PBDDFTTUIFNFNPSZXJUIPVUSFRVJSJOHSPPUQSJWJMFHFT w 4PBQLNFEJUDBOPOMZCFVTFEXJUIBQQTUIBUIBWF UIFEFCVHHBCMFBUUSJCVUFFOBCMFE

  13. 6TBHF 5PMBVODI w 5PFOBCMFUIFEFCVHHBCMFBUUSJCVUF w PQFOUIF"OESPJE.BOJGFTUYNMBOEBEEUIFGPMMPXJOHYNMBUUSJCVUF UPUIFBQQMJDBUJPOYNMOPEF android:debuggable="true"

  14. 6TBHF .BLFEFCVHHBCMFVTJOHBQLVUJM w 6TJOHBQLVUJM ZPVDBODIBOHFUIF"1,UPCFEFCVHHBCMF XJUIBTJOHMFDPNNBOE w "OPUIFSUPPM*DSFBUFE w IUUQTHJUIVCDPNBLUTLBQLVUJM

    $ pip install git+ssh://[email protected]/aktsk/apkutil.git $ apkutil debuggable <target-apk-name>

  15. 6TBHF "OPUIFSUPPM*DSFBUFE BQLVUJM w BQLVUJMJTBVTFGVMVUJMJUZGPSBOESPJEBQQTFDVSJUZUFTUJOH w 0UIFSVTFGVMGFBUVSFT w 5BLJOHTDSFFOTIPU NPWFUPDPOOFDUFE1$

    w 3FTJHOJOHUIF"1, w $IFDLJOH"OESPJE.BOJGFTUYNMXIFOEFDPEFUIF"1, w FUD

  16. 6TBHF 5PMBVODI w "GUFSSVOOJOHUIFSVOBTDPNNBOE EJSFDUPSZJTDIBOHFE w $PQZNFEJUGSPNEBUBMPDBMUNQ w 3VOOJOHNFEJUMBVODIFTBOJOUFSBDUJWFQSPNQU $

    adb shell $ pm list packages # to check <target-package-name> $ run-as <target-package-name> $ cp /data/local/tmp/medit ./medit $ ./medit

  17. 6TBHF 4VCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFJOUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w pOEWBMVFTFBSDIUIFTQFDJpFEJOUFHFSWBMVFJONFNPSZ w pMUFSWBMVFpMUFSTFBSDISFTVMUTVTJOHUIFTQFDJpFEWBMVF

    w QBUDIWBMVFXSJUFUIFTQFDJpFEWBMVFUPUIFBEESFTTGPVOECZUIF TFBSDI

  18. 5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFlpOEzDPNNBOEUPTFBSDIUIFWBMVFPOUIF6* w *GNBOZSFTVMUTBSFEJTQMBZFE DIBOHFUIFWBMVFPOUIF6*UP lpMUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ

    CZVTJOHUIFQBUDIDPNNBOE

  19. )PXJUXPSLT Photo by Harrison Broadbent on Unsplash

  20. )PXJUXPSLT  w 0O-JOVYCBTFE04FT QTFVEPpMFTBSFQMBDFEVOEFSQSPDUPBDDFTT QSPDFTTJOGPSNBUJPO w 5IFGPMMPXJOHQBUITBSFVTFE w QSPD<QJE>NBQT

    w QSPD<QJE>NFN

  21. QSPD<QJE>NBQT w QSPD<QJE>NBQTDPOUBJOTUIFNFNPSZNBQJOGPSNBUJPO w 5IFNFNPSZNBQJOEJDBUFTXIJDIQBSUPGUIFNFNPSZUIFQSPDFTT  TQFDJpFECZUIFlQJE IBTQFSNJTTJPOTUPSFBEBOEXSJUFUP

  22. QSPD<QJE>NBQT sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps 12c00000-12d40000 rw-p 00000000 00:05 23292

    /dev/ashmem/dalvik-main space (region space) (deleted) 12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@[email protected] 6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@[email protected] 6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@[email protected] 6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@[email protected] 6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@[email protected] 6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@[email protected] 6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@[email protected] 6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@[email protected] 6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@[email protected] ...

  23. QSPD<QJE>NFN w 6TJOHQSPD<QJE>NFN JUJTQPTTJCMFUPSFBEUIFNFNPSZIFMECZUIF QSPDFTTTQFDJpFECZUIFlQJEz w TZTUFNDBMMTDBOCFVTFEUPSFBEUIFNFNPSZ w PQFO SFBE

    MTFFL

  24. )PXJUXPSLT  w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w *UVTFTQSPD<QJE>NFNUPSFBEUIFNFNPSZBOETFBSDIGPSUIF UBSHFUWBMVF w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFTQSPD<QJE>NFNUPQBUDIUIF

    NFNPSZ

  25. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT Photo by Nandhu Kumar on Unsplash

  26. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT w &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w &BTZUPJOWPLFTZTUFNDBMMT w &BTZUPpOEUIFUBSHFUCZUFJOBMBSHFCZUFTFRVFODFRVJDLMZ w &BTZUPEJTUSJCVUFCJOBSJFTCZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS

  27. &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w (PDPNQJMFSTVQQPSUTDSPTTDPNQJMBUJPO w (004 (0"3$)FOWJSPONFOUWBSJBCMFTBSFQSPWJEFEGPSTQFDJGZJOH UIF04BOE$16 $ GOOS=linux GOARCH=arm64

    GOARM=7 go build -o medit

  28. &BTZUPJOWPLFTZTUFNDBMMT w 6OJYQBDLBHFXSBQTUIFTZTUFNDBMMTOJDFMZ w &BTZUPJOWPLFUIFTZTUFNDBMMT

  29. &BTZUPGJOEUIFUBSHFUCZUF JOBMBSHFCZUFTFRVFODFRVJDLMZ w "GBTUTUSJOHTFBSDIBMHPSJUINDBMMFEUIF3BCJO,BSQJTVTFEJOTJEF CZUFT*OEFY  w 8JUIPVUJNQMFNFOUJOHDPNQMFYBMHPSJUINT *DBORVJDLMZpOEEBUBJO UIFNFNPSZCZTJNQMZVTJOHCZUFT*OEFY

  30. &BTZUPEJTUSJCVUFCJOBSJFT CZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS w (JU)VC"DUJPOTBOE(P3FMFBTFSNBLFJUFBTZUP EFWFMPQXJUI(PMBOH w 8IFOBUBHHFEDPNNJUJTVQMPBEFEUP(JU)VC UIFCVJMESVOTWJB (JU)VC"DUJPOTBOE(P3FMFBTFSBVUPNBUJDBMMZSFHJTUFSTUIFCJOBSZUP (JUIVC3FMFBTFT

  31. 4VNNBSZ w BQLNFEJUBMMPXTNFNPSZNPEJpDBUJPOTXJUIPVUCZQBTTJOHSPPUJOH EFUFDUJPO w #VUUIFSFJTBOFFEUPDIBOHFUIF"1,UPCFEFCVHHBCMF w (PMBOHJTBVTFGVMMBOHVBHFGPSCVJMEJOH"OESPJEUPPMT w *IPQFBQLNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE

    GPSTFDVSJUZUFTUJOH

  32. 5IBOL:PV IUUQTHJUIVCDPNBLUTLBQLNFEJU