apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

Transcript

1. $0%&
   #-6&
   
   #MVFCPY
   1SFTFOUFE
   CZ
   5BJDIJ
   ,PUBLF
   "LBUTVLJ
   *OD BQLNFEJU NFNPSZ
   TFBSDI
   BOE
   QBUDI
   UPPM
   GPS
   "1,
   XJUIPVU
   SPPU
   
   BOESPJE
   /%,

2. 8IP
   *
   BN w /BNF
   
   
   
   
   5BJDIJ
   ,PUBLF
   w $PVOUZ
   
   
   +BQBO
   w +PC
   
   
   
   
   
   
   
   4FDVSJUZ
   &OHJOFFS
   !
   "LBUTVLJ
   *OD
   w 'PDVT
   (BNF
   4FDVSJUZ
   /FUXPSL
   1FOUFTU
   

   w (JU)VC
   
   
   ULNSV

3. .Z
   #PPLT

4. 5PEBZT
   5PQJD
   4FDVSJUZ
   UFTUJOH
   
   GPS
   NPCJMF
   HBNF
   BQQT Photo by Shannon Potter on Unsplash

5. 4FDVSJUZ
   UFTUJOH
   GPS
   NPCJMF
   HBNF
   BQQT w 4FDVSJUZ
   UFTUJOH
   PG
   XFC
   BQQMJDBUJPOT
   BOE
   TJNQMF
   NPCJMF
   BQQT
   DBO
   pOE
   NPTU
   WVMOFSBCJMJUJFT
   CZ
   VTJOH
   B
   QSPYZ
   UPPM
   UP
   NPEJGZ
   XJUI
   SFRVFTUT SFTQPOTFT
   UP
   UIF
   TFSWFS "QQT 4FSWFST &OHJOFFST
   VTJOH
   B
   QSPYZ
   UPPM .PEJpFE
   3FRVFTU 3FTQPOTF

   3FRVFTU .PEJpFE
   3FTQPOTF

6. 4FDVSJUZ
   UFTUJOH
   GPS
   NPCJMF
   HBNF
   BQQT w .PCJMF
   HBNF
   BQQT
   PGUFO
   JNQMFNFOU
   HBNF
   MPHJD
   BOE
   BOUJDIFBU
   MPHJD
   JO
   UIFJS
   DMJFOUT
   
   
   BOE
   UIF
   DMJFOUT
   OFFE
   UP
   UBLF
   UIF
   UJNF
   UP
   DIFDL
   JU
   w 4FDVSJUZ
   UFTUJOH
   GPS
   NPCJMF
   HBNF
   BQQT
   JT
   NPSF
   EJ⒏DVMU
   UIBO
   B
   TJNQMF
   NPCJMF
   BQQ
   
   
   CFDBVTF
   PG
   UIF
   QFSTQFDUJWF
   PG
   SFWFSTF
   FOHJOFFSJOH
   w %FDSZQUJOH
   SFRVFTUTSFTQPOTFT
   FODSZQUJPO
   

   w 44-
   QJOOJOH
   CZQBTT
   w 3PPU
   QSJWJMFHFT
   EFUFDUJPO
   CZQBTT
   w .FNPSZ
   NPEJpDBUJPO
   w FUD 5PEBZ`T
   UPQJD

7. 8IBU
   JT
   NFNPSZ
   NPEJGJDBUJPOʁ w 4FBSDIJOH
   GPS
   UIF
   WBMVF
   EJTQMBZFE
   PO
   UIF
   6*
   JO
   UIF
   EFWJDFT
   NFNPSZ
   BOE
   NPEJGZJOH
   XJUI
   UIF
   WBMVF
   GPVOE
   w 5IF
   FBTJFTU
   XBZ
   UP
   DIFBU
   JO
   HBNFT
   w 'PS
   "OESPJE
   HBNFT
   UIFSF
   JT
   B
   XFMM
   LOPXO
   DIFBU
   UPPM
   DBMMFE
   ɹɹ (BNF(VBSEJBO

8. 8IBU
   JT
   BQLNFEJU w .FNPSZ
   TFBSDI
   BOE
   QBUDI
   UPPM
   GPS
   EFCVHHBCMF
   "1,
   w 8PSLT
   XJUIPVU
   SPPU
   
   UIF
   BOESPJE
   /%,
   w *NQMFNFOUFE
   JO
   (PMBOH
   w 'PS
   NPCJMF
   TFDVSJUZ
   UFTUJOH
   w

   "LBUTVLJT
   JOUFSOBM
   TFDVSJUZ
   UFBN
   VTFT
   JU
   UP
   QFSGPSN
   TFDVSJUZ
   UFTUT
   GPS
   NPCJMF
   HBNF
   BQQ
   w (JU)VC
   IUUQTHJUIVCDPNBLUTLBQLNFEJU

9. 8IBU
   BSF
   JUT
   BEWBOUBHFT
   PWFS
   PUIFS
   UPPMT w /P
   SPPU
   QSJWJMFHFT
   BSF
   SFRVJSFE
   GPS
   UIF
   PQFSBUJPO
   w 5IFSFGPSF
   UIFSF
   JT
   OP
   OFFE
   UP
   CZQBTT
   SPPU
   EFUFDUJPO
   w (BNF
   BQQT
   PGUFO
   EFUFDU
   SPPU
   
   w 8PSLT
   XJUI
   DPMPSGVM
   $6*
   

   w /P
   DPNQFUJOH
   UPPMT
   UIBU
   XPSL
   XJUI
   $6*
   GPS
   "OESPJE

10. 6TBHF %FNP
    .PWJF

11. 6TBHF *OTUBMMBUJPO w %PXOMPBE
    UIF
    CJOBSZ
    GSPN
    (JU)VC
    3FMFBTFT
    w QVTI
    UIF
    CJOBSZ
    JO
    EBUBMPDBMUNQ
    PO
    BO
    "OESPJE
    EFWJDF $ adb push medit

    /data/local/tmp/medit

12. 6TBHF 5P
    MBVODI w 6TF
    UIF
    SVOBT
    DPNNBOE
    UP
    SFBE
    
    XSJUF
    pMFT
    VTFE
    CZ
    UIF
    "1,
    w 5P
    BDDFTT
    UIF
    NFNPSZ
    XJUIPVU
    SFRVJSJOH
    SPPU
    QSJWJMFHFT
    w 4P
    BQLNFEJU
    DBO
    POMZ
    CF
    VTFE
    XJUI
    BQQT
    UIBU
    IBWF
    
    UIF
    EFCVHHBCMF
    BUUSJCVUF
    FOBCMFE

13. 6TBHF 5P
    MBVODI w 5P
    FOBCMF
    UIF
    EFCVHHBCMF
    BUUSJCVUF
    w PQFO
    UIF
    "OESPJE.BOJGFTUYNM
    BOE
    BEE
    UIF
    GPMMPXJOH
    YNM
    BUUSJCVUF
    UP
    UIF
    BQQMJDBUJPO
    YNM
    OPEF android:debuggable="true"

14. 6TBHF .BLF
    EFCVHHBCMF
    VTJOH
    BQLVUJM w 6TJOH
    BQLVUJM
    ZPV
    DBO
    DIBOHF
    UIF
    "1,
    UP
    CF
    EFCVHHBCMF
    XJUI
    B
    TJOHMF
    DPNNBOE
    w "OPUIFS
    UPPM
    *
    DSFBUFE
    w IUUQTHJUIVCDPNBLUTLBQLVUJM

    $ pip install git+ssh://[email protected]/aktsk/apkutil.git $ apkutil debuggable <target-apk-name>

15. 6TBHF "OPUIFS
    UPPM
    *
    DSFBUFE
    BQLVUJM w BQLVUJM
    JT
    B
    VTFGVM
    VUJMJUZ
    GPS
    BOESPJE
    BQQ
    TFDVSJUZ
    UFTUJOH
    w 0UIFS
    VTFGVM
    GFBUVSFT
    w 5BLJOH
    TDSFFOTIPU
    NPWF
    UP
    DPOOFDUFE
    1$
    

    w 3FTJHOJOH
    UIF
    "1,
    w $IFDLJOH
    "OESPJE.BOJGFTUYNM
    XIFO
    EFDPEF
    UIF
    "1,
    w FUD

16. 6TBHF 5P
    MBVODI w "GUFS
    SVOOJOH
    UIF
    SVOBT
    DPNNBOE
    EJSFDUPSZ
    JT
    DIBOHFE
    w $PQZ
    NFEJU
    GSPN
    EBUBMPDBMUNQ
    w 3VOOJOH
    NFEJU
    MBVODIFT
    BO
    JOUFSBDUJWF
    QSPNQU $

    adb shell $ pm list packages # to check <target-package-name> $ run-as <target-package-name> $ cp /data/local/tmp/medit ./medit $ ./medit

17. 6TBHF 4VCDPNNBOET w .BOZ
    TVCDPNNBOET
    BSF
    BWBJMBCMF
    JO
    UIF
    JOUFSBDUJWF
    QSPNQU
    CVU
    UIF
    UISFF
    NBJO
    POFT
    BSF
    w pOE
    WBMVF
    
    TFBSDI
    UIF
    TQFDJpFE
    JOUFHFS
    WBMVF
    JO
    NFNPSZ
    w pMUFS
    WBMVF
    
    pMUFS
    TFBSDI
    SFTVMUT
    VTJOH
    UIF
    TQFDJpFE
    WBMVF
    

    w QBUDI
    
    WBMVF
    
    XSJUF
    UIF
    TQFDJpFE
    WBMVF
    UP
    UIF
    BEESFTT
    GPVOE
    CZ
    UIF
    TFBSDI

18. 5IF
    NFNPSZ
    NPEJGJDBUJPO
    GMPX w 6TF
    UIF
    lpOEz
    DPNNBOE
    UP
    TFBSDI
    UIF
    WBMVF
    PO
    UIF
    6*
    w *G
    NBOZ
    SFTVMUT
    BSF
    EJTQMBZFE
    DIBOHF
    UIF
    WBMVF
    PO
    UIF
    6*
    UP
    
    lpMUFSz
    UIF
    SFTVMUT
    w 8IFO
    UIFSF
    BSF
    GFXFS
    SFTVMUT
    ZPV
    DBO
    NPEJGZ
    UIF
    NFNPSZ
    
    

    CZ
    VTJOH
    UIF
    QBUDI
    DPNNBOE

19. )PX
    JU
    XPSLT Photo by Harrison Broadbent on Unsplash

20. )PX
    JU
    XPSLT
    w 0O
    -JOVYCBTFE
    04FT
    QTFVEP
    pMFT
    BSF
    QMBDFE
    VOEFS
    QSPD
    UP
    BDDFTT
    QSPDFTT
    JOGPSNBUJPO
    w 5IF
    GPMMPXJOH
    QBUIT
    BSF
    VTFE
    w QSPD<QJE>NBQT
    

    w QSPD<QJE>NFN

21. QSPD<QJE>NBQT w QSPD<QJE>NBQT
    DPOUBJOT
    UIF
    NFNPSZ
    NBQ
    JOGPSNBUJPO
    w
    5IF
    NFNPSZ
    NBQ
    JOEJDBUFT
    XIJDI
    QBSU
    PG
    UIF
    NFNPSZ
    UIF
    QSPDFTT
    TQFDJpFE
    CZ
    UIF
    lQJE
    IBT
    QFSNJTTJPOT
    UP
    SFBE
    BOE
    XSJUF
    UP
    

22. QSPD<QJE>NBQT sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps 12c00000-12d40000 rw-p 00000000 00:05 23292

    /dev/ashmem/dalvik-main space (region space) (deleted) 12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@[email protected] 6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@[email protected] 6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@[email protected] 6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@[email protected] 6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@[email protected] 6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@[email protected] 6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@[email protected] 6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@[email protected] 6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@[email protected] ...

23. QSPD<QJE>NFN w 6TJOH
    QSPD<QJE>NFN
    JU
    JT
    QPTTJCMF
    UP
    SFBE
    UIF
    NFNPSZ
    IFME
    CZ
    UIF
    QSPDFTT
    TQFDJpFE
    CZ
    UIF
    lQJEz
    w TZTUFN
    DBMMT
    DBO
    CF
    VTFE
    UP
    SFBE
    UIF
    NFNPSZ
    w PQFO
    SFBE

    
    MTFFL

24. )PX
    JU
    XPSLT
    w 5IF
    .FNPSZ
    NBQ
    UFMMT
    VT
    XIFSF
    XF
    DBO
    SFBE
    
    XSJUF
    w
    *U
    VTFT
    QSPD<QJE>NFN
    UP
    SFBE
    UIF
    NFNPSZ
    BOE
    TFBSDI
    GPS
    UIF
    UBSHFU
    WBMVF
    w
    8IFO
    UIF
    UBSHFU
    WBMVF
    JT
    GPVOE
    JU
    VTFT
    QSPD<QJE>NFN
    UP
    QBUDI
    UIF
    

    NFNPSZ

25. 8IBU
    BSF
    UIF
    CFOFGJUT
    PG
    JNQMFNFOUJOH
    
    VTJOH
    (PMBOH
    PO
    BOESPJE
    EFWJDFT Photo by Nandhu Kumar on Unsplash

26. 8IBU
    BSF
    UIF
    CFOFGJUT
    PG
    JNQMFNFOUJOH
    
    VTJOH
    (PMBOH
    PO
    BOESPJE
    EFWJDFT w &BTZ
    UP
    QSFQBSF
    &-'
    CJOBSJFT
    GPS
    "3.
    w &BTZ
    UP
    JOWPLF
    TZTUFN
    DBMMT
    w &BTZ
    UP
    pOE
    UIF
    UBSHFU
    CZUF
    JO
    B
    MBSHF
    CZUF
    TFRVFODF
    RVJDLMZ
    w &BTZ
    UP
    EJTUSJCVUF
    CJOBSJFT
    CZ
    VTJOH
    (JU)VC
    "DUJPOT
    BOE
    (P3FMFBTFS

27. &BTZ
    UP
    QSFQBSF
    &-'
    CJOBSJFT
    GPS
    "3. w (P
    DPNQJMFS
    TVQQPSUT
    DSPTTDPNQJMBUJPO
    w (004
    (0"3$)
    FOWJSPONFOU
    WBSJBCMFT
    BSF
    QSPWJEFE
    GPS
    TQFDJGZJOH
    UIF
    04
    BOE
    $16 $ GOOS=linux GOARCH=arm64

    GOARM=7 go build -o medit

28. &BTZ
    UP
    JOWPLF
    TZTUFN
    DBMMT w 6OJY
    QBDLBHF
    XSBQT
    UIF
    TZTUFN
    DBMMT
    OJDFMZ
    w &BTZ
    UP
    JOWPLF
    UIF
    TZTUFN
    DBMMT

29. &BTZ
    UP
    GJOE
    UIF
    UBSHFU
    CZUF
    
    JO
    B
    MBSHF
    CZUF
    TFRVFODF
    RVJDLMZ w "
    GBTU
    TUSJOH
    TFBSDI
    BMHPSJUIN
    DBMMFE
    UIF
    3BCJO,BSQ
    JT
    VTFE
    JOTJEF
    CZUFT*OEFY
    w 8JUIPVU
    JNQMFNFOUJOH
    DPNQMFY
    BMHPSJUINT
    *
    DBO
    RVJDLMZ
    pOE
    EBUB
    JO
    UIF
    NFNPSZ
    CZ
    TJNQMZ
    VTJOH
    CZUFT*OEFY

30. &BTZ
    UP
    EJTUSJCVUF
    CJOBSJFT
    CZ
    VTJOH
    (JU)VC
    "DUJPOT
    BOE
    (P3FMFBTFS w (JU)VC
    "DUJPOT
    BOE
    (P3FMFBTFS
    NBLF
    JU
    FBTZ
    UP
    
    EFWFMPQ
    XJUI
    (PMBOH
    w 8IFO
    B
    UBHHFE
    DPNNJU
    JT
    VQMPBEFE
    UP
    (JU)VC
    UIF
    CVJME
    SVOT
    WJB
    (JU)VC
    "DUJPOT
    BOE
    (P3FMFBTFS
    BVUPNBUJDBMMZ
    SFHJTUFST
    UIF
    CJOBSZ
    UP
    (JUIVC
    3FMFBTFT

31. 4VNNBSZ w BQLNFEJU
    BMMPXT
    NFNPSZ
    NPEJpDBUJPOT
    XJUIPVU
    CZQBTTJOH
    SPPUJOH
    EFUFDUJPO
    w #VU
    UIFSF
    JT
    B
    OFFE
    UP
    DIBOHF
    UIF
    "1,
    UP
    CF
    EFCVHHBCMF
    w (PMBOH
    JT
    B
    VTFGVM
    MBOHVBHF
    GPS
    CVJMEJOH
    "OESPJE
    UPPMT
    w *
    IPQF
    BQLNFEJU
    XJMM
    CFDPNF
    UIF
    EF
    GBDUP
    TUBOEBSE
    
    

    GPS
    TFDVSJUZ
    UFTUJOH

32. 5IBOL
    :PV
    IUUQTHJUIVCDPNBLUTLBQLNFEJU