Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

20c5ddcad23304aed77ce8c3aa020562?s=47 @tkmru
October 30, 2020
Programming
0
110

apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

https://github.com/aktsk/apk-medit
https://github.com/aktsk/apkutil

20c5ddcad23304aed77ce8c3aa020562?s=128

@tkmru

October 30, 2020
Tweet

More Decks by @tkmru

See All by @tkmru
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
2
390
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
2.6k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
18
9.4k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
1.2k
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
150
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
230
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
160
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
3
1.9k

Other Decks in Programming

See All in Programming
Ad2155c75c67c0100dd008ad10858de5?s=48 legalforce
PRO
0
640
3c86b5e68b972038efd6c5cd1553d46b?s=48 sters
2
140
9da5d5cc4b6a9f28058152e28364b02a?s=48 prof18
0
1.5k
877ac424e59bd3dd183859ef4cc9a08a?s=48 ryosukes
0
1.4k
E0e036f89c14b3e59640318eedf9670b?s=48 bkuhlmann
2
310
354271902cd8ba2762d05b251dfa0f84?s=48 pluu
0
410
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
140
Ad2155c75c67c0100dd008ad10858de5?s=48 legalforce
PRO
1
720
2c7f0a1020fbd01942166122190180f8?s=48 williln
0
230
27ec11888b9deb5c26ab4c85e97ec000?s=48 meemeelab
0
290
Dcbf2269af2483cabf43128ad1718c11?s=48 grapecity_dev
1
200
270b0c7883545117a9a618dc7ca7cc83?s=48 xrdnk
0
120

Featured

See All Featured
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
18
1.2k
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
38
2.3k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
779
240k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
321
53k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
192
8.8k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
188
14k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
93
14k
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
206
6.9k
Ba530e786553390f3fb271848485681c?s=48 3n
163
22k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.4k
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
73
7.5k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
112
10k

Transcript

  1. $0%&#-6&#MVFCPY 1SFTFOUFECZ5BJDIJ,PUBLF "LBUTVLJ*OD BQLNFEJU NFNPSZTFBSDIBOEQBUDIUPPMGPS"1, XJUIPVUSPPUBOESPJE/%,

  2. 8IP*BN w /BNF5BJDIJ,PUBLF w $PVOUZ+BQBO w +PC4FDVSJUZ&OHJOFFS!"LBUTVLJ*OD w 'PDVT(BNF4FDVSJUZ /FUXPSL1FOUFTU

    w (JU)VCULNSV

  3. .Z#PPLT

  4. 5PEBZT5PQJD 4FDVSJUZUFTUJOH GPSNPCJMFHBNFBQQT Photo by Shannon Potter on Unsplash

  5. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBOpOE NPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUPNPEJGZXJUISFRVFTUT SFTQPOTFTUPUIFTFSWFS "QQT 4FSWFST &OHJOFFSTVTJOHBQSPYZUPPM .PEJpFE3FRVFTU 3FTQPOTF

    3FRVFTU .PEJpFE3FTQPOTF

  6. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUHBNFMPHJDBOEBOUJDIFBUMPHJDJOUIFJSDMJFOUT  BOEUIFDMJFOUTOFFEUPUBLFUIFUJNFUPDIFDLJU w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ⒏DVMUUIBOBTJNQMFNPCJMFBQQ CFDBVTFPGUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHSFRVFTUTSFTQPOTFTFODSZQUJPO

    w 44-QJOOJOHCZQBTT w 3PPUQSJWJMFHFTEFUFDUJPOCZQBTT w .FNPSZNPEJpDBUJPO w FUD 5PEBZ`TUPQJD

  7. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FBSDIJOHGPSUIFWBMVFEJTQMBZFEPOUIF6*JOUIFEFWJDFTNFNPSZ BOENPEJGZJOHXJUIUIFWBMVFGPVOE w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFEɹɹ (BNF(VBSEJBO

  8. 8IBUJTBQLNFEJU w .FNPSZTFBSDIBOEQBUDIUPPMGPSEFCVHHBCMF"1, w 8PSLTXJUIPVUSPPUUIFBOESPJE/%, w *NQMFNFOUFEJO(PMBOH w 'PSNPCJMFTFDVSJUZUFTUJOH w

    "LBUTVLJTJOUFSOBMTFDVSJUZUFBNVTFTJUUPQFSGPSNTFDVSJUZUFTUTGPS NPCJMFHBNFBQQ w (JU)VCIUUQTHJUIVCDPNBLUTLBQLNFEJU

  9. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTTSPPUEFUFDUJPO w (BNFBQQTPGUFOEFUFDUSPPU w 8PSLTXJUIDPMPSGVM$6*

    w /PDPNQFUJOHUPPMTUIBUXPSLXJUI$6*GPS"OESPJE

  10. 6TBHF %FNP.PWJF

  11. 6TBHF *OTUBMMBUJPO w %PXOMPBEUIFCJOBSZGSPN(JU)VC3FMFBTFT w QVTIUIFCJOBSZJOEBUBMPDBMUNQPOBO"OESPJEEFWJDF $ adb push medit

    /data/local/tmp/medit

  12. 6TBHF 5PMBVODI w 6TFUIFSVOBTDPNNBOEUPSFBEXSJUFpMFTVTFECZUIF"1, w 5PBDDFTTUIFNFNPSZXJUIPVUSFRVJSJOHSPPUQSJWJMFHFT w 4PBQLNFEJUDBOPOMZCFVTFEXJUIBQQTUIBUIBWF UIFEFCVHHBCMFBUUSJCVUFFOBCMFE

  13. 6TBHF 5PMBVODI w 5PFOBCMFUIFEFCVHHBCMFBUUSJCVUF w PQFOUIF"OESPJE.BOJGFTUYNMBOEBEEUIFGPMMPXJOHYNMBUUSJCVUF UPUIFBQQMJDBUJPOYNMOPEF android:debuggable="true"

  14. 6TBHF .BLFEFCVHHBCMFVTJOHBQLVUJM w 6TJOHBQLVUJM ZPVDBODIBOHFUIF"1,UPCFEFCVHHBCMF XJUIBTJOHMFDPNNBOE w "OPUIFSUPPM*DSFBUFE w IUUQTHJUIVCDPNBLUTLBQLVUJM

    $ pip install git+ssh://git@github.com/aktsk/apkutil.git $ apkutil debuggable <target-apk-name>

  15. 6TBHF "OPUIFSUPPM*DSFBUFE BQLVUJM w BQLVUJMJTBVTFGVMVUJMJUZGPSBOESPJEBQQTFDVSJUZUFTUJOH w 0UIFSVTFGVMGFBUVSFT w 5BLJOHTDSFFOTIPU NPWFUPDPOOFDUFE1$

    w 3FTJHOJOHUIF"1, w $IFDLJOH"OESPJE.BOJGFTUYNMXIFOEFDPEFUIF"1, w FUD

  16. 6TBHF 5PMBVODI w "GUFSSVOOJOHUIFSVOBTDPNNBOE EJSFDUPSZJTDIBOHFE w $PQZNFEJUGSPNEBUBMPDBMUNQ w 3VOOJOHNFEJUMBVODIFTBOJOUFSBDUJWFQSPNQU $

    adb shell $ pm list packages # to check <target-package-name> $ run-as <target-package-name> $ cp /data/local/tmp/medit ./medit $ ./medit

  17. 6TBHF 4VCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFJOUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w pOEWBMVFTFBSDIUIFTQFDJpFEJOUFHFSWBMVFJONFNPSZ w pMUFSWBMVFpMUFSTFBSDISFTVMUTVTJOHUIFTQFDJpFEWBMVF

    w QBUDIWBMVFXSJUFUIFTQFDJpFEWBMVFUPUIFBEESFTTGPVOECZUIF TFBSDI

  18. 5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFlpOEzDPNNBOEUPTFBSDIUIFWBMVFPOUIF6* w *GNBOZSFTVMUTBSFEJTQMBZFE DIBOHFUIFWBMVFPOUIF6*UP lpMUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ

    CZVTJOHUIFQBUDIDPNNBOE

  19. )PXJUXPSLT Photo by Harrison Broadbent on Unsplash

  20. )PXJUXPSLT  w 0O-JOVYCBTFE04FT QTFVEPpMFTBSFQMBDFEVOEFSQSPDUPBDDFTT QSPDFTTJOGPSNBUJPO w 5IFGPMMPXJOHQBUITBSFVTFE w QSPD<QJE>NBQT

    w QSPD<QJE>NFN

  21. QSPD<QJE>NBQT w QSPD<QJE>NBQTDPOUBJOTUIFNFNPSZNBQJOGPSNBUJPO w 5IFNFNPSZNBQJOEJDBUFTXIJDIQBSUPGUIFNFNPSZUIFQSPDFTT  TQFDJpFECZUIFlQJE IBTQFSNJTTJPOTUPSFBEBOEXSJUFUP

  22. QSPD<QJE>NBQT sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps 12c00000-12d40000 rw-p 00000000 00:05 23292

    /dev/ashmem/dalvik-main space (region space) (deleted) 12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art 6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art 6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art 6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art 6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art 6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art 6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art 6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art 6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@framework@boot-bouncycastle.art ...

  23. QSPD<QJE>NFN w 6TJOHQSPD<QJE>NFN JUJTQPTTJCMFUPSFBEUIFNFNPSZIFMECZUIF QSPDFTTTQFDJpFECZUIFlQJEz w TZTUFNDBMMTDBOCFVTFEUPSFBEUIFNFNPSZ w PQFO SFBE

    MTFFL

  24. )PXJUXPSLT  w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w *UVTFTQSPD<QJE>NFNUPSFBEUIFNFNPSZBOETFBSDIGPSUIF UBSHFUWBMVF w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFTQSPD<QJE>NFNUPQBUDIUIF

    NFNPSZ

  25. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT Photo by Nandhu Kumar on Unsplash

  26. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT w &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w &BTZUPJOWPLFTZTUFNDBMMT w &BTZUPpOEUIFUBSHFUCZUFJOBMBSHFCZUFTFRVFODFRVJDLMZ w &BTZUPEJTUSJCVUFCJOBSJFTCZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS

  27. &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w (PDPNQJMFSTVQQPSUTDSPTTDPNQJMBUJPO w (004 (0"3$)FOWJSPONFOUWBSJBCMFTBSFQSPWJEFEGPSTQFDJGZJOH UIF04BOE$16 $ GOOS=linux GOARCH=arm64

    GOARM=7 go build -o medit

  28. &BTZUPJOWPLFTZTUFNDBMMT w 6OJYQBDLBHFXSBQTUIFTZTUFNDBMMTOJDFMZ w &BTZUPJOWPLFUIFTZTUFNDBMMT

  29. &BTZUPGJOEUIFUBSHFUCZUF JOBMBSHFCZUFTFRVFODFRVJDLMZ w "GBTUTUSJOHTFBSDIBMHPSJUINDBMMFEUIF3BCJO,BSQJTVTFEJOTJEF CZUFT*OEFY  w 8JUIPVUJNQMFNFOUJOHDPNQMFYBMHPSJUINT *DBORVJDLMZpOEEBUBJO UIFNFNPSZCZTJNQMZVTJOHCZUFT*OEFY

  30. &BTZUPEJTUSJCVUFCJOBSJFT CZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS w (JU)VC"DUJPOTBOE(P3FMFBTFSNBLFJUFBTZUP EFWFMPQXJUI(PMBOH w 8IFOBUBHHFEDPNNJUJTVQMPBEFEUP(JU)VC UIFCVJMESVOTWJB (JU)VC"DUJPOTBOE(P3FMFBTFSBVUPNBUJDBMMZSFHJTUFSTUIFCJOBSZUP (JUIVC3FMFBTFT

  31. 4VNNBSZ w BQLNFEJUBMMPXTNFNPSZNPEJpDBUJPOTXJUIPVUCZQBTTJOHSPPUJOH EFUFDUJPO w #VUUIFSFJTBOFFEUPDIBOHFUIF"1,UPCFEFCVHHBCMF w (PMBOHJTBVTFGVMMBOHVBHFGPSCVJMEJOH"OESPJEUPPMT w *IPQFBQLNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE

    GPSTFDVSJUZUFTUJOH

  32. 5IBOL:PV IUUQTHJUIVCDPNBLUTLBQLNFEJU