Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

20c5ddcad23304aed77ce8c3aa020562?s=47 @tkmru
October 30, 2020
Programming
0
150

apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

https://github.com/aktsk/apk-medit
https://github.com/aktsk/apkutil

20c5ddcad23304aed77ce8c3aa020562?s=128

@tkmru

October 30, 2020
Tweet

More Decks by @tkmru

See All by @tkmru
LazyCSRF: A More Useful CSRF PoC Generator on BurpSuite@Black Hat EUROPE 2021 Arsenal/lazyCSRF-bh2021-europe
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
52
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
3.1k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
2.4k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
3
570
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
3.3k
めんどうくさいゲームセキュリティ
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
20
9.9k
Linux Rootkit Internals
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
1.5k
Unicornを用いたDead Code除去
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
0
160
古典的なStack Overflow から JIT-ROPまで
20c5ddcad23304aed77ce8c3aa020562?s=48 tkmru
1
260

Other Decks in Programming

See All in Programming
1時間半で克服するJavaScriptの非同期処理/async_javascript_kokufuku
338259af0e093b5d91e9dc7afbcdd0d5?s=48 marchin1989
2
610
Java初心者が知っておくべきプログラミングのこと - JJUG CCC 2022 Spring
9e840766611f942c7c0a9ad6987a5d78?s=48 kishida
5
540
実践エクストリームプログラミング / Extreme Programming in Practice
00cbada6669966805d91061d5a234d3b?s=48 enk
1
520
Chart実装が楽になりました。
622c25352cca9db43a10c0f3d4f73b75?s=48 keisukeyamagishi
0
110
IE Graduation Certificate
1ff811939fd0923df8321ec6d8bf9d4b?s=48 jxck
6
4.8k
Angular‘s Future without NgModules: Architectures with Standalone Components @enterJS
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
220
Baseline Profilesでアプリのパフォーマンスを向上させる / Improve app performance with Baseline Profiles
37618b4d60cf3d1f43f7196253264edc?s=48 numeroanddev
0
240
Angular-basierte Micro Frontends mit Module Federation @API Summit
15934fa2aa7b2ce21f091e9b7cffa856?s=48 manfredsteyer
PRO
0
100
#JJUG_CCC 「サポート」は製品開発? - JDBCライブラリ屋さんが実践する攻めのテクニカルサポートとJavaエンジニアのキャリアについて -
244963b5eab1dd775692490daea81a7f?s=48 cdataj
0
420
Oracle REST Data Service: APEX Office Hours
0ed10d1154c696886ca483fe827cb299?s=48 thatjeffsmith
0
740
IE Graduation (IE の功績を讃える)
1ff811939fd0923df8321ec6d8bf9d4b?s=48 jxck
20
12k
無限スクロールビューライブラリ 二つの設計思想比較
3a28fa31667698e364e367d5174934b9?s=48 harumak
0
200

Featured

See All Featured
Music & Morning Musume
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
4.2k
Support Driven Design
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
86
8.5k
Fireside Chat
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
12
1.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
7
1.1k
Unsuck your backbone
B83d5b590577969ee79a5ad845411a7d?s=48 ammeep
659
55k
How New CSS Is Changing Everything About Graphic Design on the Web
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
213
11k
Fashionably flexible responsive web design (full day workshop)
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
396
62k
Building Adaptive Systems
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
1.1k
Dealing with People You Can't Stand - Big Design 2015
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
351
21k
How GitHub (no longer) Works
78b475797a14c84799063c7cd073962f?s=48 holman
296
140k
How to name files
0a4f62e90c976eeb44d33add75cca5af?s=48 jennybc
40
61k
Build your cross-platform service in a week with App Engine
5f83ef806155b403c3393160ce51f955?s=48 jlugia
219
17k

Transcript

  1. $0%&#-6&#MVFCPY 1SFTFOUFECZ5BJDIJ,PUBLF "LBUTVLJ*OD BQLNFEJU NFNPSZTFBSDIBOEQBUDIUPPMGPS"1, XJUIPVUSPPUBOESPJE/%,

  2. 8IP*BN w /BNF5BJDIJ,PUBLF w $PVOUZ+BQBO w +PC4FDVSJUZ&OHJOFFS!"LBUTVLJ*OD w 'PDVT(BNF4FDVSJUZ /FUXPSL1FOUFTU

    w (JU)VCULNSV

  3. .Z#PPLT

  4. 5PEBZT5PQJD 4FDVSJUZUFTUJOH GPSNPCJMFHBNFBQQT Photo by Shannon Potter on Unsplash

  5. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBOpOE NPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUPNPEJGZXJUISFRVFTUT SFTQPOTFTUPUIFTFSWFS "QQT 4FSWFST &OHJOFFSTVTJOHBQSPYZUPPM .PEJpFE3FRVFTU 3FTQPOTF

    3FRVFTU .PEJpFE3FTQPOTF

  6. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUHBNFMPHJDBOEBOUJDIFBUMPHJDJOUIFJSDMJFOUT  BOEUIFDMJFOUTOFFEUPUBLFUIFUJNFUPDIFDLJU w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ⒏DVMUUIBOBTJNQMFNPCJMFBQQ CFDBVTFPGUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHSFRVFTUTSFTQPOTFTFODSZQUJPO

    w 44-QJOOJOHCZQBTT w 3PPUQSJWJMFHFTEFUFDUJPOCZQBTT w .FNPSZNPEJpDBUJPO w FUD 5PEBZ`TUPQJD

  7. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FBSDIJOHGPSUIFWBMVFEJTQMBZFEPOUIF6*JOUIFEFWJDFTNFNPSZ BOENPEJGZJOHXJUIUIFWBMVFGPVOE w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFEɹɹ (BNF(VBSEJBO

  8. 8IBUJTBQLNFEJU w .FNPSZTFBSDIBOEQBUDIUPPMGPSEFCVHHBCMF"1, w 8PSLTXJUIPVUSPPUUIFBOESPJE/%, w *NQMFNFOUFEJO(PMBOH w 'PSNPCJMFTFDVSJUZUFTUJOH w

    "LBUTVLJTJOUFSOBMTFDVSJUZUFBNVTFTJUUPQFSGPSNTFDVSJUZUFTUTGPS NPCJMFHBNFBQQ w (JU)VCIUUQTHJUIVCDPNBLUTLBQLNFEJU

  9. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTTSPPUEFUFDUJPO w (BNFBQQTPGUFOEFUFDUSPPU w 8PSLTXJUIDPMPSGVM$6*

    w /PDPNQFUJOHUPPMTUIBUXPSLXJUI$6*GPS"OESPJE

  10. 6TBHF %FNP.PWJF

  11. 6TBHF *OTUBMMBUJPO w %PXOMPBEUIFCJOBSZGSPN(JU)VC3FMFBTFT w QVTIUIFCJOBSZJOEBUBMPDBMUNQPOBO"OESPJEEFWJDF $ adb push medit

    /data/local/tmp/medit

  12. 6TBHF 5PMBVODI w 6TFUIFSVOBTDPNNBOEUPSFBEXSJUFpMFTVTFECZUIF"1, w 5PBDDFTTUIFNFNPSZXJUIPVUSFRVJSJOHSPPUQSJWJMFHFT w 4PBQLNFEJUDBOPOMZCFVTFEXJUIBQQTUIBUIBWF UIFEFCVHHBCMFBUUSJCVUFFOBCMFE

  13. 6TBHF 5PMBVODI w 5PFOBCMFUIFEFCVHHBCMFBUUSJCVUF w PQFOUIF"OESPJE.BOJGFTUYNMBOEBEEUIFGPMMPXJOHYNMBUUSJCVUF UPUIFBQQMJDBUJPOYNMOPEF android:debuggable="true"

  14. 6TBHF .BLFEFCVHHBCMFVTJOHBQLVUJM w 6TJOHBQLVUJM ZPVDBODIBOHFUIF"1,UPCFEFCVHHBCMF XJUIBTJOHMFDPNNBOE w "OPUIFSUPPM*DSFBUFE w IUUQTHJUIVCDPNBLUTLBQLVUJM

    $ pip install git+ssh://git@github.com/aktsk/apkutil.git $ apkutil debuggable <target-apk-name>

  15. 6TBHF "OPUIFSUPPM*DSFBUFE BQLVUJM w BQLVUJMJTBVTFGVMVUJMJUZGPSBOESPJEBQQTFDVSJUZUFTUJOH w 0UIFSVTFGVMGFBUVSFT w 5BLJOHTDSFFOTIPU NPWFUPDPOOFDUFE1$

    w 3FTJHOJOHUIF"1, w $IFDLJOH"OESPJE.BOJGFTUYNMXIFOEFDPEFUIF"1, w FUD

  16. 6TBHF 5PMBVODI w "GUFSSVOOJOHUIFSVOBTDPNNBOE EJSFDUPSZJTDIBOHFE w $PQZNFEJUGSPNEBUBMPDBMUNQ w 3VOOJOHNFEJUMBVODIFTBOJOUFSBDUJWFQSPNQU $

    adb shell $ pm list packages # to check <target-package-name> $ run-as <target-package-name> $ cp /data/local/tmp/medit ./medit $ ./medit

  17. 6TBHF 4VCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFJOUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w pOEWBMVFTFBSDIUIFTQFDJpFEJOUFHFSWBMVFJONFNPSZ w pMUFSWBMVFpMUFSTFBSDISFTVMUTVTJOHUIFTQFDJpFEWBMVF

    w QBUDIWBMVFXSJUFUIFTQFDJpFEWBMVFUPUIFBEESFTTGPVOECZUIF TFBSDI

  18. 5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFlpOEzDPNNBOEUPTFBSDIUIFWBMVFPOUIF6* w *GNBOZSFTVMUTBSFEJTQMBZFE DIBOHFUIFWBMVFPOUIF6*UP lpMUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ

    CZVTJOHUIFQBUDIDPNNBOE

  19. )PXJUXPSLT Photo by Harrison Broadbent on Unsplash

  20. )PXJUXPSLT  w 0O-JOVYCBTFE04FT QTFVEPpMFTBSFQMBDFEVOEFSQSPDUPBDDFTT QSPDFTTJOGPSNBUJPO w 5IFGPMMPXJOHQBUITBSFVTFE w QSPD<QJE>NBQT

    w QSPD<QJE>NFN

  21. QSPD<QJE>NBQT w QSPD<QJE>NBQTDPOUBJOTUIFNFNPSZNBQJOGPSNBUJPO w 5IFNFNPSZNBQJOEJDBUFTXIJDIQBSUPGUIFNFNPSZUIFQSPDFTT  TQFDJpFECZUIFlQJE IBTQFSNJTTJPOTUPSFBEBOEXSJUFUP

  22. QSPD<QJE>NBQT sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps 12c00000-12d40000 rw-p 00000000 00:05 23292

    /dev/ashmem/dalvik-main space (region space) (deleted) 12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art 6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@framework@boot.art 6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art 6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@framework@boot-core-libart.art 6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art 6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@framework@boot-conscrypt.art 6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art 6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@framework@boot-okhttp.art 6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@framework@boot-bouncycastle.art ...

  23. QSPD<QJE>NFN w 6TJOHQSPD<QJE>NFN JUJTQPTTJCMFUPSFBEUIFNFNPSZIFMECZUIF QSPDFTTTQFDJpFECZUIFlQJEz w TZTUFNDBMMTDBOCFVTFEUPSFBEUIFNFNPSZ w PQFO SFBE

    MTFFL

  24. )PXJUXPSLT  w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w *UVTFTQSPD<QJE>NFNUPSFBEUIFNFNPSZBOETFBSDIGPSUIF UBSHFUWBMVF w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFTQSPD<QJE>NFNUPQBUDIUIF

    NFNPSZ

  25. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT Photo by Nandhu Kumar on Unsplash

  26. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT w &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w &BTZUPJOWPLFTZTUFNDBMMT w &BTZUPpOEUIFUBSHFUCZUFJOBMBSHFCZUFTFRVFODFRVJDLMZ w &BTZUPEJTUSJCVUFCJOBSJFTCZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS

  27. &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w (PDPNQJMFSTVQQPSUTDSPTTDPNQJMBUJPO w (004 (0"3$)FOWJSPONFOUWBSJBCMFTBSFQSPWJEFEGPSTQFDJGZJOH UIF04BOE$16 $ GOOS=linux GOARCH=arm64

    GOARM=7 go build -o medit

  28. &BTZUPJOWPLFTZTUFNDBMMT w 6OJYQBDLBHFXSBQTUIFTZTUFNDBMMTOJDFMZ w &BTZUPJOWPLFUIFTZTUFNDBMMT

  29. &BTZUPGJOEUIFUBSHFUCZUF JOBMBSHFCZUFTFRVFODFRVJDLMZ w "GBTUTUSJOHTFBSDIBMHPSJUINDBMMFEUIF3BCJO,BSQJTVTFEJOTJEF CZUFT*OEFY  w 8JUIPVUJNQMFNFOUJOHDPNQMFYBMHPSJUINT *DBORVJDLMZpOEEBUBJO UIFNFNPSZCZTJNQMZVTJOHCZUFT*OEFY

  30. &BTZUPEJTUSJCVUFCJOBSJFT CZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS w (JU)VC"DUJPOTBOE(P3FMFBTFSNBLFJUFBTZUP EFWFMPQXJUI(PMBOH w 8IFOBUBHHFEDPNNJUJTVQMPBEFEUP(JU)VC UIFCVJMESVOTWJB (JU)VC"DUJPOTBOE(P3FMFBTFSBVUPNBUJDBMMZSFHJTUFSTUIFCJOBSZUP (JUIVC3FMFBTFT

  31. 4VNNBSZ w BQLNFEJUBMMPXTNFNPSZNPEJpDBUJPOTXJUIPVUCZQBTTJOHSPPUJOH EFUFDUJPO w #VUUIFSFJTBOFFEUPDIBOHFUIF"1,UPCFEFCVHHBCMF w (PMBOHJTBVTFGVMMBOHVBHFGPSCVJMEJOH"OESPJEUPPMT w *IPQFBQLNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE

    GPSTFDVSJUZUFTUJOH

  32. 5IBOL:PV IUUQTHJUIVCDPNBLUTLBQLNFEJU