Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apk-medit: memory search and patch tool for deb...

Avatar for @tkmru @tkmru
October 30, 2020
Programming
0
200

apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox

https://github.com/aktsk/apk-medit
https://github.com/aktsk/apkutil
Avatar for @tkmru

@tkmru

October 30, 2020
Tweet

More Decks by @tkmru

See All by @tkmru
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
Avatar for @tkmru tkmru
2
1.4k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
Avatar for @tkmru tkmru
0
330
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
Avatar for @tkmru tkmru
0
170
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
Avatar for @tkmru tkmru
0
5.4k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
Avatar for @tkmru tkmru
1
4.5k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
Avatar for @tkmru tkmru
3
890
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
Avatar for @tkmru tkmru
0
4.2k
めんどうくさいゲームセキュリティ
Avatar for @tkmru tkmru
20
11k
Linux Rootkit Internals
Avatar for @tkmru tkmru
1
2k

Other Decks in Programming

See All in Programming
つよそうにふるまい、つよい成果を出すのなら、つよいのかもしれない
Avatar for irof irof
1
300
WindowInsetsだってテストしたい
Avatar for RyuNen344 ryunen344
1
190
Julia という言語について (FP in Julia « SIDE: F ») for 関数型まつり2025
Avatar for GOTOH Shunsuke antimon2
3
970
Cline指示通りに動かない? AI小説エージェントで学ぶ指示書の書き方と自動アップデートの仕組み
Avatar for 葦沢かもめ kamomeashizawa
1
560
第9回 情シス転職ミートアップ 株式会社IVRy(アイブリー)の紹介
Avatar for 株式会社IVRy(社員登壇資料) ivry_presentationmaterials
1
190
Datadog RUM 本番導入までの道
Avatar for Shintaro Matsumoto shinter61
1
310
複数アプリケーションを育てていくための共通化戦略
Avatar for irof irof
10
4k
アンドパッドの Go 勉強会「 gopher 会」とその内容の紹介
Avatar for ANDPAD inc andpad
0
250
[初登壇@jAZUG]アプリ開発者が気になるGoogleCloud/Azure+wasm/wasi
Avatar for asaringo asaringo
0
130
DroidKnights 2025 - 다양한 스크롤 뷰에서의 영상 재생
Avatar for 이가은 gaeun5744
3
300
Railsアプリケーションと パフォーマンスチューニング ー 秒間5万リクエストの モバイルオーダーシステムを支える事例 ー Rubyセミナー 大阪
Avatar for Hayato OKUMOTO falcon8823
1
530
Spring gRPC で始める gRPC 入門 / Introduction to gRPC with Spring gRPC
Avatar for mackey0225 mackey0225
2
520

Featured

See All Featured
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
490
How GitHub (no longer) Works
Avatar for Zach Holman holman
314
140k
Docker and Python
Avatar for Tania Allard trallard
44
3.4k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
3.9k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
32
2.3k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
71
4.9k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.7k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
245
12k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
69
4.7k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k

Transcript

  1. $0%&#-6&#MVFCPY 1SFTFOUFECZ5BJDIJ,PUBLF "LBUTVLJ*OD BQLNFEJU NFNPSZTFBSDIBOEQBUDIUPPMGPS"1, XJUIPVUSPPUBOESPJE/%,

  2. 8IP*BN w /BNF5BJDIJ,PUBLF w $PVOUZ+BQBO w +PC4FDVSJUZ&OHJOFFS!"LBUTVLJ*OD w 'PDVT(BNF4FDVSJUZ /FUXPSL1FOUFTU

    w (JU)VCULNSV

  3. .Z#PPLT

  4. 5PEBZT5PQJD 4FDVSJUZUFTUJOH GPSNPCJMFHBNFBQQT Photo by Shannon Potter on Unsplash

  5. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBOpOE NPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUPNPEJGZXJUISFRVFTUT SFTQPOTFTUPUIFTFSWFS "QQT 4FSWFST &OHJOFFSTVTJOHBQSPYZUPPM .PEJpFE3FRVFTU 3FTQPOTF

    3FRVFTU .PEJpFE3FTQPOTF

  6. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUHBNFMPHJDBOEBOUJDIFBUMPHJDJOUIFJSDMJFOUT  BOEUIFDMJFOUTOFFEUPUBLFUIFUJNFUPDIFDLJU w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ⒏DVMUUIBOBTJNQMFNPCJMFBQQ CFDBVTFPGUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHSFRVFTUTSFTQPOTFTFODSZQUJPO

    w 44-QJOOJOHCZQBTT w 3PPUQSJWJMFHFTEFUFDUJPOCZQBTT w .FNPSZNPEJpDBUJPO w FUD 5PEBZ`TUPQJD

  7. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FBSDIJOHGPSUIFWBMVFEJTQMBZFEPOUIF6*JOUIFEFWJDFTNFNPSZ BOENPEJGZJOHXJUIUIFWBMVFGPVOE w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFEɹɹ (BNF(VBSEJBO

  8. 8IBUJTBQLNFEJU w .FNPSZTFBSDIBOEQBUDIUPPMGPSEFCVHHBCMF"1, w 8PSLTXJUIPVUSPPUUIFBOESPJE/%, w *NQMFNFOUFEJO(PMBOH w 'PSNPCJMFTFDVSJUZUFTUJOH w

    "LBUTVLJTJOUFSOBMTFDVSJUZUFBNVTFTJUUPQFSGPSNTFDVSJUZUFTUTGPS NPCJMFHBNFBQQ w (JU)VCIUUQTHJUIVCDPNBLUTLBQLNFEJU

  9. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTTSPPUEFUFDUJPO w (BNFBQQTPGUFOEFUFDUSPPU w 8PSLTXJUIDPMPSGVM$6*

    w /PDPNQFUJOHUPPMTUIBUXPSLXJUI$6*GPS"OESPJE

  10. 6TBHF %FNP.PWJF

  11. 6TBHF *OTUBMMBUJPO w %PXOMPBEUIFCJOBSZGSPN(JU)VC3FMFBTFT w QVTIUIFCJOBSZJOEBUBMPDBMUNQPOBO"OESPJEEFWJDF $ adb push medit

    /data/local/tmp/medit

  12. 6TBHF 5PMBVODI w 6TFUIFSVOBTDPNNBOEUPSFBEXSJUFpMFTVTFECZUIF"1, w 5PBDDFTTUIFNFNPSZXJUIPVUSFRVJSJOHSPPUQSJWJMFHFT w 4PBQLNFEJUDBOPOMZCFVTFEXJUIBQQTUIBUIBWF UIFEFCVHHBCMFBUUSJCVUFFOBCMFE

  13. 6TBHF 5PMBVODI w 5PFOBCMFUIFEFCVHHBCMFBUUSJCVUF w PQFOUIF"OESPJE.BOJGFTUYNMBOEBEEUIFGPMMPXJOHYNMBUUSJCVUF UPUIFBQQMJDBUJPOYNMOPEF android:debuggable="true"

  14. 6TBHF .BLFEFCVHHBCMFVTJOHBQLVUJM w 6TJOHBQLVUJM ZPVDBODIBOHFUIF"1,UPCFEFCVHHBCMF XJUIBTJOHMFDPNNBOE w "OPUIFSUPPM*DSFBUFE w IUUQTHJUIVCDPNBLUTLBQLVUJM

    $ pip install git+ssh://[email protected]/aktsk/apkutil.git $ apkutil debuggable <target-apk-name>

  15. 6TBHF "OPUIFSUPPM*DSFBUFE BQLVUJM w BQLVUJMJTBVTFGVMVUJMJUZGPSBOESPJEBQQTFDVSJUZUFTUJOH w 0UIFSVTFGVMGFBUVSFT w 5BLJOHTDSFFOTIPU NPWFUPDPOOFDUFE1$

    w 3FTJHOJOHUIF"1, w $IFDLJOH"OESPJE.BOJGFTUYNMXIFOEFDPEFUIF"1, w FUD

  16. 6TBHF 5PMBVODI w "GUFSSVOOJOHUIFSVOBTDPNNBOE EJSFDUPSZJTDIBOHFE w $PQZNFEJUGSPNEBUBMPDBMUNQ w 3VOOJOHNFEJUMBVODIFTBOJOUFSBDUJWFQSPNQU $

    adb shell $ pm list packages # to check <target-package-name> $ run-as <target-package-name> $ cp /data/local/tmp/medit ./medit $ ./medit

  17. 6TBHF 4VCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFJOUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w pOEWBMVFTFBSDIUIFTQFDJpFEJOUFHFSWBMVFJONFNPSZ w pMUFSWBMVFpMUFSTFBSDISFTVMUTVTJOHUIFTQFDJpFEWBMVF

    w QBUDIWBMVFXSJUFUIFTQFDJpFEWBMVFUPUIFBEESFTTGPVOECZUIF TFBSDI

  18. 5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFlpOEzDPNNBOEUPTFBSDIUIFWBMVFPOUIF6* w *GNBOZSFTVMUTBSFEJTQMBZFE DIBOHFUIFWBMVFPOUIF6*UP lpMUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ

    CZVTJOHUIFQBUDIDPNNBOE

  19. )PXJUXPSLT Photo by Harrison Broadbent on Unsplash

  20. )PXJUXPSLT  w 0O-JOVYCBTFE04FT QTFVEPpMFTBSFQMBDFEVOEFSQSPDUPBDDFTT QSPDFTTJOGPSNBUJPO w 5IFGPMMPXJOHQBUITBSFVTFE w QSPD<QJE>NBQT

    w QSPD<QJE>NFN

  21. QSPD<QJE>NBQT w QSPD<QJE>NBQTDPOUBJOTUIFNFNPSZNBQJOGPSNBUJPO w 5IFNFNPSZNBQJOEJDBUFTXIJDIQBSUPGUIFNFNPSZUIFQSPDFTT  TQFDJpFECZUIFlQJE IBTQFSNJTTJPOTUPSFBEBOEXSJUFUP

  22. QSPD<QJE>NBQT sargo:/data/data/jp.aktsk.tap1000000 $ cat /proc/11283/maps 12c00000-12d40000 rw-p 00000000 00:05 23292

    /dev/ashmem/dalvik-main space (region space) (deleted) 12d40000-133c0000 ---p 00140000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 133c0000-13700000 ---p 007c0000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13700000-13780000 rw-p 00b00000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 13780000-14140000 ---p 00b80000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 14140000-2ac00000 rw-p 01540000 00:05 23292 /dev/ashmem/dalvik-main space (region space) (deleted) 6f181000-6f3a6000 rw-p 00000000 fd:01 221 /data/dalvik-cache/arm/system@[email protected] 6f3a6000-6f3bc000 r--p 00225000 fd:01 221 /data/dalvik-cache/arm/system@[email protected] 6f3bc000-6f4b3000 rw-p 00000000 fd:01 229 /data/dalvik-cache/arm/system@[email protected] 6f4b3000-6f4c5000 r--p 000f7000 fd:01 229 /data/dalvik-cache/arm/system@[email protected] 6f4c5000-6f4f6000 rw-p 00000000 fd:01 232 /data/dalvik-cache/arm/system@[email protected] 6f4f6000-6f4f9000 r--p 00031000 fd:01 232 /data/dalvik-cache/arm/system@[email protected] 6f4f9000-6f526000 rw-p 00000000 fd:01 235 /data/dalvik-cache/arm/system@[email protected] 6f526000-6f529000 r--p 0002d000 fd:01 235 /data/dalvik-cache/arm/system@[email protected] 6f529000-6f57f000 rw-p 00000000 fd:01 240 /data/dalvik-cache/arm/system@[email protected] ...

  23. QSPD<QJE>NFN w 6TJOHQSPD<QJE>NFN JUJTQPTTJCMFUPSFBEUIFNFNPSZIFMECZUIF QSPDFTTTQFDJpFECZUIFlQJEz w TZTUFNDBMMTDBOCFVTFEUPSFBEUIFNFNPSZ w PQFO SFBE

    MTFFL

  24. )PXJUXPSLT  w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w *UVTFTQSPD<QJE>NFNUPSFBEUIFNFNPSZBOETFBSDIGPSUIF UBSHFUWBMVF w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFTQSPD<QJE>NFNUPQBUDIUIF

    NFNPSZ

  25. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT Photo by Nandhu Kumar on Unsplash

  26. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH VTJOH(PMBOHPOBOESPJEEFWJDFT w &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w &BTZUPJOWPLFTZTUFNDBMMT w &BTZUPpOEUIFUBSHFUCZUFJOBMBSHFCZUFTFRVFODFRVJDLMZ w &BTZUPEJTUSJCVUFCJOBSJFTCZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS

  27. &BTZUPQSFQBSF&-'CJOBSJFTGPS"3. w (PDPNQJMFSTVQQPSUTDSPTTDPNQJMBUJPO w (004 (0"3$)FOWJSPONFOUWBSJBCMFTBSFQSPWJEFEGPSTQFDJGZJOH UIF04BOE$16 $ GOOS=linux GOARCH=arm64

    GOARM=7 go build -o medit

  28. &BTZUPJOWPLFTZTUFNDBMMT w 6OJYQBDLBHFXSBQTUIFTZTUFNDBMMTOJDFMZ w &BTZUPJOWPLFUIFTZTUFNDBMMT

  29. &BTZUPGJOEUIFUBSHFUCZUF JOBMBSHFCZUFTFRVFODFRVJDLMZ w "GBTUTUSJOHTFBSDIBMHPSJUINDBMMFEUIF3BCJO,BSQJTVTFEJOTJEF CZUFT*OEFY  w 8JUIPVUJNQMFNFOUJOHDPNQMFYBMHPSJUINT *DBORVJDLMZpOEEBUBJO UIFNFNPSZCZTJNQMZVTJOHCZUFT*OEFY

  30. &BTZUPEJTUSJCVUFCJOBSJFT CZVTJOH(JU)VC"DUJPOTBOE(P3FMFBTFS w (JU)VC"DUJPOTBOE(P3FMFBTFSNBLFJUFBTZUP EFWFMPQXJUI(PMBOH w 8IFOBUBHHFEDPNNJUJTVQMPBEFEUP(JU)VC UIFCVJMESVOTWJB (JU)VC"DUJPOTBOE(P3FMFBTFSBVUPNBUJDBMMZSFHJTUFSTUIFCJOBSZUP (JUIVC3FMFBTFT

  31. 4VNNBSZ w BQLNFEJUBMMPXTNFNPSZNPEJpDBUJPOTXJUIPVUCZQBTTJOHSPPUJOH EFUFDUJPO w #VUUIFSFJTBOFFEUPDIBOHFUIF"1,UPCFEFCVHHBCMF w (PMBOHJTBVTFGVMMBOHVBHFGPSCVJMEJOH"OESPJEUPPMT w *IPQFBQLNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE

    GPSTFDVSJUZUFTUJOH

  32. 5IBOL:PV IUUQTHJUIVCDPNBLUTLBQLNFEJU