
ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @ Black Hat USA 2021 Arsenal

@tkmru
August 05, 2021


ipa-medit is a memory search and patch tool for re-signed IPA files that works without jailbreaking. It was created for mobile game security testing.

Memory modification is the easiest way to cheat in games, so it is one of the items checked in a security test. There are cheat tools on iOS, such as GameGem and iGameGuardian, that can be used casually, but none of them worked on un-jailbroken devices. So I made one as a security testing tool.

There is an Android version of the tool, apk-medit (https://github.com/aktsk/apk-medit), which I also created.

Many mobile games have jailbreak detection; because ipa-medit does not require jailbreaking, memory can be modified without bypassing the jailbreak detection.

GitHub: https://github.com/aktsk/ipa-medit


Transcript

  1. #BHUSA @BLACKHATEVENTS
     ipa-medit: memory search and patch tool for IPA without Jailbreaking
     Presented by Taichi Kotake, Akatsuki Inc.
  2. Who I am
     • Name: Taichi Kotake
     • Country: Japan
     • Job: Security Engineer @ Akatsuki Inc.
     • GitHub: tkmru
  3. Today's Topic: Security testing for mobile game apps
     (Photo by Shannon Potter on Unsplash)
  4. Were you here last year?
     • I also presented at Black Hat Arsenal USA last year
     • Last year, I talked about apk-medit, a memory modification tool for Android
     • This year, I'll be talking about the iOS version of apk-medit
  5. Security testing for mobile game apps
     • Security testing of web applications and simple mobile apps can find most vulnerabilities by using a proxy tool to modify the requests/responses to the server
  6. Security testing for mobile game apps
     • Mobile game apps often implement the game and anti-cheat logic in their clients, so the clients themselves have to be checked, and that takes time
  7. What is memory modification?
     • Security testing for mobile game apps is more difficult
     • It has to be approached from a reverse-engineering perspective:
       • Decrypting requests/responses encryption
       • SSL pinning bypass
       • Root privileges detection bypass
       • Memory modification (today's topic)
       • etc.
  8. What is memory modification?
     • The easiest way to cheat in games
     • For iOS games, there are well-known cheat tools called iGameGuardian and GamePlayer
     • For Android games, there is a well-known cheat tool called GameGuardian
  9. What is ipa-medit?
     • Memory search and patch tool for re-signed IPA without Jailbreaking
     • Works without Jailbreaking
     • For mobile security testing
     • https://github.com/aktsk/ipa-medit
  10. What are its advantages over other tools?
     • No root privileges are required for its operation
     • Therefore, there is no need to bypass Jailbreak detection
     • Game apps often detect Jailbreaking
     • Works with a colorful CUI
     • No competing tool for iOS works with a CUI
  11. Demo Movie

  12. Requirements
     • macOS
     • You need to have a valid iOS Development certificate installed
     • Xcode (the tool uses the LLDB that ships inside Xcode)
  13. Requirements
     • libimobiledevice/libimobiledevice
     • libimobiledevice/ideviceinstaller
     $ brew install --HEAD libplist
     $ brew install --HEAD usbmuxd
     $ brew install --HEAD libimobiledevice
     $ brew install --HEAD ideviceinstaller
  14. Re-sign
     • The target IPA must be signed with a certificate installed on your PC
     • If you want to modify memory on third-party applications, you need to re-sign the IPA
  15. Re-sign
     • If you use the ipautil I created, you can easily re-sign
     • https://github.com/aktsk/ipautil
     $ ipautil decode tap1000000.ipa   # unzip
     $ ipautil build Payload           # re-sign
  16. Usage (installation)
     • Download the binary (ipa-medit) from GitHub Releases and drop it in your $PATH
     • GitHub Actions is used to build and distribute the binaries
  17. Usage (to launch)
     • To launch it, specify the path of the executable file contained in the IPA with -bin and the bundle id with -id
     $ ipa-medit -bin="./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000"
  18. Usage (subcommands)
     • Many subcommands are available via the interactive prompt, but the three main ones are:
       • find <value> - search memory for the specified integer value
       • filter <value> - filter the search results using the specified value
       • patch <value> - write the specified value to the address found by the previous search
  19. The memory modification flow
     • Use the "find" command to search for the value shown on the UI
     • If there are many results, change the value on the UI and "filter" the results
     • When only a few results are left, modify the memory with the "patch" command
  20. How it works
     (Photo by Harrison Broadbent on Unsplash)
  21. How does it work?
     • This tool uses libimobiledevice to interact with iOS devices
     • libimobiledevice is a well-known library that communicates with iOS devices using their native protocols
     • https://libimobiledevice.org/
  22. How does it work?
     • The LLDB Python API is used to read/write memory
     • It uses the mechanism that Xcode uses internally
     • LLDB is used inside Xcode
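The find / filter / patch flow of slides 18 and 19, driven through the LLDB read/write mechanism of slide 22, as an added example. This is not ipa-medit's own code (which is Go with an embedded Python script); the only LLDB calls it relies on are SBProcess.ReadMemory / WriteMemory / GetMemoryRegions and SBError.Success() from the LLDB Python API, and those names are an assumption. FakeProcess and FakeError are constructed stand-ins so the script runs offline, and the score / coins / decoy layout at 0x10 / 0x40 / 0x80 is invented for the demo:

```python
# Added example, not ipa-medit's own code: find -> filter -> patch driven through an object
# shaped like LLDB's SBProcess (ReadMemory/WriteMemory; assumed API names). FakeProcess and
# FakeError below are constructed stand-ins so this runs offline.
import struct


class MemoryScanner:
    """find -> filter -> patch over an LLDB-like process object."""

    def __init__(self, process, regions, make_error, width=4):
        self.process = process
        self.regions = regions        # [(base, size)] readable+writable regions to scan
        self.make_error = make_error  # lldb.SBError on a real device, FakeError here
        self.width = width
        self.fmt = {4: "<I", 8: "<Q"}[width]  # little-endian, as on arm64 iOS
        self.candidates = []          # addresses still matching after the last find/filter

    def _read(self, addr, size):
        err = self.make_error()
        data = self.process.ReadMemory(addr, size, err)
        return bytes(data) if err.Success() else b""

    def find(self, value):
        """Initial scan: every offset in every region holding `value` (unaligned hits too)."""
        needle = struct.pack(self.fmt, value)
        hits = []
        for base, size in self.regions:
            data = self._read(base, size)
            off = data.find(needle)
            while off != -1:
                hits.append(base + off)
                off = data.find(needle, off + 1)
        self.candidates = hits
        return len(hits)

    def filter(self, value):
        """After the value changed on the UI, keep only candidates that now hold `value`."""
        needle = struct.pack(self.fmt, value)
        self.candidates = [a for a in self.candidates if self._read(a, self.width) == needle]
        return len(self.candidates)

    def patch(self, value):
        """Write `value` into every remaining candidate; return the addresses actually written."""
        data = struct.pack(self.fmt, value)
        written = []
        for addr in self.candidates:
            err = self.make_error()
            if self.process.WriteMemory(addr, data, err) == len(data) and err.Success():
                written.append(addr)
        return written


def writable_regions(process):
    """Readable+writable regions from SBProcess.GetMemoryRegions() (assumed LLDB API; device only)."""
    import lldb  # only exists inside Xcode's Python, hence imported here and not at the top
    regions, infos = [], process.GetMemoryRegions()
    for i in range(infos.GetSize()):
        info = lldb.SBMemoryRegionInfo()
        if infos.GetMemoryRegionAtIndex(i, info) and info.IsReadable() and info.IsWritable():
            regions.append((info.GetRegionBase(), info.GetRegionEnd() - info.GetRegionBase()))
    return regions


class FakeError:
    """Stand-in for lldb.SBError."""
    def Success(self):
        return True


class FakeProcess:
    """Constructed SBProcess stand-in: score (0x10), coins (0x40) and a decoy (0x80) all start at 1000."""
    base = 0x100000000

    def __init__(self):
        self.mem = bytearray(0x1000)
        for off in (0x10, 0x40, 0x80):
            struct.pack_into("<I", self.mem, off, 1000)

    def ReadMemory(self, addr, size, err):
        off = addr - self.base
        return bytes(self.mem[off:off + size])

    def WriteMemory(self, addr, data, err):
        off = addr - self.base
        self.mem[off:off + len(data)] = data
        return len(data)


def demo_flow():
    """find 1000 (3 hits) -> score on the UI becomes 1010 -> filter 1010 (1 hit) -> patch 999999."""
    proc = FakeProcess()
    scanner = MemoryScanner(proc, [(proc.base, len(proc.mem))], FakeError)
    hits = scanner.find(1000)
    struct.pack_into("<I", proc.mem, 0x10, 1010)  # the game updates only the real score
    remaining = scanner.filter(1010)
    patched = scanner.patch(999999)
    return hits, remaining, len(patched), struct.unpack_from("<I", proc.mem, 0x10)[0]


if __name__ == "__main__":
    print(demo_flow())  # (3, 1, 1, 999999)
```

Against a real device the scanner would be built with the target's SBProcess object, writable_regions(process) and lldb.SBError, and find / filter / patch driven from a prompt loop. Note that find() reads each region in one call while filter() re-reads every surviving candidate individually through the debugserver, which is the round-trip cost behind slide 29's remark that the LLDB approach is slower than an in-process Frida gadget.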
  23. How does it work?
     • The ipa-medit binary is built using Go
     • But, because it uses the LLDB Python API, a Python script is also embedded in the binary
     (The Go gopher was designed by Renee French, http://reneefrench.blogspot.com/)
  24. What are the benefits of implementing using Golang on iOS devices?
     (Photo by Nandhu Kumar on Unsplash)
  25. What are the benefits of implementing using Golang?
     • libimobiledevice is implemented in C
     • The LLDB Python API requires Python
     • So why did I use Go for development?
     (The Go gopher was designed by Renee French, http://reneefrench.blogspot.com/)
  26. Go on iOS
     • Inside the Go repository, there is a tool for debugging iOS libraries made using Go
     • https://github.com/golang/go/tree/master/misc/ios
  27. Go on iOS
     • That is where I got the idea
     • That's why ipa-medit is implemented in Go
     • Thanks to Golang!!
  28. This is not the only way
     • Frida makes it possible to debug iOS apps without Jailbreak by inserting a gadget into the debuggable app
     • Frida is a dynamic instrumentation toolkit: https://frida.re/
     • Memory modification is possible this way as well
  29. This is not the only way
     • The LLDB Python API is slower than Frida's approach...
     • But there is no need to patch the IPA, which is an advantage
     • And it never gets caught by app modification detection
     • I may work on implementing this method in the future as well
  30. Summary
     • ipa-medit allows memory modifications without bypassing Jailbreak detection
     • But the IPA still needs to be re-signed...
     • I hope ipa-medit will become the de facto standard for security testing
  31. Thank You!! https://github.com/aktsk/ipa-medit