Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa

August 05, 2021

Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa

Ipa-medit is a memory search and patch tool for resigned ipa without jailbreaking. It was created for mobile game security testing.

Memory modification is the easiest way to cheat in games, it is one of the items to be checked in the security test. There are also cheat tools that can be used casually like GameGem and iGameGuardian on iOS. However, there were no tools available for un-jailbroken device. So I made it as a security testing tool.

There is an android version of the tool, apk-medit(https://github.com/aktsk/apk-medit), that I created.

Many mobile games have jailbreak detection, but ipa-medit does not require jailbreaking, so memory modification can be done without bypassing the jailbreak detection.

GitHub: https://github.com/aktsk/ipa-medit


August 05, 2021

More Decks by @tkmru

Other Decks in Programming


  1. #BHUSA @BLACKHATEVENTS ipa-medit memory search and patch tool for IPA

    without Jailbreaking Presented by Taichi Kotake Akatsuki Inc.
  2. #BHUSA @BLACKHATEVENTS Who I am • Name: Taichi Kotake •

    Country: Japan • Job: Security Engineer @ Akatsuki Inc. • GitHub: tkmru 2
  3. #BHUSA @BLACKHATEVENTS • I also presented at Black Hat Arsenal

    USA last year • Last year, I talked about apk-medit • Memory modification tool for Android • This year, I'll be talking about the iOS version of apk-medit Were you here last year? 4
  4. #BHUSA @BLACKHATEVENTS • Security testing of web applications and simple

    mobile apps can find most vulnerabilities by using a proxy tool to modify with the requests/responses to the server Security testing for mobile game apps
  5. #BHUSA @BLACKHATEVENTS • Mobile game apps often implement the game

    and anti-cheat logic in their clients, and the clients need to take the time to check it Security testing for mobile game apps
  6. #BHUSA @BLACKHATEVENTS What is memory modificationʁ • Security testing for

    mobile game apps is more difficult • Due to the perspective of reverse engineering • Decrypting requests/responses encryption • SSL pinning bypass • Root privileges detection bypass • Memory modification • etc 5PEBZ`TUPQJD 7
  7. #BHUSA @BLACKHATEVENTS What is memory modificationʁ • The easiest way

    to cheat in games • For iOS games, there is a well known cheat tool called iGameGuardian, GamePlayer • For Android games, there is a well known cheat tool called GameGuardian 8
  8. #BHUSA @BLACKHATEVENTS What is ipa-medit? • Memory search and patch

    tool for re-signed IPA without Jailbreaking • Works without Jailbreaking • For mobile security testing • https://github.com/aktsk/ipa-medit 9
  9. #BHUSA @BLACKHATEVENTS What are its advantages over other tools? •

    No root privileges are required for the operation • Therefore, there is no need to bypass Jailbreaking detection • Game apps often detect Jailbreaking • Works with colorful CUI • No competing tools that work with CUI for iOS 10
  10. #BHUSA @BLACKHATEVENTS • macOS • You need to have a

    valid iOS Development certificate installed • Xcode • That's why the tool uses LLDB inside Xcode Requirements 12
  11. #BHUSA @BLACKHATEVENTS • libimobiledevice/libimobiledevice • libimobiledevice/ideviceinstaller Requirements $ brew install

    --HEAD libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller 13
  12. #BHUSA @BLACKHATEVENTS • The target IPA must be signed with

    a certificate installed on your PC • If you want to modify memory on third-party applications, you need to re-sign the IPA Re-sign 14
  13. #BHUSA @BLACKHATEVENTS • If you use the ipautil I created,

    you can easily re-sign • https://github.com/aktsk/ipautil Re-sign $ ipautil decode tap1000000.ipa # unzip $ ipautil build Payload # re-sign 15
  14. #BHUSA @BLACKHATEVENTS • Download the binary(ipa-medit) from GitHub Releases and

    drop it in your $PATH • Using Github Actions to build and distribute the binaries Usage (installation) 16
  15. #BHUSA @BLACKHATEVENTS • To launch it, specify the executable file

    path contained in the IPA with the -bin and the bundle id with the -id Usage (to launch) $ ipa-medit -bin="./Payload/tap1000000.app/ tap1000000" -id="jp.hoge.tap1000000" 17
  16. #BHUSA @BLACKHATEVENTS • Many subcommands are available via the interactive

    prompt, but the three main ones are: • find <value> - search the specified integer value in memory • filter <value> - filter search results using the specified value • patch <value> - write the specified value to the address found by the previous search Usage (subcommands) 18
  17. #BHUSA @BLACKHATEVENTS The memory modification flow • Use the “find”

    command to search for the value on the UI • If there are many results change the value on the UI to “filter” the results • When there are fewer results, you can modify the memory by using the "patch" command 19
  18. #BHUSA @BLACKHATEVENTS • This tool uses libimobliedevice to interact with

    iOS devices • libimobliedevice is a famous library that communicates with iOS devices using native protocols • https://libimobiledevice.org/ How does it work? 21
  19. #BHUSA @BLACKHATEVENTS • The LLDB Python API is used to

    read/write memory • It uses the mechanism that Xcode uses internally • LLDB is used inside Xcode How does it work? 22
  20. #BHUSA @BLACKHATEVENTS • Ipa-medit binary is built using Go •

    But, because it uses the LLDB Python API, Python script is also embedded in the binary How does it work? The Go gopher was designed by Renee French. 
 (http://reneefrench.blogspot.com/) 23
  21. #BHUSA @BLACKHATEVENTS • libimobliedevice is implemented in C • The

    LLDB Python API requires Python • Why did I use Go for development? What are the benefits of implementing using Golang? The Go gopher was designed by Renee French. 
 (http://reneefrench.blogspot.com/) 25
  22. #BHUSA @BLACKHATEVENTS • Inside the Go repository, there is a

    tool for debugging iOS libraries made using Go • https://github.com/golang/go/tree/master/misc/ios Go on iOS 26
  23. #BHUSA @BLACKHATEVENTS • That is where I got the idea

    • That’s why ipa-medit is implemented in Go • Thanks to Golang!! Go on iOS 27
  24. #BHUSA @BLACKHATEVENTS • Frida makes it possible to debug iOS

    apps by inserting a gadget into the debuggable app without Jailbreak • Frida is a dynamic instrumentation toolkit: https://frida.re/ • Memory modification is possible this way as well This is not the only way 28
  25. #BHUSA @BLACKHATEVENTS • The LLDB Python API is slower than

    frida's approach… • But no need to patch the IPA, it's an advantage. • And it never gets caught by app modification detection • I may work on implementing this method in the future as well This is not the only way 29
  26. #BHUSA @BLACKHATEVENTS Summary • ipa-medit allows memory modifications without bypassing

    Jailbreak detection • But there is a need to re-sign the IPA…. • I hope ipa-medit will become the de facto standard for security testing 30