Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa

Transcript

1. #BHUSA @BLACKHATEVENTS
   ipa-medit
   memory search and patch tool for IPA
   without Jailbreaking
   Presented by Taichi Kotake
   Akatsuki Inc.
   

   View Slide

2. #BHUSA @BLACKHATEVENTS
   Who I am
   • Name: Taichi Kotake
   • Country: Japan
   • Job: Security Engineer @ Akatsuki Inc.
   • GitHub: tkmru
   2
   

   View Slide

3. 5PEBZT5PQJD
   4FDVSJUZUFTUJOH
   GPSNPCJMFHBNFBQQT
   Photo by Shannon Potter on Unsplash
   

   View Slide

4. #BHUSA @BLACKHATEVENTS
   • I also presented at Black Hat Arsenal USA last year
   • Last year, I talked about apk-medit
   • Memory modification tool for Android
   • This year, I'll be talking about the iOS version of apk-medit
   Were you here last year?
   4
   

   View Slide

5. #BHUSA @BLACKHATEVENTS
   • Security testing of web applications and simple mobile apps
   can find most vulnerabilities by using a proxy tool to modify with
   the requests/responses to the server
   Security testing for mobile game apps
   

   View Slide

6. #BHUSA @BLACKHATEVENTS
   • Mobile game apps often implement the game and anti-cheat
   logic in their clients, and the clients need to take the time to
   check it
   Security testing for mobile game apps
   

   View Slide

7. #BHUSA @BLACKHATEVENTS
   What is memory modificationʁ
   • Security testing for mobile game apps is more difficult
   • Due to the perspective of reverse engineering
   • Decrypting requests/responses encryption
   • SSL pinning bypass
   • Root privileges detection bypass
   • Memory modification
   • etc
   5PEBZ`TUPQJD
   7
   

   View Slide

8. #BHUSA @BLACKHATEVENTS
   What is memory modificationʁ
   • The easiest way to cheat in games
   • For iOS games, there is a well known cheat tool called
   iGameGuardian, GamePlayer
   • For Android games, there is a well known cheat tool called
   GameGuardian
   8
   

   View Slide

9. #BHUSA @BLACKHATEVENTS
   What is ipa-medit?
   • Memory search and patch tool for re-signed IPA without Jailbreaking
   • Works without Jailbreaking
   • For mobile security testing
   • https://github.com/aktsk/ipa-medit
   9
   

   View Slide

10. #BHUSA @BLACKHATEVENTS
    What are its advantages over other tools?
    • No root privileges are required for the operation
    • Therefore, there is no need to bypass Jailbreaking detection
    • Game apps often detect Jailbreaking
    • Works with colorful CUI
    • No competing tools that work with CUI for iOS
    10
    

    View Slide

11. #BHUSA @BLACKHATEVENTS
    Demo Movie
    11
    

    View Slide

12. #BHUSA @BLACKHATEVENTS
    • macOS
    • You need to have a valid iOS Development certificate installed
    • Xcode
    • That's why the tool uses LLDB inside Xcode
    Requirements
    12
    

    View Slide

13. #BHUSA @BLACKHATEVENTS
    • libimobiledevice/libimobiledevice
    • libimobiledevice/ideviceinstaller
    Requirements
    $ brew install --HEAD libplist
    $ brew install --HEAD usbmuxd
    $ brew install --HEAD libimobiledevice
    $ brew install --HEAD ideviceinstaller
    13
    

    View Slide

14. #BHUSA @BLACKHATEVENTS
    • The target IPA must be signed with a certificate installed
    on your PC
    • If you want to modify memory on third-party applications,
    you need to re-sign the IPA
    Re-sign
    14
    

    View Slide

15. #BHUSA @BLACKHATEVENTS
    • If you use the ipautil I created, you can easily re-sign
    • https://github.com/aktsk/ipautil
    Re-sign
    $ ipautil decode tap1000000.ipa # unzip
    $ ipautil build Payload # re-sign
    15
    

    View Slide

16. #BHUSA @BLACKHATEVENTS
    • Download the binary(ipa-medit) from GitHub Releases
    and drop it in your $PATH
    • Using Github Actions to build and distribute the binaries
    Usage (installation)
    16
    

    View Slide

17. #BHUSA @BLACKHATEVENTS
    • To launch it, specify the executable file path contained
    in the IPA with the -bin and the bundle id with the -id
    Usage (to launch)
    $ ipa-medit -bin="./Payload/tap1000000.app/
    tap1000000" -id="jp.hoge.tap1000000"
    17
    

    View Slide

18. #BHUSA @BLACKHATEVENTS
    • Many subcommands are available via the interactive prompt,
    but the three main ones are:
    • find - search the specified integer value in memory
    • filter - filter search results using the specified value
    • patch - write the specified value to the address
    found by the previous search
    Usage (subcommands)
    18
    

    View Slide

19. #BHUSA @BLACKHATEVENTS
    The memory modification flow
    • Use the “find” command to search for the value on the UI
    • If there are many results change the value on the UI to
    “filter” the results
    • When there are fewer results, you can modify the memory
    by using the "patch" command
    19
    

    View Slide

20. )PXJUXPSLT
    Photo by Harrison Broadbent on Unsplash
    

    View Slide

21. #BHUSA @BLACKHATEVENTS
    • This tool uses libimobliedevice to interact with iOS devices
    • libimobliedevice is a famous library that communicates with
    iOS devices using native protocols
    • https://libimobiledevice.org/
    How does it work?
    21
    

    View Slide

22. #BHUSA @BLACKHATEVENTS
    • The LLDB Python API is used to read/write memory
    • It uses the mechanism that Xcode uses internally
    • LLDB is used inside Xcode
    How does it work?
    22
    

    View Slide

23. #BHUSA @BLACKHATEVENTS
    • Ipa-medit binary is built using Go
    • But, because it uses the LLDB Python API, Python script is also
    embedded in the binary
    How does it work?
    The Go gopher was designed by Renee French. 

    (http://reneefrench.blogspot.com/)
    23
    

    View Slide

24. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOH
    VTJOH(PMBOHPOJ04EFWJDFT
    Photo by Nandhu Kumar on Unsplash
    

    View Slide

25. #BHUSA @BLACKHATEVENTS
    • libimobliedevice is implemented in C
    • The LLDB Python API requires Python
    • Why did I use Go for development?
    What are the benefits of implementing
    using Golang?
    The Go gopher was designed by Renee French. 

    (http://reneefrench.blogspot.com/)
    25
    

    View Slide

26. #BHUSA @BLACKHATEVENTS
    • Inside the Go repository, there is a tool for debugging iOS
    libraries made using Go
    • https://github.com/golang/go/tree/master/misc/ios
    Go on iOS
    26
    

    View Slide

27. #BHUSA @BLACKHATEVENTS
    • That is where I got the idea
    • That’s why ipa-medit is implemented in Go
    • Thanks to Golang!!
    Go on iOS
    27
    

    View Slide

28. #BHUSA @BLACKHATEVENTS
    • Frida makes it possible to debug iOS apps by inserting a
    gadget into the debuggable app without Jailbreak
    • Frida is a dynamic instrumentation toolkit: https://frida.re/
    • Memory modification is possible this way as well
    This is not the only way
    28
    

    View Slide

29. #BHUSA @BLACKHATEVENTS
    • The LLDB Python API is slower than frida's approach…
    • But no need to patch the IPA, it's an advantage.
    • And it never gets caught by app modification detection
    • I may work on implementing this method in the future as well
    This is not the only way
    29
    

    View Slide

30. #BHUSA @BLACKHATEVENTS
    Summary
    • ipa-medit allows memory modifications without bypassing
    Jailbreak detection
    • But there is a need to re-sign the IPA….
    • I hope ipa-medit will become the de facto standard
    for security testing
    30
    

    View Slide

31. #BHUSA @BLACKHATEVENTS
    Thank You!!
    https://github.com/aktsk/ipa-medit
    

    View Slide