
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal

@tkmru
August 05, 2021


Ipa-medit is a memory search and patch tool for re-signed IPAs that works without jailbreaking. It was created for mobile game security testing.

Memory modification is the easiest way to cheat in games, so it is one of the items checked in a security test. On iOS there are cheat tools that can be used casually, such as GameGem and iGameGuardian, but none of them worked on a non-jailbroken device, so I made ipa-medit as a security testing tool.

There is also an Android version of the tool that I created, apk-medit (https://github.com/aktsk/apk-medit).

Many mobile games have jailbreak detection, but ipa-medit does not require jailbreaking, so memory can be modified without bypassing the jailbreak detection.

GitHub: https://github.com/aktsk/ipa-medit


Transcript

  1. #BHUSA @BLACKHATEVENTS
    ipa-medit
    memory search and patch tool for IPA
    without Jailbreaking
    Presented by Taichi Kotake
    Akatsuki Inc.

  2. Who I am
    • Name: Taichi Kotake
    • Country: Japan
    • Job: Security Engineer @ Akatsuki Inc.
    • GitHub: tkmru

  3. Today's Topic
    Security testing for mobile game apps
    Photo by Shannon Potter on Unsplash

  4. Were you here last year?
    • I also presented at Black Hat Arsenal USA last year
    • Last year, I talked about apk-medit
    • Memory modification tool for Android
    • This year, I'll be talking about the iOS version of apk-medit

  5. Security testing for mobile game apps
    • Security testing of web applications and simple mobile apps
    can find most vulnerabilities by using a proxy tool to modify
    the requests/responses to the server

  6. Security testing for mobile game apps
    • Mobile game apps often implement the game and anti-cheat
    logic in the client, so the client itself takes time to check

  7. What is memory modification?
    • Security testing for mobile game apps is more difficult
    • Due to the perspective of reverse engineering
    • Decrypting requests/responses encryption
    • SSL pinning bypass
    • Root privileges detection bypass
    • Memory modification (Today's topic)
    • etc

  8. What is memory modification?
    • The easiest way to cheat in games
    • For iOS games, there are well known cheat tools called
    iGameGuardian and GamePlayer
    • For Android games, there is a well known cheat tool called
    GameGuardian

  9. What is ipa-medit?
    • Memory search and patch tool for re-signed IPA without Jailbreaking
    • Works without Jailbreaking
    • For mobile security testing
    • https://github.com/aktsk/ipa-medit

  10. What are its advantages over other tools?
    • No root privileges are required for the operation
    • Therefore, there is no need to bypass Jailbreak detection
    • Game apps often detect Jailbreaking
    • Works with a colorful CUI
    • No competing tools that work with a CUI for iOS

  11. Demo Movie

  12. Requirements
    • macOS
    • You need to have a valid iOS Development certificate installed
    • Xcode
    • Xcode is required because the tool uses the LLDB shipped inside Xcode

  13. Requirements
    • libimobiledevice/libimobiledevice
    • libimobiledevice/ideviceinstaller
    $ brew install --HEAD libplist
    $ brew install --HEAD usbmuxd
    $ brew install --HEAD libimobiledevice
    $ brew install --HEAD ideviceinstaller

  14. Re-sign
    • The target IPA must be signed with a certificate installed
    on your PC
    • If you want to modify memory on third-party applications,
    you need to re-sign the IPA

  15. Re-sign
    • If you use the ipautil I created, you can easily re-sign
    • https://github.com/aktsk/ipautil
    $ ipautil decode tap1000000.ipa # unzip
    $ ipautil build Payload # re-sign

  16. Usage (installation)
    • Download the binary (ipa-medit) from GitHub Releases
    and drop it in your $PATH
    • GitHub Actions is used to build and distribute the binaries

  17. Usage (to launch)
    • To launch it, specify the executable file path contained
    in the IPA with -bin and the bundle id with -id
    $ ipa-medit -bin="./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000"

  18. Usage (subcommands)
    • Many subcommands are available via the interactive prompt,
    but the three main ones are:
    • find - search the specified integer value in memory
    • filter - filter search results using the specified value
    • patch - write the specified value to the address
    found by the previous search

  19. The memory modification flow
    • Use the "find" command to search for the value on the UI
    • If there are many results, change the value on the UI and
    "filter" the results
    • When there are fewer results, you can modify the memory
    by using the "patch" command
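The find/filter/patch narrowing described on slides 18 and 19, as an added example that is not ipa-medit's own code: it runs the three steps over a constructed byte string standing in for a memory snapshot (in the real tool the bytes would be read and written through LLDB's Python API on the device), assuming 4-byte little-endian integers.

```python
WIDTH = 4  # assumption: 4-byte little-endian integers, as on arm64 iOS


def find(mem: bytes, value: int, width: int = WIDTH) -> list[int]:
    """'find': every byte offset in the snapshot that holds `value`."""
    needle = value.to_bytes(width, "little", signed=True)
    hits, start = [], 0
    while (i := mem.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def filter_hits(mem: bytes, hits: list[int], value: int, width: int = WIDTH) -> list[int]:
    """'filter': keep earlier hits that now hold the new on-screen `value`."""
    needle = value.to_bytes(width, "little", signed=True)
    return [a for a in hits if mem[a:a + width] == needle]


def patch(mem: bytearray, addr: int, value: int, width: int = WIDTH) -> None:
    """'patch': overwrite the integer stored at `addr` in place."""
    mem[addr:addr + width] = value.to_bytes(width, "little", signed=True)


def read_int(mem: bytes, addr: int, width: int = WIDTH) -> int:
    return int.from_bytes(mem[addr:addr + width], "little", signed=True)


def demo() -> dict:
    # Constructed 64-byte "heap": three words equal the on-screen coin
    # count (100), but only offset 20 is the real counter; 8 and 40 are
    # unrelated values that happen to match.
    mem = bytearray(64)
    for addr in (8, 20, 40):
        patch(mem, addr, 100)
    first = find(mem, 100)                    # too many candidates: [8, 20, 40]
    patch(mem, 20, 120)                       # play the game: counter becomes 120
    narrowed = filter_hits(mem, first, 120)   # only the real counter survives: [20]
    patch(mem, narrowed[0], 999_999)          # write the chosen value there
    return {"find": first, "filter": narrowed, "coins": read_int(mem, 20)}
```

Values that the client stores in a transformed form (for example, XOR-masked or kept only server-side) do not show up in the first "find", which is what a tester checks for when the anti-cheat logic lives in the client.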

  20. How it works
    Photo by Harrison Broadbent on Unsplash

  21. How does it work?
    • This tool uses libimobiledevice to interact with iOS devices
    • libimobiledevice is a well-known library that communicates with
    iOS devices using native protocols
    • https://libimobiledevice.org/

  22. How does it work?
    • The LLDB Python API is used to read/write memory
    • It uses the mechanism that Xcode uses internally
    • LLDB is used inside Xcode

  23. How does it work?
    • The ipa-medit binary is built using Go
    • But, because it uses the LLDB Python API, a Python script is also
    embedded in the binary
    The Go gopher was designed by Renee French (http://reneefrench.blogspot.com/)

  24. What are the benefits of implementing using Golang on iOS devices?
    Photo by Nandhu Kumar on Unsplash

  25. What are the benefits of implementing using Golang?
    • libimobiledevice is implemented in C
    • The LLDB Python API requires Python
    • Why did I use Go for development?
    The Go gopher was designed by Renee French (http://reneefrench.blogspot.com/)

  26. Go on iOS
    • Inside the Go repository, there is a tool for debugging iOS
    libraries made using Go
    • https://github.com/golang/go/tree/master/misc/ios

  27. Go on iOS
    • That is where I got the idea
    • That's why ipa-medit is implemented in Go
    • Thanks to Golang!!

  28. This is not the only way
    • Frida makes it possible to debug iOS apps by inserting a
    gadget into the debuggable app without Jailbreak
    • Frida is a dynamic instrumentation toolkit: https://frida.re/
    • Memory modification is possible this way as well

  29. This is not the only way
    • The LLDB Python API is slower than Frida's approach…
    • But there is no need to patch the IPA, which is an advantage
    • And it never gets caught by app modification detection
    • I may work on implementing this method in the future as well

  30. Summary
    • ipa-medit allows memory modifications without bypassing
    Jailbreak detection
    • But there is a need to re-sign the IPA…
    • I hope ipa-medit will become the de facto standard
    for security testing

  31. Thank You!!
    https://github.com/aktsk/ipa-medit