My Black Hat History
• search and patch tool for APK without root & android NDK”
• Black Hat USA 2021 Arsenal “Ipa-medit: Memory modification tool for iOS apps without Jailbreaking”
• Black Hat Europe 2022 Arsenal “Ipa-medit: Memory modification tool for iOS apps without Jailbreaking”
Sequel to the presentation
Today's topic
• mobile game apps is more difficult
• Due to the perspective of reverse engineering
• Decrypting encrypted requests/responses
• SSL pinning bypass
• Root privileges detection bypass
• Memory modification
• etc
• to cheat in games
• For iOS games, there are well-known cheat tools called iGameGuardian and GamePlayer
• For Android games, there is a well-known cheat tool called GameGuardian
What are its advantages over other tools?
• No root privileges are required for the operation
• Therefore, there is no need to bypass Jailbreaking detection
• Game apps often detect Jailbreaking
• Works with a colorful TUI
• Easy-to-follow logs
• No competing tools that work with a TUI for iOS
• for game apps that have not been released
• considering the risk of information leakage…
• ipa-medit is open source and a tool developed by a game company
• It can be used for security testing with confidence
Updates after Black Hat USA 2021 Arsenal
• USA 2021 Arsenal.
• At that time, it could only target iOS apps running on the iPhone.
• However, it now supports iOS apps running on the Apple Silicon Mac as well.
• The Apple Silicon Mac was recently released and allows you to run iOS apps on macOS.
Usage (to launch)
• Targeting the iOS app on the Apple Silicon Mac
$ unzip tap1000000.ipa
$ ipa-medit -bin="./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000"
$ ipa-medit -name <process name>
• the interactive prompt, but the three main ones are:
• find <value> - search for the specified integer value in memory
• filter <value> - filter the search results using the specified value
• patch <value> - write the specified value to the addresses found by the previous search
The memory modification flow
• the value in the UI
• If there are many results, change the value in the UI to “filter” the results
• After filtering the results, you can modify the memory by using the "patch" command
How does it work? (on iOS Devices)
• libimobiledevice is a popular library that communicates with iOS devices using native protocols
• https://libimobiledevice.org/
How does it work? (on iOS Devices)
• read/write from/to memory
• It uses the same mechanism that Xcode uses internally
• LLDB is used inside Xcode
• The ipa-medit binary is built using Go
• But, because it uses the LLDB Python API, a Python script is also embedded in the binary
Go on iOS
• tool for debugging iOS libraries made using Go
• for iOS devices only
• https://github.com/golang/go/tree/master/misc/ios
• That is where I got the idea
• Thanks to Golang!!
How does it work? (on Apple Silicon Mac)
• tool for Android (Black Hat USA 2020 Arsenal)
• I thought that the same logic from this tool could also be used for the Apple Silicon Mac
• But macOS is quite different from Linux.
How does it work? (on Apple Silicon Mac)
• as follows:
• Search readable memory addresses (/proc/$pid/maps) → Read the memory (/proc/$pid/mem by ptrace) → Search for the target value → Patch the memory (/proc/$pid/mem by ptrace)
How does it work? (on Apple Silicon Mac)
• can read / write
• But on macOS, there is no /proc/$pid/maps
• Therefore, a specialized API must be used to read a memory map
• To reduce the implementation effort, ipa-medit internally uses the vmmap command to obtain a memory map
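To show what "using vmmap to obtain a memory map" involves in practice, here is an added example (not ipa-medit's own code) of a parser that turns `vmmap <pid>` output into the list of regions a memory search can actually read and patch. The column layout it expects (region name, hex start-end, a bracketed size column, then current/max protection such as `rw-/rwx`) is assumed from typical vmmap output, and the sample text is constructed, not captured from a real process.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Region is one mapping as reported by vmmap: its name, address range and
// current protection string (for example "rw-").
type Region struct {
	Name  string
	Start uint64
	End   uint64
	Prot  string
}

// Size returns the length of the region in bytes.
func (r Region) Size() uint64 { return r.End - r.Start }

// vmmapLine matches a per-region line of `vmmap <pid>` output:
// name, start-end in hex, a bracketed size column, then cur/max protection.
// The column layout is assumed from typical output; header, blank and
// summary lines do not match and are skipped.
var vmmapLine = regexp.MustCompile(
	`^(\S.*?)\s+([0-9a-fA-F]+)-([0-9a-fA-F]+)\s+\[[^\]]*\]\s+([rwx-]{3})/([rwx-]{3})`)

// ParseVmmap returns the regions whose current protection is both readable
// and writable; those are the only ones a memory search can read now and
// patch later.
func ParseVmmap(out string) ([]Region, error) {
	var regions []Region
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		m := vmmapLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // header, blank or summary line
		}
		start, err := strconv.ParseUint(m[2], 16, 64)
		if err != nil {
			return nil, err
		}
		end, err := strconv.ParseUint(m[3], 16, 64)
		if err != nil {
			return nil, err
		}
		if end <= start {
			return nil, fmt.Errorf("bad range %s-%s", m[2], m[3])
		}
		prot := m[4]
		if prot[0] != 'r' || prot[1] != 'w' {
			continue // not readable+writable under the current protection
		}
		regions = append(regions, Region{Name: m[1], Start: start, End: end, Prot: prot})
	}
	return regions, sc.Err()
}

// SampleVmmap is a constructed excerpt in the shape of `vmmap <pid>` output;
// it is not a capture from a real process.
const SampleVmmap = `==== Non-writable regions for process 4242
REGION TYPE                    START - END         [ VSIZE  RSDNT  DIRTY   SWAP] PRT/MAX SHRMOD PURGE    REGION DETAIL
__TEXT                      100000000-100004000    [   16K    16K     0K     0K] r-x/r-x SM=COW          /Users/example/Example.app/Contents/MacOS/Example
__LINKEDIT                  100008000-100010000    [   32K    16K     0K     0K] r--/r--  SM=COW          /Users/example/Example.app/Contents/MacOS/Example

==== Writable regions for process 4242
__DATA                      100004000-100008000    [   16K    16K    16K     0K] rw-/rw-  SM=COW          /Users/example/Example.app/Contents/MacOS/Example
MALLOC_TINY              600000000000-600000020000 [  128K   128K   128K     0K] rw-/rwx  SM=PRV          DefaultMallocZone_0x600000000000
Stack                       16f000000-16f800000    [ 8192K    64K    64K     0K] rw-/rwx  SM=PRV          thread 0
`

func main() {
	regions, err := ParseVmmap(SampleVmmap)
	if err != nil {
		panic(err)
	}
	for _, r := range regions {
		fmt.Printf("%-12s %#x-%#x %s (%d bytes)\n", r.Name, r.Start, r.End, r.Prot, r.Size())
	}
}
```

Filtering on the current protection rather than the maximum one matters: a region listed as `r--/rwx` is writable in principle but not right now, so a scanner that trusts the second column would read it fine and then fail on the patch.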
How does it work? (on Apple Silicon Mac)
• no memory read/write via ptrace
• ptrace is a system call often used to implement debuggers
• The operation is switched by specifying the request as the first argument
ptrace(int request, pid_t pid, caddr_t addr, int data);
How does it work? (on Apple Silicon Mac)
• memory read/write is not supported
• It is not possible to specify PTRACE_PEEKDATA for reading memory or PTRACE_POKEDATA for writing memory as the first argument
ptrace(int request, pid_t pid, caddr_t addr, int data);
How does it work? (on Apple Silicon Mac)
• reading and writing to memory
• It uses mach_vm_read() to read the memory
• When the target value is found, it uses mach_vm_write() to patch the memory
How does it work? (on Apple Silicon Mac)
• as follows:
• Search readable memory addresses (by vmmap) → Read the memory (mach_vm_read) → Search for the target value → Patch the memory (mach_vm_write)
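The find / filter / patch cycle from "The memory modification flow" and the search and patch steps of the flow above are the same algorithm; as an added example (not ipa-medit's code), the following Go program runs that cycle over constructed byte regions held in memory instead of over mach_vm_read() / mach_vm_write(). The Snapshot type, the byte-granularity scan and the sample region contents are assumptions of this example; the point is how a single "find" produces several coincidental candidates and a change in the value plus a "filter" narrows them to the one that matters before anything is written.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Snapshot is a copy of one readable region of the target: its base address
// and contents. In ipa-medit the bytes would come from mach_vm_read(); here
// they are constructed so the flow runs without a target process.
type Snapshot struct {
	Base uint64
	Data []byte
}

// locate returns the snapshot and offset holding the 4-byte word at addr.
func locate(snaps []Snapshot, addr uint64) (*Snapshot, uint64, bool) {
	for i := range snaps {
		s := &snaps[i]
		if addr >= s.Base && addr+4 <= s.Base+uint64(len(s.Data)) {
			return s, addr - s.Base, true
		}
	}
	return nil, 0, false
}

// ReadInt32 reads the little-endian int32 stored at addr.
func ReadInt32(snaps []Snapshot, addr uint64) (int32, bool) {
	s, off, ok := locate(snaps, addr)
	if !ok {
		return 0, false
	}
	return int32(binary.LittleEndian.Uint32(s.Data[off : off+4])), true
}

// Find is the "find <value>" step: every byte offset in every snapshot whose
// next four bytes are the little-endian encoding of value. Scanning at byte
// granularity is an assumption of this example; it reports unaligned
// candidates too, which the later filter step discards.
func Find(snaps []Snapshot, value int32) []uint64 {
	var want [4]byte
	binary.LittleEndian.PutUint32(want[:], uint32(value))
	var hits []uint64
	for _, s := range snaps {
		for off := 0; off+4 <= len(s.Data); off++ {
			if bytes.Equal(s.Data[off:off+4], want[:]) {
				hits = append(hits, s.Base+uint64(off))
			}
		}
	}
	return hits
}

// Filter is the "filter <value>" step: after the value changed in the app's
// UI and the regions were re-read, keep only the earlier candidates that now
// hold the new value.
func Filter(snaps []Snapshot, hits []uint64, value int32) []uint64 {
	var keep []uint64
	for _, a := range hits {
		if v, ok := ReadInt32(snaps, a); ok && v == value {
			keep = append(keep, a)
		}
	}
	return keep
}

// Patch is the "patch <value>" step; it stands in for mach_vm_write().
func Patch(snaps []Snapshot, addr uint64, value int32) bool {
	s, off, ok := locate(snaps, addr)
	if !ok {
		return false
	}
	binary.LittleEndian.PutUint32(s.Data[off:off+4], uint32(value))
	return true
}

// words builds a constructed region from int32 values.
func words(base uint64, vals ...int32) Snapshot {
	buf := make([]byte, 4*len(vals))
	for i, v := range vals {
		binary.LittleEndian.PutUint32(buf[4*i:], uint32(v))
	}
	return Snapshot{Base: base, Data: buf}
}

// DemoFlow runs find -> (value changes in the UI) -> filter -> patch on a
// constructed region where several words coincidentally equal the score.
// It returns the number of candidates left after filtering and the final score.
func DemoFlow() (int, int32) {
	const base = 0x100004000
	snaps := []Snapshot{words(base, 100, 7, 100, 42, 100)} // the score lives at base+8
	hits := Find(snaps, 100)                                // base+0, base+8 and base+16 all match

	// The player scores 50 more points; an unrelated counter changes as well.
	// (Patch is used here only to simulate the app updating its own memory.)
	Patch(snaps, base+8, 150)
	Patch(snaps, base+0, 99)

	hits = Filter(snaps, hits, 150) // only base+8 still matches
	for _, a := range hits {
		Patch(snaps, a, 999999)
	}
	score, _ := ReadInt32(snaps, base+8)
	return len(hits), score
}

func main() {
	n, score := DemoFlow()
	fmt.Printf("candidates after filter: %d, score now %d\n", n, score)
}
```

From a detection standpoint this is also what a game's anti-cheat sees: a value that changes without any of the game's own code writing it, which is why comparing gameplay-critical state against a server-side or checksummed copy catches this class of modification.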
The signing requirement...
• as debuggers…
• To use the program as a debugger, it must be signed
• Specify the com.apple.security.cs.debugger entitlement in entitlements.plist to enable it
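For reference, this is what such an entitlements.plist looks like; it is an added example, not a file from the ipa-medit repository, and the only entitlement it grants is the debugger attribute named above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Allows the signed binary to attach to other processes as a debugger. -->
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
```

The file is applied at signing time with `codesign -s <identity> --entitlements entitlements.plist -f <path to binary>` (`-s -` produces an ad-hoc signature). Because the entitlement grants the binary the ability to read and write other processes' memory, it is a reason to keep the signed tool off production hosts and to treat its presence on a machine as something worth alerting on.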
There are other ways to do this
• apps by inserting a gadget into the debuggable app without Jailbreaking
• Frida is a dynamic instrumentation toolkit
• https://frida.re/
• Memory modification is possible this way as well
There are other ways to do this
• frida's approach…
• But there is no need to patch the IPA, which is an advantage.
• And it never gets caught by app modification detection
• I may work on implementing this method in the future as well