$30 off During Our Annual Pro Sale. View Details »

ipa-medit: Memory search and patch tool for IPA...

@tkmru
December 25, 2022

ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe

@tkmru

December 25, 2022
Tweet

More Decks by @tkmru

Other Decks in Programming

Transcript

  1. #BHEU @BlackHatEvents ipa-medit Memory search and patch tool for IPA

    without Jailbreaking 
 Black Hat Europe 2022 Arsenal Edition Presented by Taichi Kotake 
 Akatsuki Games Inc. & Sterra Security Co.,Ltd.
  2. #BHEU @BlackHatEvents • Name: Taichi Kotake • Country: Japan •

    Job: • Security Engineer @ Akatsuki Games Inc. • CTO & Co-founder @ Sterra Security Co.,Ltd. • GitHub: tkmru Who I am
  3. #BHEU @BlackHatEvents • Black Hat USA 2020 Arsenal “Apk-medit: memory

    search and patch tool for APK without root & android NDK” • Black Hat USA 2021 Arsenal “Ipa-medit: Memory modification tool for iOS apps without Jailbreaking” • Black Hat Europe 2022 Arsenal “Ipa-medit: Memory modification tool for iOS apps without Jailbreaking” My Black Hat History 4FRVFMUPUIF QSFTFOUBUJPO
  4. #BHEU @BlackHatEvents Security testing for mobile game apps • Security

    testing of web applications and simple mobile apps can find most vulnerabilities by using a proxy tool to modify 
 the requests/responses to the server
  5. #BHEU @BlackHatEvents • Mobile game apps often implement the game

    and anti-cheat logic in their clients, and the clients need to take the time to check it Security testing for mobile game apps
  6. #BHEU @BlackHatEvents What is memory modificationʁ • Security testing for

    mobile game apps is more difficult • Due to the perspective of reverse engineering • Decrypting encrypted requests/responses • SSL pinning bypass • Root privileges detection bypass • Memory modification • etc 5PEBZ`TUPQJD
  7. #BHEU @BlackHatEvents What is memory modificationʁ • The easiest way

    to cheat in games • For iOS games, there is a well known cheat tool called iGameGuardian, GamePlayer • For Android games, there is a well known cheat tool called GameGuardian
  8. #BHEU @BlackHatEvents What is ipa-medit? • Memory search and patch

    tool for re-signed IPA without Jailbreaking • Works without Jailbreaking • For mobile security testing • https://github.com/aktsk/ipa-medit
  9. #BHEU @BlackHatEvents What are its advantages over other tools? •

    No root privileges are required for the operation • Therefore, there is no need to bypass Jailbreaking detection • Game apps often detect Jailbreaking • Works with colorful TUI • Easy to follow logs • No competing tools that work with TUI for iOS
  10. #BHEU @BlackHatEvents • Closed-source cheat tools are difficult to use

    for game apps that have not been released • considering the risk of information leakage… • ipa-medit is open source and a tool developed by a game company • It can be used for security testing with confidence What are its advantages over other tools?
  11. #BHEU @BlackHatEvents • I also presented at the Black Hat

    USA 2021 Arsenal. • At that time, it could only target iOS apps running on the iPhone. • However, it now supports iOS apps running on the Apple Silicon Mac as well. • The Apple Silicon Mac was recently released and allows you to run iOS apps on macOS. Updates after BlackHat USA 2021 Arsenal
  12. #BHEU @BlackHatEvents • macOS • You need to have a

    valid iOS Development certificate installed Requirements
  13. #BHEU @BlackHatEvents • Xcode • Since the tool uses LLDB

    inside Xcode Requirements (for iOS devices only)
  14. #BHEU @BlackHatEvents • libimobiledevice/libimobiledevice • libimobiledevice/ideviceinstaller Requirements (for iOS devices

    only) $ brew install --HEAD libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller
  15. #BHEU @BlackHatEvents • The target IPA must be signed with

    a certificate installed 
 on your PC • If you want to modify memory on third-party applications, 
 you will need to re-sign the IPA Re-sign
  16. #BHEU @BlackHatEvents • If you use the ipautil tool that

    I created, you can easily re-sign • https://github.com/aktsk/ipautil Re-sign $ ipautil decode tap1000000.ipa # unzip 
 $ ipautil build Payload # re-sign
  17. #BHEU @BlackHatEvents • Download the binary(ipa-medit) from GitHub Releases 


    and drop it in your $PATH • Using GitHub Actions to build and distribute the binaries Usage (installation)
  18. #BHEU @BlackHatEvents • Targeting the iOS app on the iPhone

    • Targeting the iOS app on the Apple Silicon Mac Usage (to launch) $ unzip tap1000000.ipa $ ipa-medit -bin=“./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000" $ ipa-medit -name <process name>
  19. #BHEU @BlackHatEvents Usage (subcommands) • Many subcommands are available via

    the interactive prompt, but the three main ones are: • find <value> - search the specified integer value in memory • filter <value> - filter search results using the specified value • patch <value> - write the specified value to the address found by the previous search
  20. #BHEU @BlackHatEvents • Use the “find” command to search for

    the value in the UI • If there are many results change the value in the UI to 
 “filter” the results • After filtering the results, you can modify the memory 
 by using the "patch" command The memory modification flow
  21. #BHEU @BlackHatEvents • Different memory modification mechanisms • Targeting iOS

    apps on iOS Devices • Targeting iOS apps on the Apple Silicon Mac How does it work?
  22. #BHEU @BlackHatEvents • Use libimobiledevice to interact with iOS devices

    • libimobiledevice is a popular library that communicates with iOS devices using native protocols • https://libimobiledevice.org/ How does it work?(on iOS Devices)
  23. #BHEU @BlackHatEvents • The LLDB Python API is used to

    read/write from/to memory • It uses the same mechanism that Xcode uses internally • LLDB is used inside Xcode • Ipa-medit binary is built using Go • But, because it uses the LLDB Python API, Python script is also embedded in the binary How does it work?(on iOS Devices)
  24. #BHEU @BlackHatEvents • libimobiledevice is implemented in C • The

    LLDB Python API requires Python • Why did I use Go for development? What are the benefits of implementing using Golang?
  25. #BHEU @BlackHatEvents • Inside the Go repository, there is a

    tool for debugging iOS libraries made using Go • for iOS devices only • https://github.com/golang/go/tree/master/misc/ios • That is where I got the idea • Thanks to Golang!! Go on iOS
  26. #BHEU @BlackHatEvents • I had previously created a memory modification

    tool for Android called apk-medit@Black Hat USA 2020 Arsenal • I thought that the same logic from this tool could also be used for the Apple Sillicon Mac • But macOS is quite different from Linux. How does it work?(on Apple Sillicon Mac)
  27. #BHEU @BlackHatEvents • The memory modification process on Linux(Android) is

    as follows: How does it work?(on Apple Sillicon Mac) 4FBSDISFBEBCMFNFNPSZ BEESFTTFT 
 QSPDQJENBQT 3FBEUIFNFNPSZ 
 QSPDQJENFN 
 CZQUSBDF 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ 
 QSPDQJENFN 
 CZQUSBDF
  28. #BHEU @BlackHatEvents • The Memory map tells us where we

    can read / write • But on macOS, There is no /proc/$pid/maps • Therefore, a specialized API must be used to read a memory map • To reduce the implementation effort, ipa-medit internally uses the vmmap command to obtain a memory map How does it work?(on Apple Sillicon Mac)
  29. #BHEU @BlackHatEvents • On macOS, there is no /proc/$pid/mem and

    no memory read/write via ptrace • ptrace is a system call often used to implement debuggers • switch the operation by specifying the request as the first argument How does it work?(on Apple Sillicon Mac) ptrace(int request, pid_t pid, caddr_t addr, int data);ɹ
  30. #BHEU @BlackHatEvents • ptrace also exists on macOS • However,

    memory read/write is not supported • It is not possible to specify PTRACE_PEEKDATA for reading memory or PTRACE_POKEDATA for writing to memory as the first argument How does it work?(on Apple Sillicon Mac) ptrace(int request, pid_t pid, caddr_t addr, int data);
  31. #BHEU @BlackHatEvents • macOS also has a specialized API for

    reading and writing to memory • It uses mach_vm_read() to read the memory • When the target value is found, it uses mach_vm_write() to patch the memory How does it work?(on Apple Sillicon Mac)
  32. #BHEU @BlackHatEvents • The memory modification process on macOS is

    as follows: How does it work?(on Apple Sillicon Mac) 4FBSDISFBEBCMFNFNPSZ BEESFTTFT 
 CZWNNBQ 3FBEUIFNFNPSZ 
 NBDI@WN@SFBE 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ 
 NBDI@WN@XSJUF
  33. #BHEU @BlackHatEvents • On macOS, non-signed programs cannot be used

    as debuggers… • To use the program as a debugger it must be signed • Specify in the entitlements.plist to enable the attribute com.apple.security.cs.debugger The signing requirement...
  34. #BHEU @BlackHatEvents • The entitlements.plist is as follows: com.apple.security.cs.debugger <?xml

    version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.debugger</key> <true/> </dict> </plist>
  35. #BHEU @BlackHatEvents • The com.apple.security.get-task-allow attribute must be enabled in

    the application to be debugged • This allows it to be attached to by the debugger The program to be debugged must also be signed...
  36. #BHEU @BlackHatEvents • You can check if the com.apple.security.get-task-allow attribute

    is enabled using the codesign command: com.apple.security.get-task-allow $ codesign -d --entitlements :- 47071 
 Executable=/private/var/folders/hc/XXXXXXXXnsfn1_c9n20jxw40000gq/X/XXXXXXXX-XXXX-XXXX-XXXX- XXXXXXXXXXXX/d/Wrapper/tap1000000.app/tap1000000 <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> … <key>get-task-allow</key> <true/> … </dict> </plist>
  37. #BHEU @BlackHatEvents • Frida makes it possible to debug iOS

    apps by inserting a gadget into the debuggable app without Jailbreaking • Frida is a dynamic instrumentation toolkit • https://frida.re/ • Memory modification is possible this way as well There are other ways to do this
  38. #BHEU @BlackHatEvents • The LLDB Python API is slower than

    frida's approach… • But there is no need to patch the IPA, which is an advantage. • And it never gets caught by app modification detection • I may work on implementing this method in the future as well There are other ways to do this
  39. #BHEU @BlackHatEvents • Ipa-medit allows memory modifications without bypassing Jailbreak

    detection • But there is a need to re-sign the IPA… • I hope ipa-medit will become the de facto standard 
 for security testing Summary
  40. #BHEU @BlackHatEvents • The English for this presentation was checked

    by a native English-speaking teammate • Thanks to Shadab Ambat !! Acknowledgements