Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
@tkmru
October 28, 2022
- https://codeblue.jp/2022/en/talks/?content=talks_23
- https://github.com/aktsk/ipa-medit
Transcript
Presented by Taichi Kotake (Akatsuki Games Inc. / Sterra Security Co., Ltd.)
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking
CODE BLUE 2022 Bluebox Edition

Who I am
- Name: Taichi Kotake
- Job:
  - Security Engineer @ Akatsuki Games Inc.
  - CTO / Co-founder @ Sterra Security Co., Ltd.
- GitHub: tkmru

My Books

My CODE BLUE History
- CODE BLUE Student Staff
- CODE BLUE 2020 Bluebox: "Apk-medit: memory search and patch tool for APK without root & android NDK"
- CODE BLUE 2022 Bluebox: "Ipa-medit: Memory modification tool for iOS apps without Jailbreaking" (sequel to the previous presentation)
Today's Topic: Security testing for mobile game apps
(Photo by Shannon Potter on Unsplash)
Security testing for mobile game apps
- Security testing of web applications and simple mobile apps can find most vulnerabilities by using a proxy tool to modify the requests/responses to the server
- Mobile game apps often implement the game and anti-cheat logic in their clients, and the clients need to implement the logic to check it

What is memory modification?
- Security testing for mobile game apps is more difficult
  - Due to the perspective of reverse engineering
  - Decrypting encrypted requests/responses
  - Bypassing SSL Pinning (Certificate Pinning)
  - Bypassing JailBreak (Root privileges) detection
  - Memory modification (today's topic)
  - etc.

What is memory modification?
- The easiest way to cheat in games
- For iOS games, there are well-known cheat tools such as iGameGuardian and GamePlayer
- For Android games, there is a well-known cheat tool called GameGuardian
What is ipa-medit?
- A memory search and patch tool for resigned IPA
- Works without Jailbreaking
- For mobile security testing
- https://github.com/aktsk/ipa-medit

What are its advantages over other tools?
- No root privileges are required for the operation
  - Therefore, there is no need to bypass Jailbreaking detection
  - Game apps often detect Jailbreaking
- Works with colorful TUI
  - Easy to follow logs
  - No competing tools that work with TUI for iOS

What are its advantages over other tools?
- Closed-source cheat tools are difficult to use for game apps that have not been released (considering the risk of information leakage...)
- ipa-medit is open source and a tool developed by a game company
  - It can be used for security testing with confidence
DEMO MOVIE
Updates after Black Hat USA 2021 Arsenal
- I also presented at the Black Hat USA 2021 Arsenal
- At that time, it could only target iOS apps running on iPhone
- Now it supports iOS apps running on the Apple Silicon Mac
  - The Apple Silicon Mac was recently released and allows you to run iOS apps on macOS

DEMO MOVIE
Requirements
- macOS
- You need to have a valid iOS Development certificate installed

Requirements (for iOS devices only)
- Xcode
  - Since the tool uses LLDB inside Xcode

Requirements (for iOS devices only)
- libimobiledevice/libimobiledevice
- libimobiledevice/ideviceinstaller

$ brew install --HEAD libplist
$ brew install --HEAD usbmuxd
$ brew install --HEAD libimobiledevice
$ brew install --HEAD ideviceinstaller
Resign
- The target IPA must be signed with a certificate installed on your PC
- If you want to modify memory on third-party applications, you need to resign the IPA

Resign
- If you use the ipautil I created, you can easily resign
- https://github.com/aktsk/ipautil

$ ipautil decode tap1000000.ipa # unzip
$ ipautil build Payload # re-sign
Usage (installation)
- Download the binary (ipa-medit) from GitHub Releases and drop it in your PATH
- Using GitHub Actions to build and distribute the binaries

Usage (to launch)
- Targeting the iOS app on the iPhone:

$ unzip tap1000000.ipa
$ ipa-medit -bin="./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000"

- Targeting the iOS app on the Apple Silicon Mac:

$ ipa-medit -name <process name>
Usage (subcommands)
- Many subcommands are available via the interactive prompt, but the three main ones are:
  - find <value>: search the specified integer value in memory
  - filter <value>: filter search results using the specified value
  - patch <value>: write the specified value to the address found by the previous search

The memory modification flow
- Use the "find" command to search for the value in the UI
- If there are many results, change the value in the UI to "filter" the results
- When there are fewer results, you can modify the memory by using the patch command
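The find/filter/patch loop above, as an added Go example that is not part of the deck or of ipa-medit's own code: the search, narrowing and write steps run over a constructed byte slice standing in for one readable/writable region of the target process. The names Memory, ReadU32, Find, Filter, Patch and Session, and the 32-byte sample region with a decoy value, are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Memory stands in for one readable/writable region of the target process. It
// is a plain byte slice constructed for this example; ipa-medit obtains the
// real bytes through the LLDB API, /proc/<pid>/mem or mach_vm_read instead.
type Memory []byte

// ReadU32 returns the little-endian 32-bit value at off, or 0 when out of range.
func ReadU32(mem Memory, off int) uint32 {
	if off < 0 || off+4 > len(mem) {
		return 0
	}
	return binary.LittleEndian.Uint32(mem[off : off+4])
}

// Find returns every byte offset where the little-endian encoding of value
// occurs. Unaligned offsets are scanned too: a dump of a region says nothing
// about how the app's allocator aligned the field.
func Find(mem Memory, value int32) []int {
	var needle [4]byte
	binary.LittleEndian.PutUint32(needle[:], uint32(value))
	var hits []int
	for off := 0; off+4 <= len(mem); off++ {
		if bytes.Equal(mem[off:off+4], needle[:]) {
			hits = append(hits, off)
		}
	}
	return hits
}

// Filter keeps only the candidates that now hold value. The tester changes the
// value inside the app (scores a point, spends a coin), takes a fresh snapshot
// and filters the previous hits, so decoys that did not move drop out.
func Filter(mem Memory, candidates []int, value int32) []int {
	var kept []int
	for _, off := range candidates {
		if off+4 <= len(mem) && int32(ReadU32(mem, off)) == value {
			kept = append(kept, off)
		}
	}
	return kept
}

// Patch writes value at every offset and returns the number of writes made.
func Patch(mem Memory, offsets []int, value int32) int {
	n := 0
	for _, off := range offsets {
		if off+4 <= len(mem) {
			binary.LittleEndian.PutUint32(mem[off:off+4], uint32(value))
			n++
		}
	}
	return n
}

// Session runs the full find -> filter -> patch flow over a constructed 32-byte
// region and returns the region and the candidate offsets that survived.
func Session() (Memory, []int) {
	mem := make(Memory, 32)
	binary.LittleEndian.PutUint32(mem[8:], 100)  // the real score field
	binary.LittleEndian.PutUint32(mem[20:], 100) // a decoy holding the same value
	binary.LittleEndian.PutUint32(mem[28:], 7)   // an unrelated counter

	hits := Find(mem, 100) // [8 20]: the value alone cannot tell them apart

	// The tester scores one point in the app; only the real field changes.
	binary.LittleEndian.PutUint32(mem[8:], 101)
	hits = Filter(mem, hits, 101) // [8]

	Patch(mem, hits, 999999)
	return mem, hits
}

func main() {
	mem, hits := Session()
	fmt.Printf("patched offsets %v, score now %d\n", hits, ReadU32(mem, 8))
}
```

The filter step is what makes the scan useful: a single small integer matches many unrelated bytes in a real process, and only a change made through the app's own UI narrows the candidates to the field that actually holds the value. A client that keeps such state only in memory, with no server-side record, is exactly the case this test is meant to reveal.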
How does it work?
(Photo by Harrison Broadbent on Unsplash)

How does it work?
- Different memory modification mechanisms
  - Targeting iOS apps on iOS Devices
  - Targeting iOS apps on the Apple Silicon Mac
How does it work? (on iOS Devices)
- Use libimobiledevice to interact with iOS devices
- libimobiledevice is a popular library that communicates with iOS devices using native protocols
- https://libimobiledevice.org/

How does it work? (on iOS Devices)
- The LLDB Python API is used to read/write from/to memory
  - It uses the same mechanism that Xcode uses internally
  - LLDB is used inside Xcode
- Ipa-medit binary is built using Go
  - But, because it uses the LLDB Python API, Python script is also embedded in the binary
What are the benefits of implementing using Golang?
- libimobiledevice is implemented in C
- The LLDB Python API requires Python
- Why did I use Go for development?

Go on iOS
- Inside the Go repository, there is a tool for debugging iOS libraries made using Go
  - for iOS devices only
  - https://github.com/golang/go/tree/master/misc/ios
- That is where I got the idea
- Thanks to Golang
)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w *IBEQSFWJPVTMZDSFBUFEBNFNPSZNPEJ fi DBUJPOUPPMGPS"OESPJE DBMMFEBQLNFEJU!$0%&#-6&#MVFCPY w *UIPVHIUUIBUUIFTBNFMPHJDGSPNUIJTUPPMDPVMEBMTPCFVTFEGPS
UIF"QQMF4JMMJDPO.BD w #VUNBD04JTRVJUFEJ ff FSFOUGSPN-JOVY
)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPO-JOVY "OESPJE JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT
QSPDQJENBQT 3FBEUIFNFNPSZ QSPDQJENFN CZQUSBDF 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ QSPDQJENFN CZQUSBDF
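To make the Linux side of that comparison concrete, here is an added Go example (not from the deck, ipa-medit or apk-medit) that parses the /proc/<pid>/maps format and picks out the regions a search pass may read and a patch may write. The SampleMaps text is constructed for this example, and Region, ParseMaps, Readable, Writable and TotalBytes are its own names.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Region is one mapping line from /proc/<pid>/maps.
type Region struct {
	Start, End uint64
	Perms      string // "rwxp"-style flags: read, write, execute, private/shared
	Path       string // backing file or pseudo-name ([heap], [stack]); empty if anonymous
}

// SampleMaps is a constructed /proc/<pid>/maps excerpt used as input below.
const SampleMaps = `55c3f2a00000-55c3f2a01000 r--p 00000000 08:01 1311                       /usr/bin/tap1000000
55c3f2a01000-55c3f2a02000 r-xp 00001000 08:01 1311                       /usr/bin/tap1000000
55c3f2c40000-55c3f2c61000 rw-p 00000000 00:00 0                          [heap]
7f1e9c000000-7f1e9c021000 rw-p 00000000 00:00 0
7ffd1a2b0000-7ffd1a2d1000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
`

// ParseMaps parses maps text line by line. Each line is
// "start-end perms offset dev inode [path]"; malformed lines are skipped rather
// than aborting, since the process may remap regions while the file is read.
func ParseMaps(text string) []Region {
	var regions []Region
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue
		}
		bounds := strings.SplitN(f[0], "-", 2)
		if len(bounds) != 2 {
			continue
		}
		start, err1 := strconv.ParseUint(bounds[0], 16, 64)
		end, err2 := strconv.ParseUint(bounds[1], 16, 64)
		if err1 != nil || err2 != nil || end <= start || len(f[1]) != 4 {
			continue
		}
		r := Region{Start: start, End: end, Perms: f[1]}
		if len(f) > 5 {
			r.Path = strings.Join(f[5:], " ") // paths may contain spaces
		}
		regions = append(regions, r)
	}
	return regions
}

// Readable returns the regions a search pass may read.
func Readable(regions []Region) []Region {
	var out []Region
	for _, r := range regions {
		if r.Perms[0] == 'r' {
			out = append(out, r)
		}
	}
	return out
}

// Writable returns the regions a patch may target (readable and writable).
func Writable(regions []Region) []Region {
	var out []Region
	for _, r := range regions {
		if r.Perms[0] == 'r' && r.Perms[1] == 'w' {
			out = append(out, r)
		}
	}
	return out
}

// TotalBytes sums the sizes of the given regions: the volume a scan must read,
// which is why narrowing candidates with a filter step matters.
func TotalBytes(regions []Region) uint64 {
	var n uint64
	for _, r := range regions {
		n += r.End - r.Start
	}
	return n
}

func main() {
	regions := ParseMaps(SampleMaps)
	for _, r := range Writable(regions) {
		fmt.Printf("%012x-%012x %s %s\n", r.Start, r.End, r.Perms, r.Path)
	}
	fmt.Printf("%d bytes to scan\n", TotalBytes(Writable(regions)))
}
```

On macOS there is no such file to parse, which is the point the next slides make: the region list has to come from a dedicated API (or, as ipa-medit does, from the vmmap command), and the reads and writes go through mach_vm_read and mach_vm_write rather than /proc/<pid>/mem.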
)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w #VUPONBD04 5IFSFJTOPQSPDQJENBQT w 5IFSFGPSF BTQFDJBMJ[FE"1*NVTUCFVTFEUPSFBEBNFNPSZNBQ
w 5PSFEVDFUIFJNQMFNFOUBUJPOF ff PSU JQBNFEJUJOUFSOBMMZVTFTUIF WNNBQDPNNBOEUPPCUBJOBNFNPSZNBQ
)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 0ONBD04 UIFSFJTOPQSPDQJENFNBOEOPNFNPSZSFBE XSJUFWJBQUSBDF w QUSBDFJTBTZTUFNDBMMPGUFOVTFEUPJNQMFNFOUEFCVHHFST w TXJUDIUIFPQFSBUJPOCZTQFDJGZJOHUIFSFRVFTUBTUIF
fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data);ɹ
)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w QUSBDFBMTPFYJTUTPONBD04 w )PXFWFS NFNPSZSFBEXSJUFJTOPUTVQQPSUFE w *UJTOPUQPTTJCMFUPTQFDJGZ153"$&@1&&,%"5"GPSSFBEJOHNFNPSZ PS153"$&@10,&%"5"GPSXSJUJOHUPNFNPSZBTUIF
fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data);
w NBD04BMTPIBTBTQFDJBMJ[FE"1*GPSSFBEJOHBOEXSJUJOHUPNFNPSZ w *UVTFT
[email protected]
@SFBE UPSFBEUIFNFNPSZ w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFT
[email protected]
@XSJUF UPQBUDI UIFNFNPSZ
)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD
)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPONBD04JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT WNNBQ
3FBEUIFNFNPSZ
[email protected]
@SFBE 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ
[email protected]
@XSJUF
The signing requirement
- On macOS, non-signed programs cannot be used as debuggers...
- The program to be used as a debugger must be signed
- Specify in the entitlements.plist to enable the attribute com.apple.security.cs.debugger

com.apple.security.cs.debugger
- The entitlements.plist is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
The program to be debugged must also be signed
- The com.apple.security.get-task-allow attribute must be enabled in the application to be debugged
- It allows attachments by the debugger

com.apple.security.get-task-allow
- You can check if the com.apple.security.get-task-allow attribute is enabled using the codesign command

$ codesign -d --entitlements :- 47071
Executable=/private/var/folders/hc/XXXXXXXXnsfn1_c9n20jxw40000gq/X/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/d/Wrapper/tap1000000.app/tap1000000
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    …
    <key>get-task-allow</key>
    <true/>
    …
</dict>
</plist>
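A defender-side check on that same output, as an added Go example that is not from the deck or from ipa-medit: it parses the entitlements plist that `codesign -d --entitlements :-` prints and reports whether get-task-allow is set, which is what a release-readiness check or a CI gate would look for before an app ships. DebugBuildOutput is a constructed sample (team identifier and path are placeholders); Entitlements, ParseEntitlements, elementValue and IsDebuggable are this example's own names.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Entitlements flattens the top-level keys of an entitlements plist: "true"/"false"
// for booleans, the text of string-like values, "<array>"/"<dict>" for containers.
type Entitlements map[string]string

// DebugBuildOutput is a constructed stand-in for `codesign -d --entitlements :-`
// output from a development-signed app (team ID and path are placeholders).
const DebugBuildOutput = `Executable=/private/var/folders/PLACEHOLDER/Wrapper/tap1000000.app/tap1000000
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>TEAMID0000.jp.hoge.tap1000000</string>
	<key>get-task-allow</key>
	<true/>
	<key>keychain-access-groups</key>
	<array><string>TEAMID0000.jp.hoge.tap1000000</string></array>
</dict>
</plist>
`

// ParseEntitlements parses the plist XML codesign prints, skipping the
// "Executable=..." line that precedes it; only the outermost <dict> is read.
func ParseEntitlements(out string) (Entitlements, error) {
	if i := strings.Index(out, "<?xml"); i >= 0 {
		out = out[i:]
	}
	dec := xml.NewDecoder(strings.NewReader(out))
	ents := Entitlements{}
	depth, pending := 0, "" // <dict> nesting level; key awaiting its value
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return ents, nil
		}
		if err != nil {
			return nil, err // a truncated plist surfaces here as "unexpected EOF"
		}
		switch t := tok.(type) {
		case xml.StartElement:
			name := t.Name.Local
			switch {
			case name == "plist":
			case name == "dict" && !(depth == 1 && pending != ""):
				depth++ // entering the outermost dict
			case name == "key":
				var k string
				if err := dec.DecodeElement(&k, &t); err != nil {
					return nil, err
				}
				if depth == 1 {
					pending = strings.TrimSpace(k)
				}
			default: // a value element: true/false, string, array, nested dict
				v, err := elementValue(dec, t)
				if err != nil {
					return nil, err
				}
				if depth == 1 && pending != "" {
					ents[pending] = v
					pending = ""
				}
			}
		case xml.EndElement:
			if t.Name.Local == "dict" {
				depth--
			}
		}
	}
}

// elementValue consumes one value element and returns its flat form.
func elementValue(dec *xml.Decoder, start xml.StartElement) (string, error) {
	switch start.Name.Local {
	case "true", "false":
		return start.Name.Local, dec.Skip() // empty element; Skip eats its end tag
	case "string", "integer", "real", "date", "data":
		var s string
		err := dec.DecodeElement(&s, &start)
		return strings.TrimSpace(s), err
	default: // array, nested dict or anything unexpected: name it, skip subtree
		return "<" + start.Name.Local + ">", dec.Skip()
	}
}

// IsDebuggable reports whether a debugger may attach: signed iOS apps carry the
// key as "get-task-allow"; the prefixed spelling used on the slides is accepted too.
func IsDebuggable(ents Entitlements) bool {
	return ents["get-task-allow"] == "true" || ents["com.apple.security.get-task-allow"] == "true"
}

func main() {
	ents, err := ParseEntitlements(DebugBuildOutput)
	fmt.Println(ents, err, "debugger may attach:", IsDebuggable(ents))
}
```

codesign writes the Executable= line to stderr and the plist to stdout, so depending on how the output was captured the first line may or may not be present; the parser tolerates both. A release build whose entitlements still answer true here is debuggable by anyone holding the device, which is the property the slide's check is meant to catch.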
There are other ways to do this
- Frida makes it possible to debug iOS apps by inserting a gadget into the debuggable app without Jailbreaking
  - Frida is a dynamic instrumentation toolkit
  - https://frida.re/
- Memory modification is possible this way as well

There are other ways to do this
- The LLDB Python API is slower than frida's approach...
- But there is no need to patch the IPA, which is an advantage
  - And it never gets caught by app modification detection
- I may work on implementing this method in the future as well
Summary
- Ipa-medit allows memory modifications without bypassing Jailbreak detection
- But there is a need to resign the IPA...
- I hope ipa-medit will become the de facto standard for security testing

Thank You
https://github.com/aktsk/ipa-medit