Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ipa-medit: Memory modification tool for iOS app...

Avatar for @tkmru @tkmru
October 28, 2022
Programming
240
0

Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022

- https://codeblue.jp/2022/en/talks/?content=talks_23
- https://github.com/aktsk/ipa-medit

Avatar for @tkmru

@tkmru

October 28, 2022

More Decks by @tkmru

See All by @tkmru
10分で知るゲームが「チートされる」仕組み/findy202603
Avatar for @tkmru tkmru
0
950
リバースエンジニアリング新時代へ!
GhidraとClaude DesktopをMCPで繋ぐ/findy202507
Avatar for @tkmru tkmru
8
2.6k
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
Avatar for @tkmru tkmru
2
1.9k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
Avatar for @tkmru tkmru
0
420
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
Avatar for @tkmru tkmru
0
5.5k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
Avatar for @tkmru tkmru
1
4.8k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
Avatar for @tkmru tkmru
3
990
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
Avatar for @tkmru tkmru
0
250
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
Avatar for @tkmru tkmru
0
4.5k

Other Decks in Programming

See All in Programming
net-httpのHTTP/2対応について
Avatar for NARUSE, Yui naruse
0
440
代数的データ型って何が嬉しいの? #frontend_phpcon_do
Avatar for Takuma Kajikawa kajitack
8
3.2k
JavaDoc 再入門
Avatar for nagise nagise
0
280
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
Avatar for ギークプラス ソフトウェア事業部 geekplus_tech
0
300
並列実装の現場、2ヶ月間実務でAIを使い倒したAIもPCも私も限界が近い
Avatar for ming ming_ayami
0
110
Inside Stream API
Avatar for Yuichi.Sakuraba skrb
1
640
肥大化するレガシーコードに立ち向かうためのインターフェース分離と依存の逆転 / JJUG CCC 2026 Spring
Avatar for hirokuni-maeta hirokunimaeta
0
500
Swiftのレキシカルスコープ管理
Avatar for kntk kntkymt
0
210
権限チェックの一貫性を型で守る TypeScript による多層防御
Avatar for aster-mnch (kitagawa) mnch
4
1.1k
DynamoDBには集計系のクエリがないけどなんとかしたい
Avatar for 村上優稀 musan
1
130
OSもどきOS
Avatar for Sora Arakawa arkw
0
450
プロパティの順序で型推論が壊れる!? TypeScript6.0の修正からContext-Sensitivityの仕組みを追う
Avatar for おおいし bicstone
2
1.3k

Featured

See All Featured
Done Done
Avatar for chrislema chrislema
186
16k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
698
190k
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
191
11k
SEOcharity - Dark patterns in SEO and UX: How to avoid them and build a more ethical web
Avatar for Sara Fernández Carmona sarafernandez
0
200
Claude Code どこまでも/ Claude Code Everywhere
Avatar for nwiizo nwiizo
65
56k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
3.5M
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
10k
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
1
480
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
304
22k
Marketing to machines
Avatar for Jono Alderson jonoalderson
1
5.4k
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
820

Transcript

  1. 1SFTFOUFECZ5BJDIJ,PUBLF 
 "LBUTVLJ(BNFT*OD4UFSSB4FDVSJUZ$P -UE *QBNFEJU.FNPSZNPEJGJDBUJPO UPPMGPSJ04BQQTXJUIPVU +BJMCSFBLJOH $0%&#-6&#MVFCPY&EJUJPO

  2. 8IP*BN w /BNF5BJDIJ,PUBLF w +PC w 4FDVSJUZ&OHJOFFS!"LBUTVLJ(BNFT*OD w $50$PGPVOEFS!4UFSSB4FDVSJUZ$P -UE

    w (JU)VCULNSV 

  3. .Z#PPLT 

  4. .Z$0%&#-6&)JTUPSZ w $0%&#-6&4UVEFOU4UB ff  w $0%&#-6&#MVFCPYl"QLNFEJUNFNPSZTFBSDIBOEQBUDI UPPMGPS"1,XJUIPVUSPPUBOESPJE/%,z w $0%&#-6&#MVFCPYl*QBNFEJU.FNPSZNPEJ

    fi DBUJPOUPPMGPS J04BQQTXJUIPVU+BJMCSFBLJOH 4FRVFMUPUIF QSFTFOUBUJPO 

  5. 5PEBZT5PQJD 
 4FDVSJUZUFTUJOH 
 GPSNPCJMFHBNFBQQT Photo by Shannon Potter on

    Unsplash

  6. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBO fi OENPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUP 
 NPEJGZUIFSFRVFTUTSFTQPOTFTUPUIFTFSWFS 

  7. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUUIFHBNFBOEBOUJDIFBUMPHJDJO UIFJSDMJFOUT BOEUIFDMJFOUTOFFEUPJNQMFNFOUUIFMPHJDUPDIFDLJU 

  8. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ ff i DVMU w %VFUPUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHFODSZQUFESFRVFTUTSFTQPOTFT

    w #ZQBTTJOH44-1JOOJOH $FSUJ fi DBUF1JOOJOH  w #ZQBTTJOH+BJM#SFBL 3PPUQSJWJMFHFT EFUFDUJPO w .FNPSZNPEJ fi DBUJPO w FUD 5PEBZ`TUPQJD 

  9. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PSJ04HBNFT UIFSFBSFXFMMLOPXODIFBUUPPMTTVDIBT J(BNF(VBSEJBOBOE(BNF1MBZFS w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFE

    (BNF(VBSEJBO 

  10. 8IBUJTJQBNFEJU w "NFNPSZTFBSDIBOEQBUDIUPPMGPSSFTJHOFE*1" w 8PSLTXJUIPVU+BJMCSFBLJOH w 'PSNPCJMFTFDVSJUZUFTUJOH w IUUQTHJUIVCDPNBLUTLJQBNFEJU 

  11. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTT+BJMCSFBLJOHEFUFDUJPO w (BNFBQQTPGUFOEFUFDU+BJMCSFBLJOH w 8PSLTXJUIDPMPSGVM56*

    w &BTZUPGPMMPXMPHT w /PDPNQFUJOHUPPMTUIBUXPSLXJUI56*GPSJ04 

  12. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w $MPTFETPVSDFDIFBUUPPMTBSFEJ ffi DVMUUPVTFGPSHBNFBQQTUIBUIBWF OPUCFFOSFMFBTFE w DPOTJEFSJOHUIFSJTLPGJOGPSNBUJPOMFBLBHFʜ w JQBNFEJUJTPQFOTPVSDFBOEBUPPMEFWFMPQFECZBHBNFDPNQBOZ

    w *UDBOCFVTFEGPSTFDVSJUZUFTUJOHXJUIDPO fi EFODF 

  13. 4 w .  %&.0.07*&

  14. 6QEBUFTBGUFS#MBDL)BU64""STFOBM w *BMTPQSFTFOUFEBUUIF#MBDL)BU64""STFOBM w "UUIBUUJNF JUDPVMEPOMZUBSHFUJ04BQQTSVOOJOHPOJ1IPOF w /PXJUTVQQPSUTJ04BQQTSVOOJOHPOUIF"QQMF4JMJDPO.BD w 5IF"QQMF4JMJDPO.BDXBTSFDFOUMZSFMFBTFEBOEBMMPXTZPVUPSVO

    J04BQQTPONBD04 

  15.  %&.0.07*&

  16. 3FRVJSFNFOUT w NBD04 w :PVOFFEUPIBWFBWBMJEJ04%FWFMPQNFOUDFSUJ fi DBUFJOTUBMMFE 

  17. 3FRVJSFNFOUT GPSJ04EFWJDFTPOMZ w 9DPEF w 4JODFUIFUPPMVTFT--%#JOTJEF9DPEF 
 

  18. 3FRVJSFNFOUT GPSJ04EFWJDFTPOMZ w MJCJNPCJMFEFWJDFMJCJNPCJMFEFWJDF w MJCJNPCJMFEFWJDFJEFWJDFJOTUBMMFS $ brew install --HEAD

    libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller 

  19. 3FTJHO w 5IFUBSHFU*1"NVTUCFTJHOFEXJUIBDFSUJ fi DBUFJOTUBMMFE 
 POZPVS1$ w *GZPVXBOUUPNPEJGZNFNPSZPOUIJSEQBSUZBQQMJDBUJPOT 

    
 ZPVOFFEUPSFTJHOUIF*1" 

  20. 3FTJHO w *GZPVVTFUIFJQBVUJM*DSFBUFE ZPVDBOFBTJMZSFTJHO w IUUQTHJUIVCDPNBLUTLJQBVUJM $ ipautil decode tap1000000.ipa

    # unzip 
 $ ipautil build Payload # re-sign 

  21. 6TBHF JOTUBMMBUJPO w %PXOMPBEUIFCJOBSZ JQBNFEJU GSPN(JU)VC3FMFBTFT 
 BOEESPQJUJOZPVS1"5) w 6TJOH(JU)VC"DUJPOTUPCVJMEBOEEJTUSJCVUFUIFCJOBSJFT

    

  22. 6TBHF UPMBVODI w 5BSHFUJOHUIFJ04BQQPOUIFJ1IPOF w 5BSHFUJOHUIFJ04BQQPOUIF"QQMF4JMJDPO.BD $ unzip tap1000000.ipa $

    ipa-medit -bin=“./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000" $ ipa-medit -name <process name> 

  23. 6TBHF TVCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFWJBUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w fi OEWBMVFTFBSDIUIFTQFDJ fi

    FEJOUFHFSWBMVFJONFNPSZ w fi MUFSWBMVF fi MUFSTFBSDISFTVMUTVTJOHUIFTQFDJ fi FEWBMVF w QBUDIWBMVFXSJUFUIFTQFDJ fi FEWBMVFUPUIFBEESFTTGPVOECZ UIFQSFWJPVTTFBSDI 

  24. 5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFl fi OEzDPNNBOEUPTFBSDIGPSUIFWBMVFJOUIF6* w *GUIFSFBSFNBOZSFTVMUTDIBOHFUIFWBMVFJOUIF6*UP 
 l fi

    MUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ 
 CZVTJOHUIFQBUDIDPNNBOE 

  25. )PXEPFTJUXPSL Photo by Harrison Broadbent on Unsplash

  26. )PXEPFTJUXPSL w %J ff FSFOUNFNPSZNPEJ fi DBUJPONFDIBOJTNT w 5BSHFUJOHJ04BQQTPOJ04%FWJDFT w

    5BSHFUJOHJ04BQQTPOUIF"QQMF4JMJDPO.BD 

  27. )PXEPFTJUXPSL POJ04%FWJDFT w 6TFMJCJNPCMJFEFWJDFUPJOUFSBDUXJUIJ04EFWJDFT w MJCJNPCMJFEFWJDFJTBQPQVMBSMJCSBSZUIBUDPNNVOJDBUFTXJUIJ04 EFWJDFTVTJOHOBUJWFQSPUPDPMT w IUUQTMJCJNPCJMFEFWJDFPSH 

  28. )PXEPFTJUXPSL POJ04%FWJDFT w 5IF--%#1ZUIPO"1*JTVTFEUPSFBEXSJUFGSPNUPNFNPSZ w *UVTFTUIFTBNFNFDIBOJTNUIBU9DPEFVTFTJOUFSOBMMZ w --%#JTVTFEJOTJEF9DPEF w *QBNFEJUCJOBSZJTCVJMUVTJOH(P

    w #VU CFDBVTFJUVTFTUIF--%#1ZUIPO"1* 1ZUIPOTDSJQUJTBMTP FNCFEEFEJOUIFCJOBSZ 

  29. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOHVTJOH(PMBOH w MJCJNPCMJFEFWJDFJTJNQMFNFOUFEJO$ w 5IF--%#1ZUIPO"1*SFRVJSFT1ZUIPO w 8IZEJE*VTF(PGPSEFWFMPQNFOU 

  30. (PPOJ04 w *OTJEFUIF(PSFQPTJUPSZ UIFSFJTBUPPMGPSEFCVHHJOHJ04MJCSBSJFT NBEFVTJOH(P w GPSJ04EFWJDFTPOMZ w IUUQTHJUIVCDPNHPMBOHHPUSFFNBTUFSNJTDJPT w

    5IBUJTXIFSF*HPUUIFJEFB w 5IBOLTUP(PMBOH 

  31. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w *IBEQSFWJPVTMZDSFBUFEBNFNPSZNPEJ fi DBUJPOUPPMGPS"OESPJE DBMMFEBQLNFEJU!$0%&#-6&#MVFCPY w *UIPVHIUUIBUUIFTBNFMPHJDGSPNUIJTUPPMDPVMEBMTPCFVTFEGPS 


    UIF"QQMF4JMMJDPO.BD w #VUNBD04JTRVJUFEJ ff FSFOUGSPN-JOVY 

  32. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPO-JOVY "OESPJE JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT

    
 QSPDQJENBQT 3FBEUIFNFNPSZ 
 QSPDQJENFN 
 CZQUSBDF 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ 
 QSPDQJENFN 
 CZQUSBDF 

  33. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w #VUPONBD04 5IFSFJTOPQSPDQJENBQT w 5IFSFGPSF BTQFDJBMJ[FE"1*NVTUCFVTFEUPSFBEBNFNPSZNBQ

    w 5PSFEVDFUIFJNQMFNFOUBUJPOF ff PSU JQBNFEJUJOUFSOBMMZVTFTUIF WNNBQDPNNBOEUPPCUBJOBNFNPSZNBQ 

  34. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 0ONBD04 UIFSFJTOPQSPDQJENFNBOEOPNFNPSZSFBE XSJUFWJBQUSBDF w QUSBDFJTBTZTUFNDBMMPGUFOVTFEUPJNQMFNFOUEFCVHHFST w TXJUDIUIFPQFSBUJPOCZTQFDJGZJOHUIFSFRVFTUBTUIF

    fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data);ɹ 

  35. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w QUSBDFBMTPFYJTUTPONBD04 w )PXFWFS NFNPSZSFBEXSJUFJTOPUTVQQPSUFE w *UJTOPUQPTTJCMFUPTQFDJGZ153"$&@1&&,%"5"GPSSFBEJOHNFNPSZ PS153"$&@10,&%"5"GPSXSJUJOHUPNFNPSZBTUIF

    fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data); 

  36. w NBD04BMTPIBTBTQFDJBMJ[FE"1*GPSSFBEJOHBOEXSJUJOHUPNFNPSZ w *UVTFTNBDI@WN@SFBE UPSFBEUIFNFNPSZ w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFTNBDI@WN@XSJUF UPQBUDI UIFNFNPSZ

    )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD 

  37. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPONBD04JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT 
 WNNBQ

    3FBEUIFNFNPSZ 
 NBDI@WN@SFBE 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ 
 NBDI@WN@XSJUF 

  38. 5IFTJHOJOHSFRVJSFNFOU w 0ONBD04 OPOTJHOFEQSPHSBNTDBOOPUCFVTFEBTEFCVHHFSTʜ w 5IFQSPHSBNNVTUCFVTFEBTBEFCVHHFSNVTUCFTJHOFE w 4QFDJGZJOUIFFOUJUMFNFOUTQMJTUUPFOBCMFUIFBUUSJCVUF DPNBQQMFTFDVSJUZDTEFCVHHFS 

  39. DPNBQQMFTFDVSJUZDTEFCVHHFS w 5IFFOUJUMFNFOUTQMJTUJTBTGPMMPXT <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD

    PLIST 1.0//EN" “http://www.apple.com/ DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.debugger</key> <true/> </dict> </plist> 

  40. 5IFQSPHSBNUPCFEFCVHHFENVTUBMTPCFTJHOFE w 5IFDPNBQQMFTFDVSJUZHFUUBTLBMMPXBUUSJCVUFNVTUCFFOBCMFEJO UIFBQQMJDBUJPOUPCFEFCVHHFE w *UBMMPXTBUUBDINFOUTCZUIFEFCVHHFS 

  41. DPNBQQMFTFDVSJUZHFUUBTLBMMPX w :PVDBODIFDLJGUIFDPNBQQMFTFDVSJUZHFUUBTLBMMPXBUUSJCVUFJT FOBCMFEVTJOHUIFDPEFTJHODPNNBOE $ codesign -d --entitlements :- 47071

    
 Executable=/private/var/folders/hc/XXXXXXXXnsfn1_c9n20jxw40000gq/X/XXXXXXXX- XXXX-XXXX-XXXX-XXXXXXXXXXXX/d/Wrapper/tap1000000.app/tap1000000 <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> … <key>get-task-allow</key> <true/> … </dict> </plist>

  42. 5IFSFBSFPUIFSXBZTUPEPUIJT w 'SJEBNBLFTJUQPTTJCMFUPEFCVHJ04BQQTCZJOTFSUJOHBHBEHFUJOUP UIFEFCVHHBCMFBQQXJUIPVU+BJMCSFBLJOH w 'SJEBJTBEZOBNJDJOTUSVNFOUBUJPOUPPMLJU w IUUQTGSJEBSF w .FNPSZNPEJ

    fi DBUJPOJTQPTTJCMFUIJTXBZBTXFMM 

  43. w 5IF--%#1ZUIPO"1*JTTMPXFSUIBOGSJEBTBQQSPBDIʜ w #VUUIFSFJTOPOFFEUPQBUDIUIF*1" XIJDIJTBOBEWBOUBHF w "OEJUOFWFSHFUTDBVHIUCZBQQNPEJ fi DBUJPOEFUFDUJPO w

    *NBZXPSLPOJNQMFNFOUJOHUIJTNFUIPEJOUIFGVUVSFBTXFMM 5IFSFBSFPUIFSXBZTUPEPUIJT 

  44. 4VNNBSZ w *QBNFEJUBMMPXTNFNPSZNPEJ fi DBUJPOTXJUIPVUCZQBTTJOH+BJMCSFBL EFUFDUJPO w #VUUIFSFJTBOFFEUPSFTJHOUIF*1"ʜ w *IPQFJQBNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE

    
 GPSTFDVSJUZUFTUJOH 

  45. 5IBOL:PV IUUQTHJUIVCDPNBLUTLJQBNFEJU