Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ipa-medit: Memory modification tool for iOS app...

@tkmru
October 28, 2022
Programming
0
160

Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022

- https://codeblue.jp/2022/en/talks/?content=talks_23
- https://github.com/aktsk/ipa-medit

@tkmru

October 28, 2022
Tweet

More Decks by @tkmru

See All by @tkmru
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
2
1.1k
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
300
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
5.1k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
4.4k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
850
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
190
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
4.1k
めんどうくさいゲームセキュリティ
tkmru
20
11k
Linux Rootkit Internals
tkmru
1
2k

Other Decks in Programming

See All in Programming
Djangoアプリケーション 運用のリアル 〜問題発生から可視化、最適化への道〜 #pyconshizu
kashewnuts
1
250
Ruby on cygwin 2025-02
fd0
0
150
Java Webフレームワークの現状 / java web framework at burikaigi
kishida
9
2.2k
第3回 Snowflake 中部ユーザ会 - dbt × Snowflake ハンズオン
hoto17296
4
370
GitHub Actions × RAGでコードレビューの検証の結果
sho_000
0
270
Amazon S3 TablesとAmazon S3 Metadataを触ってみた / 20250201-jawsug-tochigi-s3tables-s3metadata
kasacchiful
0
170
Writing documentation can be fun with plugin system
okuramasafumi
0
120
ペアーズでの、Langfuseを中心とした評価ドリブンなリリースサイクルのご紹介
fukubaka0825
2
330
WebDriver BiDiとは何なのか
yotahada3
1
140
ソフトウェアエンジニアの成長
masuda220
PRO
11
1.5k
密集、ドキュメントのコロケーション with AWS Lambda
satoshi256kbyte
0
190
Bedrock Agentsレスポンス解析によるAgentのOps
licux
3
840

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.6k
Producing Creativity
orderedlist
PRO
344
39k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Thoughts on Productivity
jonyablonski
69
4.5k
How to Think Like a Performance Engineer
csswizardry
22
1.3k
Music & Morning Musume
bryan
46
6.3k
How GitHub (no longer) Works
holman
314
140k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
550
The Invisible Side of Design
smashingmag
299
50k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
46
2.3k
Why Our Code Smells
bkeepers
PRO
336
57k

Transcript

  1. 1SFTFOUFECZ5BJDIJ,PUBLF 
 "LBUTVLJ(BNFT*OD4UFSSB4FDVSJUZ$P -UE *QBNFEJU.FNPSZNPEJGJDBUJPO UPPMGPSJ04BQQTXJUIPVU +BJMCSFBLJOH $0%&#-6&#MVFCPY&EJUJPO

  2. 8IP*BN w /BNF5BJDIJ,PUBLF w +PC w 4FDVSJUZ&OHJOFFS!"LBUTVLJ(BNFT*OD w $50$PGPVOEFS!4UFSSB4FDVSJUZ$P -UE

    w (JU)VCULNSV 

  3. .Z#PPLT 

  4. .Z$0%&#-6&)JTUPSZ w $0%&#-6&4UVEFOU4UB ff  w $0%&#-6&#MVFCPYl"QLNFEJUNFNPSZTFBSDIBOEQBUDI UPPMGPS"1,XJUIPVUSPPUBOESPJE/%,z w $0%&#-6&#MVFCPYl*QBNFEJU.FNPSZNPEJ

    fi DBUJPOUPPMGPS J04BQQTXJUIPVU+BJMCSFBLJOH 4FRVFMUPUIF QSFTFOUBUJPO 

  5. 5PEBZT5PQJD 
 4FDVSJUZUFTUJOH 
 GPSNPCJMFHBNFBQQT Photo by Shannon Potter on

    Unsplash

  6. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBO fi OENPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUP 
 NPEJGZUIFSFRVFTUTSFTQPOTFTUPUIFTFSWFS 

  7. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUUIFHBNFBOEBOUJDIFBUMPHJDJO UIFJSDMJFOUT BOEUIFDMJFOUTOFFEUPJNQMFNFOUUIFMPHJDUPDIFDLJU 

  8. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ ff i DVMU w %VFUPUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHFODSZQUFESFRVFTUTSFTQPOTFT

    w #ZQBTTJOH44-1JOOJOH $FSUJ fi DBUF1JOOJOH  w #ZQBTTJOH+BJM#SFBL 3PPUQSJWJMFHFT EFUFDUJPO w .FNPSZNPEJ fi DBUJPO w FUD 5PEBZ`TUPQJD 

  9. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PSJ04HBNFT UIFSFBSFXFMMLOPXODIFBUUPPMTTVDIBT J(BNF(VBSEJBOBOE(BNF1MBZFS w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFE

    (BNF(VBSEJBO 

  10. 8IBUJTJQBNFEJU w "NFNPSZTFBSDIBOEQBUDIUPPMGPSSFTJHOFE*1" w 8PSLTXJUIPVU+BJMCSFBLJOH w 'PSNPCJMFTFDVSJUZUFTUJOH w IUUQTHJUIVCDPNBLUTLJQBNFEJU 

  11. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTT+BJMCSFBLJOHEFUFDUJPO w (BNFBQQTPGUFOEFUFDU+BJMCSFBLJOH w 8PSLTXJUIDPMPSGVM56*

    w &BTZUPGPMMPXMPHT w /PDPNQFUJOHUPPMTUIBUXPSLXJUI56*GPSJ04 

  12. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w $MPTFETPVSDFDIFBUUPPMTBSFEJ ffi DVMUUPVTFGPSHBNFBQQTUIBUIBWF OPUCFFOSFMFBTFE w DPOTJEFSJOHUIFSJTLPGJOGPSNBUJPOMFBLBHFʜ w JQBNFEJUJTPQFOTPVSDFBOEBUPPMEFWFMPQFECZBHBNFDPNQBOZ

    w *UDBOCFVTFEGPSTFDVSJUZUFTUJOHXJUIDPO fi EFODF 

  13. 4 w .  %&.0.07*&

  14. 6QEBUFTBGUFS#MBDL)BU64""STFOBM w *BMTPQSFTFOUFEBUUIF#MBDL)BU64""STFOBM w "UUIBUUJNF JUDPVMEPOMZUBSHFUJ04BQQTSVOOJOHPOJ1IPOF w /PXJUTVQQPSUTJ04BQQTSVOOJOHPOUIF"QQMF4JMJDPO.BD w 5IF"QQMF4JMJDPO.BDXBTSFDFOUMZSFMFBTFEBOEBMMPXTZPVUPSVO

    J04BQQTPONBD04 

  15.  %&.0.07*&

  16. 3FRVJSFNFOUT w NBD04 w :PVOFFEUPIBWFBWBMJEJ04%FWFMPQNFOUDFSUJ fi DBUFJOTUBMMFE 

  17. 3FRVJSFNFOUT GPSJ04EFWJDFTPOMZ w 9DPEF w 4JODFUIFUPPMVTFT--%#JOTJEF9DPEF 
 

  18. 3FRVJSFNFOUT GPSJ04EFWJDFTPOMZ w MJCJNPCJMFEFWJDFMJCJNPCJMFEFWJDF w MJCJNPCJMFEFWJDFJEFWJDFJOTUBMMFS $ brew install --HEAD

    libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller 

  19. 3FTJHO w 5IFUBSHFU*1"NVTUCFTJHOFEXJUIBDFSUJ fi DBUFJOTUBMMFE 
 POZPVS1$ w *GZPVXBOUUPNPEJGZNFNPSZPOUIJSEQBSUZBQQMJDBUJPOT 

    
 ZPVOFFEUPSFTJHOUIF*1" 

  20. 3FTJHO w *GZPVVTFUIFJQBVUJM*DSFBUFE ZPVDBOFBTJMZSFTJHO w IUUQTHJUIVCDPNBLUTLJQBVUJM $ ipautil decode tap1000000.ipa

    # unzip 
 $ ipautil build Payload # re-sign 

  21. 6TBHF JOTUBMMBUJPO w %PXOMPBEUIFCJOBSZ JQBNFEJU GSPN(JU)VC3FMFBTFT 
 BOEESPQJUJOZPVS1"5) w 6TJOH(JU)VC"DUJPOTUPCVJMEBOEEJTUSJCVUFUIFCJOBSJFT

    

  22. 6TBHF UPMBVODI w 5BSHFUJOHUIFJ04BQQPOUIFJ1IPOF w 5BSHFUJOHUIFJ04BQQPOUIF"QQMF4JMJDPO.BD $ unzip tap1000000.ipa $

    ipa-medit -bin=“./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000" $ ipa-medit -name <process name> 

  23. 6TBHF TVCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFWJBUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w fi OEWBMVFTFBSDIUIFTQFDJ fi

    FEJOUFHFSWBMVFJONFNPSZ w fi MUFSWBMVF fi MUFSTFBSDISFTVMUTVTJOHUIFTQFDJ fi FEWBMVF w QBUDIWBMVFXSJUFUIFTQFDJ fi FEWBMVFUPUIFBEESFTTGPVOECZ UIFQSFWJPVTTFBSDI 

  24. 5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFl fi OEzDPNNBOEUPTFBSDIGPSUIFWBMVFJOUIF6* w *GUIFSFBSFNBOZSFTVMUTDIBOHFUIFWBMVFJOUIF6*UP 
 l fi

    MUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ 
 CZVTJOHUIFQBUDIDPNNBOE 

  25. )PXEPFTJUXPSL Photo by Harrison Broadbent on Unsplash

  26. )PXEPFTJUXPSL w %J ff FSFOUNFNPSZNPEJ fi DBUJPONFDIBOJTNT w 5BSHFUJOHJ04BQQTPOJ04%FWJDFT w

    5BSHFUJOHJ04BQQTPOUIF"QQMF4JMJDPO.BD 

  27. )PXEPFTJUXPSL POJ04%FWJDFT w 6TFMJCJNPCMJFEFWJDFUPJOUFSBDUXJUIJ04EFWJDFT w MJCJNPCMJFEFWJDFJTBQPQVMBSMJCSBSZUIBUDPNNVOJDBUFTXJUIJ04 EFWJDFTVTJOHOBUJWFQSPUPDPMT w IUUQTMJCJNPCJMFEFWJDFPSH 

  28. )PXEPFTJUXPSL POJ04%FWJDFT w 5IF--%#1ZUIPO"1*JTVTFEUPSFBEXSJUFGSPNUPNFNPSZ w *UVTFTUIFTBNFNFDIBOJTNUIBU9DPEFVTFTJOUFSOBMMZ w --%#JTVTFEJOTJEF9DPEF w *QBNFEJUCJOBSZJTCVJMUVTJOH(P

    w #VU CFDBVTFJUVTFTUIF--%#1ZUIPO"1* 1ZUIPOTDSJQUJTBMTP FNCFEEFEJOUIFCJOBSZ 

  29. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOHVTJOH(PMBOH w MJCJNPCMJFEFWJDFJTJNQMFNFOUFEJO$ w 5IF--%#1ZUIPO"1*SFRVJSFT1ZUIPO w 8IZEJE*VTF(PGPSEFWFMPQNFOU 

  30. (PPOJ04 w *OTJEFUIF(PSFQPTJUPSZ UIFSFJTBUPPMGPSEFCVHHJOHJ04MJCSBSJFT NBEFVTJOH(P w GPSJ04EFWJDFTPOMZ w IUUQTHJUIVCDPNHPMBOHHPUSFFNBTUFSNJTDJPT w

    5IBUJTXIFSF*HPUUIFJEFB w 5IBOLTUP(PMBOH 

  31. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w *IBEQSFWJPVTMZDSFBUFEBNFNPSZNPEJ fi DBUJPOUPPMGPS"OESPJE DBMMFEBQLNFEJU!$0%&#-6&#MVFCPY w *UIPVHIUUIBUUIFTBNFMPHJDGSPNUIJTUPPMDPVMEBMTPCFVTFEGPS 


    UIF"QQMF4JMMJDPO.BD w #VUNBD04JTRVJUFEJ ff FSFOUGSPN-JOVY 

  32. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPO-JOVY "OESPJE JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT

    
 QSPDQJENBQT 3FBEUIFNFNPSZ 
 QSPDQJENFN 
 CZQUSBDF 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ 
 QSPDQJENFN 
 CZQUSBDF 

  33. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w #VUPONBD04 5IFSFJTOPQSPDQJENBQT w 5IFSFGPSF BTQFDJBMJ[FE"1*NVTUCFVTFEUPSFBEBNFNPSZNBQ

    w 5PSFEVDFUIFJNQMFNFOUBUJPOF ff PSU JQBNFEJUJOUFSOBMMZVTFTUIF WNNBQDPNNBOEUPPCUBJOBNFNPSZNBQ 

  34. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 0ONBD04 UIFSFJTOPQSPDQJENFNBOEOPNFNPSZSFBE XSJUFWJBQUSBDF w QUSBDFJTBTZTUFNDBMMPGUFOVTFEUPJNQMFNFOUEFCVHHFST w TXJUDIUIFPQFSBUJPOCZTQFDJGZJOHUIFSFRVFTUBTUIF

    fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data);ɹ 

  35. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w QUSBDFBMTPFYJTUTPONBD04 w )PXFWFS NFNPSZSFBEXSJUFJTOPUTVQQPSUFE w *UJTOPUQPTTJCMFUPTQFDJGZ153"$&@1&&,%"5"GPSSFBEJOHNFNPSZ PS153"$&@10,&%"5"GPSXSJUJOHUPNFNPSZBTUIF

    fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data); 

  36. w NBD04BMTPIBTBTQFDJBMJ[FE"1*GPSSFBEJOHBOEXSJUJOHUPNFNPSZ w *UVTFTNBDI@WN@SFBE UPSFBEUIFNFNPSZ w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFTNBDI@WN@XSJUF UPQBUDI UIFNFNPSZ

    )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD 

  37. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPONBD04JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT 
 WNNBQ

    3FBEUIFNFNPSZ 
 NBDI@WN@SFBE 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ 
 NBDI@WN@XSJUF 

  38. 5IFTJHOJOHSFRVJSFNFOU w 0ONBD04 OPOTJHOFEQSPHSBNTDBOOPUCFVTFEBTEFCVHHFSTʜ w 5IFQSPHSBNNVTUCFVTFEBTBEFCVHHFSNVTUCFTJHOFE w 4QFDJGZJOUIFFOUJUMFNFOUTQMJTUUPFOBCMFUIFBUUSJCVUF DPNBQQMFTFDVSJUZDTEFCVHHFS 

  39. DPNBQQMFTFDVSJUZDTEFCVHHFS w 5IFFOUJUMFNFOUTQMJTUJTBTGPMMPXT <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD

    PLIST 1.0//EN" “http://www.apple.com/ DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.debugger</key> <true/> </dict> </plist> 

  40. 5IFQSPHSBNUPCFEFCVHHFENVTUBMTPCFTJHOFE w 5IFDPNBQQMFTFDVSJUZHFUUBTLBMMPXBUUSJCVUFNVTUCFFOBCMFEJO UIFBQQMJDBUJPOUPCFEFCVHHFE w *UBMMPXTBUUBDINFOUTCZUIFEFCVHHFS 

  41. DPNBQQMFTFDVSJUZHFUUBTLBMMPX w :PVDBODIFDLJGUIFDPNBQQMFTFDVSJUZHFUUBTLBMMPXBUUSJCVUFJT FOBCMFEVTJOHUIFDPEFTJHODPNNBOE $ codesign -d --entitlements :- 47071

    
 Executable=/private/var/folders/hc/XXXXXXXXnsfn1_c9n20jxw40000gq/X/XXXXXXXX- XXXX-XXXX-XXXX-XXXXXXXXXXXX/d/Wrapper/tap1000000.app/tap1000000 <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> … <key>get-task-allow</key> <true/> … </dict> </plist>

  42. 5IFSFBSFPUIFSXBZTUPEPUIJT w 'SJEBNBLFTJUQPTTJCMFUPEFCVHJ04BQQTCZJOTFSUJOHBHBEHFUJOUP UIFEFCVHHBCMFBQQXJUIPVU+BJMCSFBLJOH w 'SJEBJTBEZOBNJDJOTUSVNFOUBUJPOUPPMLJU w IUUQTGSJEBSF w .FNPSZNPEJ

    fi DBUJPOJTQPTTJCMFUIJTXBZBTXFMM 

  43. w 5IF--%#1ZUIPO"1*JTTMPXFSUIBOGSJEBTBQQSPBDIʜ w #VUUIFSFJTOPOFFEUPQBUDIUIF*1" XIJDIJTBOBEWBOUBHF w "OEJUOFWFSHFUTDBVHIUCZBQQNPEJ fi DBUJPOEFUFDUJPO w

    *NBZXPSLPOJNQMFNFOUJOHUIJTNFUIPEJOUIFGVUVSFBTXFMM 5IFSFBSFPUIFSXBZTUPEPUIJT 

  44. 4VNNBSZ w *QBNFEJUBMMPXTNFNPSZNPEJ fi DBUJPOTXJUIPVUCZQBTTJOH+BJMCSFBL EFUFDUJPO w #VUUIFSFJTBOFFEUPSFTJHOUIF*1"ʜ w *IPQFJQBNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE

    
 GPSTFDVSJUZUFTUJOH 

  45. 5IBOL:PV IUUQTHJUIVCDPNBLUTLJQBNFEJU