Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022

1SFTFOUFECZ5BJDIJ,PUBLF   "LBUTVLJ(BNFT*OD4UFSSB4FDVSJUZ$P -UE *QBNFEJU.FNPSZNPEJGJDBUJPO UPPMGPSJ04BQQTXJUIPVU +BJMCSFBLJOH $0%&#-6&#MVFCPY&EJUJPO

8IP*BN w /BNF5BJDIJ,PUBLF w +PC w 4FDVSJUZ&OHJOFFS!"LBUTVLJ(BNFT*OD w $50$PGPVOEFS!4UFSSB4FDVSJUZ$P -UE
w (JU)VCULNSV

.Z#PPLT

.Z$0%&#-6&)JTUPSZ w $0%&#-6&4UVEFOU4UB ff w $0%&#-6&#MVFCPYl"QLNFEJUNFNPSZTFBSDIBOEQBUDI UPPMGPS"1,XJUIPVUSPPUBOESPJE/%,z w $0%&#-6&#MVFCPYl*QBNFEJU.FNPSZNPEJ
fi DBUJPOUPPMGPS J04BQQTXJUIPVU+BJMCSFBLJOH 4FRVFMUPUIF QSFTFOUBUJPO

5PEBZT5PQJD   4FDVSJUZUFTUJOH   GPSNPCJMFHBNFBQQT Photo by Shannon Potter on
Unsplash

4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBO fi OENPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUP   NPEJGZUIFSFRVFTUTSFTQPOTFTUPUIFTFSWFS

4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUUIFHBNFBOEBOUJDIFBUMPHJDJO UIFJSDMJFOUT BOEUIFDMJFOUTOFFEUPJNQMFNFOUUIFMPHJDUPDIFDLJU

8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ ff i DVMU w %VFUPUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHFODSZQUFESFRVFTUTSFTQPOTFT
w #ZQBTTJOH44-1JOOJOH $FSUJ fi DBUF1JOOJOH w #ZQBTTJOH+BJM#SFBL 3PPUQSJWJMFHFT EFUFDUJPO w .FNPSZNPEJ fi DBUJPO w FUD 5PEBZ`TUPQJD

8IBUJTNFNPSZNPEJGJDBUJPOʁ w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PSJ04HBNFT UIFSFBSFXFMMLOPXODIFBUUPPMTTVDIBT J(BNF(VBSEJBOBOE(BNF1MBZFS w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFE
(BNF(VBSEJBO

8IBUJTJQBNFEJU w "NFNPSZTFBSDIBOEQBUDIUPPMGPSSFTJHOFE*1" w 8PSLTXJUIPVU+BJMCSFBLJOH w 'PSNPCJMFTFDVSJUZUFTUJOH w IUUQTHJUIVCDPNBLUTLJQBNFEJU

8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTT+BJMCSFBLJOHEFUFDUJPO w (BNFBQQTPGUFOEFUFDU+BJMCSFBLJOH w 8PSLTXJUIDPMPSGVM56*
w &BTZUPGPMMPXMPHT w /PDPNQFUJOHUPPMTUIBUXPSLXJUI56*GPSJ04

8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w $MPTFETPVSDFDIFBUUPPMTBSFEJ ffi DVMUUPVTFGPSHBNFBQQTUIBUIBWF OPUCFFOSFMFBTFE w DPOTJEFSJOHUIFSJTLPGJOGPSNBUJPOMFBLBHFʜ w JQBNFEJUJTPQFOTPVSDFBOEBUPPMEFWFMPQFECZBHBNFDPNQBOZ
w *UDBOCFVTFEGPSTFDVSJUZUFTUJOHXJUIDPO fi EFODF

4 w . %&.0.07*&

6QEBUFTBGUFS#MBDL)BU64""STFOBM w *BMTPQSFTFOUFEBUUIF#MBDL)BU64""STFOBM w "UUIBUUJNF JUDPVMEPOMZUBSHFUJ04BQQTSVOOJOHPOJ1IPOF w /PXJUTVQQPSUTJ04BQQTSVOOJOHPOUIF"QQMF4JMJDPO.BD w 5IF"QQMF4JMJDPO.BDXBTSFDFOUMZSFMFBTFEBOEBMMPXTZPVUPSVO
J04BQQTPONBD04

%&.0.07*&

3FRVJSFNFOUT w NBD04 w :PVOFFEUPIBWFBWBMJEJ04%FWFMPQNFOUDFSUJ fi DBUFJOTUBMMFE

3FRVJSFNFOUT GPSJ04EFWJDFTPOMZ w 9DPEF w 4JODFUIFUPPMVTFT--%#JOTJEF9DPEF  

3FRVJSFNFOUT GPSJ04EFWJDFTPOMZ w MJCJNPCJMFEFWJDFMJCJNPCJMFEFWJDF w MJCJNPCJMFEFWJDFJEFWJDFJOTUBMMFS $ brew install --HEAD
libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller

3FTJHO w 5IFUBSHFU*1"NVTUCFTJHOFEXJUIBDFSUJ fi DBUFJOTUBMMFE   POZPVS1$ w *GZPVXBOUUPNPEJGZNFNPSZPOUIJSEQBSUZBQQMJDBUJPOT
  ZPVOFFEUPSFTJHOUIF*1"

3FTJHO w *GZPVVTFUIFJQBVUJM*DSFBUFE ZPVDBOFBTJMZSFTJHO w IUUQTHJUIVCDPNBLUTLJQBVUJM $ ipautil decode tap1000000.ipa
# unzip   $ ipautil build Payload # re-sign

6TBHF JOTUBMMBUJPO w %PXOMPBEUIFCJOBSZ JQBNFEJU GSPN(JU)VC3FMFBTFT   BOEESPQJUJOZPVS1"5) w 6TJOH(JU)VC"DUJPOTUPCVJMEBOEEJTUSJCVUFUIFCJOBSJFT

6TBHF UPMBVODI w 5BSHFUJOHUIFJ04BQQPOUIFJ1IPOF w 5BSHFUJOHUIFJ04BQQPOUIF"QQMF4JMJDPO.BD $ unzip tap1000000.ipa $
ipa-medit -bin=“./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000" $ ipa-medit -name <process name>

6TBHF TVCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFWJBUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w fi OEWBMVFTFBSDIUIFTQFDJ fi
FEJOUFHFSWBMVFJONFNPSZ w fi MUFSWBMVF fi MUFSTFBSDISFTVMUTVTJOHUIFTQFDJ fi FEWBMVF w QBUDIWBMVFXSJUFUIFTQFDJ fi FEWBMVFUPUIFBEESFTTGPVOECZ UIFQSFWJPVTTFBSDI

5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFl fi OEzDPNNBOEUPTFBSDIGPSUIFWBMVFJOUIF6* w *GUIFSFBSFNBOZSFTVMUTDIBOHFUIFWBMVFJOUIF6*UP   l fi
MUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ   CZVTJOHUIFQBUDIDPNNBOE

)PXEPFTJUXPSL Photo by Harrison Broadbent on Unsplash

)PXEPFTJUXPSL w %J ff FSFOUNFNPSZNPEJ fi DBUJPONFDIBOJTNT w 5BSHFUJOHJ04BQQTPOJ04%FWJDFT w
5BSHFUJOHJ04BQQTPOUIF"QQMF4JMJDPO.BD

)PXEPFTJUXPSL POJ04%FWJDFT w 6TFMJCJNPCMJFEFWJDFUPJOUFSBDUXJUIJ04EFWJDFT w MJCJNPCMJFEFWJDFJTBQPQVMBSMJCSBSZUIBUDPNNVOJDBUFTXJUIJ04 EFWJDFTVTJOHOBUJWFQSPUPDPMT w IUUQTMJCJNPCJMFEFWJDFPSH

)PXEPFTJUXPSL POJ04%FWJDFT w 5IF--%#1ZUIPO"1*JTVTFEUPSFBEXSJUFGSPNUPNFNPSZ w *UVTFTUIFTBNFNFDIBOJTNUIBU9DPEFVTFTJOUFSOBMMZ w --%#JTVTFEJOTJEF9DPEF w *QBNFEJUCJOBSZJTCVJMUVTJOH(P
w #VU CFDBVTFJUVTFTUIF--%#1ZUIPO"1* 1ZUIPOTDSJQUJTBMTP FNCFEEFEJOUIFCJOBSZ

8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOHVTJOH(PMBOH w MJCJNPCMJFEFWJDFJTJNQMFNFOUFEJO$ w 5IF--%#1ZUIPO"1*SFRVJSFT1ZUIPO w 8IZEJE*VTF(PGPSEFWFMPQNFOU

(PPOJ04 w *OTJEFUIF(PSFQPTJUPSZ UIFSFJTBUPPMGPSEFCVHHJOHJ04MJCSBSJFT NBEFVTJOH(P w GPSJ04EFWJDFTPOMZ w IUUQTHJUIVCDPNHPMBOHHPUSFFNBTUFSNJTDJPT w
5IBUJTXIFSF*HPUUIFJEFB w 5IBOLTUP(PMBOH

)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w *IBEQSFWJPVTMZDSFBUFEBNFNPSZNPEJ fi DBUJPOUPPMGPS"OESPJE DBMMFEBQLNFEJU!$0%&#-6&#MVFCPY w *UIPVHIUUIBUUIFTBNFMPHJDGSPNUIJTUPPMDPVMEBMTPCFVTFEGPS  
UIF"QQMF4JMMJDPO.BD w #VUNBD04JTRVJUFEJ ff FSFOUGSPN-JOVY

)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPO-JOVY "OESPJE JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT
  QSPDQJENBQT 3FBEUIFNFNPSZ   QSPDQJENFN   CZQUSBDF 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ   QSPDQJENFN   CZQUSBDF

)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w #VUPONBD04 5IFSFJTOPQSPDQJENBQT w 5IFSFGPSF BTQFDJBMJ[FE"1*NVTUCFVTFEUPSFBEBNFNPSZNBQ
w 5PSFEVDFUIFJNQMFNFOUBUJPOF ff PSU JQBNFEJUJOUFSOBMMZVTFTUIF WNNBQDPNNBOEUPPCUBJOBNFNPSZNBQ

)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 0ONBD04 UIFSFJTOPQSPDQJENFNBOEOPNFNPSZSFBE XSJUFWJBQUSBDF w QUSBDFJTBTZTUFNDBMMPGUFOVTFEUPJNQMFNFOUEFCVHHFST w TXJUDIUIFPQFSBUJPOCZTQFDJGZJOHUIFSFRVFTUBTUIF
fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data);ɹ

)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w QUSBDFBMTPFYJTUTPONBD04 w )PXFWFS NFNPSZSFBEXSJUFJTOPUTVQQPSUFE w *UJTOPUQPTTJCMFUPTQFDJGZ153"$&@1&&,%"5"GPSSFBEJOHNFNPSZ PS153"$&@10,&%"5"GPSXSJUJOHUPNFNPSZBTUIF
fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data);

w NBD04BMTPIBTBTQFDJBMJ[FE"1*GPSSFBEJOHBOEXSJUJOHUPNFNPSZ w *UVTFTNBDI@WN@SFBE UPSFBEUIFNFNPSZ w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFTNBDI@WN@XSJUF UPQBUDI UIFNFNPSZ
)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD

)PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPONBD04JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT   WNNBQ
3FBEUIFNFNPSZ   NBDI@WN@SFBE 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ   NBDI@WN@XSJUF

5IFTJHOJOHSFRVJSFNFOU w 0ONBD04 OPOTJHOFEQSPHSBNTDBOOPUCFVTFEBTEFCVHHFSTʜ w 5IFQSPHSBNNVTUCFVTFEBTBEFCVHHFSNVTUCFTJHOFE w 4QFDJGZJOUIFFOUJUMFNFOUTQMJTUUPFOBCMFUIFBUUSJCVUF DPNBQQMFTFDVSJUZDTEFCVHHFS

DPNBQQMFTFDVSJUZDTEFCVHHFS w 5IFFOUJUMFNFOUTQMJTUJTBTGPMMPXT <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD
PLIST 1.0//EN" “http://www.apple.com/ DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.debugger</key> <true/> </dict> </plist>

5IFQSPHSBNUPCFEFCVHHFENVTUBMTPCFTJHOFE w 5IFDPNBQQMFTFDVSJUZHFUUBTLBMMPXBUUSJCVUFNVTUCFFOBCMFEJO UIFBQQMJDBUJPOUPCFEFCVHHFE w *UBMMPXTBUUBDINFOUTCZUIFEFCVHHFS

DPNBQQMFTFDVSJUZHFUUBTLBMMPX w :PVDBODIFDLJGUIFDPNBQQMFTFDVSJUZHFUUBTLBMMPXBUUSJCVUFJT FOBCMFEVTJOHUIFDPEFTJHODPNNBOE $ codesign -d --entitlements :- 47071
  Executable=/private/var/folders/hc/XXXXXXXXnsfn1_c9n20jxw40000gq/X/XXXXXXXX- XXXX-XXXX-XXXX-XXXXXXXXXXXX/d/Wrapper/tap1000000.app/tap1000000 <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> … <key>get-task-allow</key> <true/> … </dict> </plist>

5IFSFBSFPUIFSXBZTUPEPUIJT w 'SJEBNBLFTJUQPTTJCMFUPEFCVHJ04BQQTCZJOTFSUJOHBHBEHFUJOUP UIFEFCVHHBCMFBQQXJUIPVU+BJMCSFBLJOH w 'SJEBJTBEZOBNJDJOTUSVNFOUBUJPOUPPMLJU w IUUQTGSJEBSF w .FNPSZNPEJ
fi DBUJPOJTQPTTJCMFUIJTXBZBTXFMM

w 5IF--%#1ZUIPO"1*JTTMPXFSUIBOGSJEBTBQQSPBDIʜ w #VUUIFSFJTOPOFFEUPQBUDIUIF*1" XIJDIJTBOBEWBOUBHF w "OEJUOFWFSHFUTDBVHIUCZBQQNPEJ fi DBUJPOEFUFDUJPO w
*NBZXPSLPOJNQMFNFOUJOHUIJTNFUIPEJOUIFGVUVSFBTXFMM 5IFSFBSFPUIFSXBZTUPEPUIJT

4VNNBSZ w *QBNFEJUBMMPXTNFNPSZNPEJ fi DBUJPOTXJUIPVUCZQBTTJOH+BJMCSFBL EFUFDUJPO w #VUUIFSFJTBOFFEUPSFTJHOUIF*1"ʜ w *IPQFJQBNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE
  GPSTFDVSJUZUFTUJOH

5IBOL:PV IUUQTHJUIVCDPNBLUTLJQBNFEJU  

Ipa-medit: Memory modification tool for iOS app...

Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022

More Decks by @tkmru

Other Decks in Programming

Featured

Transcript