Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022

@tkmru
October 28, 2022
Programming
0
69

Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022

- https://codeblue.jp/2022/en/talks/?content=talks_23
- https://github.com/aktsk/ipa-medit

@tkmru

October 28, 2022
Tweet

More Decks by @tkmru

See All by @tkmru
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
130
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
3.6k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
3.5k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
630
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
160
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
3.5k
めんどうくさいゲームセキュリティ
tkmru
20
10k
Linux Rootkit Internals
tkmru
1
1.6k
Unicornを用いたDead Code除去
tkmru
0
170

Other Decks in Programming

See All in Programming
ポケモンで学ぶiOS 16弾丸ツアー 🚅
giginet
PRO
1
620
(新米)エンジニアリングマネージャーのしごと #RSGT2023
murabayashi
9
5.9k
TokyoR#103_DataProcessing
kilometer
0
540
低レイヤーから始める GUI
fadis
18
9.4k
Cloudflare WorkersでGoを動かすライブラリを作っている話
syumai
1
320
Enumを自動で網羅的にテストしてみた
estie
0
1.3k
Micro Frontends with Module Federation @MicroFrontend Summit 2023
manfredsteyer
PRO
0
590
Amebaブログの会員画面システム刷新の道程
ryotasugawara
1
250
なぜRubyコミュニティにコミットするのか?
luccafort
0
320
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
42k
42tokyo-born2beroot-review
love42
0
110
Zynq MP SoC で楽しむエッジコンピューティング ~RTLプログラミングのススメ~
ryuz88
0
390

Featured

See All Featured
Thoughts on Productivity
jonyablonski
49
2.7k
Designing on Purpose - Digital PM Summit 2013
jponch
108
5.9k
Bash Introduction
62gerente
601
210k
Building Better People: How to give real-time feedback that sticks.
wjessup
346
17k
Ruby is Unlike a Banana
tanoku
93
9.5k
10 Git Anti Patterns You Should be Aware of
lemiorhan
643
54k
Fashionably flexible responsive web design (full day workshop)
malarkey
396
63k
What's in a price? How to price your products and services
michaelherold
233
9.7k
No one is an island. Learnings from fostering a developers community.
thoeni
12
1.5k
YesSQL, Process and Tooling at Scale
rocio
159
12k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
Three Pipe Problems
jasonvnalue
89
8.9k

Transcript

  1. 1SFTFOUFECZ5BJDIJ,PUBLF 
 "LBUTVLJ(BNFT*OD4UFSSB4FDVSJUZ$P -UE *QBNFEJU.FNPSZNPEJGJDBUJPO UPPMGPSJ04BQQTXJUIPVU +BJMCSFBLJOH $0%&#-6&#MVFCPY&EJUJPO

  2. 8IP*BN w /BNF5BJDIJ,PUBLF w +PC w 4FDVSJUZ&OHJOFFS!"LBUTVLJ(BNFT*OD w $50$PGPVOEFS!4UFSSB4FDVSJUZ$P -UE

    w (JU)VCULNSV 

  3. .Z#PPLT 

  4. .Z$0%&#-6&)JTUPSZ w $0%&#-6&4UVEFOU4UB ff  w $0%&#-6&#MVFCPYl"QLNFEJUNFNPSZTFBSDIBOEQBUDI UPPMGPS"1,XJUIPVUSPPUBOESPJE/%,z w $0%&#-6&#MVFCPYl*QBNFEJU.FNPSZNPEJ

    fi DBUJPOUPPMGPS J04BQQTXJUIPVU+BJMCSFBLJOH 4FRVFMUPUIF QSFTFOUBUJPO 

  5. 5PEBZT5PQJD 
 4FDVSJUZUFTUJOH 
 GPSNPCJMFHBNFBQQT Photo by Shannon Potter on

    Unsplash

  6. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w 4FDVSJUZUFTUJOHPGXFCBQQMJDBUJPOTBOETJNQMFNPCJMFBQQTDBO fi OENPTUWVMOFSBCJMJUJFTCZVTJOHBQSPYZUPPMUP 
 NPEJGZUIFSFRVFTUTSFTQPOTFTUPUIFTFSWFS 

  7. 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQT w .PCJMFHBNFBQQTPGUFOJNQMFNFOUUIFHBNFBOEBOUJDIFBUMPHJDJO UIFJSDMJFOUT BOEUIFDMJFOUTOFFEUPJNQMFNFOUUIFMPHJDUPDIFDLJU 

  8. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 4FDVSJUZUFTUJOHGPSNPCJMFHBNFBQQTJTNPSFEJ ff i DVMU w %VFUPUIFQFSTQFDUJWFPGSFWFSTFFOHJOFFSJOH w %FDSZQUJOHFODSZQUFESFRVFTUTSFTQPOTFT

    w #ZQBTTJOH44-1JOOJOH $FSUJ fi DBUF1JOOJOH  w #ZQBTTJOH+BJM#SFBL 3PPUQSJWJMFHFT EFUFDUJPO w .FNPSZNPEJ fi DBUJPO w FUD 5PEBZ`TUPQJD 

  9. 8IBUJTNFNPSZNPEJGJDBUJPOʁ w 5IFFBTJFTUXBZUPDIFBUJOHBNFT w 'PSJ04HBNFT UIFSFBSFXFMMLOPXODIFBUUPPMTTVDIBT J(BNF(VBSEJBOBOE(BNF1MBZFS w 'PS"OESPJEHBNFT UIFSFJTBXFMMLOPXODIFBUUPPMDBMMFE

    (BNF(VBSEJBO 

  10. 8IBUJTJQBNFEJU w "NFNPSZTFBSDIBOEQBUDIUPPMGPSSFTJHOFE*1" w 8PSLTXJUIPVU+BJMCSFBLJOH w 'PSNPCJMFTFDVSJUZUFTUJOH w IUUQTHJUIVCDPNBLUTLJQBNFEJU 

  11. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w /PSPPUQSJWJMFHFTBSFSFRVJSFEGPSUIFPQFSBUJPO w 5IFSFGPSF UIFSFJTOPOFFEUPCZQBTT+BJMCSFBLJOHEFUFDUJPO w (BNFBQQTPGUFOEFUFDU+BJMCSFBLJOH w 8PSLTXJUIDPMPSGVM56*

    w &BTZUPGPMMPXMPHT w /PDPNQFUJOHUPPMTUIBUXPSLXJUI56*GPSJ04 

  12. 8IBUBSFJUTBEWBOUBHFTPWFSPUIFSUPPMT w $MPTFETPVSDFDIFBUUPPMTBSFEJ ffi DVMUUPVTFGPSHBNFBQQTUIBUIBWF OPUCFFOSFMFBTFE w DPOTJEFSJOHUIFSJTLPGJOGPSNBUJPOMFBLBHFʜ w JQBNFEJUJTPQFOTPVSDFBOEBUPPMEFWFMPQFECZBHBNFDPNQBOZ

    w *UDBOCFVTFEGPSTFDVSJUZUFTUJOHXJUIDPO fi EFODF 

  13. 4 w .  %&.0.07*&

  14. 6QEBUFTBGUFS#MBDL)BU64""STFOBM w *BMTPQSFTFOUFEBUUIF#MBDL)BU64""STFOBM w "UUIBUUJNF JUDPVMEPOMZUBSHFUJ04BQQTSVOOJOHPOJ1IPOF w /PXJUTVQQPSUTJ04BQQTSVOOJOHPOUIF"QQMF4JMJDPO.BD w 5IF"QQMF4JMJDPO.BDXBTSFDFOUMZSFMFBTFEBOEBMMPXTZPVUPSVO

    J04BQQTPONBD04 

  15.  %&.0.07*&

  16. 3FRVJSFNFOUT w NBD04 w :PVOFFEUPIBWFBWBMJEJ04%FWFMPQNFOUDFSUJ fi DBUFJOTUBMMFE 

  17. 3FRVJSFNFOUT GPSJ04EFWJDFTPOMZ w 9DPEF w 4JODFUIFUPPMVTFT--%#JOTJEF9DPEF 
 

  18. 3FRVJSFNFOUT GPSJ04EFWJDFTPOMZ w MJCJNPCJMFEFWJDFMJCJNPCJMFEFWJDF w MJCJNPCJMFEFWJDFJEFWJDFJOTUBMMFS $ brew install --HEAD

    libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller 

  19. 3FTJHO w 5IFUBSHFU*1"NVTUCFTJHOFEXJUIBDFSUJ fi DBUFJOTUBMMFE 
 POZPVS1$ w *GZPVXBOUUPNPEJGZNFNPSZPOUIJSEQBSUZBQQMJDBUJPOT 

    
 ZPVOFFEUPSFTJHOUIF*1" 

  20. 3FTJHO w *GZPVVTFUIFJQBVUJM*DSFBUFE ZPVDBOFBTJMZSFTJHO w IUUQTHJUIVCDPNBLUTLJQBVUJM $ ipautil decode tap1000000.ipa

    # unzip 
 $ ipautil build Payload # re-sign 

  21. 6TBHF JOTUBMMBUJPO w %PXOMPBEUIFCJOBSZ JQBNFEJU GSPN(JU)VC3FMFBTFT 
 BOEESPQJUJOZPVS1"5) w 6TJOH(JU)VC"DUJPOTUPCVJMEBOEEJTUSJCVUFUIFCJOBSJFT

    

  22. 6TBHF UPMBVODI w 5BSHFUJOHUIFJ04BQQPOUIFJ1IPOF w 5BSHFUJOHUIFJ04BQQPOUIF"QQMF4JMJDPO.BD $ unzip tap1000000.ipa $

    ipa-medit -bin=“./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000" $ ipa-medit -name <process name> 

  23. 6TBHF TVCDPNNBOET w .BOZTVCDPNNBOETBSFBWBJMBCMFWJBUIFJOUFSBDUJWFQSPNQU CVUUIF UISFFNBJOPOFTBSF w fi OEWBMVFTFBSDIUIFTQFDJ fi

    FEJOUFHFSWBMVFJONFNPSZ w fi MUFSWBMVF fi MUFSTFBSDISFTVMUTVTJOHUIFTQFDJ fi FEWBMVF w QBUDIWBMVFXSJUFUIFTQFDJ fi FEWBMVFUPUIFBEESFTTGPVOECZ UIFQSFWJPVTTFBSDI 

  24. 5IFNFNPSZNPEJGJDBUJPOGMPX w 6TFUIFl fi OEzDPNNBOEUPTFBSDIGPSUIFWBMVFJOUIF6* w *GUIFSFBSFNBOZSFTVMUTDIBOHFUIFWBMVFJOUIF6*UP 
 l fi

    MUFSzUIFSFTVMUT w 8IFOUIFSFBSFGFXFSSFTVMUT ZPVDBONPEJGZUIFNFNPSZ 
 CZVTJOHUIFQBUDIDPNNBOE 

  25. )PXEPFTJUXPSL Photo by Harrison Broadbent on Unsplash

  26. )PXEPFTJUXPSL w %J ff FSFOUNFNPSZNPEJ fi DBUJPONFDIBOJTNT w 5BSHFUJOHJ04BQQTPOJ04%FWJDFT w

    5BSHFUJOHJ04BQQTPOUIF"QQMF4JMJDPO.BD 

  27. )PXEPFTJUXPSL POJ04%FWJDFT w 6TFMJCJNPCMJFEFWJDFUPJOUFSBDUXJUIJ04EFWJDFT w MJCJNPCMJFEFWJDFJTBQPQVMBSMJCSBSZUIBUDPNNVOJDBUFTXJUIJ04 EFWJDFTVTJOHOBUJWFQSPUPDPMT w IUUQTMJCJNPCJMFEFWJDFPSH 

  28. )PXEPFTJUXPSL POJ04%FWJDFT w 5IF--%#1ZUIPO"1*JTVTFEUPSFBEXSJUFGSPNUPNFNPSZ w *UVTFTUIFTBNFNFDIBOJTNUIBU9DPEFVTFTJOUFSOBMMZ w --%#JTVTFEJOTJEF9DPEF w *QBNFEJUCJOBSZJTCVJMUVTJOH(P

    w #VU CFDBVTFJUVTFTUIF--%#1ZUIPO"1* 1ZUIPOTDSJQUJTBMTP FNCFEEFEJOUIFCJOBSZ 

  29. 8IBUBSFUIFCFOFGJUTPGJNQMFNFOUJOHVTJOH(PMBOH w MJCJNPCMJFEFWJDFJTJNQMFNFOUFEJO$ w 5IF--%#1ZUIPO"1*SFRVJSFT1ZUIPO w 8IZEJE*VTF(PGPSEFWFMPQNFOU 

  30. (PPOJ04 w *OTJEFUIF(PSFQPTJUPSZ UIFSFJTBUPPMGPSEFCVHHJOHJ04MJCSBSJFT NBEFVTJOH(P w GPSJ04EFWJDFTPOMZ w IUUQTHJUIVCDPNHPMBOHHPUSFFNBTUFSNJTDJPT w

    5IBUJTXIFSF*HPUUIFJEFB w 5IBOLTUP(PMBOH 

  31. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w *IBEQSFWJPVTMZDSFBUFEBNFNPSZNPEJ fi DBUJPOUPPMGPS"OESPJE DBMMFEBQLNFEJU!$0%&#-6&#MVFCPY w *UIPVHIUUIBUUIFTBNFMPHJDGSPNUIJTUPPMDPVMEBMTPCFVTFEGPS 


    UIF"QQMF4JMMJDPO.BD w #VUNBD04JTRVJUFEJ ff FSFOUGSPN-JOVY 

  32. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPO-JOVY "OESPJE JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT

    
 QSPDQJENBQT 3FBEUIFNFNPSZ 
 QSPDQJENFN 
 CZQUSBDF 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ 
 QSPDQJENFN 
 CZQUSBDF 

  33. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IF.FNPSZNBQUFMMTVTXIFSFXFDBOSFBEXSJUF w #VUPONBD04 5IFSFJTOPQSPDQJENBQT w 5IFSFGPSF BTQFDJBMJ[FE"1*NVTUCFVTFEUPSFBEBNFNPSZNBQ

    w 5PSFEVDFUIFJNQMFNFOUBUJPOF ff PSU JQBNFEJUJOUFSOBMMZVTFTUIF WNNBQDPNNBOEUPPCUBJOBNFNPSZNBQ 

  34. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 0ONBD04 UIFSFJTOPQSPDQJENFNBOEOPNFNPSZSFBE XSJUFWJBQUSBDF w QUSBDFJTBTZTUFNDBMMPGUFOVTFEUPJNQMFNFOUEFCVHHFST w TXJUDIUIFPQFSBUJPOCZTQFDJGZJOHUIFSFRVFTUBTUIF

    fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data);ɹ 

  35. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w QUSBDFBMTPFYJTUTPONBD04 w )PXFWFS NFNPSZSFBEXSJUFJTOPUTVQQPSUFE w *UJTOPUQPTTJCMFUPTQFDJGZ153"$&@1&&,%"5"GPSSFBEJOHNFNPSZ PS153"$&@10,&%"5"GPSXSJUJOHUPNFNPSZBTUIF

    fi STUBSHVNFOU ptrace(int request, pid_t pid, caddr_t addr, int data); 

  36. w NBD04BMTPIBTBTQFDJBMJ[FE"1*GPSSFBEJOHBOEXSJUJOHUPNFNPSZ w *UVTFT[email protected]@SFBE UPSFBEUIFNFNPSZ w 8IFOUIFUBSHFUWBMVFJTGPVOE JUVTFT[email protected]@XSJUF UPQBUDI UIFNFNPSZ

    )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD 

  37. )PXEPFTJUXPSL PO"QQMF4JMMJDPO.BD w 5IFNFNPSZNPEJ fi DBUJPOQSPDFTTPONBD04JTBTGPMMPXT 4FBSDISFBEBCMF NFNPSZBEESFTTFT 
 WNNBQ

    3FBEUIFNFNPSZ 
 [email protected]@SFBE 4FBSDIGPSUIFUBSHFU WBMVF 1BUDIUIFNFNPSZ 
 [email protected]@XSJUF 

  38. 5IFTJHOJOHSFRVJSFNFOU w 0ONBD04 OPOTJHOFEQSPHSBNTDBOOPUCFVTFEBTEFCVHHFSTʜ w 5IFQSPHSBNNVTUCFVTFEBTBEFCVHHFSNVTUCFTJHOFE w 4QFDJGZJOUIFFOUJUMFNFOUTQMJTUUPFOBCMFUIFBUUSJCVUF DPNBQQMFTFDVSJUZDTEFCVHHFS 

  39. DPNBQQMFTFDVSJUZDTEFCVHHFS w 5IFFOUJUMFNFOUTQMJTUJTBTGPMMPXT <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD

    PLIST 1.0//EN" “http://www.apple.com/ DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.debugger</key> <true/> </dict> </plist> 

  40. 5IFQSPHSBNUPCFEFCVHHFENVTUBMTPCFTJHOFE w 5IFDPNBQQMFTFDVSJUZHFUUBTLBMMPXBUUSJCVUFNVTUCFFOBCMFEJO UIFBQQMJDBUJPOUPCFEFCVHHFE w *UBMMPXTBUUBDINFOUTCZUIFEFCVHHFS 

  41. DPNBQQMFTFDVSJUZHFUUBTLBMMPX w :PVDBODIFDLJGUIFDPNBQQMFTFDVSJUZHFUUBTLBMMPXBUUSJCVUFJT FOBCMFEVTJOHUIFDPEFTJHODPNNBOE $ codesign -d --entitlements :- 47071

    
 Executable=/private/var/folders/hc/XXXXXXXXnsfn1_c9n20jxw40000gq/X/XXXXXXXX- XXXX-XXXX-XXXX-XXXXXXXXXXXX/d/Wrapper/tap1000000.app/tap1000000 <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> … <key>get-task-allow</key> <true/> … </dict> </plist>

  42. 5IFSFBSFPUIFSXBZTUPEPUIJT w 'SJEBNBLFTJUQPTTJCMFUPEFCVHJ04BQQTCZJOTFSUJOHBHBEHFUJOUP UIFEFCVHHBCMFBQQXJUIPVU+BJMCSFBLJOH w 'SJEBJTBEZOBNJDJOTUSVNFOUBUJPOUPPMLJU w IUUQTGSJEBSF w .FNPSZNPEJ

    fi DBUJPOJTQPTTJCMFUIJTXBZBTXFMM 

  43. w 5IF--%#1ZUIPO"1*JTTMPXFSUIBOGSJEBTBQQSPBDIʜ w #VUUIFSFJTOPOFFEUPQBUDIUIF*1" XIJDIJTBOBEWBOUBHF w "OEJUOFWFSHFUTDBVHIUCZBQQNPEJ fi DBUJPOEFUFDUJPO w

    *NBZXPSLPOJNQMFNFOUJOHUIJTNFUIPEJOUIFGVUVSFBTXFMM 5IFSFBSFPUIFSXBZTUPEPUIJT 

  44. 4VNNBSZ w *QBNFEJUBMMPXTNFNPSZNPEJ fi DBUJPOTXJUIPVUCZQBTTJOH+BJMCSFBL EFUFDUJPO w #VUUIFSFJTBOFFEUPSFTJHOUIF*1"ʜ w *IPQFJQBNFEJUXJMMCFDPNFUIFEFGBDUPTUBOEBSE

    
 GPSTFDVSJUZUFTUJOH 

  45. 5IBOL:PV IUUQTHJUIVCDPNBLUTLJQBNFEJU