Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa

Transcript

1. #BHUSA @BLACKHATEVENTS ipa-medit memory search and patch tool for IPA

   without Jailbreaking Presented by Taichi Kotake Akatsuki Inc.

2. #BHUSA @BLACKHATEVENTS Who I am • Name: Taichi Kotake •

   Country: Japan • Job: Security Engineer @ Akatsuki Inc. • GitHub: tkmru 2

3. 5PEBZT
   5PQJD
   4FDVSJUZ
   UFTUJOH
   
   GPS
   NPCJMF
   HBNF
   BQQT Photo by Shannon Potter on Unsplash

4. #BHUSA @BLACKHATEVENTS • I also presented at Black Hat Arsenal

   USA last year • Last year, I talked about apk-medit • Memory modification tool for Android • This year, I'll be talking about the iOS version of apk-medit Were you here last year? 4

5. #BHUSA @BLACKHATEVENTS • Security testing of web applications and simple

   mobile apps can find most vulnerabilities by using a proxy tool to modify with the requests/responses to the server Security testing for mobile game apps

6. #BHUSA @BLACKHATEVENTS • Mobile game apps often implement the game

   and anti-cheat logic in their clients, and the clients need to take the time to check it Security testing for mobile game apps

7. #BHUSA @BLACKHATEVENTS What is memory modificationʁ • Security testing for

   mobile game apps is more difficult • Due to the perspective of reverse engineering • Decrypting requests/responses encryption • SSL pinning bypass • Root privileges detection bypass • Memory modification • etc 5PEBZ`T
   UPQJD 7

8. #BHUSA @BLACKHATEVENTS What is memory modificationʁ • The easiest way

   to cheat in games • For iOS games, there is a well known cheat tool called iGameGuardian, GamePlayer • For Android games, there is a well known cheat tool called GameGuardian 8

9. #BHUSA @BLACKHATEVENTS What is ipa-medit? • Memory search and patch

   tool for re-signed IPA without Jailbreaking • Works without Jailbreaking • For mobile security testing • https://github.com/aktsk/ipa-medit 9

10. #BHUSA @BLACKHATEVENTS What are its advantages over other tools? •

    No root privileges are required for the operation • Therefore, there is no need to bypass Jailbreaking detection • Game apps often detect Jailbreaking • Works with colorful CUI • No competing tools that work with CUI for iOS 10

11. #BHUSA @BLACKHATEVENTS Demo Movie 11

12. #BHUSA @BLACKHATEVENTS • macOS • You need to have a

    valid iOS Development certificate installed • Xcode • That's why the tool uses LLDB inside Xcode Requirements 12

13. #BHUSA @BLACKHATEVENTS • libimobiledevice/libimobiledevice • libimobiledevice/ideviceinstaller Requirements $ brew install

    --HEAD libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller 13

14. #BHUSA @BLACKHATEVENTS • The target IPA must be signed with

    a certificate installed on your PC • If you want to modify memory on third-party applications, you need to re-sign the IPA Re-sign 14

15. #BHUSA @BLACKHATEVENTS • If you use the ipautil I created,

    you can easily re-sign • https://github.com/aktsk/ipautil Re-sign $ ipautil decode tap1000000.ipa # unzip $ ipautil build Payload # re-sign 15

16. #BHUSA @BLACKHATEVENTS • Download the binary(ipa-medit) from GitHub Releases and

    drop it in your $PATH • Using Github Actions to build and distribute the binaries Usage (installation) 16

17. #BHUSA @BLACKHATEVENTS • To launch it, specify the executable file

    path contained in the IPA with the -bin and the bundle id with the -id Usage (to launch) $ ipa-medit -bin="./Payload/tap1000000.app/ tap1000000" -id="jp.hoge.tap1000000" 17

18. #BHUSA @BLACKHATEVENTS • Many subcommands are available via the interactive

    prompt, but the three main ones are: • find <value> - search the specified integer value in memory • filter <value> - filter search results using the specified value • patch <value> - write the specified value to the address found by the previous search Usage (subcommands) 18

19. #BHUSA @BLACKHATEVENTS The memory modification flow • Use the “find”

    command to search for the value on the UI • If there are many results change the value on the UI to “filter” the results • When there are fewer results, you can modify the memory by using the "patch" command 19

20. )PX
    JU
    XPSLT Photo by Harrison Broadbent on Unsplash

21. #BHUSA @BLACKHATEVENTS • This tool uses libimobliedevice to interact with

    iOS devices • libimobliedevice is a famous library that communicates with iOS devices using native protocols • https://libimobiledevice.org/ How does it work? 21

22. #BHUSA @BLACKHATEVENTS • The LLDB Python API is used to

    read/write memory • It uses the mechanism that Xcode uses internally • LLDB is used inside Xcode How does it work? 22

23. #BHUSA @BLACKHATEVENTS • Ipa-medit binary is built using Go •

    But, because it uses the LLDB Python API, Python script is also embedded in the binary How does it work? The Go gopher was designed by Renee French. 
 (http://reneefrench.blogspot.com/) 23

24. 8IBU
    BSF
    UIF
    CFOFGJUT
    PG
    JNQMFNFOUJOH
    
    VTJOH
    (PMBOH
    PO
    J04
    EFWJDFT Photo by Nandhu Kumar on Unsplash

25. #BHUSA @BLACKHATEVENTS • libimobliedevice is implemented in C • The

    LLDB Python API requires Python • Why did I use Go for development? What are the benefits of implementing using Golang? The Go gopher was designed by Renee French. 
 (http://reneefrench.blogspot.com/) 25

26. #BHUSA @BLACKHATEVENTS • Inside the Go repository, there is a

    tool for debugging iOS libraries made using Go • https://github.com/golang/go/tree/master/misc/ios Go on iOS 26

27. #BHUSA @BLACKHATEVENTS • That is where I got the idea

    • That’s why ipa-medit is implemented in Go • Thanks to Golang!! Go on iOS 27

28. #BHUSA @BLACKHATEVENTS • Frida makes it possible to debug iOS

    apps by inserting a gadget into the debuggable app without Jailbreak • Frida is a dynamic instrumentation toolkit: https://frida.re/ • Memory modification is possible this way as well This is not the only way 28

29. #BHUSA @BLACKHATEVENTS • The LLDB Python API is slower than

    frida's approach… • But no need to patch the IPA, it's an advantage. • And it never gets caught by app modification detection • I may work on implementing this method in the future as well This is not the only way 29

30. #BHUSA @BLACKHATEVENTS Summary • ipa-medit allows memory modifications without bypassing

    Jailbreak detection • But there is a need to re-sign the IPA…. • I hope ipa-medit will become the de facto standard for security testing 30

31. #BHUSA @BLACKHATEVENTS Thank You!! https://github.com/aktsk/ipa-medit