ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe

Transcript

1. #BHEU @BlackHatEvents ipa-medit Memory search and patch tool for IPA

   without Jailbreaking 
 Black Hat Europe 2022 Arsenal Edition Presented by Taichi Kotake 
 Akatsuki Games Inc. & Sterra Security Co.,Ltd.

2. #BHEU @BlackHatEvents • Name: Taichi Kotake • Country: Japan •

   Job: • Security Engineer @ Akatsuki Games Inc. • CTO & Co-founder @ Sterra Security Co.,Ltd. • GitHub: tkmru Who I am

3. #BHEU @BlackHatEvents • Black Hat USA 2020 Arsenal “Apk-medit: memory

   search and patch tool for APK without root & android NDK” • Black Hat USA 2021 Arsenal “Ipa-medit: Memory modification tool for iOS apps without Jailbreaking” • Black Hat Europe 2022 Arsenal “Ipa-medit: Memory modification tool for iOS apps without Jailbreaking” My Black Hat History 4FRVFM
   UP
   UIF
   
   
   QSFTFOUBUJPO

4. 5PEBZT
   5PQJD 
 4FDVSJUZ
   UFTUJOH
   
 GPS
   NPCJMF
   HBNF
   BQQT Photo by Shannon Potter on

   Unsplash

5. #BHEU @BlackHatEvents Security testing for mobile game apps • Security

   testing of web applications and simple mobile apps can find most vulnerabilities by using a proxy tool to modify 
 the requests/responses to the server

6. #BHEU @BlackHatEvents • Mobile game apps often implement the game

   and anti-cheat logic in their clients, and the clients need to take the time to check it Security testing for mobile game apps

7. #BHEU @BlackHatEvents What is memory modificationʁ • Security testing for

   mobile game apps is more difficult • Due to the perspective of reverse engineering • Decrypting encrypted requests/responses • SSL pinning bypass • Root privileges detection bypass • Memory modification • etc 5PEBZ`T
   UPQJD

8. #BHEU @BlackHatEvents What is memory modificationʁ • The easiest way

   to cheat in games • For iOS games, there is a well known cheat tool called iGameGuardian, GamePlayer • For Android games, there is a well known cheat tool called GameGuardian

9. #BHEU @BlackHatEvents What is ipa-medit? • Memory search and patch

   tool for re-signed IPA without Jailbreaking • Works without Jailbreaking • For mobile security testing • https://github.com/aktsk/ipa-medit

10. #BHEU @BlackHatEvents What are its advantages over other tools? •

    No root privileges are required for the operation • Therefore, there is no need to bypass Jailbreaking detection • Game apps often detect Jailbreaking • Works with colorful TUI • Easy to follow logs • No competing tools that work with TUI for iOS

11. #BHEU @BlackHatEvents • Closed-source cheat tools are difficult to use

    for game apps that have not been released • considering the risk of information leakage… • ipa-medit is open source and a tool developed by a game company • It can be used for security testing with confidence What are its advantages over other tools?

12. #BHEU @BlackHatEvents

13. #BHEU @BlackHatEvents • I also presented at the Black Hat

    USA 2021 Arsenal. • At that time, it could only target iOS apps running on the iPhone. • However, it now supports iOS apps running on the Apple Silicon Mac as well. • The Apple Silicon Mac was recently released and allows you to run iOS apps on macOS. Updates after BlackHat USA 2021 Arsenal

14. #BHEU @BlackHatEvents

15. #BHEU @BlackHatEvents • macOS • You need to have a

    valid iOS Development certificate installed Requirements

16. #BHEU @BlackHatEvents • Xcode • Since the tool uses LLDB

    inside Xcode Requirements (for iOS devices only)

17. #BHEU @BlackHatEvents • libimobiledevice/libimobiledevice • libimobiledevice/ideviceinstaller Requirements (for iOS devices

    only) $ brew install --HEAD libplist $ brew install --HEAD usbmuxd $ brew install --HEAD libimobiledevice $ brew install --HEAD ideviceinstaller

18. #BHEU @BlackHatEvents • The target IPA must be signed with

    a certificate installed 
 on your PC • If you want to modify memory on third-party applications, 
 you will need to re-sign the IPA Re-sign

19. #BHEU @BlackHatEvents • If you use the ipautil tool that

    I created, you can easily re-sign • https://github.com/aktsk/ipautil Re-sign $ ipautil decode tap1000000.ipa # unzip 
 $ ipautil build Payload # re-sign

20. #BHEU @BlackHatEvents • Download the binary(ipa-medit) from GitHub Releases 


    and drop it in your $PATH • Using GitHub Actions to build and distribute the binaries Usage (installation)

21. #BHEU @BlackHatEvents • Targeting the iOS app on the iPhone

    • Targeting the iOS app on the Apple Silicon Mac Usage (to launch) $ unzip tap1000000.ipa $ ipa-medit -bin=“./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000" $ ipa-medit -name <process name>

22. #BHEU @BlackHatEvents Usage (subcommands) • Many subcommands are available via

    the interactive prompt, but the three main ones are: • find <value> - search the specified integer value in memory • filter <value> - filter search results using the specified value • patch <value> - write the specified value to the address found by the previous search

23. #BHEU @BlackHatEvents • Use the “find” command to search for

    the value in the UI • If there are many results change the value in the UI to 
 “filter” the results • After filtering the results, you can modify the memory 
 by using the "patch" command The memory modification flow

24. )PX
    EPFT
    JU
    XPSL Photo by Harrison Broadbent on Unsplash

25. #BHEU @BlackHatEvents • Different memory modification mechanisms • Targeting iOS

    apps on iOS Devices • Targeting iOS apps on the Apple Silicon Mac How does it work?

26. #BHEU @BlackHatEvents • Use libimobiledevice to interact with iOS devices

    • libimobiledevice is a popular library that communicates with iOS devices using native protocols • https://libimobiledevice.org/ How does it work?(on iOS Devices)

27. #BHEU @BlackHatEvents • The LLDB Python API is used to

    read/write from/to memory • It uses the same mechanism that Xcode uses internally • LLDB is used inside Xcode • Ipa-medit binary is built using Go • But, because it uses the LLDB Python API, Python script is also embedded in the binary How does it work?(on iOS Devices)

28. #BHEU @BlackHatEvents • libimobiledevice is implemented in C • The

    LLDB Python API requires Python • Why did I use Go for development? What are the benefits of implementing using Golang?

29. #BHEU @BlackHatEvents • Inside the Go repository, there is a

    tool for debugging iOS libraries made using Go • for iOS devices only • https://github.com/golang/go/tree/master/misc/ios • That is where I got the idea • Thanks to Golang!! Go on iOS

30. #BHEU @BlackHatEvents • I had previously created a memory modification

    tool for Android called apk-medit@Black Hat USA 2020 Arsenal • I thought that the same logic from this tool could also be used for the Apple Sillicon Mac • But macOS is quite different from Linux. How does it work?(on Apple Sillicon Mac)

31. #BHEU @BlackHatEvents • The memory modification process on Linux(Android) is

    as follows: How does it work?(on Apple Sillicon Mac) 4FBSDI
    SFBEBCMF
    NFNPSZ
    BEESFTTFT 
 QSPDQJENBQT 3FBE
    UIF
    NFNPSZ
    
 QSPDQJENFN
    
 CZ
    QUSBDF
    
    4FBSDI
    GPS
    UIF
    UBSHFU
    WBMVF
    1BUDI
    UIF
    NFNPSZ 
 QSPDQJENFN
    
 CZ
    QUSBDF
    

32. #BHEU @BlackHatEvents • The Memory map tells us where we

    can read / write • But on macOS, There is no /proc/$pid/maps • Therefore, a specialized API must be used to read a memory map • To reduce the implementation effort, ipa-medit internally uses the vmmap command to obtain a memory map How does it work?(on Apple Sillicon Mac)

33. #BHEU @BlackHatEvents • On macOS, there is no /proc/$pid/mem and

    no memory read/write via ptrace • ptrace is a system call often used to implement debuggers • switch the operation by specifying the request as the first argument How does it work?(on Apple Sillicon Mac) ptrace(int request, pid_t pid, caddr_t addr, int data);ɹ

34. #BHEU @BlackHatEvents • ptrace also exists on macOS • However,

    memory read/write is not supported • It is not possible to specify PTRACE_PEEKDATA for reading memory or PTRACE_POKEDATA for writing to memory as the first argument How does it work?(on Apple Sillicon Mac) ptrace(int request, pid_t pid, caddr_t addr, int data);

35. #BHEU @BlackHatEvents • macOS also has a specialized API for

    reading and writing to memory • It uses mach_vm_read() to read the memory • When the target value is found, it uses mach_vm_write() to patch the memory How does it work?(on Apple Sillicon Mac)

36. #BHEU @BlackHatEvents • The memory modification process on macOS is

    as follows: How does it work?(on Apple Sillicon Mac) 4FBSDI
    SFBEBCMF
    NFNPSZ
    BEESFTTFT 
 CZ
    WNNBQ 3FBE
    UIF
    NFNPSZ
    

    NBDI@WN@SFBE 4FBSDI
    GPS
    UIF
    UBSHFU
    WBMVF
    1BUDI
    UIF
    NFNPSZ 
 NBDI@WN@XSJUF

37. #BHEU @BlackHatEvents • On macOS, non-signed programs cannot be used

    as debuggers… • To use the program as a debugger it must be signed • Specify in the entitlements.plist to enable the attribute com.apple.security.cs.debugger The signing requirement...

38. #BHEU @BlackHatEvents • The entitlements.plist is as follows: com.apple.security.cs.debugger <?xml

    version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.cs.debugger</key> <true/> </dict> </plist>

39. #BHEU @BlackHatEvents • The com.apple.security.get-task-allow attribute must be enabled in

    the application to be debugged • This allows it to be attached to by the debugger The program to be debugged must also be signed...

40. #BHEU @BlackHatEvents • You can check if the com.apple.security.get-task-allow attribute

    is enabled using the codesign command: com.apple.security.get-task-allow $ codesign -d --entitlements :- 47071 
 Executable=/private/var/folders/hc/XXXXXXXXnsfn1_c9n20jxw40000gq/X/XXXXXXXX-XXXX-XXXX-XXXX- XXXXXXXXXXXX/d/Wrapper/tap1000000.app/tap1000000 <?xml version="1.0" encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" “http://www.apple.com/DTDs/ PropertyList-1.0.dtd"> <plist version="1.0"> <dict> … <key>get-task-allow</key> <true/> … </dict> </plist>

41. #BHEU @BlackHatEvents • Frida makes it possible to debug iOS

    apps by inserting a gadget into the debuggable app without Jailbreaking • Frida is a dynamic instrumentation toolkit • https://frida.re/ • Memory modification is possible this way as well There are other ways to do this

42. #BHEU @BlackHatEvents • The LLDB Python API is slower than

    frida's approach… • But there is no need to patch the IPA, which is an advantage. • And it never gets caught by app modification detection • I may work on implementing this method in the future as well There are other ways to do this

43. #BHEU @BlackHatEvents • Ipa-medit allows memory modifications without bypassing Jailbreak

    detection • But there is a need to re-sign the IPA… • I hope ipa-medit will become the de facto standard 
 for security testing Summary

44. #BHEU @BlackHatEvents • The English for this presentation was checked

    by a native English-speaking teammate • Thanks to Shadab Ambat !! Acknowledgements

45. #BHEU @BlackHatEvents Thank You!! https://github.com/aktsk/ipa-medit