ipa-medit: memory search and patch tool for IPA without Jailbreaking

Security testing for mobile game apps
• Security testing of web applications and simple mobile apps can find most vulnerabilities by using a proxy tool to modify the requests/responses to the server
• Mobile game apps often implement the game and anti-cheat logic in their clients, so testers need to take the time to check the clients themselves

Security testing for mobile game apps
• Security testing for mobile game apps is more difficult
• It is difficult from a reverse engineering perspective
  • Decrypting requests/responses encryption
  • SSL pinning bypass
  • Root privileges detection bypass
  • Memory modification (today's topic)
  • etc.

What is memory modification?
• The easiest way to cheat in games
• For iOS games, there are well-known cheat tools called iGameGuardian and GamePlayer
• For Android games, there is a well-known cheat tool called GameGuardian

What is ipa-medit?
• Memory search and patch tool for re-signed IPA without Jailbreaking
• Works without Jailbreaking
• For mobile security testing
• https://github.com/aktsk/ipa-medit

What are its advantages over other tools?
• No root privileges are required for the operation
  • Therefore, there is no need to bypass Jailbreaking detection
  • Game apps often detect Jailbreaking
• Works with a colorful CUI
  • No competing tools that work with a CUI for iOS

Requirements
• macOS
  • You need to have a valid iOS Development certificate installed
• Xcode
  • That's why the tool uses LLDB inside Xcode

Requirements
• libimobiledevice/libimobiledevice
• libimobiledevice/ideviceinstaller

$ brew install --HEAD libplist
$ brew install --HEAD usbmuxd
$ brew install --HEAD libimobiledevice
$ brew install --HEAD ideviceinstaller

Re-sign
• The target IPA must be signed with a certificate installed on your PC
• If you want to modify memory on third-party applications, you need to re-sign the IPA

Re-sign
• If you use the ipautil I created, you can easily re-sign
• https://github.com/aktsk/ipautil

$ ipautil decode tap1000000.ipa # unzip
$ ipautil build Payload # re-sign

Usage (installation)
• Download the binary (ipa-medit) from GitHub Releases and drop it in your $PATH
• GitHub Actions is used to build and distribute the binaries

Usage (to launch)
• To launch it, specify the executable file path contained in the IPA with -bin and the bundle id with -id

$ ipa-medit -bin="./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000"

Usage (subcommands)
• Many subcommands are available via the interactive prompt, but the three main ones are:
  • find <value> - search for the specified integer value in memory
  • filter <value> - filter the search results using the specified value
  • patch <value> - write the specified value to the address found by the previous search

The memory modification flow
• Use the "find" command to search for the value shown on the UI
• If there are many results, change the value on the UI and use "filter" to narrow the results
• When there are fewer results, you can modify the memory by using the "patch" command

How does it work?
• This tool uses libimobiledevice to interact with iOS devices
• libimobiledevice is a famous library that
communicates with iOS devices using native protocols
• https://libimobiledevice.org/

How does it work?
• The LLDB Python API is used to read/write memory
• It uses the mechanism that Xcode uses internally
  • LLDB is used inside Xcode

#BHUSA @BLACKHATEVENTS

How does it work?
• The ipa-medit binary is built using Go
• But because it uses the LLDB Python API, a Python script is also embedded in the binary

Why did I use Go for development?
• libimobiledevice is implemented in C
• The LLDB Python API requires Python
• What are the benefits of implementing it using Golang?

Go on iOS
• Inside the Go repository, there is a tool for debugging iOS libraries made using Go
• https://github.com/golang/go/tree/master/misc/ios
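The find / filter / patch flow described in the usage slides, as an added example in Go (the language ipa-medit is written in) that is not code from the ipa-medit project: it runs the same three steps over a constructed in-process byte region instead of device memory read through LLDB, and assumes the searched value is stored as a little-endian 32-bit integer (the names Region, find, filter, patch and constructedRegion are mine).

```go
package main
import "encoding/binary"
// Region is a constructed stand-in for a chunk of app memory that the real tool reads
// and writes via the LLDB Python API. Assumption: values are little-endian 32-bit ints.
type Region struct {
	Base uint64 // process address of Data[0]
	Data []byte
}
// find returns every address in the region whose 4 bytes decode to value.
func find(r Region, value uint32) []uint64 {
	var hits []uint64
	for off := 0; off+4 <= len(r.Data); off++ {
		if binary.LittleEndian.Uint32(r.Data[off:]) == value {
			hits = append(hits, r.Base+uint64(off))
		}
	}
	return hits
}
func inRange(r Region, addr uint64) bool { // a 4-byte access at addr stays inside Data
	return addr >= r.Base && addr-r.Base+4 <= uint64(len(r.Data))
}
// filter re-reads earlier candidates and keeps those that now hold value; changing
// the value on the UI is what separates the real variable from coincidental matches.
func filter(r Region, candidates []uint64, value uint32) []uint64 {
	var kept []uint64
	for _, addr := range candidates {
		if inRange(r, addr) && binary.LittleEndian.Uint32(r.Data[addr-r.Base:]) == value {
			kept = append(kept, addr)
		}
	}
	return kept
}

// patch writes value at addr and reports false for addresses outside the region.
func patch(r Region, addr uint64, value uint32) bool {
	if !inRange(r, addr) {
		return false
	}
	binary.LittleEndian.PutUint32(r.Data[addr-r.Base:], value)
	return true
}

// constructedRegion: a "score" of 100 at 0x1008 plus an unrelated 100 at 0x1010.
func constructedRegion() Region {
	d := make([]byte, 24)
	binary.LittleEndian.PutUint32(d[8:], 100)  // the score shown on the UI
	binary.LittleEndian.PutUint32(d[16:], 100) // a coincidental match
	return Region{Base: 0x1000, Data: d}
}
```

A real search has to repeat the find step for the other widths and encodings a game might use for the same value; this example covers the 32-bit case only.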