apk-medit: memory search and patch tool for APKs, without root or the Android NDK

What is apk-medit?
• Memory search and patch tool for debuggable APKs
• Works without root and without the Android NDK
• Built for mobile security testing
• https://github.com/aktsk/apk-medit

What is memory modification?
• The easiest way to cheat in games: find the value shown on screen in the process's memory and overwrite it
• For Android games there is a well-known cheat tool called GameGuardian

What are its advantages over other tools?
• No root privileges are required for the operation
• Therefore there is no need to bypass root detection, which game apps often implement
• Works with a colorful CUI (character-based user interface)
• No competing CUI tool exists for Android

Usage (installation)
• Download the binary from GitHub Releases
• Push the binary to /data/local/tmp/ on the Android device
$ adb push medit /data/local/tmp/medit

Usage (to launch)
• The run-as command starts a shell as the target app's own Linux uid, which is what lets medit read and write the files and the memory of that app without root privileges
• run-as only works for apps that have the debuggable attribute enabled, so apk-medit can only be used with debuggable APKs

Usage (to launch)
• To enable the debuggable attribute, open AndroidManifest.xml and add the following attribute to the <application> element:
android:debuggable="true"
• A modified APK has to be rebuilt and re-signed before it can be installed
• Using apkutil, you can change an APK to be debuggable with a single command
• https://github.com/aktsk/apkutil

Usage (to launch)
$ adb shell
$ pm list packages # to check <target-package-name>
$ run-as <target-package-name>
$ cp /data/local/tmp/medit ./medit
$ ./medit
• run-as changes the working directory to the app's data directory
• Copy medit from /data/local/tmp/ into that directory
• Running medit launches an interactive prompt

Usage (subcommands)
• Many subcommands are available in the interactive prompt, but the three main ones are:
• find <value> - search memory for the specified integer value
• filter <value> - narrow the previous results down to the addresses that now hold the specified value
• patch <value> - write the specified value to the address(es) found by the search

The memory modification flow
• Use the "find" command to search for the value shown on the UI
• If many results are displayed, change the value on the UI (spend a coin, take damage) and "filter" the results with the new value
• When only a few results remain, modify the memory with the "patch" command

How it works?
• On Linux-based OSes, pseudo files under /proc/ give access to process information
• apk-medit uses the following paths:
• /proc/[pid]/maps
• /proc/[pid]/mem

/proc/[pid]/maps
• /proc/[pid]/maps contains the memory map of the process with the given pid
• Each line is one mapping: its address range, its permissions (r, w, x, p/s) and the file or region backing it, so the map tells which parts of memory the process can read and write

/proc/[pid]/mem
• Through /proc/[pid]/mem the memory of the process with the given pid can be read, and written, at arbitrary addresses
• Plain system calls are enough: open(), lseek() to the address, read() to fetch the bytes and write() to patch them
• The kernel only allows this for a caller that is permitted to ptrace the target; running as the app's own uid, which run-as provides, satisfies that check

How it works?
• The memory map tells where reading and writing is possible
• apk-medit reads each readable and writable mapping through /proc/[pid]/mem and searches it for the target value
• When the target value is found, it writes the new value to that address through /proc/[pid]/mem

What are the benefits of implementing it in Golang for Android devices?
• Easy to prepare ELF binaries for ARM
• Easy to invoke system calls
• Easy to find the target bytes in a large byte sequence quickly
• Easy to distribute binaries by using GitHub Actions and GoReleaser

Easy to prepare ELF binaries for ARM
• The Go compiler supports cross-compilation out of the box, with no NDK toolchain involved
• The GOOS and GOARCH environment variables specify the target OS and CPU
$ GOOS=linux GOARCH=arm64 GOARM=7 go build -o medit
• Note that GOARM only affects GOARCH=arm builds and is ignored for arm64; for a 32-bit device build with GOARCH=arm GOARM=7 instead

Easy to invoke system calls
• The golang.org/x/sys/unix package wraps the system calls nicely
• open(), lseek(), read() and write() on /proc/[pid]/mem are therefore plain function calls

Easy to find the target bytes in a large byte sequence quickly
• bytes.Index() combines assembly fast paths for short patterns with the Rabin-Karp string search algorithm as its fallback for longer ones
• Without implementing any search algorithm, a value can be located quickly in a memory dump by simply calling bytes.Index()

Easy to distribute binaries by using GitHub Actions and GoReleaser
• GitHub Actions and GoReleaser make it easy to release Go tools
• When a tag is pushed to GitHub, the build runs via GitHub Actions and GoReleaser automatically uploads the binaries to GitHub Releases

Summary
• apk-medit allows memory modification without bypassing root detection
• But the APK has to be changed to be debuggable, and therefore re-signed, which an app that checks its own signature or debuggable flag can notice....
• Golang is a useful language for building Android tools
• I hope apk-medit will become the de facto standard for security testing
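As an added example written for this page (not apk-medit's own code), the find / filter / patch loop from the "How it works?" slides together with the bytes.Index() search from the Golang slides, in Go. The /proc/[pid]/maps excerpt, the addresses, the libgame.so path and the coin values are all constructed, and a temporary file stands in for /proc/[pid]/mem; because both are an *os.File, the same io.ReaderAt / io.WriterAt code runs unchanged against the real pseudo file.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"strings"
)

type Region struct{ Start, End uint64 } // one address range from /proc/[pid]/maps

// ParseMaps keeps only readable+writable mappings: only those can hold a counter and be patched.
func ParseMaps(maps string) (regions []Region) {
	for _, line := range strings.Split(maps, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || !strings.HasPrefix(f[1], "rw") {
			continue // blank line, or not readable+writable
		}
		var r Region
		if _, err := fmt.Sscanf(f[0], "%x-%x", &r.Start, &r.End); err == nil && r.End > r.Start {
			regions = append(regions, r)
		}
	}
	return regions
}

// Encode is the little-endian in-memory pattern of a prompt value (ARM/ARM64/x86 Android are little-endian).
func Encode(v int32) []byte { return binary.LittleEndian.AppendUint32(nil, uint32(v)) }

// Search reads each region through mem (an io.ReaderAt such as an open /proc/[pid]/mem) and
// returns every address holding pattern; bytes.Index finds each hit, resuming one byte after it.
func Search(mem io.ReaderAt, regions []Region, pattern []byte) ([]uint64, error) {
	var addrs []uint64
	for _, r := range regions {
		buf := make([]byte, r.End-r.Start) // a real tool should chunk huge mappings
		n, err := mem.ReadAt(buf, int64(r.Start))
		if err != nil && err != io.EOF {
			return nil, fmt.Errorf("read %#x-%#x: %w", r.Start, r.End, err)
		}
		for off, i := 0, 0; i >= 0 && len(pattern) > 0; off += i + 1 {
			if i = bytes.Index(buf[off:n], pattern); i >= 0 {
				addrs = append(addrs, r.Start+uint64(off+i))
			}
		}
	}
	return addrs, nil
}

// Filter re-searches just the bytes at each candidate: after the on-screen value changed,
// only the real counter still matches and the false hits drop out.
func Filter(mem io.ReaderAt, candidates []uint64, pattern []byte) ([]uint64, error) {
	regions := make([]Region, len(candidates))
	for i, a := range candidates {
		regions[i] = Region{a, a + uint64(len(pattern))}
	}
	return Search(mem, regions, pattern)
}

// Patch writes pattern at addr. On a device mem is os.OpenFile("/proc/<pid>/mem", os.O_RDWR, 0),
// which the kernel only allows for a caller that may ptrace the target: hence run-as.
func Patch(mem io.WriterAt, addr uint64, pattern []byte) error {
	_, err := mem.WriteAt(pattern, int64(addr))
	return err
}

// sampleMaps is a constructed /proc/[pid]/maps excerpt (path made up): one code and two rw-p data mappings.
const sampleMaps = `0000000000001000-0000000000002000 r-xp 00000000 fd:00 12 /data/app/com.example.game/lib/arm64/libgame.so
0000000000007000-0000000000007020 rw-p 00000000 00:00 0 [anon:scudo:primary]
0000000000007020-0000000000007040 rw-p 00000000 00:00 0 [anon:libc_malloc]`

// NewDemoMem stands in for /proc/[pid]/mem with a temp file whose offsets act as addresses.
// 100 is planted at three places in the zeroed rw-p regions; only 0x7008 is the "real" coin counter.
func NewDemoMem() (*os.File, error) {
	data := make([]byte, 0x40)
	for _, off := range []int{0x08, 0x10, 0x24} {
		copy(data[off:], Encode(100))
	}
	f, err := os.CreateTemp("", "fakemem")
	if err == nil {
		_, err = f.WriteAt(data, 0x7000)
	}
	return f, err
}

func main() {
	mem, err := NewDemoMem()
	if err != nil {
		panic(err)
	}
	hits, _ := Search(mem, ParseMaps(sampleMaps), Encode(100)) // find 100
	mem.WriteAt(Encode(90), 0x7008)                             // the player spends 10 coins
	hits, _ = Filter(mem, hits, Encode(90))                     // filter 90
	for _, a := range hits {
		Patch(mem, a, Encode(999999)) // patch 999999
	}
	fmt.Printf("patched %#x\n", hits)
}
```

On a device, under run-as, the only changes are reading /proc/<pid>/maps instead of sampleMaps and opening /proc/<pid>/mem with os.OpenFile instead of NewDemoMem. Two things the demo skips that a real tool needs: chunked reads, because anonymous mappings can be hundreds of megabytes, and re-reading /proc/[pid]/maps before each search, because the heap grows and mappings come and go while the game runs.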