Ipa-medit：针对重签名IPA的内存搜索和修复工具

关于Ipa-medit

Ipa-medit是一款针对重签名IPA的内存搜索和修复工具，该工具可以在不越狱的情况下使用，主要针对的是移动端游戏安全测试领域。

内存修改是游戏领域中最容易实现作弊的方法了，它也是安全测试中需要重点检查的项目之一。当然了，社区还有其他的一些作弊工具可以使用，比如说GameGem和iGameGuardian等等。但是，现在还没有支持未越狱设备并且带有CUI的工具，因此我们开发出了Ipa-medit，广大研究人员可以将其当作安全测试工具来使用。

工具要求

macOS：需要先安装好有效的iOS开发证书

Xcode

libimobiledevice/libimobiledevice

libimobiledevice/ideviceinstaller

相关依赖组件的安装命令如下：

$ brew install --HEAD libplist

$ brew install --HEAD usbmuxd

$ brew install --HEAD libimobiledevice

$ brew install --HEAD ideviceinstaller

工具安装

源码安装

广大研究人员可以直接从该项目的【Releases页面】下载源码，并将其存储至$PATH路径下。

手动构建

首先，我们需要在本地设备上安装并配置好Go编译器。然后运行下列命令：

$ go install github.com/aktsk/ipa-medit@latest

工具使用

在使用Ipa-medit时，我们需要指定包含.ipa文件的可执行文件路径（-bin），以及Bundle ID（-id）:

$ unzip tap1000000.ipa

$ ipa-medit -bin="./Payload/tap1000000.app/tap1000000" -id="jp.hoge.tap1000000"

目标.ipa文件必须使用本地设备已安装的证书进行有效签名，如果你想要修改第三方应用程序的内存，请使用ipautil之类的工具进行重新签名：

$ ipautil decode tap1000000.ipa # unzip

$ ipautil build Payload         # re-sign and generate .ipa file

工具可用命令

下面给出的是在交互终端中Ipa-medit支持的命令选项。

find

在内存中搜索指定的整型：

> find 999986

Success to halt process

Scanning: 0x00000001025e4000-0x00000001025e8000

Scanning: 0x00000001025f4000-0x00000001025fc000

Scanning: 0x0000000102604000-0x0000000102608000

....

Scanning: 0x000000016eb34000-0x000000016ebbc000

Scanning: 0x000000016ebc0000-0x000000016ebe8000

Scanning: 0x000000016ebec000-0x000000016ec74000

Scanning: 0x000000016ec78000-0x000000016ed00000

Found: 1!!

Address: 0x10a2feea0

默认配置下，只会搜索整数类型，如果你想要搜索字符串的话，请添加“all”参数并指定参数值：

> find all 999986

filter

如果之前的搜索结果能够匹配当前的搜索结果，则将其过滤掉：

> filter 999842

Success to halt process

Found: 1!!

Address: 0x1087beea0

patch

向搜索到的地址写入指定的值：

> patch 10

Successfully patched!

ps

获取关于目标进程的相关信息：

> ps

SBProcess: pid = 926, state = running, threads = 37, executable = tap1000000

State: Running

thread #1: tid = 0x545ee, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, queue = 'com.apple.main-thread'

thread #3: tid = 0x54619, 0x00000001bd67a184 libsystem_kernel.dylib`__workq_kernreturn + 8

thread #4: tid = 0x5461a, 0x00000001bd67a184 libsystem_kernel.dylib`__workq_kernreturn + 8

thread #5: tid = 0x5461b, 0x00000001bd67a184 libsystem_kernel.dylib`__workq_kernreturn + 8

thread #6: tid = 0x5461c, 0x00000001bd67a184 libsystem_kernel.dylib`__workq_kernreturn + 8

thread #7: tid = 0x5461d, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, name = 'com.apple.uikit.eventfetch-thread'

thread #8: tid = 0x5461e, 0x00000001bd6791ac libsystem_kernel.dylib`__psynch_cvwait + 8, name = 'GC Finalizer'

thread #9: tid = 0x5461f, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Job.Worker 0'

thread #10: tid = 0x54620, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Job.Worker 1'

thread #11: tid = 0x54621, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Job.Worker 2'

thread #12: tid = 0x54622, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Job.Worker 3'

thread #13: tid = 0x54623, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Job.Worker 4'

thread #14: tid = 0x54624, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 0'

thread #15: tid = 0x54625, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 1'

thread #16: tid = 0x54626, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 2'

thread #17: tid = 0x54627, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 3'

thread #18: tid = 0x54628, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 4'

thread #19: tid = 0x54629, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 5'

thread #20: tid = 0x5462a, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 6'

thread #21: tid = 0x5462b, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 7'

thread #22: tid = 0x5462c, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 8'

thread #23: tid = 0x5462d, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 9'

thread #24: tid = 0x5462e, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 10'

thread #25: tid = 0x5462f, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 11'

thread #26: tid = 0x54630, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 12'

thread #27: tid = 0x54631, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 13'

thread #28: tid = 0x54632, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 14'

thread #29: tid = 0x54633, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Background Job.Worker 15'

thread #30: tid = 0x54634, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'BatchDeleteObjects'

thread #31: tid = 0x54635, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Loading.AsyncRead'

thread #32: tid = 0x5463f, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'UnityGfxDeviceWorker'

thread #33: tid = 0x54641, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, name = 'AVAudioSession Notify Thread'

thread #34: tid = 0x54658, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8

thread #35: tid = 0x54659, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, name = 'AURemoteIO::IOThread'

thread #36: tid = 0x54662, 0x00000001bd679814 libsystem_kernel.dylib`__semwait_signal + 8

thread #37: tid = 0x54663, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, name = 'com.apple.CoreMotion.MotionThread'

thread #38: tid = 0x54664, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Loading.PreloadManager'