{"id":25406010,"url":"https://github.com/sterrasec/apk-medit","last_synced_at":"2025-10-31T01:31:54.907Z","repository":{"id":37326961,"uuid":"232519384","full_name":"sterrasec/apk-medit","owner":"sterrasec","description":"memory search and patch tool on debuggable apk without root \u0026 ndk","archived":false,"fork":false,"pushed_at":"2025-01-20T03:45:54.000Z","size":4413,"stargazers_count":374,"open_issues_count":2,"forks_count":52,"subscribers_count":29,"default_branch":"master","last_synced_at":"2025-01-31T02:11:06.570Z","etag":null,"topics":["android","android-security","arsenal","blackhat","mobile-app-security","mobile-security-testing","security-testing","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sterrasec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-08T08:48:58.000Z","updated_at":"2025-01-19T15:02:38.000Z","dependencies_parsed_at":"2024-06-20T16:21:21.955Z","dependency_job_id":"42252792-e225-491d-a4b9-bcd3038ddf12","html_url":"https://github.com/sterrasec/apk-medit","commit_stats":null,"previous_names":["aktsk/medit","aktsk/apk-medit"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sterrasec%2Fapk-medit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sterrasec%2Fapk-medit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sterrasec%2Fapk-medit/releases","manifests_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/sterrasec%2Fapk-medit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sterrasec","download_url":"https://codeload.github.com/sterrasec/apk-medit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239088382,"owners_count":19579434,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","android-security","arsenal","blackhat","mobile-app-security","mobile-security-testing","security-testing","security-tools"],"created_at":"2025-02-16T05:04:43.417Z","updated_at":"2025-10-31T01:31:54.901Z","avatar_url":"https://github.com/sterrasec.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# apk-medit\n\n[![GitHub release](https://img.shields.io/github/v/release/sterrasec/apk-medit.svg)](https://github.com/sterrasec/apk-medit/releases/latest)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/sterrasec/apk-medit/blob/master/LICENSE)\n[![](https://img.shields.io/badge/Black%20Hat%20Arsenal-USA%202020-blue.svg)](https://www.blackhat.com/us-20/arsenal/schedule/index.html#apk-medit-memory-search-and-patch-tool-for-apk-without-root--android-ndk-21026)\n[![](https://img.shields.io/badge/CODE%20BLUE%20-Bluebox%202020-blue.svg)](https://archive.codeblue.jp/2020/talks/?content=talks_28)\n![](https://github.com/sterrasec/apk-medit/actions/workflows/test.yml/badge.svg?branch=master)\n![typos 
workflow](https://github.com/sterrasec/apk-medit/actions/workflows/typos.yml/badge.svg?branch=master)\n\nApk-medit is a memory search and patch tool for debuggable APKs that works without root \u0026 NDK.\nIt was created for mobile game security testing.\nMany mobile games have rooting detection, but apk-medit does not require root privileges, so memory modification can be done without bypassing the rooting detection.\n\n## Motivation\n\nMemory modification is the easiest way to cheat in games, so it is one of the items to be checked in a security test.\nThere are also cheat tools that can be used casually, like GameGuardian.\nHowever, there were no tools available for non-root devices and CUI, so I made it as a security testing tool.\nThe version that targets iOS apps is [sterrasec/ipa-medit](https://github.com/sterrasec/ipa-medit).\n\n## Demo\n\nThis is a demo that uses apk-medit to clear a game that requires one million taps to clear.\n\n\u003cimg src=\"screenshots/terminal.gif\" width=640px\u003e\u003cimg src=\"screenshots/demo-app.gif\" width=185px\u003e\n\n## Installation\n\nDownload the binary from [GitHub Releases](https://github.com/sterrasec/apk-medit/releases/) and push it to `/data/local/tmp/` on an Android device.\n\n```\n$ adb push medit /data/local/tmp/medit\nmedit: 1 file pushed. 29.0 MB/s (3135769 bytes in 0.103s)\n```\n\n### How to Build\n\nYou can build with the `make` command. It requires a Go compiler.\nAfter the build is complete, if adb is connected, it pushes the built binary to `/data/local/tmp/` on an Android device.\n\n```\n$ make\nGOOS=linux GOARCH=arm64 GOARM=7 go build -o medit\n/bin/sh -c \"adb push medit /data/local/tmp/medit\"\nmedit: 1 file pushed. 
23.7 MB/s (3131205 bytes in 0.126s)\n```\n\n## Usage\n\nBecause the `run-as` command is used to read files used by the target app, apk-medit can only be used with apps that have the debuggable attribute enabled.\nTo enable the debuggable attribute, open `AndroidManifest.xml` and add the following XML attribute to the `application` XML node:\n\n```\nandroid:debuggable=\"true\"\n```\n\nYou can also use [sterrasec/apkutil](https://github.com/sterrasec/apkutil) to easily enable the debuggable attribute without editing `AndroidManifest.xml`, which is useful.\n\n```\n$ apkutil debuggable \u003ctarget-apk-name\u003e.apk\n```\n\nAfter running the `run-as` command, the current directory is automatically changed, so copy `medit` from `/data/local/tmp/`.\nRunning `medit` launches an interactive prompt.\n\n```\n$ adb shell\n$ pm list packages # to check \u003ctarget-package-name\u003e\n$ run-as \u003ctarget-package-name\u003e\n$ cp /data/local/tmp/medit ./medit\n$ ./medit\n```\n\nYou can also choose not to use ptrace when writing to memory.\nThis avoids debugger detection by ptrace, but it does not work on Android 10 or later due to SELinux.\n\n```\n$ ./medit -without-ptrace\n```\n\n### Commands\n\nHere are the commands available in the interactive prompt.\n\n#### find\n\nSearch memory for the specified integer.\n\n```\n\u003e find 999982\nSearch UTF-8 String...\nTarget Value: 999982([57 57 57 57 56 50])\nFound: 0!\n------------------------\nSearch Word...\nparsing 999982: value out of range\n------------------------\nSearch Double Word...\nTarget Value: 999982([46 66 15 0])\nFound: 1!\nAddress: 0xe7021f70\n```\n\nYou can also specify a data type such as string, word, dword, or qword.\n\n```\n\u003e find dword 999996\nSearch Double Word...\nTarget Value: 999996([60 66 15 0])\nFound: 1!\nAddress: 0xe7021f70\n```\n\n#### filter\n\nFilter previous search results that match the current search results.\n\n```\n\u003e filter 993881\nCheck previous results of searching dword...\nTarget Value: 993881([89 42 15 0])\nFound: 
1!\nAddress: 0xe7021f70\n```\n\n#### patch\n\nWrite the specified value to the address found by the search.\n\n```\n\u003e patch 10\n...\nSuccessfully patched!\n```\n\n#### ps\n\nFind the target process and, if there is only one, set it as the target. `ps` runs automatically on startup.\n\n```\n\u003e ps\nPackage: jp.sterrasec.tap1000000, PID: 4398\nTarget PID has been set to 4398.\n```\n\n#### attach\n\nIf the target PID has been set by `ps`, attach to the target process and stop all processes in the app by ptrace.\n\n```\n\u003e attach\nTarget PID: 4398\nAttached TID: 4398\nAttached TID: 4405\nAttached TID: 4407\nAttached TID: 4408\nAttached TID: 4410\nAttached TID: 4411\nAttached TID: 4412\nAttached TID: 4413\nAttached TID: 4414\nAttached TID: 4415\nAttached TID: 4418\nAttached TID: 4420\nAttached TID: 4424\nAttached TID: 4429\nAttached TID: 4430\nAttached TID: 4436\nAttached TID: 4437\nAttached TID: 4438\nAttached TID: 4439\nAttached TID: 4440\nAttached TID: 4441\nAttached TID: 4442\n```\n\nIf the target PID is not set, it can be specified on the command line.\n\n```\n\u003e attach \u003cpid\u003e\n```\n\n#### detach\n\nDetach from the attached process.\n\n```\n\u003e detach\nDetached TID: 4398\nDetached TID: 4405\nDetached TID: 4407\nDetached TID: 4408\nDetached TID: 4410\nDetached TID: 4411\nDetached TID: 4412\nDetached TID: 4413\nDetached TID: 4414\nDetached TID: 4415\nDetached TID: 4418\nDetached TID: 4420\nDetached TID: 4424\nDetached TID: 4429\nDetached TID: 4430\nDetached TID: 4436\nDetached TID: 4437\nDetached TID: 4438\nDetached TID: 4439\nDetached TID: 4440\nDetached TID: 4441\nDetached TID: 4442\n```\n\n#### dump\n\nDisplay a memory dump in hexdump style.\n\n```\n\u003e dump 0xf0aee000 0xf0aee300\nAddress range: 0xf0aee000 - 0xf0aee300\n----------------------------------------------\n00000000  34 32 20 61 6e 73 77 65  72 20 28 74 6f 20 6c 69  |42 answer (to li|\n00000010  66 65 20 74 68 65 20 75  6e 69 76 65 72 73 65 20  |fe the universe |\n00000020  65 74 63 7c 33 29 0a 33  
31 34 20 70 69 0a 31 30  |etc|3).314 pi.10|\n00000030  30 33 20 61 75 64 69 74  64 20 28 61 76 63 7c 33  |03 auditd (avc|3|\n00000040  29 0a 31 30 30 34 20 63  68 61 74 74 79 20 28 64  |).1004 chatty (d|\n00000050  72 6f 70 70 65 64 7c 33  29 0a 31 30 30 35 20 74  |ropped|3).1005 t|\n00000060  61 67 5f 64 65 66 20 28  74 61 67 7c 31 29 2c 28  |ag_def (tag|1),(|\n00000070  6e 61 6d 65 7c 33 29 2c  28 66 6f 72 6d 61 74 7c  |name|3),(format||\n00000080  33 29 0a 31 30 30 36 20  6c 69 62 6c 6f 67 20 28  |3).1006 liblog (|\n00000090  64 72 6f 70 70 65 64 7c  31 29 0a 32 37 31 38 20  |dropped|1).2718 |\n000000a0  65 0a 32 37 31 39 20 63  6f 6e 66 69 67 75 72 61  |e.2719 configura|\n000000b0  74 69 6f 6e 5f 63 68 61  6e 67 65 64 20 28 63 6f  |tion_changed (co|\n000000c0  6e 66 69 67 20 6d 61 73  6b 7c 31 7c 35 29 0a 32  |nfig mask|1|5).2|\n000000d0  37 32 30 20 73 79 6e 63  20 28 69 64 7c 33 29 2c  |720 sync (id|3),|\n000000e0  28 65 76 65 6e 74 7c 31  7c 35 29 2c 28 73 6f 75  |(event|1|5),(sou|\n000000f0  72 63 65 7c 31 7c 35 29  2c 28 61 63 63 6f 75 6e  |rce|1|5),(accoun|\n```\n\n#### exit\n\nTo exit medit, use the `exit` command or `Ctrl-D`.\n\n```\n\u003e exit\nBye!\n```\n\n## Test\n\nYou can run the tests with the `make` command.\n\n```\n$ make test\n```\n\n## License\n\nMIT License\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsterrasec%2Fapk-medit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsterrasec%2Fapk-medit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsterrasec%2Fapk-medit/lists"}