{"id":25406008,"url":"https://github.com/sterrasec/ipa-medit","last_synced_at":"2025-10-31T01:31:55.717Z","repository":{"id":47324858,"uuid":"353543025","full_name":"sterrasec/ipa-medit","owner":"sterrasec","description":"Memory modification tool for re-signed ipa supports iOS apps running on iPhone and Apple Silicon Mac without jailbreaking.","archived":false,"fork":false,"pushed_at":"2025-01-19T07:19:03.000Z","size":47117,"stargazers_count":179,"open_issues_count":4,"forks_count":22,"subscribers_count":25,"default_branch":"main","last_synced_at":"2025-02-13T09:14:36.224Z","etag":null,"topics":["applesilicon","arsenal","blackhat","ios","ios-security","m1","mobile-app-security","mobile-security-testing","security-testing","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sterrasec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-01T01:59:31.000Z","updated_at":"2025-01-19T15:02:20.000Z","dependencies_parsed_at":"2025-01-17T10:24:40.984Z","dependency_job_id":"3b0693ee-3c24-473d-965d-6ef35a551627","html_url":"https://github.com/sterrasec/ipa-medit","commit_stats":null,"previous_names":["aktsk/ipa-medit"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sterrasec%2Fipa-medit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sterrasec%2Fipa-medit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sterrasec%2Fipa-medit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sterrasec%2Fipa-medit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sterrasec","download_url":"https://codeload.github.com/sterrasec/ipa-medit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239088382,"owners_count":19579434,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["applesilicon","arsenal","blackhat","ios","ios-security","m1","mobile-app-security","mobile-security-testing","security-testing","security-tools"],"created_at":"2025-02-16T05:04:28.454Z","updated_at":"2025-10-31T01:31:53.886Z","avatar_url":"https://github.com/sterrasec.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# ipa-medit\n\n[![GitHub release](https://img.shields.io/github/v/release/sterrasec/ipa-medit.svg)](https://github.com/sterrasec/ipa-medit/releases/latest)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/sterrasec/ipa-medit/blob/main/LICENSE)\n[![](https://img.shields.io/badge/Black%20Hat%20Arsenal-USA%202021-blue.svg)](https://www.blackhat.com/us-21/arsenal/schedule/index.html#ipa-medit-memory-search-and-patch-tool-for-ipa-without-jailbreaking-24072)\n![](https://github.com/sterrasec/ipa-medit/actions/workflows/test.yml/badge.svg?branch=main)\n\nIpa-medit is a memory search and patch tool for resigned ipa without jailbreaking. \nIt supports iOS apps running on iPhone and Apple Silicon Mac.\nIt was created for mobile game security testing.\nMany mobile games have jailbreak detection, but ipa-medit does not require jailbreaking, so memory modification can be done without bypassing the jailbreak detection.\n\n## Motivation\nMemory modification is the easiest way to cheat in games, it is one of the items to be checked in the security test.\nThere are also cheat tools that can be used casually like GameGem and iGameGuardian.\nHowever, there were no tools available for un-jailbroken device and CUI, Apple Silicon Mac.\nSo I made it as a security testing tool.\nAndroid version is [sterrasec/apk-medit](https://github.com/sterrasec/apk-medit).\n\n## Demo\n\u003cimg src=\"screenshots/desktop.gif\" width=850px\u003e\n\n## Requirements\n- macOS\n  - You need to have a valid iOS Development certificate installed.\n- Only when targeting iOS apps running on an iPhone.\n  - Xcode\n  - [libimobiledevice/libimobiledevice](https://github.com/libimobiledevice/libimobiledevice)\n  - [libimobiledevice/ideviceinstaller](https://github.com/libimobiledevice/ideviceinstaller)\n\n```\n$ brew install --HEAD libplist\n$ brew install --HEAD usbmuxd\n$ brew install --HEAD libimobiledevice\n$ brew install --HEAD ideviceinstaller\n```\n\n## Installation\n### Binary(Intell Mac Only)\nDownload the binary from [GitHub Releases](https://github.com/sterrasec/ipa-medit/releases/) and drop it in your $PATH.\n\n### Manually Build\nYou can build it by using the make command.\nGo compiler is required to build.\nIf you are targeting an iOS app that runs on an Apple Silicon Mac, you will need to sign it, but `script/codesign.sh` will be executed and signed automatically.\n\n```\n$ git clone git@github.com:sterrasec/ipa-medit.git\n$ cd ipa-medit\n$ make build\n```\n\n## Usage\n\nThe target .ipa file must be signed with a certificate installed on your computer. \nIf you want to modify memory on third-party applications, please use a tool such as [ipautil](https://github.com/sterrasec/ipautil) for re-signing.\n\n```\n$ ipautil decode tap1000000.ipa # unzip\n$ ipautil build Payload         # re-sign and generate .ipa file\n```\n\n### Targeting the iOS app on iPhone\n\nTo launch it, you need to specify the executable file path contained in the .ipa file with `-bin` and the bundle id with `-id`.\n\n```\n$ unzip tap1000000.ipa\n$ ipa-medit -bin=\"./Payload/tap1000000.app/tap1000000\" -id=\"jp.hoge.tap1000000\"\n```\n\n### Targeting the iOS app on Apple Silicon Mac\n\nTo launch it, you need to specify the process name with `-name` or the pid with `-pid`. \nThe process name and pid of the iOS app can be checked in the Activity Monitor.\n\n```\n$ ipa-medit -name \u003cprocess name\u003e\n```\n\n### Commands\nHere are the commands available in an interactive prompt.\n\n#### find\nSearch the specified integer on memory.\n\n```\n\u003e find 999986\nSuccess to halt process\nScanning: 0x00000001025e4000-0x00000001025e8000\nScanning: 0x00000001025f4000-0x00000001025fc000\nScanning: 0x0000000102604000-0x0000000102608000\n....\nScanning: 0x000000016eb34000-0x000000016ebbc000\nScanning: 0x000000016ebc0000-0x000000016ebe8000\nScanning: 0x000000016ebec000-0x000000016ec74000\nScanning: 0x000000016ec78000-0x000000016ed00000\nFound: 1!!\nAddress: 0x10a2feea0\n```\n\nBy default, only integers are searched when targeting iOS apps running on iPhone, because the LLDB API is slow.\nWhen targeting an iOS app running on Apple Silicon Mac, strings will also be searched.\n\nYou can also specify datatype such as string, word, dword, qword.\n\n```\n\u003e find dword 999994\nSearch Double Word...\nTarget Value: 999994([58 66 15 0])\nFound: 1!!\nAddress: 0x11378aea0\n```\n\n#### filter\nFilter previous search results that match the current search results.\n\n```\n\u003e filter 999842\nSuccess to halt process\nFound: 1!!\nAddress: 0x1087beea0\n```\n\n#### patch\nWrite the specified value on the address found by search.\n\n```\n\u003e patch 10\nSuccessfully patched!\n```\n\n#### attach\nAttach to the target process.\n\n```\n\u003e attach\nSuccess to halt process\n```\n\n#### detach\nDetach from the attached process.\n\n```\n\u003e detach\nSuccess to continue process\n```\n\n#### ps\nGet information about the target process.\nIt will only work if you are targeting an iOS app running on an iPhone.\n\n```\n\u003e ps\nSBProcess: pid = 926, state = running, threads = 37, executable = tap1000000\nState: Running\nthread #1: tid = 0x545ee, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, queue = 'com.apple.main-thread'\nthread #3: tid = 0x54619, 0x00000001bd67a184 libsystem_kernel.dylib`__workq_kernreturn + 8\nthread #4: tid = 0x5461a, 0x00000001bd67a184 libsystem_kernel.dylib`__workq_kernreturn + 8\nthread #5: tid = 0x5461b, 0x00000001bd67a184 libsystem_kernel.dylib`__workq_kernreturn + 8\nthread #6: tid = 0x5461c, 0x00000001bd67a184 libsystem_kernel.dylib`__workq_kernreturn + 8\nthread #7: tid = 0x5461d, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, name = 'com.apple.uikit.eventfetch-thread'\nthread #8: tid = 0x5461e, 0x00000001bd6791ac libsystem_kernel.dylib`__psynch_cvwait + 8, name = 'GC Finalizer'\nthread #9: tid = 0x5461f, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Job.Worker 0'\nthread #10: tid = 0x54620, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Job.Worker 1'\nthread #11: tid = 0x54621, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Job.Worker 2'\n...\nthread #35: tid = 0x54659, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, name = 'AURemoteIO::IOThread'\nthread #36: tid = 0x54662, 0x00000001bd679814 libsystem_kernel.dylib`__semwait_signal + 8\nthread #37: tid = 0x54663, 0x00000001bd6552d0 libsystem_kernel.dylib`mach_msg_trap + 8, name = 'com.apple.CoreMotion.MotionThread'\nthread #38: tid = 0x54664, 0x00000001bd65530c libsystem_kernel.dylib`semaphore_wait_trap + 8, name = 'Loading.PreloadManager'\n```\n\n#### exit\nTo exit medit, use the `exit` command or `Ctrl-D`.\n\n```\n\u003e exit\nBye!\n```\n\n## Trouble shooting\n### Failed to get reply to handshake packet\nIf you get the error `/private/var/containers/Bundle/Application/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/hoge.app: error: failed to get reply to handshake packet` and can't communicate properly with iOS device and lldb, launch Xcode and build some app, and it will work.\n\n### Could not connect to lockdownd\nIf you get the error `Could not connect to lockdownd.` and can't communicate properly with iOS device and ideviceinstaller, launch Xcode and build some app, and it will work.\nIf this does not solve the problem, please update ideviceinstaller and libimobiledevice to the latest versions using the example of commands in the Requirements section.\n\n### Could not start com.apple.debugserver\nThis can be fixed by installing the latest unversioned code of libimobiledevice and ideviceinstaller by adding the `--HEAD` option when doing `brew install`.\n\n- Reference: [Could not start com.apple.debugserver! ios 14.1 xcode 12.2 MacOS 10.15.4 iphone12 · Issue #1104 · libimobiledevice/libimobiledevice](https://github.com/libimobiledevice/libimobiledevice/issues/1104)\n\n## License\nMIT License\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsterrasec%2Fipa-medit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsterrasec%2Fipa-medit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsterrasec%2Fipa-medit/lists"}