Patcher: this allows you to type in assembly to directly patch your binary.
Assembler: this interactive tool let you enter assembly & get back instruction encoding.
Keypatch is confirmed to work on IDA Pro version 6.4, 6.8 & 6.9, but should work flawlessly on older versions. If you find any issues, please report.
1. Why Keypatch?
Sometimes we want to patch the binary while analyzing it in IDA, but unfortunately the built-in asssembler of IDA Pro is not adequate.
Only X86 assembler is available. Support for all other architectures is totally missing.
The X86 assembler is buggy and fails to understand many modern Intel instructions.
This tool is not friendly and without many options that would make the life of reverser easier.
Keypatch was developed to solve this problem. Thanks to the power of Keystone, our plugin offers some nice features.
More friendly & easier to use.
Cross-architecture: support Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (include 16/32/64bit).
Cross-platform: work everywhere that IDA works, which is on Windows, MacOS, Linux.
Based on Python, so it is easy to install as no compilation is needed.
Open source under GPL v2.
Keypatch can be the missing piece in your toolset of reverse engineering.
2. Install
Keypatch requires Keystone, so you have to install Keystone core & Python binding for Python 2.7 from keystone-engine.org/download. Or follow the steps in the appendix section.
Copy file keypatch.py to IDA Plugin folder, then restart IDA Pro to use Keypatch.
On Windows, the folder is at C:\Program Files (x86)\IDA 6.9\plugins
On MacOS, the folder is at /Applications/IDA\ Pro\ 6.9/idaq.app/Contents/MacOS/plugins
On Linux, the folder may be at /opt/IDA/plugins/
NOTE - On Windows, if you get an error message from IDA about “fail to load the dynamic library”, then your machine may miss the VC++ runtime library. Fix that by downloading & installing it from https://www.microsoft.com/en-gb/download/details.aspx?id=40784 - On other *nix platforms, the above error message means you do not have 32-bit Keystone installed yet. See appendix section below for more instructions to fix this.
3. Usage
To patch your binary, press hotkey CTRL+ALT+K inside IDA to open Keypatch Patcher dialog.
The original assembly, encode & instruction size will be displayed in 3 controls at the top part of the form.
Choose the syntax, type new assembly instruction in the Assembly box (you can use IDA symbols).
Keypatch would automatically update the encoding in the Encode box while you are typing, without waiting for ENTER keystroke.
Note that you can type IDA symbols, and the raw assembly will be displayed in the Fixupcontrol.
Press ENTER or click Patch to overwrite the current instruction with the new code, thenautomatically advance to the the next instruction.
Note that when the new code is shorter than the original code, the extra bytes will be filled in with NOPs by default. Uncheck the choice Padding extra bytes with NOPs if this is not desired.
By default, the modification you made is only recorded in the IDA database. To apply these changes to the original binary (thus overwrite it), choose menu Edit | Patch program | Apply patches to input file.
To do some code assembling (without overwritting binary), open Keypatch Assembler from menuEdit | Keypatch | Assembler.
Choose the architecture, address, endian mode & syntax, then type assembly instruction in theAssembly box.
Keypatch would automatically update the encoding in the Encode box while you are typing, without waiting for ENTER keystroke.
For future update of Keypatch, follow our Twitter @keystone_engine for announcement.
Appendix. Install Keystone for IDA Pro
IDA Pro’s Python is 32-bit itself, so it can only loads 32-bit libraries. For this reason, we have to build & install Keystone 32-bit. This section details the steps towards that goal.
A1. Windows
It is easiest to just download & install Python 2.7 module for Windows from http://www.keystone-engine.org/download. Be sure to get the 32-bit version, regardless of your Windows edition.
If you prefer to compile from source, just use MSVC 32-bit & follow the instructions in Windows documentation to build keystone.dll. After that, install Python module as in Python documentation. Then copy keystone.dll to the directory of Keystone Python module.
A2. MacOS
Since version 0.9.1, by default Keystone is built in universal format, so you just need to follow the instruction in Unix documentation to compile & install it. After that, install Python module as in Python documentation.
In short, you can simply run the following commands in the source directory of Keystone to do all the above.
$ mkdir build$ cd build$ ../make-share.sh$ sudo make install$ cd bindings/python$ sudo make installA3. Linux
If your system is Linux 32-bit, you can do the same steps as in MacOS above.
In case you are on 64-bit Linux, you need to cross compile Keystone to 32-bit. Since version 0.9.1, Keystone supports lib32 option to make this easy. After building the core, install Python module as inPython documentation.
Note that to cross-compile on Linux, you need to install some multilib libraries. For example, on Ubuntu 14.04 64-bit, do this with:
发表于 2016-8-5 09:47
发表于 2016-8-5 13:29
