The Keypatch plugin for IDA Pro
Source https://blog.csdn.net/fjh658/article/details/52268907
About Keypatch, an excellent IDA Pro plugin
Normally, to modify a binary in IDA you use the built-in Edit -> Patch program -> Assemble. It can assemble x86 and x64 only, not ARM or ARM64 (Ilfak Guilfanov has also mentioned on the forum that the assembler-related functionality is likely to be removed entirely in a future release). So what do you do when reversing mobile targets?
The ida-patcher plugin (http://thesprawl.org/projects/ida-patcher/) could previously be used for ARM, but you have to know the machine code of each ARM instruction yourself, which makes it a bit tedious to use, as the screenshots show:
ida-patcher menu:
ida-patcher patch:
edit selection:
Keypatch, the plugin introduced in this post, is confirmed to work on IDA Pro 6.4, 6.6, 6.8, 6.9, 6.95 and 7.0:
https://github.com/keystone-engine/keypatch
Supported CPU architectures:
Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ and X86 (including 16/32/64-bit).
Supported platforms:
Works everywhere IDA works: Windows, macOS and Linux. It is written in Python, so installation is easy and no compilation is needed.
Under the hood, Keypatch relies on the Keystone engine (keystone-engine).
Install keystone-engine
32-bit IDA on Windows (IDA 6.8, 6.9, 6.95, 7.0_x86): install keystone-engine, making sure it matches the 32-bit Python.
Key steps:
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msi
64-bit IDA (>= 7.0) on Windows: install keystone-engine, making sure it matches the 64-bit Python.
Key steps:
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi
macOS installation
cmake must be installed, because it is used to build libkeystone.dylib (the macOS Python is a universal binary, and the dylib has to be built to match it).
Typical problems: https://github.com/keystone-engine/keypatch/issues/28
Quick start
Steps:
- install brew
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
- install cmake
brew install cmake
- install keystone-engine
sudo pip install keystone-engine
Default installation directory: /Library/Python/2.7/site-packages/keystone
Directory structure:
How to check:
1. Print sys.path in IDA's Python console.
2. Check that the keystone package is reachable from it: if the output of "print sys.path" contains /Library/Python/2.7/site-packages (the directory that holds the keystone package), no copy is needed. Otherwise copy the package into IDA's bundled Python:
sudo cp -r /Library/Python/2.7/site-packages/keystone /Applications/IDA\ Pro\ <version>/ida[q].app/Contents/MacOS/python
Install keypatch
Clone https://github.com/keystone-engine/keypatch.git and copy keypatch.py to
/Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS/plugins
then reopen IDA.
Using keypatch: shortcut Ctrl+Alt+K
ARM assembly:
Keypatch interface:
Keypatch modification interface:
Click Patch and the modification is applied.
After Keypatch has patched the instruction, note the comment on the right: the original code is preserved there.
How to undo changes
Ctrl+Alt+P opens IDA's Patched bytes window; right-click the entry and revert the selected modification,
or use the second method shown in the original screenshot.
How keypatch works
First understand how IDA Pro's own patching plugin works:
Keypatch principle:
Keypatch depends on Keystone, which it uses as its assembler.
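The two steps described above, assemble with Keystone and then overwrite the original bytes, as an added example that is not code from the post or from Keypatch itself. The Keystone calls (`keystone.Ks(...).asm(...)`) are the real keystone-engine API and run only if that package is installed; the write step uses `ida_bytes.patch_bytes`, which exists only inside IDA 7.x and is an assumption when run elsewhere. The hand-encoded ARM/AArch64 bytes are constructed fixtures, worked out from the ARM encoding tables, to show what the ida-patcher workflow required you to know by hand and to cross-check Keystone's output. The NOP-padding rule mirrors Keypatch's "NOPs padding until next instruction boundary" option.

```python
"""Added example: what Keypatch does underneath (assemble, then patch).
Not Keypatch's own code; keystone-engine and IDA are optional here."""

# Canonical NOP encoding per architecture, as laid out in memory (little-endian).
NOPS = {
    "arm":   bytes.fromhex("0000a0e1"),   # mov r0, r0   (E1A00000)
    "thumb": bytes.fromhex("00bf"),       # nop          (BF00)
    "arm64": bytes.fromhex("1f2003d5"),   # nop          (D503201F)
    "x86":   b"\x90",                     # nop
}

# Constructed fixtures: the "return 1" patch, encoded by hand (what you had to
# know yourself in the ida-patcher days).
HAND_ENCODED = [
    ("arm",   "mov r0, #1; bx lr", "0100a0e31eff2fe1"),   # E3A00001 E12FFF1E
    ("arm64", "mov w0, #1; ret",   "20008052c0035fd6"),   # 52800020 D65F03C0
]

def assemble(arch, asm):
    """Assemble the way Keypatch does. Assumes keystone-engine is installed."""
    import keystone as ks
    modes = {
        "arm":   (ks.KS_ARCH_ARM,   ks.KS_MODE_ARM),
        "thumb": (ks.KS_ARCH_ARM,   ks.KS_MODE_THUMB),
        "arm64": (ks.KS_ARCH_ARM64, ks.KS_MODE_LITTLE_ENDIAN),
        "x86":   (ks.KS_ARCH_X86,   ks.KS_MODE_32),
    }
    arch_id, mode = modes[arch]
    encoding, count = ks.Ks(arch_id, mode).asm(asm)
    if count == 0 or not encoding:
        raise ValueError("nothing assembled for %r" % asm)
    return bytes(encoding)

def check_assembler():
    """Cross-check Keystone against the hand-encoded fixtures.
    Returns True when they agree, None when keystone-engine is not installed."""
    try:
        import keystone  # noqa: F401
    except ImportError:
        return None
    for arch, asm, expected_hex in HAND_ENCODED:
        got = assemble(arch, asm)
        if got != bytes.fromhex(expected_hex):
            raise AssertionError("%s %r: keystone %s != hand %s"
                                 % (arch, asm, got.hex(), expected_hex))
    return True

def plan_patch(arch, new_code, orig_insn_lens, nop_padding=True):
    """Decide which original bytes are overwritten.

    orig_insn_lens: sizes of the instructions at the patch address, in order
    (what IDA reports as item size for each head).  Returns
    (bytes_to_write, instructions_consumed).  If the new code ends inside an
    original instruction, the rest of that instruction is filled with NOPs so
    IDA is not left with a dangling partial instruction; with nop_padding off
    that case is refused instead of silently corrupting the listing.
    """
    if not new_code:
        raise ValueError("empty patch")
    covered = consumed = 0
    for size in orig_insn_lens:
        if covered >= len(new_code):
            break
        covered += size
        consumed += 1
    if covered < len(new_code):
        raise ValueError("patch of %d bytes runs past the %d bytes of known instructions"
                         % (len(new_code), covered))
    slack = covered - len(new_code)
    if slack == 0:
        return new_code, consumed
    if not nop_padding:
        raise ValueError("patch ends %d byte(s) inside an instruction; enable NOP padding" % slack)
    nop = NOPS[arch]
    if slack % len(nop):
        raise ValueError("cannot pad %d byte(s) with %d-byte NOPs" % (slack, len(nop)))
    return new_code + nop * (slack // len(nop)), consumed

def apply_in_ida(ea, data):
    """Write the planned bytes into the IDB. Assumption: IDA 7.x IDAPython API."""
    import ida_bytes
    ida_bytes.patch_bytes(ea, data)

if __name__ == "__main__":
    # Replace a 5-byte call with xor eax,eax on x86: 2 bytes of code + 3 NOPs.
    data, n = plan_patch("x86", b"\x31\xc0", [5, 1])
    print(data.hex(), "overwrites", n, "instruction(s)")
    # Turn an ARM function into "return 1": two 4-byte instructions, no padding.
    data, n = plan_patch("arm", bytes.fromhex(HAND_ENCODED[0][2]), [4, 4, 4])
    print(data.hex(), "overwrites", n, "instruction(s)")
    print("keystone cross-check:", check_assembler())
```

Inside IDA you would call `assemble()` on the text typed into the Keypatch dialog, feed the result and the item sizes at the cursor to `plan_patch()`, and hand the bytes to `apply_in_ida()`; outside IDA the script still runs and exercises the padding logic on the constructed fixtures.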