關於ida pro的牛逼外掛keypatch

通常ida在修改二進位制檔案，自帶的edit->patch program->assemble( Ilfak Guilfanov在論壇裡也提到, 未來很可能會把assemble彙編器相關的功能徹底移除掉) 可以修改x86, x64 但是不能修改arm, arm64，移動端逆向該怎麼辦？

ida-patcher 選單:

ida-patcher patch:

edit selection:

今天介紹的這個神器外掛keypatch Keypatch is confirmed to work on IDA Pro version 6.4, 6.6, 6.8, 6.9, 6.95,7.0

支援的CPU架構: support Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (include 16/32/64bit).

支援的平臺: work everywhere that IDA works, which is on Windows, MacOS, Linux.

Based on Python, so it is easy to install as no compilation is needed. 1 2 3 4 5 6 7 keypatch底層依賴keystone-engine

install brew /usr/bin/ruby -e “$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)” 1 install cmake brew install cmake 1 install keystone-engine sudo pip install keystone-engine 1 預設安裝目錄: /Library/Python/2.7/site-packages/keystone 目錄結構:

檢查方法:

1. 在ida的python 控制檯 print sys.path
2. 檢查下keystone目錄環境 在”print sys.path”結果中, 如果存在 “/Library/Python/2.7/site-packages/keystone” 不需要 copy

sudo cp -r /Library/Python/2.7/site-packages/keystone /Applications/IDA\ Pro\ /ida[q].app/Contents/MacOS/python 1 安裝keypatch https://github.com/keystone-engine/keypatch.git 將 keypatch.py 複製到 /Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS/plugins 重新開啟ida 使用keypatch 快捷鍵ctrl+alt+k

arm彙編

keypatch介面

keypatch修改介面

點選patch, 修改成功

keypatch修改介面後，注意右邊的註釋(保留前面的程式碼)

如何撤銷修改

ctrl+alt + p 右擊revert指定的修改

或者

keypatch工作原理

先了解下ida pro 自帶的外掛的原理

keypatch 原理

keypatch依賴keystone, keystone作為Assembler