关于ida pro的插件keypatch
来源 https://blog.csdn.net/fjh658/article/details/52268907
关于ida pro的牛逼插件keypatch
通常ida在修改二进制文件,自带的edit->patch program->assemble( Ilfak Guilfanov在论坛里也提到, 未来很可能会把assemble汇编器相关的功能彻底移除掉) 可以修改x86, x64 但是不能修改arm, arm64,移动端逆向该怎么办?
之前arm下可以使用ida-patcher http://thesprawl.org/projects/ida-patcher/ 这个插件,但是必须知道arm指令对应的机器码,使用还是有点麻烦.
如图:
ida-patcher 菜单:
ida-patcher patch:
![ida-patcher patch2]](https://img-blog.csdn.net/20160821191421489)
edit selection:
![ida-patcher patch3]](https://img-blog.csdn.net/20160821191536749)
今天介绍的这个神器插件keypatch
Keypatch is confirmed to work on IDA Pro version 6.4, 6.6, 6.8, 6.9, 6.95,7.0
https://github.com/keystone-engine/keypatch
支持的CPU架构:
support Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (include 16/32/64bit).
支持的平台:
work everywhere that IDA works, which is on Windows, MacOS, Linux.
Based on Python, so it is easy to install as no compilation is needed.- 1
- 2
- 3
- 4
- 5
- 6
- 7
keypatch底层依赖keystone-engine
安装keystone-engine
Windows上32位ida(ida 6.8, 6.9, 6.95, 7.0_x86), 安装keystone-engine, 注意 检查配套的python32
关键步骤
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msiWindows上64位ida(>=7.0), 安装keystone-engine, 注意 检查配套的python64
关键步骤
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi
macOS 安装
必须要有cmake, 用来编译libkeystone.dylib (libkeystone.dylib, macOS python是universal binary)
典型问题: https://github.com/keystone-engine/keypatch/issues/28
Quick start
Steps:
- install brew
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"- 1
- install cmake
brew install cmake- 1
- install keystone-engine
sudo pip install keystone-engine- 1
默认安装目录: /Library/Python/2.7/site-packages/keystone
目录结构: 
检查方法:
1. 在ida的python 控制台 print sys.path
2. 检查下keystone目录环境
在”print sys.path”结果中, 如果存在 “/Library/Python/2.7/site-packages/keystone”
不需要 copy
sudo cp -r /Library/Python/2.7/site-packages/keystone /Applications/IDA Pro <version>/ida[q].app/Contents/MacOS/python- 1
安装keypatch
https://github.com/keystone-engine/keypatch.git将 keypatch.py 复制到
/Applications/IDA Pro 7.0/ida.app/Contents/MacOS/plugins重新打开ida
使用keypatch 快捷键ctrl+alt+k
arm汇编
keypatch界面
keypatch修改界面
点击patch, 修改成功
keypatch修改界面后,注意右边的注释(保留前面的代码)
![keypatch修改界面后]](https://img-blog.csdn.net/20160821192042897)
如何撤销修改
ctrl+alt + p 右击revert指定的修改
或者
keypatch工作原理
-
先了解下ida pro 自带的插件的原理
- keypatch 原理
- keypatch 原理
keypatch依赖keystone, keystone作为Assembler