关于ida pro的插件keypatch

关于ida pro的插件keypatch

来源 https://blog.csdn.net/fjh658/article/details/52268907

关于ida pro的牛逼插件keypatch

通常ida在修改二进制文件，自带的edit->patch program->assemble( Ilfak Guilfanov在论坛里也提到, 未来很可能会把assemble汇编器相关的功能彻底移除掉) 可以修改x86, x64 但是不能修改arm, arm64，移动端逆向该怎么办？ 

之前arm下可以使用ida-patcher http://thesprawl.org/projects/ida-patcher/ 这个插件，但是必须知道arm指令对应的机器码，使用还是有点麻烦. 
如图：

ida-patcher 菜单:

ida-patcher patch:

edit selection:

今天介绍的这个神器插件keypatch 
Keypatch is confirmed to work on IDA Pro version 6.4, 6.6, 6.8, 6.9, 6.95,7.0

https://github.com/keystone-engine/keypatch

支持的CPU架构: 
support Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (include 16/32/64bit).

支持的平台: 
work everywhere that IDA works, which is on Windows, MacOS, Linux.

Based on Python, so it is easy to install as no compilation is needed.

• 1
• 2
• 3
• 4
• 5
• 6
• 7

keypatch底层依赖keystone-engine

安装keystone-engine

Windows上32位ida(ida 6.8, 6.9, 6.95, 7.0_x86), 安装keystone-engine, 注意 检查配套的python32

关键步骤 
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msi

Windows上64位ida(>=7.0), 安装keystone-engine, 注意 检查配套的python64

关键步骤 
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi

macOS 安装 
必须要有cmake, 用来编译libkeystone.dylib (libkeystone.dylib, macOS python是universal binary) 
典型问题: https://github.com/keystone-engine/keypatch/issues/28 
Quick start 
Steps:

• install brew

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

• 1

• install cmake

brew install cmake

• 1

• install keystone-engine

sudo pip install keystone-engine

• 1

默认安装目录: /Library/Python/2.7/site-packages/keystone 
目录结构: 

检查方法: 
1. 在ida的python 控制台 print sys.path 
2. 检查下keystone目录环境 
在”print sys.path”结果中, 如果存在 “/Library/Python/2.7/site-packages/keystone” 
不需要 copy

sudo cp -r /Library/Python/2.7/site-packages/keystone /Applications/IDA Pro <version>/ida[q].app/Contents/MacOS/python

• 1

---

安装keypatch 
https://github.com/keystone-engine/keypatch.git

将 keypatch.py 复制到 
/Applications/IDA Pro 7.0/ida.app/Contents/MacOS/plugins

重新打开ida

使用keypatch 快捷键ctrl+alt+k

arm汇编 

keypatch界面 

keypatch修改界面 

点击patch, 修改成功

keypatch修改界面后，注意右边的注释(保留前面的代码) 

如何撤销修改

ctrl+alt + p 右击revert指定的修改 

或者 

keypatch工作原理

• 先了解下ida pro 自带的插件的原理 
  

  • keypatch 原理 
    

keypatch依赖keystone, keystone作为Assembler