    On the IDA Pro plugin Keypatch

    Source: https://blog.csdn.net/fjh658/article/details/52268907

    IDA Pro's killer plugin: Keypatch

    Normally, to modify a binary in IDA you use the built-in Edit -> Patch program -> Assemble (Ilfak Guilfanov has also said on the forum that the assembler functionality will very likely be removed entirely in the future). It can patch x86 and x64, but not ARM or ARM64, so what do you do for mobile reverse engineering?

    Previously, on ARM you could use the ida-patcher plugin (http://thesprawl.org/projects/ida-patcher/), but you had to know the machine code for the ARM instruction yourself, which is still somewhat cumbersome.
    As shown in the screenshots:

    [Figure: ida-patcher menu]

    [Figure: ida-patcher patch]

    [Figure: edit selection]

    The plugin introduced today is Keypatch.
    Keypatch is confirmed to work on IDA Pro versions 6.4, 6.6, 6.8, 6.9, 6.95 and 7.0.

    https://github.com/keystone-engine/keypatch

    Supported CPU architectures:
    Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ and X86 (including 16/32/64-bit).

    Supported platforms:
    Works everywhere IDA works, that is on Windows, macOS and Linux.

    Based on Python, so it is easy to install: no compilation is needed.

    Keypatch relies on keystone-engine underneath.

    Installing keystone-engine

    32-bit IDA on Windows (IDA 6.8, 6.9, 6.95, 7.0_x86): install keystone-engine, and make sure the matching 32-bit Python is used.

    Key step
    https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msi

    64-bit IDA on Windows (>=7.0): install keystone-engine, and make sure the matching 64-bit Python is used.

    Key step
    https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi

    macOS install
    cmake is required, to build libkeystone.dylib (macOS Python is a universal binary).
    Typical problem: https://github.com/keystone-engine/keypatch/issues/28
    Quick start
    Steps:

    • install brew
      /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
    • install cmake
      brew install cmake
    • install keystone-engine
      sudo pip install keystone-engine

    Default install directory: /Library/Python/2.7/site-packages/keystone
    Directory layout: [screenshot]

    How to check:
    1. In IDA's Python console, run print sys.path
    2. Check the keystone directory against that output
    If "/Library/Python/2.7/site-packages/keystone" appears in the output of print sys.path, no copy is needed; otherwise copy the package into IDA's bundled Python:

    sudo cp -r /Library/Python/2.7/site-packages/keystone "/Applications/IDA Pro <version>/ida[q].app/Contents/MacOS/python"

    Installing Keypatch
    https://github.com/keystone-engine/keypatch.git

    Copy keypatch.py to
    /Applications/IDA Pro 7.0/ida.app/Contents/MacOS/plugins

    Restart IDA

    Using Keypatch: the shortcut is Ctrl+Alt+K

    [Figure: ARM assembly in Keypatch]

    [Figure: Keypatch dialog]

    [Figure: Keypatch patch dialog]

    Click Patch; the modification is applied.

    After patching in Keypatch, note the comment on the right (it keeps the original code):
    [Figure: after the patch]

    How to revert a modification

    Ctrl+Alt+P, then right-click and choose Revert for the patch in question:
    [Figure: revert]

    Or:
    [Figure: Keypatch revert menu]

    How Keypatch works

    • First, how IDA Pro's built-in assembler works:
      [Figure: IDA built-in assembler flow]

    • How Keypatch works:
      [Figure: Keypatch flow]

    Keypatch depends on Keystone; Keystone serves as the assembler.
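    The install check above (Python search path, matching bitness, the libkeystone library) and the assembler role described here can be exercised with a small added script that is not part of the original post or of Keypatch itself: it reports interpreter bitness against the IDA build, whether keystone imports, whether its shared library sits inside the package directory (the library location and file names are assumptions), and, when keystone is present, the bytes Keystone produces for one ARM instruction, which is exactly the step Keypatch delegates to it.

```python
"""Pre-flight check for a Keypatch install: keystone importable, native library
present, interpreter bitness matching the IDA build, and a real ARM assembly."""
import importlib
import os
import struct
import sys


def python_bits():
    """Bitness (32 or 64) of the running interpreter, from its pointer size."""
    return struct.calcsize("P") * 8


def keystone_on_path(search_path, site_dir):
    """True when pip's site-packages dir (the parent of keystone/) is already on
    the interpreter's search path, so no copy into the IDA bundle is needed."""
    wanted = os.path.normpath(site_dir)
    return any(os.path.normpath(p) == wanted for p in search_path)


def native_lib_name():
    """File name of the keystone shared library per platform (assumed names)."""
    if sys.platform == "darwin":
        return "libkeystone.dylib"
    if sys.platform.startswith("win"):
        return "keystone.dll"
    return "libkeystone.so"


def check_keystone(ida_bits):
    """Collect what Keypatch needs for an IDA build that is `ida_bits` bits."""
    report = {"python_bits": python_bits(), "bitness_ok": python_bits() == ida_bits,
              "importable": False, "native_lib": None, "smoke_bytes": None}
    try:
        ks = importlib.import_module("keystone")
    except ImportError:
        return report  # keystone-engine missing, or its dynamic library did not load
    report["importable"] = True
    # Assumption: the pip package ships the shared library inside keystone/.
    lib = os.path.join(os.path.dirname(ks.__file__), native_lib_name())
    report["native_lib"] = lib if os.path.exists(lib) else None
    try:
        # Exactly what Keypatch does on every patch: hand the text to keystone
        # and get the encoding back. "mov r0, #1" in ARM mode is e3a00001.
        encoding, _count = ks.Ks(ks.KS_ARCH_ARM, ks.KS_MODE_ARM).asm("mov r0, #1")
        report["smoke_bytes"] = bytes(bytearray(encoding))
    except ks.KsError:
        pass  # keystone loaded but refused the instruction
    return report
```

    Run it from the Python console of the IDA build you intend to load Keypatch into, not from a system Python, since the bitness and sys.path that matter are IDA's.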

    Original post: https://www.cnblogs.com/lsgxeva/p/8948113.html