On keypatch, an excellent plugin for IDA Pro

Author: a0f39b0b2030 | Source: published 2018-10-21 17:30, read 60 times

Normally, when you modify a binary in IDA, the built-in Edit -> Patch program -> Assemble can only patch x86 and x64; it cannot patch ARM or ARM64 (Ilfak Guilfanov has also said on the forum that the assembler-related functionality will very likely be removed entirely in the future). So what do you do when reversing mobile targets?

On ARM you could previously use the ida-patcher plugin (http://thesprawl.org/projects/ida-patcher/), but you had to know the machine code for each ARM instruction yourself, which was still rather cumbersome.

[Figure: ida-patcher menu]

[Figure: ida-patcher patch dialog]

[Figure: edit selection]

The plugin introduced here is keypatch.

Keypatch is confirmed to work on IDA Pro versions 6.4, 6.6, 6.8, 6.9, 6.95 and 7.0.

https://github.com/keystone-engine/keypatch

Supported CPU architectures:

Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ and X86 (16/32/64-bit).

Supported platforms:

Works everywhere IDA works: Windows, macOS and Linux.

The plugin itself is pure Python, so installing it needs no compilation (its keystone dependency is a native library; see the installation notes below).


keypatch relies on keystone-engine underneath.

Installing keystone-engine

32-bit IDA on Windows (IDA 6.8, 6.9, 6.95, 7.0 x86): install keystone-engine for the matching 32-bit Python.

Key step (the installer must target the 32-bit Python that IDA uses):

https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msi

64-bit IDA on Windows (>= 7.0): install keystone-engine for the matching 64-bit Python.

Key step (the installer must target the 64-bit Python that IDA uses):

https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi

macOS installation

cmake is required, because pip builds libkeystone.dylib from source (the macOS system Python is a universal binary).

A typical problem: https://github.com/keystone-engine/keypatch/issues/28

Quick start

Steps:

Install brew:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Install cmake:

brew install cmake

Install keystone-engine:

sudo pip install keystone-engine

Default install directory: /Library/Python/2.7/site-packages/keystone

[Figure: directory structure of the installed keystone package]

How to check:

In IDA's Python console, run: print sys.path

Compare the keystone location against that list:

If the output of "print sys.path" includes /Library/Python/2.7/site-packages (the directory that contains the keystone package, so that import keystone succeeds inside IDA), no copy is needed. Otherwise copy the package into IDA's bundled Python:

sudo cp -r /Library/Python/2.7/site-packages/keystone /Applications/IDA\ Pro\ /ida[q].app/Contents/MacOS/python

1

Installing keypatch

https://github.com/keystone-engine/keypatch.git

Copy keypatch.py to

/Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS/plugins

Restart IDA.

Using keypatch: the shortcut is Ctrl+Alt+K.

[Figure: ARM disassembly before patching]

[Figure: keypatch interface]

[Figure: keypatch patch dialog]

Click Patch and the instruction is modified.

[Figure: disassembly after patching; note the comment keypatch adds on the right, which records the original instruction]

How to undo a patch

Press Ctrl+Alt+P (Edit -> Patch program -> Patched bytes), right-click the patch you want to undo and choose Revert.

Or:

How keypatch works

First, how IDA Pro's built-in patching works: Assemble runs the text through IDA's own assembler, which only knows x86/x64, and writes the resulting bytes into the database.

[Figure: IDA's built-in patching]

How keypatch works:

[Figure: keypatch patching]

keypatch relies on keystone, which takes the place of IDA's assembler: the instruction text is assembled by keystone for the selected architecture and the resulting bytes are patched into the database.
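As an added example (not code from the post, nor keypatch's or keystone's own), the Python 3 script below reproduces in miniature what the screenshots above show: keystone assembles the text you typed for the chosen architecture at the current address, the bytes are written over the old instruction, and a record of the original bytes (the comment keypatch adds, plus the entry in IDA's Patched bytes window) is what makes the Revert step possible. It also covers the install check from the macOS section: self_check() run in the Python that IDA uses reports, per target, whether keystone imports and assembles correctly. The keystone API used is Ks(arch, mode).asm(text, address); the target table, the NOP padding rule, the sample bytes and the known encodings are this example's own assumptions.

```python
# Added example, not code from the post, keypatch or keystone. Python 3.
from collections import namedtuple

try:
    import keystone                  # keystone-engine, the assembler behind keypatch
except ImportError:                  # patch/revert below still works without it
    keystone = None

# keystone (arch, mode) constant names per target (assumed mapping, like keypatch's targets)
KS_TARGETS = {
    "arm":   ("KS_ARCH_ARM",   "KS_MODE_ARM"),
    "thumb": ("KS_ARCH_ARM",   "KS_MODE_THUMB"),
    "arm64": ("KS_ARCH_ARM64", "KS_MODE_LITTLE_ENDIAN"),
    "x86":   ("KS_ARCH_X86",   "KS_MODE_32"),
    "x64":   ("KS_ARCH_X86",   "KS_MODE_64"),
}
# canonical NOP per target, used to pad a shorter replacement up to the old item's size
NOP = {"arm": bytes.fromhex("00f020e3"), "thumb": bytes.fromhex("00bf"),
       "arm64": bytes.fromhex("1f2003d5"), "x86": b"\x90", "x64": b"\x90"}
# hand-verified little-endian encodings used to smoke-test a keystone install
KNOWN = {"arm": ("mov r0, #1", "0100a0e3"), "thumb": ("movs r0, #1", "0120"),
         "arm64": ("mov x0, #1", "200080d2"), "x86": ("xor eax, eax", "31c0"),
         "x64": ("xor eax, eax", "31c0")}

# constructed sample: four ARM instructions as they would sit at 0x1000 in an IDB
#   0x1000  E92D4010  PUSH {R4,LR}
#   0x1004  E3A00000  MOV  R0, #0      <- the result we want to flip to 1
#   0x1008  EB000010  BL   0x1050
#   0x100C  E8BD8010  POP  {R4,PC}
BASE = 0x1000
IMAGE = bytes.fromhex("10402de9" "0000a0e3" "100000eb" "1080bde8")

PatchRecord = namedtuple("PatchRecord", "address original new comment clobbers_next")


def assemble(asm, target, address=0):
    """Assemble one statement with keystone; address matters for PC-relative forms (bl, adr)."""
    if keystone is None:
        raise RuntimeError("keystone is not importable from this Python; check sys.path")
    arch, mode = (getattr(keystone, name) for name in KS_TARGETS[target])
    encoding, _count = keystone.Ks(arch, mode).asm(asm, address)
    if not encoding:
        raise ValueError("keystone produced no bytes for %r" % asm)
    return bytes(encoding)


def self_check():
    """Install smoke test: {target: True, False (unexpected bytes) or 'ErrorName: text'}."""
    results = {}
    for target, (asm, expected) in KNOWN.items():
        try:
            results[target] = assemble(asm, target).hex() == expected
        except Exception as exc:       # missing native library, arch not built in, bad syntax
            results[target] = "%s: %s" % (type(exc).__name__, exc)
    return results


class Patcher:
    """What keypatch's Patch button and IDA's Patched bytes window do, on a byte image."""

    def __init__(self, base, image, target):
        self.base, self.image, self.target = base, bytearray(image), target
        self.history = []              # one PatchRecord per patch, newest last

    def patch(self, address, new, item_size, original_asm="", pad_nops=True):
        """Overwrite the item_size-byte instruction at address with new (NOP-padded if shorter)."""
        new = bytes(new)
        if len(new) < item_size and pad_nops:
            nop = NOP[self.target]
            new += nop * ((item_size - len(new)) // len(nop))
        off = address - self.base
        if off < 0 or off + len(new) > len(self.image):
            raise ValueError("patch at %#x does not fit in the image" % address)
        original = bytes(self.image[off:off + len(new)])
        self.image[off:off + len(new)] = new
        comment = "modified from: %s" % original_asm if original_asm else ""
        rec = PatchRecord(address, original, new, comment, len(new) > item_size)
        self.history.append(rec)       # a longer encoding has run into the next instruction
        return rec

    def revert(self, address):
        """Put the original bytes back for the newest patch at address (right-click -> Revert)."""
        for i in range(len(self.history) - 1, -1, -1):
            rec = self.history[i]
            if rec.address == address:
                off = rec.address - self.base
                self.image[off:off + len(rec.original)] = rec.original
                del self.history[i]
                return True
        return False


def demo():
    """Flip MOV R0,#0 to MOV R0,#1, assembling with keystone when it is available."""
    p = Patcher(BASE, IMAGE, "arm")
    new = assemble("mov r0, #1", "arm", BASE + 4) if keystone else bytes.fromhex("0100a0e3")
    p.patch(BASE + 4, new, 4, original_asm="MOV R0, #0")
    return p


if __name__ == "__main__":
    print(self_check())
    patched = demo()
    print(patched.history[0])
    print(patched.image.hex())
```

Two practical points the record makes visible. Patches, in IDA as in this example, live in the database, not in the file: nothing reaches the binary on disk until Edit -> Patch program -> Apply patches to input file, so a reverted patch never touches the file. And a replacement whose encoding is longer than the item it replaces overwrites the start of the next instruction; the clobbers_next flag is there so you re-check the disassembly after such a patch rather than trusting the first instruction alone.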


Article link: https://www.haomeiwen.com/subject/angbzftx.html