The awesome IDA Pro plugin Keypatch
Normally, binaries are patched in IDA with the built-in Edit -> Patch program -> Assemble (Ilfak Guilfanov has also said on the forum that the assembler feature will very likely be removed altogether in the future). It can patch x86 and x64, but not ARM or ARM64, so what do you do for mobile reverse engineering?
For ARM, the ida-patcher plugin (/projects/ida-patcher/) could be used before, but you have to know the machine code for each ARM instruction yourself, which is still a bit of a hassle.
[Figure: ida-patcher menu]
[Figure: ida-patcher patch]
[Figure: edit selection]
The plugin introduced today is the excellent Keypatch.
Keypatch is confirmed to work on IDA Pro versions 6.4, 6.6, 6.8, 6.9, 6.95, 7.0, 7.1 and 7.2.
/keystone-engine/keypatch
Supported CPU architectures:
Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ and X86 (16/32/64-bit).
Supported platforms:
Works everywhere IDA works: Windows, macOS and Linux.
Written in Python, so it is easy to install; no compilation is needed.
Keypatch is built on top of keystone-engine.
Installing keystone-engine
32-bit IDA on Windows (IDA 6.8, 6.9, 6.95, 7.0_x86): install keystone-engine into the matching 32-bit Python. Check this carefully: the native keystone library must have the same bitness as the Python that IDA loads, or the import fails.
Key steps
/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.
64-bit IDA on Windows (>= 7.0): install keystone-engine into the matching 64-bit Python, for the same reason.
Key steps
/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.
macOS install
cmake is required, because keystone's native library is compiled during installation (the macOS system Python is a universal binary).
A typical problem: /keystone-engine/keypatch/issues/28
Quick start
Steps:
- install brew
/usr/bin/ruby -e "$(curl -fsSL /Homebrew/install/master/install)"
- install cmake
brew install cmake
- install keystone-engine
sudo pip install keystone-engine
Default install directory: /Library/Python/2.7/site-packages/keystone
[Figure: directory structure]
How to check:
- In IDA's Python console, print
- Check the keystone directory against that output
If the output of "print " contains "/Library/Python/2.7/site-packages/keystone", no copy is needed. Otherwise copy the package into the Python directory inside the IDA app bundle:
sudo cp -r /Library/Python/2.7/site-packages/keystone /Applications/IDA\ Pro\ <version>/ida[q].app/Contents/MacOS/python
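The Windows notes above (32-bit vs. 64-bit Python) and the macOS path check both come down to the same question: does the Python that IDA embeds find the keystone package, and does keystone's native library load in it? The following script is an added example, not code from Keypatch or Keystone; run it in IDA's Python console, or with the python.exe/python binary IDA uses, and it reports the interpreter's bitness, where keystone was found, and whether a real assembly through the native engine succeeds. The report dictionary and its field names are this example's own.

```python
"""Does the Python that IDA embeds see Keystone, and does its native library load?

Added example, not Keypatch's or Keystone's own code. Run it in IDA's Python
console (or with the Python that IDA uses) to catch the two failures this page
warns about: a keystone build of the wrong bitness, or a keystone package
installed for a different interpreter than IDA's.
"""
import importlib.util
import struct
import sys


def python_bits() -> int:
    """Pointer width of the running interpreter: 32 or 64."""
    return struct.calcsize("P") * 8


def check_keystone() -> dict:
    """Report where keystone is found and whether its native engine actually assembles."""
    report = {
        "executable": sys.executable,
        "python_bits": python_bits(),
        "found": False,
        "location": None,
        "engine_ok": False,
        "error": None,
    }
    spec = importlib.util.find_spec("keystone")
    if spec is None:
        report["error"] = ("keystone is not on this interpreter's sys.path; install it "
                           "for this Python or copy the package into IDA's python directory")
        return report
    report["found"] = True
    report["location"] = spec.origin
    try:
        import keystone
        # A real assembly goes through the native library, so a 32/64-bit
        # mismatch shows up here even when the pure-Python package imported.
        encoding, _count = keystone.Ks(keystone.KS_ARCH_ARM, keystone.KS_MODE_ARM).asm("nop")
        report["engine_ok"] = encoding == [0x00, 0xF0, 0x20, 0xE3]   # ARM-mode nop, 0xE320F000
    except Exception as exc:   # ImportError/OSError for a wrong-bitness DLL or dylib
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


if __name__ == "__main__":
    for key, value in check_keystone().items():
        print(f"{key}: {value}")
```

If `found` is true but `engine_ok` is false, the package is on the path but its native library does not match this interpreter; reinstall keystone-engine for the Python whose `executable` and `python_bits` the report shows, rather than copying the directory around.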
Installing Keypatch
/keystone-engine/
Copy the file to
/Applications/IDA\ Pro\ 7.0//Contents/MacOS/plugins
Restart IDA.
Using Keypatch: the shortcut is Ctrl+Alt+K.
[Figure: ARM assembly]
[Figure: Keypatch dialog]
[Figure: Keypatch patch dialog]
Click Patch; the modification is applied.
[Figure: after patching] Note the comment on the right: Keypatch keeps the original code it replaced there, so you can always see what was at that address before.
How to revert a patch
Ctrl+Alt+P opens IDA's Patched bytes window; right-click the patch you want to undo and choose Revert.
or
How Keypatch works
- How IDA Pro's built-in patching works
- How Keypatch works
Keypatch relies on Keystone, which acts as the assembler: the instruction text typed into the Keypatch dialog is assembled by Keystone into machine code for the selected architecture and mode (ARM vs. Thumb, for example), and Keypatch writes the resulting bytes into the database at the current address. IDA keeps patched bytes separate from the input file, so the change only reaches the binary on disk after Edit -> Patch program -> Apply patches to input file.
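The same assemble-then-write loop can be shown outside IDA. The script below is an added example, not Keypatch's or Keystone's own code: it assembles an ARM or ARM64 instruction with Keystone when the keystone-engine module is installed and otherwise falls back to a small table of hand-checked encodings (constructed for this example, so it also runs offline), pads the result with NOPs to the size of the instruction being replaced, writes it into a constructed in-memory image, and journals the original bytes so the patch can be reverted, the way IDA's Patched bytes window does. The `Image` and `Patch` classes, the padding rule and the comment text are this example's own choices; Keypatch itself puts the original disassembly in an IDA comment, which needs IDA's disassembler and is replaced here by the original bytes.

```python
"""Assemble-and-patch in the style of Keypatch, outside IDA.

Added example, not Keypatch's or Keystone's own code. Keystone is the assembler
when the keystone-engine module imports; otherwise a small table of hand-checked
encodings (constructed for this example) stands in, so the script also runs
where Keystone is not installed.
"""
from dataclasses import dataclass, field

try:
    import keystone as ks_mod        # the engine Keypatch is built on
except ImportError:
    ks_mod = None                    # fall back to FALLBACK below

# Hand-checked little-endian encodings, used only when Keystone is absent.
FALLBACK = {
    ("arm",   "mov r0, #0"): bytes.fromhex("0000a0e3"),  # 0xE3A00000
    ("arm",   "mov r0, #1"): bytes.fromhex("0100a0e3"),  # 0xE3A00001
    ("arm",   "bx lr"):      bytes.fromhex("1eff2fe1"),  # 0xE12FFF1E
    ("arm",   "nop"):        bytes.fromhex("00f020e3"),  # 0xE320F000
    ("arm64", "mov x0, #1"): bytes.fromhex("200080d2"),  # 0xD2800020 (movz)
    ("arm64", "ret"):        bytes.fromhex("c0035fd6"),  # 0xD65F03C0
    ("arm64", "nop"):        bytes.fromhex("1f2003d5"),  # 0xD503201F
}


def assemble(arch: str, text: str, addr: int = 0) -> bytes:
    """Machine code for one instruction: Keystone if available, else FALLBACK."""
    text = " ".join(text.lower().split())
    if ks_mod is not None:
        engines = {
            "arm":   (ks_mod.KS_ARCH_ARM,   ks_mod.KS_MODE_ARM),
            "arm64": (ks_mod.KS_ARCH_ARM64, ks_mod.KS_MODE_LITTLE_ENDIAN),
        }
        encoding, _count = ks_mod.Ks(*engines[arch]).asm(text, addr)
        if encoding:
            return bytes(encoding)
    try:
        return FALLBACK[(arch, text)]
    except KeyError:
        raise ValueError(f"no encoding for {arch} {text!r}; install keystone-engine") from None


@dataclass
class Patch:
    ea: int
    original: bytes
    patched: bytes
    comment: str


@dataclass
class Image:
    """A loaded binary: base address, raw bytes, and a journal of applied patches."""
    base: int
    data: bytearray
    arch: str
    journal: list = field(default_factory=list)

    def read(self, ea: int, n: int) -> bytes:
        off = ea - self.base
        return bytes(self.data[off:off + n])

    def patch(self, ea: int, text: str, slot_len: int) -> Patch:
        """Assemble text at ea, NOP-pad it to slot_len bytes, write it, journal the original.

        slot_len is the size of the instruction(s) being replaced; refusing to write
        past it is what stops a patch from silently clobbering the next instruction.
        """
        new = assemble(self.arch, text, ea)
        nop = assemble(self.arch, "nop")
        if len(new) > slot_len:
            raise ValueError(f"{len(new)} bytes do not fit the {slot_len}-byte slot at {ea:#x}")
        if (slot_len - len(new)) % len(nop):
            raise ValueError(f"cannot NOP-pad {slot_len - len(new)} bytes with {len(nop)}-byte NOPs")
        new += nop * ((slot_len - len(new)) // len(nop))
        original = self.read(ea, slot_len)
        off = ea - self.base
        self.data[off:off + slot_len] = new
        entry = Patch(ea, original, new, f"patched from {original.hex()} ({text})")
        self.journal.append(entry)
        return entry

    def revert(self, ea: int) -> bool:
        """Undo the most recent patch at ea, restoring the journaled bytes."""
        for entry in reversed(self.journal):
            if entry.ea == ea:
                off = ea - self.base
                self.data[off:off + len(entry.original)] = entry.original
                self.journal.remove(entry)
                return True
        return False


def demo() -> dict:
    # Constructed sample: a two-instruction ARM function `mov r0, #0 ; bx lr` at 0x1000.
    img = Image(0x1000, bytearray.fromhex("0000a0e3" "1eff2fe1"), "arm")
    entry = img.patch(0x1000, "mov r0, #1", 4)   # make the function return 1
    patched = bytes(img.data)
    img.revert(0x1000)
    return {"patched": patched, "original": entry.original,
            "comment": entry.comment, "restored": bytes(img.data)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

Inside IDA, the write step is `idaapi.patch_bytes(ea, data)` and the journal is IDA's own patch record, which is why the Patched bytes window can revert what Keypatch wrote; the slot-length check is the part to keep in mind when a replacement is longer than the instruction under the cursor.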