關於ida pro的插件keypatch
來源 https://blog.csdn.net/fjh658/article/details/52268907
關於ida pro的牛逼插件keypatch
通常ida在修改二進制文件,自帶的edit->patch program->assemble( Ilfak Guilfanov在論壇里也提到, 未來很可能會把assemble匯編器相關的功能徹底移除掉) 可以修改x86, x64 但是不能修改arm, arm64,移動端逆向該怎么辦? 
之前arm下可以使用ida-patcher http://thesprawl.org/projects/ida-patcher/ 這個插件,但是必須知道arm指令對應的機器碼,使用還是有點麻煩.
如圖:
ida-patcher 菜單:
ida-patcher patch:
![ida-patcher patch2]](/image/aHR0cHM6Ly9pbWctYmxvZy5jc2RuLm5ldC8yMDE2MDgyMTE5MTQyMTQ4OQ==.png)
edit selection:
![ida-patcher patch3]](/image/aHR0cHM6Ly9pbWctYmxvZy5jc2RuLm5ldC8yMDE2MDgyMTE5MTUzNjc0OQ==.png)
今天介紹的這個神器插件keypatch
Keypatch is confirmed to work on IDA Pro version 6.4, 6.6, 6.8, 6.9, 6.95,7.0
https://github.com/keystone-engine/keypatch
支持的CPU架構:
support Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (include 16/32/64bit). 支持的平台: work everywhere that IDA works, which is on Windows, MacOS, Linux. Based on Python, so it is easy to install as no compilation is needed.- 1
- 2
- 3
- 4
- 5
- 6
- 7
keypatch底層依賴keystone-engine
安裝keystone-engine
Windows上32位ida(ida 6.8, 6.9, 6.95, 7.0_x86), 安裝keystone-engine, 注意 檢查配套的python32
關鍵步驟
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msiWindows上64位ida(>=7.0), 安裝keystone-engine, 注意 檢查配套的python64
關鍵步驟
https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi
macOS 安裝
必須要有cmake, 用來編譯libkeystone.dylib (libkeystone.dylib, macOS python是universal binary)
典型問題: https://github.com/keystone-engine/keypatch/issues/28
Quick start
Steps:
- install brew
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"- 1
- install cmake
brew install cmake- 1
- install keystone-engine
sudo pip install keystone-engine- 1
默認安裝目錄: /Library/Python/2.7/site-packages/keystone
目錄結構: 
檢查方法:
1. 在ida的python 控制台 print sys.path
2. 檢查下keystone目錄環境
在”print sys.path”結果中, 如果存在 “/Library/Python/2.7/site-packages/keystone”
不需要 copy
sudo cp -r /Library/Python/2.7/site-packages/keystone /Applications/IDA\ Pro\ <version>/ida[q].app/Contents/MacOS/python- 1
安裝keypatch
https://github.com/keystone-engine/keypatch.git將 keypatch.py 復制到
/Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS/plugins重新打開ida
使用keypatch 快捷鍵ctrl+alt+k
arm匯編 
keypatch界面 
keypatch修改界面 
點擊patch, 修改成功
keypatch修改界面后,注意右邊的注釋(保留前面的代碼) ![keypatch修改界面后]](/image/aHR0cHM6Ly9pbWctYmxvZy5jc2RuLm5ldC8yMDE2MDgyMTE5MjA0Mjg5Nw==.png)
如何撤銷修改
ctrl+alt + p 右擊revert指定的修改 
或者 
keypatch工作原理
-
先了解下ida pro 自帶的插件的原理
- keypatch 原理
- keypatch 原理
keypatch依賴keystone, keystone作為Assembler