Multi-architecture assembler for IDA Pro. Powered by Keystone Engine.
GPL-2.0 License
Keypatch is the award-winning plugin of IDA Pro for Keystone Assembler Engine.
Keypatch consists of 3 tools inside.
See this quick tutorial for how to use Keypatch, and these slides for how it is implemented.
Keypatch is confirmed to work on IDA Pro versions 6.4, 6.5, 6.6, 6.8, 6.9, 6.95, 7.0, 7.5, but should work flawlessly on older versions. If you find any issues, please report.
Sometimes we want to patch the binary while analyzing it in IDA, but unfortunately the built-in assembler of IDA Pro is not adequate.
Keypatch was developed to solve this problem. Thanks to the power of Keystone, our plugin offers some nice features.
Keypatch can be the missing piece in your toolset of reverse engineering.
pip install six.
keypatch.py to IDA Plugin folder, then restart IDA Pro to use Keypatch.
C:\Program Files (x86)\IDA 6.9\plugins
/Applications/IDA\ Pro\ 6.9/idaq.app/Contents/MacOS/plugins
/opt/IDA/plugins/
NOTE
For a quick tutorial, see TUTORIAL.md. For a complete description of all of the features of Keypatch, keep reading.
To patch your binary, press hotkey CTRL+ALT+K inside IDA to open Keypatch Patcher dialog.
Assembly box (you can use IDA symbols).
Encode box while you are typing, without waiting for ENTER keystroke.
Fixup control.
ENTER or click Patch to overwrite the current instruction with the new code, then automatically advance to the next instruction.
NOPs padding until next instruction boundary if this is undesired.
Save original instructions in IDA comment to disable this feature.
Edit | Patch program | Apply patches to input file.
CTRL+ALT+K, or choose menu Edit | Keypatch | Fill Range.
Assembly box, you can either enter assembly code, or raw hexcode. Some examples of acceptable raw hexcode are 90, aa bb, 0xAA, 0xBB.
To revert (undo) the last patching, choose menu Edit | Keypatch | Undo last patching.
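The raw hexcode forms listed above (90, aa bb, 0xAA, 0xBB) and the NOPs padding option can be modelled as follows. This is an added example, not Keypatch's own code: the function names, the one-byte-per-token rule, the x86 NOP byte and the sample instruction sizes are assumptions made for the sketch.

```python
import re

X86_NOP = 0x90  # assumption: x86 target with a single-byte NOP


def parse_raw_hex(text):
    """Return bytes for input such as '90', 'aa bb' or '0xAA, 0xBB', else None.

    Each token must be exactly one byte, so text like 'fadd' (all hex digits
    but also a mnemonic) is left to the assembler instead of being patched raw.
    """
    tokens = [t for t in re.split(r"[\s,]+", text.strip()) if t]
    if not tokens:
        return None
    out = bytearray()
    for tok in tokens:
        if tok.lower().startswith("0x"):
            tok = tok[2:]
        if not re.fullmatch(r"[0-9a-fA-F]{1,2}", tok):
            return None  # not raw hexcode: treat the input as assembly
        out.append(int(tok, 16))
    return bytes(out)


def pad_to_boundary(patch, insn_sizes):
    """NOP-pad `patch` so it ends on a boundary of the original instructions.

    insn_sizes: byte sizes of the original instructions, starting at the
    address being patched (constructed sample values in the demo below).
    """
    covered = 0
    for size in insn_sizes:
        covered += size
        if covered >= len(patch):
            return patch + bytes([X86_NOP]) * (covered - len(patch))
    raise ValueError("patch runs past the instructions supplied")


if __name__ == "__main__":
    # Constructed case: a 2-byte patch over one 5-byte original instruction.
    patch = parse_raw_hex("0x31, 0xC0")
    print(pad_to_boundary(patch, [5]).hex(" "))
    # Constructed case: a 3-byte patch spilling into a second instruction.
    print(pad_to_boundary(parse_raw_hex("aa bb cc"), [2, 3]).hex(" "))
```

Without the padding, the leftover bytes of a partly overwritten instruction would be decoded as new, unintended instructions.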
To search for assembly instructions (without overwriting binary), open Keypatch Search from menu Edit | Keypatch | Search.
Assembly box.
Encode box while you are typing, without waiting for ENTER keystroke.
Search button, Keypatch would look for all the occurrences of the instructions, and show the result in a new form.
To check for new version of Keypatch, choose menu Edit | Keypatch | Check for update.
At any time, you can also access all the above Keypatch functionalities just by right-clicking in the IDA screen and choosing from the popup menu.
Email [email protected] for any questions.
For future updates of Keypatch, follow our Twitter @keystone_engine for announcements.
We all know that before IDA 7.0, IDA Pro's Python is 32-bit itself, so it can only load 32-bit libraries. For this reason, we have to build & install Keystone 32-bit. However, IDA 7.0 supports both 32-bit & 64-bit, which means we also need to install a correct version of Keystone. Simply install from PyPI with pip (32-bit), as follows:
pip install keystone-engine
Done? Now go back to section 2 & install Keypatch for IDA Pro. Enjoy!