GJDuck / e9patch

A powerful static binary rewriting tool

Find patch misses

task3r opened this issue · comments

Hi! Is it possible to know which matches could not be patched? Ideally the addresses of the instructions that could not be patched. Additionally, is there any way to give a "fallback" match pattern, that is only considered if the first pattern is not "patchable"? Thank you.

commented

> Is it possible to know which matches could not be patched?

You can try passing --option --debug=true to E9Tool, which will cause E9Patch to print more detailed information. E.g.:

    debug: failed to patch instruction at address 0xc21

Currently there is no machine-readable information, but maybe I should look into this.

> is there any way to give a "fallback" match pattern, that is only considered if the first pattern is not "patchable"?

Do you mean something like: "patch instruction B instead of instruction A if A is unpatchable?"

There is not really an automated way to do this currently. There is however:

  • BB.best selects the "best" instruction to patch from a basic block (if your application is interested in BBs)
  • Use the -CFR mode, which makes it more likely that patching will succeed, although it may introduce rewriting errors for some binaries.

Thank you! I did try the debug option but failed to find those lines in the middle of all the output. As for the second part, I knew of those alternatives but they do not fit my current problem. I might use the debug information to do multiple instrumentation attempts. Thanks once again!

EDIT: Actually, I previously used --debug and not --option --debug=true as you suggest. The second does show that info.
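
As an added example (not part of the thread and not E9Patch code), the Python filter below pulls the failed addresses out of captured debug output, since the tool offers no machine-readable form. It relies only on the one line format quoted above; the ANSI colour stripping, the `patch_misses` helper and the sample text are assumptions made for illustration.

```python
import re
import sys

# Matches the single debug line format quoted in this thread; all else is ignored.
FAILED_RE = re.compile(r"failed to patch instruction at address (0x[0-9a-fA-F]+)")
# Assumption: captured output may carry ANSI colour codes, so strip them first.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")


def failed_addresses(lines):
    """Return sorted, de-duplicated addresses of instructions reported as unpatched."""
    found = set()
    for line in lines:
        m = FAILED_RE.search(ANSI_RE.sub("", line))
        if m:
            found.add(int(m.group(1), 16))
    return sorted(found)


def patch_misses(matched, lines):
    """Hypothetical helper: split caller-supplied match addresses into
    (patched, missed) according to the debug output."""
    failed = set(failed_addresses(lines))
    wanted = sorted(set(matched))
    return ([a for a in wanted if a not in failed],
            [a for a in wanted if a in failed])


# Constructed sample: only the "failed to patch" wording comes from the thread.
SAMPLE = """\
some unrelated output line
debug: failed to patch instruction at address 0xc21
\x1b[33mdebug\x1b[0m: failed to patch instruction at address 0xa10
debug: failed to patch instruction at address 0xc21
another unrelated output line
"""

if __name__ == "__main__":
    # Read captured tool output from a pipe; fall back to the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for addr in failed_addresses(text.splitlines()):
        print(hex(addr))
```

Capture the output of the E9Tool run with --option --debug=true and pipe it in; the printed addresses can then drive a second instrumentation attempt with a different match.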