genpatch
genpatch is IDA plugin that generates a python script for patching binary from Patched Byte
on IDA.
genpatch is confirmed to work on IDA Pro 7.x.
Background
During reverse engineering, we often apply the same patch to another binary. For example, when applying patch for bypassing SSL pinning. Launching IDA just to patch is cumbersome, but patching from the CUI is more convenient, it's easy to share with others who are not familiar with IDA.
Installation
Copy file genpatch.py
, patch_template.txt
to IDA Plugin folder, then restart IDA Pro to use genpatch.
- On Windows, the folder is at C:\Program Files (x86)\IDA 7.2\plugins
- On MacOS, the folder is at /Applications/IDA\ Pro\ 7.2/idaq.app/Contents/MacOS/plugins
- On Linux, the folder may be at /opt/IDA/plugins/
How to Use
After applying the patch using IDA, click Edit -> Plugins -> genpatch
button.
If patch script is successfully generated, a dialog similar to following appears:
Patching Script Example
#!/usr/bin/env python
# coding: UTF-8
import binascii
import os
import re
import sys
target_path = sys.argv[1]
target_data = None
with open(target_path, 'rb') as target_file:
target_data = binascii.hexlify(target_file.read()).decode('utf-8')
# address: 0x100000ecb
# function name: __text: _main
# comment: Keypatch modified this from: jz loc_100000EF6 Keypatch padded NOP to next boundary: 4 bytes
matches = re.findall('0f8425000000', target_data)
if len(matches) == 1:
target_data = target_data.replace('0f8425000000', '752990909090')
else:
print("Patch pattern isn't unique")
sys.exit()
result_path = target_path + '_patched'
with open(result_path, "wb") as result_file:
if sys.version_info[0] >= 3:
result_file.write(bytes.fromhex(target_data))
else:
result_file.write(target_data.decode("hex"))
print("Successfully generated patched binary to '%s'" % result_path)
License
The MIT License