Last night I received a couple of emails from friends of mine asking how to patch binaries through IDA Pro. I was pretty tired for writing a full answering email so I decided to send them a good link... I wasn't able to find out a good link on the argument. :O !!
For this reason today I want to show you how to patch a binary using IDA Pro. The patching process is maybe the most difficult part of reversing engineering since you need to modify directly the binary code without compromising the program control flow. You need to figure out what the binary does, where it does what, and how it performs the actions you want to modify. For example, if we consider a key-generator design process what is mainly needed is the key generation function. In order to build the generation procedure (in the key-generator)we need to copy the "generator function" (in the binary) and paste it on a generic assembler "print out" template. Running the compiled template you will see as output the generated keys. If you prefer to patch the original key-generator you need inject/modify/delete instructions directly on the binary without altering the control flow and without triggering exception handlers.
To remember: In this post I am not going into the details on "the binary patching process" but I am going to explain how to use IDA for such a process.
First of all you need to edit an IDA configuration file called idagui.cfg . The file has been placed from the installer into your IDAFolder
/cfg/idagui.cfg. On my Windows machine it is placed into: C:\Program Files\IDA Free\cfg\idagui.cfg.
Running your IDA Pro you now see a new sub menu EDIT -> Patch Program.
Now, using the "Patch program" submenu you are able to edit the IDA database. Don't forget that you are now editing the IDA database which represents the real binary (it isn't the original binary) so you aren't patching you binary yet.
Once you've done with your changes you are now ready to generate the DIFF file through: FILE->Produce File-> Create DIFF File, as shown in the following image.
The DIFF file does NOT include the copy of the modified binary but it simply enumerates what and where changes happened. For example the following listing is an example of what DIFF file includes.
00001545: 7D EB
00001546: 2B 2A
0000158D: 7C 7D
0000158E: B9 B8
000015DE: 75 74
000015DF: 1F 1E
000015E3: 76 75
000015E4: 16 15
00001607: 74 EB
00001608: 29 28
In address 00001545 the byte 7D became EB, in address 000015DF the byte 1F became 1E etc.
Now what you need is to download and compile the following utility called ida_patcher.c (from here). ida_patcher does the real patching.
Lets run the patcher in the following way :
./ida_patcher -i executable.exe -p executable.diff
Where executable.exe is the original binary file and executable.diff is the DIFF file from IDA Pro. Watch out that ida_patcher modifies the original binary, so be sure to have a backup of your original one. Now you've got the patched file ready to be spread ;)
Another great tool to batch binary using DIFF file is here (thanks to StalkR)