Pages

Tuesday, January 25, 2011

How to Patch Binary with IDA Pro

Last night I received a couple of emails from friends of mine asking how to patch binaries through IDA Pro. I was pretty tired for writing a full answering email so I decided to send them a good link... I wasn't able to find out a good link on the argument. :O !!

For this reason today I want to show you how to patch a binary using IDA Pro. The patching process is maybe the most difficult part of reversing engineering since you need to modify directly the binary code without compromising the program control flow. You need to figure out what the binary does, where it does what, and how it performs the actions you want to modify. For example, if we consider a key-generator design process what is mainly needed is the key generation function. In order to build the generation procedure (in the key-generator)we need to copy the "generator function" (in the binary) and paste it on a generic assembler "print out" template. Running the compiled template you will see as output the generated keys. If you prefer to patch the original key-generator you need inject/modify/delete instructions directly on the binary without altering the control flow and without triggering exception handlers.

To remember: In this post I am not going into the details on "the binary patching process" but I am going to explain how to use IDA for such a process.

First of all you need to edit an IDA configuration file called idagui.cfg . The file has been placed from the installer into your IDAFolder/cfg/idagui.cfg. On my Windows machine it is placed into: C:\Program Files\IDA Free\cfg\idagui.cfg.

You want to change the following two lines: DISPLAY_PATCH_SUBMENU = YES and DISPLAY_COMMAND_LINE = NO (but you might want to see it, so put an uppercase YES)

Running your IDA Pro you now see a new sub menu EDIT -> Patch Program.



Now, using the "Patch program" submenu you are able to edit the IDA database. Don't forget that you are now editing the IDA database which represents the real binary (it isn't the original binary) so you aren't patching you binary yet.

Once you've done with your changes you are now ready to generate the DIFF file through: FILE->Produce File-> Create DIFF File, as shown in the following image.

The DIFF file does NOT include the copy of the modified binary but it simply enumerates what and where changes happened. For example the following listing is an example of what DIFF file includes.

name.exe

00001545: 7D EB

00001546: 2B 2A

0000158D: 7C 7D

0000158E: B9 B8

000015DE: 75 74

000015DF: 1F 1E

000015E3: 76 75

000015E4: 16 15

00001607: 74 EB

00001608: 29 28


In address 00001545 the byte 7D became EB, in address 000015DF the byte 1F became 1E etc.
Now what you need is to download and compile the following utility called ida_patcher.c (from here). ida_patcher does the real patching.

Lets run the patcher in the following way :

./ida_patcher -i executable.exe -p executable.diff

Where executable.exe is the original binary file and executable.diff is the DIFF file from IDA Pro. Watch out that ida_patcher modifies the original binary, so be sure to have a backup of your original one. Now you've got the patched file ready to be spread ;)

*UPDATE*
Another great tool to batch binary using DIFF file is here (thanks to StalkR)


8 comments:

  1. Excellent as always. Would love to see you posting these links to Twitter where there is a substantial IT and security audience

    ReplyDelete
  2. Thank you very much GerrC, I appreciated that !
    BTW, you are totally right, I should set-up a Twitter account, and I know that sooner or later I'll do it ! ;) In the meantime could you please post on your private Twitter account what you think is relevant of my blog ? Thank you very much GerryC.

    ReplyDelete
  3. I had the same issue and ended up writing a small python script (http://stalkr.net/files/ida/idadif.py) to patch binary using .dif just like your C code.

    Next step: have this process integrated in IDA and reachable via a convenient submenu "save patched binary". Would be awesome :)

    Cool blog btw!

    ReplyDelete
  4. Hi StalkR, thank you *very* much ! I've just seen your Python code and it's great, I gonna put as update in my post if you don't mind.

    For next step I agree it would be amazing to see the menu File -> Produce file -> Create EXE really working.

    Lets what will happen :D

    ReplyDelete
  5. Actually video was in one of this video tutorials

    http://www.woodmann.com/TiGa/idaseries.html

    Anymore, Good post

    ReplyDelete
  6. antoxar great link !
    Thank you for sharing it !

    ReplyDelete
  7. thank you so much for this guide. I'm new to using ida as well as asm, and was able to fix the exact things i needed. thanks to stalkr also, that python code works great!

    ReplyDelete
  8. Really i appreciate the effort you made to share the knowledge.The topic here i found was really effective to the topic which i was researching for a long time

    ReplyDelete