Exetools  

#1 Mendax47, 08-20-2021, 23:24
[NOOB QUESTION] How can I edit a function to return 1 in IDA Pro?

I have a function, sub_B2A2D0 proc near, which is very large, but this is a license check function, and if the license is valid then the function will return 1. So I want to edit the function to do only one thing, which is return 1. The opcode is C20100, but when I apply the opcode the function disappears. How can I edit it? I am very new to this stuff, so I need help... :3

#2 sendersu, 08-21-2021, 02:14
IDA is not very suitable for binary editing/patching.
For this purpose I'm using the good old (I think the best) hex editor, Hiew.

For example, I have a simple routine: http://prntscr.com/1qdbek0
I want to patch it so it'll return 1.

I'm navigating to the required address, pressing F3, then F2,
and typing (wow) asm commands
like
xor eax, eax
inc eax
retn

Here we go: http://prntscr.com/1qdbfu3
The Following 2 Users Say Thank You to sendersu For This Useful Post:
ivanov (08-21-2021), Mendax47 (08-21-2021)
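
Added example (not part of the original thread): seen from the vendor's or an incident responder's side, the entry-point edits mentioned in posts #1 and #2 show up when each function's bytes are compared against a known-good build and the new entry bytes are classified. The image bytes, offset and size below are constructed for illustration; only the name sub_B2A2D0 comes from the thread.

```python
import hashlib
from typing import Optional

# 32-bit x86 encodings of the entry-point edits mentioned in the thread.
XOR_EAX_EAX = (b"\x31\xc0", b"\x33\xc0")  # two valid encodings of xor eax, eax
INC_EAX_RETN = b"\x40\xc3"                # inc eax ; retn (0x40 is inc only in 32-bit mode)

def classify_entry(code: bytes) -> Optional[str]:
    """Label a function whose first bytes are a short return stub, else None."""
    if any(code.startswith(x + INC_EAX_RETN) for x in XOR_EAX_EAX):
        return "xor eax,eax / inc eax / retn: always returns 1"
    if len(code) >= 3 and code[0] == 0xC2:  # retn imm16
        n = int.from_bytes(code[1:3], "little")
        return f"retn {n} at entry: pops {n} extra stack byte(s), EAX is not set"
    if code[:1] == b"\xc3":
        return "retn at entry: EAX is not set"
    return None

def audit(known_good: bytes, candidate: bytes, functions: dict) -> list:
    """Compare each (offset, size) range in both images; report modified functions."""
    findings = []
    for name, (off, size) in functions.items():
        good, cand = known_good[off:off + size], candidate[off:off + size]
        if hashlib.sha256(good).digest() == hashlib.sha256(cand).digest():
            continue
        changed = [i for i, (a, b) in enumerate(zip(good, cand)) if a != b]
        # A truncated candidate can differ without any overlapping byte changing.
        first = changed[0] if changed else min(len(good), len(cand))
        findings.append({
            "function": name,
            "first_changed_offset": off + first,
            "bytes_changed": len(changed),
            "entry_stub": classify_entry(cand),
        })
    return findings

# Constructed sample: 16 bytes of padding, then a 12-byte function
# (push ebp; mov ebp,esp; sub esp,8; xor eax,eax; mov esp,ebp; pop ebp; retn).
FUNCS = {"sub_B2A2D0": (0x10, 12)}  # offset and size are assumptions
BODY = bytes.fromhex("558bec83ec0833c08be55dc3")
PAD = b"\x90" * 16
GOOD = PAD + BODY
PATCHED_STUB = PAD + bytes.fromhex("31c040c3") + BODY[4:]  # edit from post #2
PATCHED_RETN = PAD + bytes.fromhex("c20100") + BODY[3:]    # bytes from post #1

if __name__ == "__main__":
    for image in (GOOD, PATCHED_STUB, PATCHED_RETN):
        print(audit(GOOD, image, FUNCS))
```
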

#3 Stingered, 08-21-2021, 03:22
sendersu is correct. But take a look here:

https://resources.infosecinstitute.com/topic/applied-cracking-byte-patching-ida-pro/

and here:

https://github.com/keystone-engine/keypatch


Update:

In going back, for 32-bit patching, you will need to use a pre-7.0 version of IDA Pro for Keypatch to work properly (not compatible with v7.x) and 32-bit Python/Keystone. For v7.x and later, use 64-bit Python/Keystone with Keypatch.py.

Grab the latest Keypatch.py here:

https://raw.githubusercontent.com/keystone-engine/keypatch/master/keypatch.py

Last edited by Stingered; 08-22-2021 at 02:27.
The Following User Says Thank You to Stingered For This Useful Post:
Mendax47 (08-21-2021)

#4 Stingered, 08-22-2021, 03:30
Disregard my last post (or just delete it, pls).

OK, I got this working on 32-bit and 64-bit IDA Pro v7.2.

1. Install the latest Python 2 release, Python 2.7.18, from here:
   https://www.python.org/downloads/windows/
   Installer: python-2.7.18.amd64.msi
2. Once installed, add c:\Python27 to your OS path.
3. Run cmd.exe as administrator.
4. Go to c:\python27\scripts.
5. Run:
   pip install keystone-engine --pre
   then
   pip install six
6. Save the latest Keypatch.py from here:
   https://raw.githubusercontent.com/keystone-engine/keypatch/master/keypatch.py
7. Copy it to \program files\[your IDA Pro install DIR]\plugins
8. Load IDA Pro and check for "Ctrl-Alt-K", and check for errors.
9. Load a test .EXE file, highlight a function and use the Ctrl-Alt-K keystroke to load the Keypatch dialog.

That's it.

Last edited by Stingered; 08-22-2021 at 03:31. Reason: update
The Following 2 Users Say Thank You to Stingered For This Useful Post:
Mendax47 (08-22-2021), niculaita (08-22-2021)

#5 niculaita, 08-22-2021, 04:48
Why not with 3.9.x?
__________________
Decode and Conquer

#6 sendersu, 08-22-2021, 05:53
Because Python 2 never dies! (In fact, it has been dead and unsupported for many years)...


https://www.python.org/dev/peps/pep-0404/


Official pronouncement
Rule number six: there is no official Python 2.8 release. There never will be an official Python 2.8 release. It is an ex-release. Python 2.7 is the end of the Python 2 line of development.

Upgrade path
The official upgrade path from Python 2.7 is to Python 3.
The Following 2 Users Say Thank You to sendersu For This Useful Post:
Mendax47 (08-22-2021), Stingered (08-22-2021)

#7 Stingered, 08-22-2021, 09:38
Quote:
Originally Posted by niculaita
why not with 3.9.x?

Probably not an issue, I think just because when it was released that was the version?
The Following User Says Thank You to Stingered For This Useful Post:
niculaita (08-22-2021)

All times are GMT +8.