
New and trying to learn


btb33
April 17th, 2010, 11:27
I've read the FAQs and think I've come quite a long way, but I'm stuck and would appreciate a pointer in the right direction.

I'm patching a file: it's a DLL that runs under WinCE on an SH-4 processor. So far I've found the only program that will disassemble it is IDA, but that's OK; I've got it loaded up and I've made the change, and now I want to save my change.

I know IDA doesn't re-assemble, so I've tried OllyDbg, but it won't load my WinCE DLL. I think the only way I can patch this file now is to change the hex code. I've tried to work out how to make the change using a hex editor, but can't figure it out. I know the offset and I can find the original hex code for that location, but how do I get the new hex code?

The line I have in IDA is for example like this:
Code:
text54:03263860 mov.l off_32638A8, r4

and I want to change it to say this, just a one digit change:
Code:
text54:03263860 mov.l off_3263898, r4


The hex code for the original line is "11 D4 0B D0 02 63 0B 43 09 00 10 D2 22 61 0B 41". I've spent hours trying to work out how to get the hex code for the alteration. I've come to the conclusion I must be missing something, but I'm going round in circles now.

Is there a way for me to find the new hex code?

I've also tried to produce a diff file, but when I do it's empty, just the identifier and file name.

Darkelf
April 17th, 2010, 12:54
Hi,

You can patch it with IDA.
Open the file idagui.cfg, which is in the cfg folder, and navigate to DISPLAY_PATCH_SUBMENU = NO.
Change it to
DISPLAY_PATCH_SUBMENU = YES
After that, you can patch with IDA.

darkelf

btb33
April 17th, 2010, 13:07
Hi, Thanks for your reply.

I should have said before that I had already tried that. The patch menu gives three options: change byte, change word, or assemble. To change a byte I seem to need to know the new hex code for the new line, ditto for a word, and I don't know how to work this out. It won't allow me to assemble because that's not supported in SH-4 processor mode.

Is there some way to find the new hex code for the altered line?

Darkelf
April 17th, 2010, 13:20
Well, in this case you should get yourself a copy of the SH programming manual from Hitachi. Since it's AFAIK no longer offered on the company's site, here is a link:

http://mc.pp.se/dc/files/h14tp003d2.pdf

The opcodes are there in binary.
It's a 412-page manual. Seems to be quite a lot of fun.

Nah, serious - it contains everything you need.

darkelf

btb33
April 17th, 2010, 15:10
Is that how you patch a DLL?

Darkelf
April 17th, 2010, 15:56
Pardon?
What are you talking about? What more do you want?
I gave you a link to a programming manual where you can find the opcodes. They are in binary, so convert them to hex. You said the following:

Quote:

I know the offset and I can find the original hex code for that location, but how do I get the new hex code?


So what's the matter? You have the place, the original hex (that you want to replace), and you have a manual where you can look up the new opcode. Did I miss something? Just fire up your favourite hex editor and replace the old with the new one. Where are you stuck?

Edit: I guess I should give you an example.
Say you want to change a branch destination. You may have something like this:
Code:
0x18008 BT 0x18018

Let's see: we have a Branch if True, which has (according to the manual) the opcode 10001001, which is 0x89 in hex. It jumps 0x10 bytes from our current position (0x18008). First, we'll have a look at what the full instruction looks like. A complete instruction for SH-4 is 2 bytes long. The first byte of our instruction is 0x89 (we know that already).

Let's compute the second byte: a branch to itself is, in SH-4 flavour, 89FE (like EBFE in x86). OK, incrementing 0xFE by 1 means jumping over ONE complete instruction (2 bytes). So 0xFF = +2 bytes, 0x00 = +4 bytes, 0x01 = +6 bytes and so on. We need +16 (0x10) bytes, therefore our second operand is 06. The complete instruction is 8906. When opened in a hex editor you will see it as 0689, as it's little endian. If you want the instruction to jump 0x16 bytes instead of 0x10, just change "06" to "09". You see, it's really simple. Note that the furthest possible jump is 0x7F and the furthest jump backwards is 0x80. Hope that helps.
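The same hand-encoding applies to btb33's original question (a `mov.l off_32638A8, r4`, i.e. MOV.L @(disp,PC),Rn, at 0x03263860) and to Darkelf's BT example above. The script below is an added example written for this thread; it is not code posted by either participant. It takes the SH-4 encodings from the programming manual linked above: MOV.L @(disp,PC),Rn is `1101 nnnn dddd dddd` and loads the long word at (PC & ~3) + 4 + disp*4 with an unsigned displacement, while BT and BF are `1000 1001 dddd dddd` and `1000 1011 dddd dddd` and branch to PC + 4 + disp*2 with a signed displacement, PC being the address of the instruction itself. The 16 bytes are the ones btb33 posted; the assumption that they start exactly at 0x03263860 is mine. Applied to that dump, the first word 11 D4 (little-endian, so D411) is MOV.L with Rn = 4 and disp = 0x11, which indeed resolves to 0x032638A8; pointing it at 0x03263898 needs disp = 0x0D, so the bytes to write are 0D D4, a change of more than one hex digit even though only one digit moves in the disassembly.

```python
"""Hand-encoding SH-4 PC-relative instructions for a hex-editor patch.

Added example for this thread, not code from btb33 or Darkelf.  Encodings
(from the SH-4 programming manual linked in the thread):

  MOV.L @(disp,PC),Rn   1101 nnnn dddd dddd   loads from (PC & ~3) + 4 + disp*4
  BT    label           1000 1001 dddd dddd   branches to PC + 4 + disp*2
  BF    label           1000 1011 dddd dddd   same displacement rule as BT

PC is the address of the instruction itself.  The MOV.L displacement is
unsigned, the BT/BF displacement is a signed byte.  Words are stored
little-endian in the file, so D411 shows up in a hex editor as 11 D4.
"""
import struct


def encode_movl_pc(pc, target, rn):
    """Encode MOV.L @(disp,PC),Rn so that it loads the long word at `target`."""
    base = (pc & ~3) + 4                 # PC is rounded down to a 4-byte boundary
    delta = target - base
    if delta < 0 or delta % 4 or delta // 4 > 0xFF:
        raise ValueError(f"{target:#x} is not reachable from {pc:#x}")
    return 0xD000 | (rn << 8) | (delta // 4)


def decode_movl_pc(pc, word):
    """Return (rn, literal_address) for a MOV.L @(disp,PC),Rn word."""
    if word & 0xF000 != 0xD000:
        raise ValueError(f"{word:#06x} is not MOV.L @(disp,PC),Rn")
    rn = (word >> 8) & 0xF
    return rn, (pc & ~3) + 4 + (word & 0xFF) * 4


def encode_branch(pc, target, taken=True):
    """Encode BT (taken=True) or BF (taken=False) from `pc` to `target`."""
    delta = target - (pc + 4)
    if delta % 2:
        raise ValueError("SH-4 instructions are 2-byte aligned")
    disp = delta // 2
    if not -128 <= disp <= 127:          # displacement byte 0x80 .. 0x7F
        raise ValueError(f"{target:#x} is out of BT/BF range from {pc:#x}")
    return (0x8900 if taken else 0x8B00) | (disp & 0xFF)


def decode_branch(pc, word):
    """Return ('BT' or 'BF', target) for a BT/BF word."""
    mnemonic = {0x8900: "BT", 0x8B00: "BF"}.get(word & 0xFF00)
    if mnemonic is None:
        raise ValueError(f"{word:#06x} is not BT/BF")
    disp = word & 0xFF
    if disp >= 0x80:                     # sign-extend the 8-bit displacement
        disp -= 0x100
    return mnemonic, pc + 4 + disp * 2


def patch_word(image, image_base, address, new_word):
    """Overwrite the 16-bit instruction at `address`; return the old word."""
    off = address - image_base
    old = struct.unpack_from("<H", image, off)[0]
    struct.pack_into("<H", image, off, new_word)
    return old


def retarget_movl(image, image_base, address, new_target):
    """Point the MOV.L @(disp,PC),Rn at `address` to `new_target`, keeping Rn."""
    old = struct.unpack_from("<H", image, address - image_base)[0]
    rn, _ = decode_movl_pc(address, old)
    new = encode_movl_pc(address, new_target, rn)
    patch_word(image, image_base, address, new)
    return old, new


# Sample input: the 16 bytes btb33 posted; the base address is an assumption.
IMAGE_BASE = 0x03263860
SAMPLE = bytearray.fromhex("11 D4 0B D0 02 63 0B 43 09 00 10 D2 22 61 0B 41")


def patch_sample():
    """Retarget the first instruction from off_32638A8 to off_3263898."""
    image = bytearray(SAMPLE)
    old, new = retarget_movl(image, IMAGE_BASE, 0x03263860, 0x03263898)
    return old, new, image[:2].hex(" ").upper()


if __name__ == "__main__":
    rn, lit = decode_movl_pc(0x03263860, 0xD411)
    print(f"D411 at 03263860 is mov.l @(disp,PC), r{rn}; literal at {lit:#010x}")
    old, new, shown = patch_sample()
    print(f"patched {old:04X} -> {new:04X}; the hex editor shows {shown}")
    print(f"BT 0x18018 from 0x18008 encodes as {encode_branch(0x18008, 0x18018):04X}")
```

Two checks worth doing before writing the bytes back: the new literal address must be 4-byte aligned and no more than 0x3FC bytes past (PC & ~3) + 4, which is what `encode_movl_pc` enforces, and the long word sitting at that address must actually be the pointer you expect, since the instruction loads whatever is in the literal pool there. After saving, reload the patched DLL in IDA and confirm the disassembly at 0x03263860 now reads `mov.l off_3263898, r4`.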