View Full Version : Patching with IDA Pro


Palish
April 18th, 2006, 16:13
Hey all, I'm new to the forums. The search feature didn't turn out anything useful for this particular question, so I thought I'd ask...

In IDA Pro 4.xx (I forget the exact version I have, I'm at work right now, will check when I get home) is there a way to actually alter the hex of the program being disassembled inside of IDA? The steps I use to test a patch right now seem horribly inefficient:

1) Run IDA pro, disassemble a file. Locate an instruction I want to patch to a different instruction.

2) Open up the hex view panel, gather a large sample of hex values to do a search with. These sample hex values are just before the instruction I want to patch.

3) Copy these hex values of the instructions into WinHex, or some other hex editor, and find it.

4) Patch the instruction to a different instruction in this hex editor.

5) Save, test patch.

Now, this is okay, but the real pain is after I save the patch to the exe. IDA pro doesn't detect that I changed the exe, so I have to open up another instance of IDA pro and disassemble AGAIN, so that it reflects the change. Ideally, it would automatically detect that I altered the exe and update the assembly instructions realtime to show me what the assembly looks like of what I just did, without re-disassembling the whole exe.

So my question really is two things:

1) Is there a way to alter the hex of an exe directly in IDA Pro 4.xx?

Or

2) Is there a way for IDA pro to detect changes to the exe and reflect the changes without having to re-disassemble the whole exe?

Thanks,
Shawn

tom324
April 18th, 2006, 16:30
JMI will explain it to you in detail, but you obviously did not search before posting this.

HINT: PE utilities, Atli Mar Gudmundsson

Tom

squidge
April 18th, 2006, 16:31
Don't know if there's the features you're asking for, but there's an easier way to patch than what you state.

Either: Use OllyDbg along with IDA (you can convert the IDA database to OllyDbg format to get all the labels, etc). That way you can search in IDA, and when you find something you want to modify, just go to that address in OllyDbg and modify. Changes are shown immediately in OllyDbg.

Or... On the instruction(s) you want to modify, rather than searching for the hex, just note down the file offset (it's shown in the bottom bar), go to this address in your favourite hex editor and patch. No need for search.

I prefer the OllyDbg approach, as you don't have to enter hex - you can enter straight assembler, so you know when you got it right. I only bother with a hex editor if I think the only patch needed is a Jcc to JMP or NOP; anything more complicated gets OllyDbg'd.

Palish
April 18th, 2006, 16:34
Once it's modified though, I have to re-disassemble it in IDA for IDA to reflect the modification, right?

tom324
April 18th, 2006, 16:36
With PE utilities you can create new exe after each modification in IDA database.

Tom

squidge
April 18th, 2006, 17:03
For small changes like the ones you do in a hex editor, why do you want ida to show the changes anyway? Surely you can remember those changes in your head?

Palish
April 18th, 2006, 17:05
Sure. But it looks like OllyDbg does exactly what I want. So I'll use that.

SiGiNT
April 19th, 2006, 01:24
Don't throw IDA away! IDA has a patch program function, but (for me anyway) it won't write an exe file. Using the patch code option, just change IDA to reflect your changes and save when exiting. I usually don't do this; my preference is to always have a reference disassembly of the virgin file. If patch code doesn't show in your menus, you can enable it in idagui.cfg: just change 0 to 1, if I recall.

SiGiNT

dELTA
April 19th, 2006, 15:04
See this:

http://www.woodmann.com/forum/showthread.php?t=3670

After exporting the diff file, simply use a generic diff file patcher to apply the patch (or even to generate an automatic patcher for your exact values).
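
The "generic diff file patcher" mentioned in the last post, sketched as an added example that is not part of the original thread and is not code from IDA or any poster. It assumes the exported diff is plain text with one `OFFSET: OLD NEW` line per changed byte (all hex); the sample diff, the file name `target.exe` and the byte values are constructed.

```python
import re

# Constructed sample. Assumed layout: banner line, blank line, file name,
# then one "OFFSET: OLD NEW" line (hex) per changed byte.
SAMPLE_DIF = """This difference file has been created by IDA

target.exe
00000004: 74 EB
00000005: 05 90
"""

DIF_LINE = re.compile(r"^([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def parse_dif(text):
    """Return a list of (file_offset, original_byte, patched_byte)."""
    changes = []
    for line in text.splitlines():
        m = DIF_LINE.match(line)
        if m:  # banner, blank and file-name lines do not match and are skipped
            changes.append(tuple(int(g, 16) for g in m.groups()))
    return changes


def apply_dif(image, changes, revert=False):
    """Patch a copy of image; refuse if any byte differs from what the diff expects."""
    out = bytearray(image)
    for offset, old, new in changes:
        expect, write = (new, old) if revert else (old, new)
        if offset >= len(out):
            raise ValueError(f"offset {offset:#x} is past the end of the file")
        if out[offset] != expect:
            # Wrong file, wrong version, or the patch was already applied.
            raise ValueError(
                f"byte at {offset:#x} is {out[offset]:02X}, expected {expect:02X}")
        out[offset] = write
    return bytes(out)  # the input is never modified, so a failed run changes nothing


if __name__ == "__main__":
    # Constructed stand-in for the exe contents (Jcc at offset 4).
    original = bytes([0x90, 0x90, 0x85, 0xC0, 0x74, 0x05, 0xC3])
    patched = apply_dif(original, parse_dif(SAMPLE_DIF))
    print(patched.hex(" "))
    print(apply_dif(patched, parse_dif(SAMPLE_DIF), revert=True) == original)
```

Checking the original byte before each write is what lets the same diff be reverted, and it keeps the untouched exe available as the reference copy SiGiNT prefers.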