View Full Version : How to assemble in IDA?


oxident
08-04-2012, 03:58 AM
Hi!

I'm making huge progress in learning IDA and I'm already able to break simple protections but one thing remains unclear to me:

If I need to alter the control flow of a target (by changing JZs to JMPs for example) I still haven't figured out how to do this easily within IDA. I know that I can use the "Patch"->"Assemble" command but whenever I try to use it, the resulting opcodes won't fit.

If I need to change an instruction like JNZ short loc_xyz to JZ short loc_xyz, IDA always translates this to a near or far jump, resulting in a bigger instruction and therefore overwriting subsequent instructions :-(

Does anyone know what I'm missing here?

Thanks!

Git
08-04-2012, 07:05 AM
You're not missing anything. You have to find a way to make your changes smaller, or relocate them to a hole somewhere.

Git

pivasik
08-04-2012, 07:12 AM
use patch byte instead of patch assemble or use F2 in the Hex view to in-memory patch.

oxident
08-04-2012, 10:22 AM
You have to find way to make your changes smaller, or relocate them to a hole somewhere.
Yes, that's quite clear to me. But switching from a JNZ to a JMP with the same destination shouldn't change the instruction size, should it?

use patch byte instead of patch assemble or use F2 in the Hex view to in-memory patch.
That's exactly how I do it for now but it's quite uncomfortable, especially for beginners to look up the opcodes for the mnemonics. Another problem is that IDA often crashes while redrawing the flow chart after direct memory patching.

Isn't there a way to do it just like it's done in Olly? I mean, Olly even fills resulting gaps with NOPs ...

pivasik
08-04-2012, 01:14 PM
Changing jz/jnz to jmp is obvious, just patch first byte to EB.
To prevent crash do not use graph view or press Space to switch to plain text view.

oxident
08-04-2012, 03:14 PM
Okay, thanks for the hint. It's really stable if I switch to text view. So I guess, having a printed reference on desk with all relevant opcodes is still mandatory ;)

Git
08-04-2012, 05:14 PM
Yes, text view is usually better, you can use hexrays if you want to see structure. I usually use at least 7 or 8 bytes of instructions visible. Make sure you have the line:

DISPLAY_PATCH_SUBMENU = YES

in cfg\idagui.cfg . That will enable the byte patching menu. And yes, I wouldn't be without the Intel opcode/assembler manuals :)

Git

pivasik
08-05-2012, 02:31 AM
Exactly, only few opcodes you will use often.
EB - jmp short
90 - nop
C2 xx / C3 - ret
31/33 - xor
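The byte-level patching described in this thread (flip a short JZ/JNZ, rewrite a conditional jump as an unconditional one with the first byte EB, and fill any leftover bytes with 90 so the following instruction is not clobbered), worked through as an added example on a constructed x86 code buffer. This is not code from the thread or from IDA; it does not use IDAPython, and the sample bytes, offsets and function names are made up for illustration. It also goes one step beyond the thread by handling the 6-byte near form (0F 84 rel32) that IDA's assembler produces, re-basing the displacement when it is shortened to E9 rel32 plus one NOP.

```python
"""Byte-level x86 jump patching on an in-memory code buffer (added example).

The buffer below is constructed for this example: a small fragment with a
short JNZ, a short JZ and a 6-byte near JZ that all target the final RET.
"""

# Opcodes named in the thread plus the near forms IDA's assembler emits.
JZ_SHORT, JNZ_SHORT, JMP_SHORT, NOP = 0x74, 0x75, 0xEB, 0x90
JMP_NEAR = 0xE9            # jmp rel32, 5 bytes
TWO_BYTE_ESCAPE = 0x0F     # first byte of near conditional jumps (0F 8x rel32)

# Constructed sample fragment (offsets on the left are buffer offsets):
CODE = bytearray(bytes.fromhex(
    "83F801"        # 0x00: cmp eax, 1
    "750A"          # 0x03: jnz short 0x0F
    "7408"          # 0x05: jz  short 0x0F
    "0F8402000000"  # 0x07: jz  near  0x0F   (6-byte form, rel32 = 2)
    "31C0"          # 0x0D: xor eax, eax
    "C3"            # 0x0F: ret
))


def jump_target(code, off):
    """Return (instruction_length, absolute target offset) for a jcc/jmp at `off`."""
    op = code[off]
    if op == JMP_SHORT or 0x70 <= op <= 0x7F:           # short jmp / short jcc
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return 2, off + 2 + rel
    if op == JMP_NEAR:                                    # jmp rel32
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return 5, off + 5 + rel
    if op == TWO_BYTE_ESCAPE and 0x80 <= code[off + 1] <= 0x8F:  # jcc rel32
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        return 6, off + 6 + rel
    raise ValueError(f"no jump at offset {off:#x}")


def patch_in_place(code, off, old_len, new_bytes):
    """Overwrite an old_len-byte instruction with new_bytes, NOP-padding the rest.

    Refuses a replacement longer than the slot: that is exactly the case where
    Patch->Assemble would overwrite the next instruction.
    """
    if len(new_bytes) > old_len:
        raise ValueError(f"{len(new_bytes)}-byte replacement does not fit in {old_len} bytes")
    code[off:off + old_len] = bytes(new_bytes) + bytes([NOP]) * (old_len - len(new_bytes))
    return code


def invert_short_jcc(code, off):
    """JZ<->JNZ (and every other short jcc pair) by flipping the low opcode bit.

    The instruction stays 2 bytes, so nothing after it moves.
    """
    op = code[off]
    if not 0x70 <= op <= 0x7F:
        raise ValueError("not a short conditional jump")
    code[off] = op ^ 0x01
    return code


def force_jump(code, off):
    """Make a conditional jump unconditional while keeping its target.

    Short jcc: patch the first byte to EB, as suggested in the thread.
    Near jcc (6 bytes): emit jmp rel32 (5 bytes) plus one NOP. The new
    instruction ends one byte earlier, so the displacement grows by one.
    """
    length, target = jump_target(code, off)
    if length == 2:
        code[off] = JMP_SHORT
    elif length == 6:
        rel = target - (off + 5)
        patch_in_place(code, off, 6, bytes([JMP_NEAR]) + rel.to_bytes(4, "little", signed=True))
    else:
        raise ValueError("already an unconditional jump")
    assert jump_target(code, off)[1] == target   # target preserved after the patch
    return code


if __name__ == "__main__":
    patched = force_jump(invert_short_jcc(bytearray(CODE), 3), 7)
    print(patched.hex(" "))
```

The same byte edits can be applied in IDA through the Hex view (F2) or Patch->Patch byte; the point of `jump_target` is the check a practitioner should do after any such edit: the jump's destination must be the same before and after, and the buffer must not have grown.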