7

Is it possible to paste a series of bytes into hex view of IDA? Say I have a large buffer I need to fill with a specific value, and I have it in the form most hex editors output... 0A AB EF FF 00 01... is there some quick way to write this value to a segment of the hex view? Or do this through IDAPython?

Edit:

Solved using PatchByte as suggested below:

def PatchArr(dest, str):
  for i, c in enumerate(str):
    idc.PatchByte(dest+i, ord(c));

# usage: patchArr(start address, string of bytes to write)
patchArr(0xCAFEBABE, "\x01\x02\x03")

Note that I am not a fan of edits to volatile debug memory causing IDA to complain about the IDB being patched post-debug...

Ditmar Wendt
  • 547
  • 1
  • 7
  • 15

3 Answers3

8

While in IDA's Hex View you can go to Edit->Patch Program->Change Byte, but I think this only lets you patch 16 bytes at a time. If you need to patch more bytes than that you can use IDAPython's idc.PatchByte / idc.PatchWord / idc.PatchDword to change bytes in the IDA database.

EDIT:

Just a quick note, if you want your patches applied to the original file that you loaded into IDA, you need to go to Edit->Patch Program->Apply patches to input file after you patch the bytes in the idb.

devttys0
  • 2,714
  • 13
  • 10
  • Thanks! Got a python solution working thanks to this. Of course changing single bytes by hand is way too slow, was the reason I asked this question. – Ditmar Wendt Oct 24 '13 at 18:57
3

Below are two functions from fwrapper that give examples on how to patch IDBs and import data from a file. I'd recommend checking out the code. I use it all the time for samples that decodes/decrypts data or when I have to manually dump a block of memory and patch an IDB.

def patch(self, temp = None):
    '''patch idb with data in fwrapper.buffer'''
    if temp != None:
            self.buffer = temp
    for index, byte in enumerate(self.buffer):
         PatchByte(self.start+index, ord(byte))

def importb(self):
    '''import file to save to buffer'''
    fileName = AskFile(0, "*.*", 'Import File')
    try:
        self.buffer = open(fileName, 'rb').read()
    except:
        sys.stdout.write('ERROR: Cannot access file')
alexanderh
  • 1,062
  • 8
  • 14
1

Even though this has been answered, IDA is meant as a debugger. Not as a patching tool, this has to do a lot with how IDA stores works. IDA creates a database file that allows you to remove the exe after loading it first. This can be really useful when you work with intellectual property / malware. I would recommend to use ImmDBG for your patching needs.

Stolas
  • 2,331
  • 14
  • 34
  • Is that a typo? You mean to say that IDA is not meant as a debugger, right? Of course not, it IS meant to interface with various debuggers. IDA not being able to understand a memory segment is unimportant/patching should not be stored in the IDB is a legitimate bug. ImmDBG is a completely seperate use case, and the platforms it supports are very limited in comparison. – Ditmar Wendt Oct 25 '13 at 13:16
  • Indeed I am sorry, it is more a brainfart then anything else. The most important thing I meant to say is that IDA is a tool you need to analyse software not crack it. – Stolas Oct 25 '13 at 22:12