Reverse Engineering Team Board > General Forum
#1  08-04-2012, 03:58 AM  oxident (Member, joined Jul 2011, 49 posts)
How to assemble in IDA?

Hi!

I'm making huge progress in learning IDA and I'm already able to break simple protections, but one thing remains unclear to me:

If I need to alter the control flow of a target (by changing JZs to JMPs, for example), I still haven't figured out how to do this easily within IDA. I know that I can use the "Patch"->"Assemble" command, but whenever I try to use it, the resulting opcodes won't fit.

If I need to change an instruction like JNZ short loc_xyz to JZ short loc_xyz, IDA always translates this to a near or far jump, resulting in a bigger instruction and therefore overwriting subsequent instructions :-(

Does anyone know what I'm missing here?

Thanks!
#2  08-04-2012, 07:05 AM  Git (Super Moderator, Torino, joined Oct 2007, 1,797 posts)

You're not missing anything. You have to find a way to make your changes smaller, or relocate them to a hole somewhere.

Git
#3  08-04-2012, 07:12 AM  pivasik (Senior Member, joined Dec 2007, 305 posts)

Use Patch byte instead of Patch assemble, or use F2 in the Hex view to patch in memory.
__________________
Want something for free? Do it yourself!
Have a problem? Ask Google before posting.
#4  08-04-2012, 10:22 AM  oxident (Member, joined Jul 2011, 49 posts)

Quote (originally posted by Git):
> You have to find a way to make your changes smaller, or relocate them to a hole somewhere.

Yes, that's quite clear to me. But switching from a JNZ to a JMP with the same destination shouldn't change the instruction size, should it?

Quote (originally posted by pivasik):
> Use Patch byte instead of Patch assemble, or use F2 in the Hex view to patch in memory.

That's exactly how I do it for now, but it's quite uncomfortable, especially for beginners, to look up the opcodes for the mnemonics. Another problem is that IDA often crashes while redrawing the flow chart after direct memory patching.

Isn't there a way to do it just like it's done in Olly? I mean, Olly even fills resulting gaps with NOPs ...
#5  08-04-2012, 01:14 PM  pivasik (Senior Member, joined Dec 2007, 305 posts)

Changing jz/jnz to jmp is obvious: just patch the first byte to EB.
To prevent the crash, do not use graph view, or press Space to switch to plain text view.
#6  08-04-2012, 03:14 PM  oxident (Member, joined Jul 2011, 49 posts)

Okay, thanks for the hint. It's really stable if I switch to text view. So I guess having a printed reference on the desk with all relevant opcodes is still mandatory.
#7  08-04-2012, 05:14 PM  Git (Super Moderator, Torino, joined Oct 2007, 1,797 posts)

Yes, text view is usually better; you can use Hex-Rays if you want to see structure. I usually keep at least 7 or 8 bytes of instructions visible. Make sure you have the line:

DISPLAY_PATCH_SUBMENU = YES

in cfg\idagui.cfg. That will enable the byte patching menu. And yes, I wouldn't be without the Intel opcode/assembler manuals.

Git

Last edited by Git : 08-05-2012 at 07:19 AM.
#8  08-05-2012, 02:31 AM  pivasik (Senior Member, joined Dec 2007, 305 posts)

Exactly, there are only a few opcodes you will use often:
EB - jmp short
90 - nop
C2 xx / C3 - ret
31/33 - xor
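The size problem the thread is about, worked through in code. This is an added example, not code from the thread or from IDA: a small pure-Python patcher that does the byte-level edits posts #5 and #8 describe (JNZ to JZ by flipping the condition bit, JNZ to JMP by writing EB, NOP-filling a freed gap) while checking that the replacement is exactly as long as the original, and refusing when an assembler-style "shortest encoding" would need more bytes than the slot has. Offsets into a flat byte string stand in for addresses, and the two sample byte strings are constructed for the example.

```python
NOP, JMP_SHORT, JMP_NEAR = 0x90, 0xEB, 0xE9

# Constructed sample, not from the thread: cmp eax,1 ; jnz short +0x10 ; mov eax,1 ; ret
SAMPLE_SHORT = bytes.fromhex("83f801" "7510" "b801000000" "c3")
# Constructed sample with the 6-byte near form: cmp eax,1 ; jnz near +0x100 ; ret
SAMPLE_NEAR = bytes.fromhex("83f801" "0f8500010000" "c3")


def jump_length(code, off):
    """Encoded length of the jmp/jcc at code[off]; raises if there is none."""
    op = code[off]
    if op == JMP_SHORT or 0x70 <= op <= 0x7F:
        return 2                    # EB rel8 / 7x rel8
    if op == JMP_NEAR:
        return 5                    # E9 rel32
    if op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        return 6                    # 0F 8x rel32
    raise ValueError("no jump at offset 0x%x" % off)


def jump_target(code, off):
    """Target offset of the jump at off (the displacement counts from the end of the instruction)."""
    n = jump_length(code, off)
    start, size = (off + 2, 4) if n == 6 else (off + 1, n - 1)
    rel = int.from_bytes(code[start:start + size], "little", signed=True)
    return off + n + rel


def invert_condition(code, off):
    """jz<->jnz, jb<->jae, ...: the condition code is the low nibble of the
    opcode (7x or 0F 8x) and flipping its bit 0 inverts it. Same size, same target."""
    out = bytearray(code)
    n = jump_length(out, off)
    if n == 2 and out[off] != JMP_SHORT:
        out[off] ^= 1
    elif n == 6:
        out[off + 1] ^= 1
    else:
        raise ValueError("unconditional jump at 0x%x has no condition" % off)
    return bytes(out)


def make_unconditional(code, off):
    """jcc -> jmp to the same target without changing the byte count.
    Short form: opcode becomes EB (post #5). Near form: 0F 8x rel32 (6 bytes)
    becomes E9 rel32 (5 bytes); the instruction now ends one byte earlier, so
    the displacement grows by 1 and the spare byte becomes a NOP."""
    out = bytearray(code)
    n = jump_length(out, off)
    if n == 2:
        out[off] = JMP_SHORT
    elif n == 6:
        rel = int.from_bytes(out[off + 2:off + 6], "little", signed=True)
        out[off] = JMP_NEAR
        out[off + 1:off + 5] = (rel + 1).to_bytes(4, "little", signed=True)
        out[off + 5] = NOP
    return bytes(out)


def make_never_taken(code, off):
    """Drop the branch: overwrite the whole jump with NOPs (90)."""
    out = bytearray(code)
    n = jump_length(out, off)
    out[off:off + n] = bytes([NOP]) * n
    return bytes(out)


def encode_jmp(src, target):
    """Smallest jmp from src to target: EB rel8 if it fits, else E9 rel32.
    This is the choice an assembler makes when it is not told the size,
    which is how a 2-byte slot ends up asking for 5 bytes."""
    rel = target - (src + 2)
    if -128 <= rel <= 127:
        return bytes([JMP_SHORT]) + rel.to_bytes(1, "little", signed=True)
    return bytes([JMP_NEAR]) + (target - (src + 5)).to_bytes(4, "little", signed=True)


def patch_jmp_to(code, off, target):
    """Replace the jump at off with a jmp to target. Refuse if the encoding is
    longer than the original (it would clobber the next instruction); pad with
    NOPs if it is shorter, the way Olly fills the gap."""
    out = bytearray(code)
    n = jump_length(out, off)
    enc = encode_jmp(off, target)
    if len(enc) > n:
        raise ValueError("jmp to 0x%x needs %d bytes, only %d available"
                         % (target, len(enc), n))
    out[off:off + len(enc)] = enc
    out[off + len(enc):off + n] = bytes([NOP]) * (n - len(enc))
    return bytes(out)
```

The same rules carry over to Patch byte in IDA: a conditional short jump and its inverse differ only in bit 0 of the opcode, EB keeps the two-byte size, and anything that must grow has to be moved to a code cave and reached with a jump that fits in the original slot.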