keystone-engine / keypatch

Multi-architecture assembler for IDA Pro. Powered by Keystone Engine.
http://www.keystone-engine.org/keypatch
GNU General Public License v2.0

About endian switch bug on arm ins assembly #23

Closed Ja5h0n closed 7 years ago

Ja5h0n commented 7 years ago

Recently, as a software reversing newbie, I'm trying to crack an Ali crackme.apk (attachment). I found the check function is in Android native code, so I use IDA Pro for dynamic debugging and found an anti-debug method. I need to turn around this; I need to alter the memory and didn't find a function in IDA like OllyDBG's to alter binary code by altering ASM sentences. So I'd like to thank god that I found the great works you have built, and I found some problems (big endian and little endian switch) as I tweeted you.


A little suggestion: if this were my project, I would let the endian mode be chosen by the user. If an error occurs, it can be corrected manually.

THX. TwitterFromDelphicGeek.zip

aquynh commented 7 years ago

I am looking at your libcrackme.so, but this is detected as a little endian file, not a big endian file?
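The endianness detection being discussed here can be checked directly against the ELF header. The following is an added example, not Keypatch's own code: it reads EI_DATA and e_machine from two constructed sample headers and shows the byte order a patcher must use when writing a fixed 32-bit ARM encoding (0xE3A00001, `mov r0, #1`) into each kind of file; the function names and sample headers are this example's own.

```python
import struct

EM_ARM = 40  # e_machine value for 32-bit ARM

# Constructed sample ELF headers (first 20 bytes only), not the attachments from this issue.
# Layout: magic, EI_CLASS=1 (ELF32), EI_DATA (1 = LSB, 2 = MSB), EI_VERSION, 9 bytes ABI/pad,
# then e_type (3 = ET_DYN) and e_machine, both stored in the file's own byte order.
ELF_LE_ARM = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 3, EM_ARM)
ELF_BE_ARM = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 3, EM_ARM)


def elf_endianness(data):
    """Return 'little' or 'big' from e_ident[EI_DATA]; reject anything that is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_data = data[5]
    if ei_data == 1:
        return "little"
    if ei_data == 2:
        return "big"
    raise ValueError("invalid EI_DATA value %d" % ei_data)


def elf_machine(data):
    """Read e_machine (offset 18) using the byte order the header itself declares."""
    fmt = "<H" if elf_endianness(data) == "little" else ">H"
    return struct.unpack(fmt, data[18:20])[0]


def patch_bytes(data, encoding):
    """Serialize a 32-bit ARM instruction word in the byte order the target file uses.

    Picking the wrong mode here writes the word reversed, which is the symptom of
    assembling for the wrong endianness: the patched instruction decodes as a
    different, usually nonsensical, instruction on the device.
    """
    if elf_machine(data) != EM_ARM:
        raise ValueError("this example only handles EM_ARM")
    fmt = "<I" if elf_endianness(data) == "little" else ">I"
    return struct.pack(fmt, encoding)


if __name__ == "__main__":
    MOV_R0_1 = 0xE3A00001  # ARM-mode encoding of "mov r0, #1"
    for name, hdr in (("LE sample", ELF_LE_ARM), ("BE sample", ELF_BE_ARM)):
        print(name, elf_endianness(hdr), patch_bytes(hdr, MOV_R0_1).hex())
```

With the real Keystone bindings the same decision is the KS_MODE_LITTLE_ENDIAN or KS_MODE_BIG_ENDIAN flag combined with KS_MODE_ARM; comparing the plugin's chosen mode against what the header says is a quick way to confirm a report like this one.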

aquynh commented 7 years ago

BTW, make sure you are using the latest version, Keypatch 2.1. You can verify the version from the menu Right-click -> Keypatch -> About.

Ja5h0n commented 7 years ago

The version is the latest, and the IDA Pro version is as in the attached screenshots. Indeed this is little endian, but Keypatch can't select the little endian mode. What can I do to fix it?

Ja5h0n commented 7 years ago

I used my classmate's PC (Win7 x64, no Python 3) and it seems there is no problem. My platform is Win 10 with both Python 2.7 and Python 3.6 installed; does that have some side effects?

aquynh commented 7 years ago

No, IDA uses its internal Python, which is Python 2.7.

So this is not really a bug?

You should find a big-endian binary and attach it here, so I can confirm.

Ja5h0n commented 7 years ago

Here is my test result and test examples. I tested two platforms and found differences between Win7 and Win10; it seems this problem occurs in different ways. Check it. Finally, thx for your patience~ Desktop.zip

aquynh commented 7 years ago

Fixed now, please confirm it works for you.

You just need to get the latest https://github.com/keystone-engine/keypatch/blob/master/keypatch.py from Github, then overwrite your keypatch.py in your plugin directory, then restart IDA.

Ja5h0n commented 7 years ago

It works!!! Thx, you really did great work. Actually, I really enjoyed the process of communicating with you :-)
(pls ignore my poor English expression ability)

aquynh commented 7 years ago

Great! Then give this Github repo a star if you haven't done that :-)

Ja5h0n commented 7 years ago

Absolutely, enjoy your weekend.