Although IDA is mostly intended to be used for static analysis, i.e. simply looking at unaltered binaries, there are times you do need to make some changes. For example, you can use it to fix up some obfuscated instructions to clean up the code flow or decompiler output, or change some constants used in the program.
Patching bytes
Individual byte values can be patched via the Edit > Patch program > Change byte… command.
You can change up to 16 bytes at a time but you don’t have to enter all sixteen – the remaining ones will remain unchanged.
Assembling instructions
Edit > Patch program > Assemble… is available only for the x86 processor and currently only supports a subset of 32-bit x86 but it still may be useful in simple situations. For example, the nop
instruction is the same in all processor mode so you can still use it to patch out unnecessary instructions.
Patched bytes view
Available either under Edit > Patch program or in View > Open subviews submenus, this list view shows the list of the patched locations in the database and allows you to revert changes in any of them.
Patching the input file
All the patch commands only affect the contents of the database. The input file always remains unaffected by any change in the database. But in the rare case when you do need to update the input file on disk, you can use Edit > Patch program > Apply patches to input file…
Creating a difference file
File > Produce file > Create DIF File… outputs a list of patched location into a simple text file which can then be used to patch the input file manually in a hex editor or using a third party tool.
Patching during debugging
During debugging, patching still does not affect the input file, however it does affect the program memory if the location being patched belong to a currently mapped memory area. So you can, for example, change instructions or data to see how the program behaves in such situation.
Third party solutions
If the basic patching features do not quite meet your requirements, you can try the following third party plugins:
- IDA Patcher by Peter Kacherginsky, a submission to our 2014 plugin contest
- KeyPatch by the Keystone Engine project, a winner of the 2016 contest
See also: IDA Help: Edit|Patch core submenu