IDA 8.4

Patch core

This submenu allows you to patch the image of the input file. More precisely, IDA never modifies the input file. The image of the input file which was loaded to the database will be modified.

You can modify the image of the input file:

        - change a byte
        - change a word
        - enter an assembler instruction (only for IBM PC)

IDA will display the original value, the current value and file offset. If the file offset is equal to 0xFFFFFFFF then the current byte comes from a compressed page (LX/LE/NE iterated pages, for example) and/or it is not possible to tell the file position.

You can create a difference file and use an external tool to apply the patches or you can apply the patches directly to the file using IDA.

The following commands are available:

See also:

Patching the Image

Action    name: PatchByte, PatchWord

You can modify the executable file and eventually generate a new file.

If you patch bytes, then you may enter multiple bytes. Follow this link to learn about format of the input string.

If this command is invoked when the debugger is active, then IDA will modify the memory and the database. If the database does not contain the patched bytes, then only the process memory will be modified.

You can create a difference file too.

See also How to Enter a Number.

Apply patches to input file

Action    name: ApplyPatches

Apply previously patched bytes back to the input file. If the "Restore" option is selected then the original bytes will be applied to the input file.

See also Produce DIF file.

Binary string format

It is possible to enter a sequence of the following items:

  - a number in the selected radix (hexadecimal, decimal or octal)
  - a string constant: "string"
  - a Unicode string constant: L"unicode string"
  - a question mark '?' to ignore variable bytes

The sequence must be separated by a space or a comma.

An entered number will occupy the minimal number of bytes it fits in with the restriction that the number of bytes is a power of 2 (1, 2, or 4 bytes).

Two question marks without a space between them are the same as one question mark. One question mark corresponds to one CPU byte. One CPU byte may consist of multiple octets for a wide-byte CPU, like TMS320C28.

Example:

  CD 21          - bytes 0xCD, 0x21
  21CD           - bytes 0xCD, 0x21 (the order depends on the endiannes)
  "Hello", 0     - the null terminated string "Hello"
  L"Hello"       - 'H', 0, 'e', 0, 'l', 0, 'l', 0, 'o', 0
  B8 ? ? ? ? 90  - byte 0xB8, 4 bytes with any value, byte 0x90

Assemble an instruction

Action    name: Assemble

This command allows you to assemble instructions. Currently, only the IBM PC processors provide an assembler, nonetheless, plugin writers can extend or totally replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets. For example:

        mov ax, [counter]

Also, the keyword 'offset' must not be used. Instead of

        mov eax, offset name

you must write

        mov eax, name

See also How to Enter a Number.

Last updated