Keypatch is the award-winning IDA Pro plugin for the Keystone Assembler Engine.
Keypatch consists of 3 tools inside.
See this quick tutorial for how to use Keypatch, and these slides for how it is implemented.
Keypatch is confirmed to work on IDA Pro versions 6.4, 6.5, 6.6, 6.8, 6.9, 6.95 but should work flawlessly on older versions. If you find any issues, please report them.
Sometimes we want to patch the binary while analyzing it in IDA, but unfortunately the built-in assembler of IDA Pro is not adequate.
Keypatch was developed to solve this problem. Thanks to the power of Keystone, our plugin offers some nice features.
Keypatch can be the missing piece in your toolset of reverse engineering.
Install Keystone core & Python binding for Python 2.7 from keystone-engine.org/download. Or follow the steps in the appendix section.
Copy the file keypatch.py to the IDA plugin folder, then restart IDA Pro to use Keypatch.
- Windows: C:\Program Files (x86)\IDA 6.9\plugins
- MacOS: /Applications/IDA\ Pro\ 6.9/idaq.app/Contents/MacOS/plugins
- Linux: /opt/IDA/plugins

NOTE
- On Windows, if you get an error message from IDA about "fail to load the dynamic library", then your machine may be missing the VC++ runtime library. Fix that by downloading & installing it from https://www.microsoft.com/en-gb/download/details.aspx?id=40784
- On other *nix platforms, the above error message means you do not have 32-bit Keystone installed yet. See appendix section below for more instructions to fix this.
For a quick tutorial, see TUTORIAL.md. For a complete description of all of the features of Keypatch, keep reading.
To patch your binary, press hotkey CTRL+ALT+K inside IDA to open Keypatch Patcher dialog.
- Assembly box (you can use IDA symbols).
- Encode box while you are typing, without waiting for ENTER keystroke.
- Fixup control.
- ENTER or click Patch to overwrite the current instruction with the new code, then automatically advance to the next instruction.
- NOPs padding until next instruction boundary if this is undesired.
- Save original instructions in IDA comment to disable this feature.
- Edit | Patch program | Apply patches to input file.

- CTRL+ALT+K, or choose menu Edit | Keypatch | Fill Range.
- Assembly box, you can either enter assembly code, or raw hexcode. Some examples of acceptable raw hexcode are 90, aa bb, 0xAA, 0xBB.
To revert (undo) the last patching, choose menu Edit | Keypatch | Undo last patching.
To search for assembly instructions (without overwriting the binary), open Keypatch Search from menu Edit | Keypatch | Search.
- Assembly box.
- Encode box while you are typing, without waiting for ENTER keystroke.
- Search button, Keypatch would look for all the occurrences of the instructions, and show the result in a new form.
To check for a new version of Keypatch, choose menu Edit | Keypatch | Check for update.
At any time, you can also access all of the above Keypatch functionality by right-clicking in the IDA screen and choosing from the popup menu.

Email keystone.engine@gmail.com for any questions.
For future updates of Keypatch, follow our Twitter @keystone_engine for announcements.
IDA Pro's Python is itself 32-bit, so it can only load 32-bit libraries. For this reason, we have to build & install 32-bit Keystone. This section details the steps towards that goal.
It is easiest to just download & install Python 2.7 module for Windows from http://www.keystone-engine.org/download. Be sure to get the 32-bit version, regardless of your Windows edition.
If you prefer to compile from source, just use MSVC 32-bit & follow the instructions in Windows documentation to build keystone.dll. After that, install Python module as in Python documentation. Then copy keystone.dll to the directory of Keystone Python module.
Install the core & Python module of Keystone with the following command:
$ sudo pip install keystone-engine
In case IDA still complains "ImportError: No module named keystone" when Keypatch is loading, then do the following step to copy Keystone Python binding to IDA directory. (replace 6.8 with your actual IDA version)
$ sudo cp -r /Library/Python/2.7/site-packages/keystone /Applications/IDA\ Pro\ 6.8/idaq.app/Contents/MacOS/python
First of all, be sure that your machine already has CMake installed. On Ubuntu, you can install CMake with:
$ sudo apt-get install cmake
Then if your system is Linux 32-bit, you can install Keystone via pip as with MacOS above.
$ sudo pip install keystone-engine
In case you are on 64-bit Linux, you need to cross compile Keystone to 32-bit. Since version 0.9.1, Keystone supports lib32 option to make this easy. After building the core, install Python module as in Python documentation.
Note that to cross-compile on Linux, you need to install some multilib libraries. For example, on Ubuntu 14.04 64-bit, do this with:
$ sudo apt-get install lib32stdc++-4.8-dev libc6-dev-i386
After having multilib dependencies, run the following commands in the source directory of Keystone.
$ mkdir build
$ cd build
$ ../make-share.sh lib32 lib_only
Then copy the Python bindings to IDA's Python directory, together with distutils from your distro's Python, as follows. (Use your actual IDA directory instead.)
$ sudo cp -r bindings/python/keystone /opt/IDAPro6.8/python/
$ sudo cp -r /usr/lib/python2.7/distutils /opt/IDAPro6.8/python/
Finally, copy the 32-bit libraries of Keystone to the Python directory of IDA Pro, as follows.
$ sudo cp build/llvm/lib/libkeystone.so.* /opt/IDAPro6.8/python/keystone/
These complicated workarounds are necessary because IDA in Linux 64 bit doesn't use the system's Python.
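One way to confirm, before copying a Keystone library into IDA's Python directory, that it really is 32-bit as this appendix requires. This is an added example, not part of Keypatch or Keystone; the function names and sample headers are constructed for illustration, and it covers the three library formats the appendix touches (ELF, PE and thin Mach-O).

```python
import struct
import sys

PE_MACHINES = {0x014C: 32, 0x8664: 64}           # IMAGE_FILE_MACHINE_I386 / AMD64
MACHO_MAGICS = {0xFEEDFACE: 32, 0xFEEDFACF: 64}  # thin Mach-O only

# Constructed sample headers (not taken from real Keystone builds).
SAMPLE_ELF32 = b"\x7fELF\x01\x01\x01" + b"\0" * 9
SAMPLE_ELF64 = b"\x7fELF\x02\x01\x01" + b"\0" * 9
SAMPLE_PE32 = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
               + b"PE\0\0" + struct.pack("<H", 0x014C))
SAMPLE_MACHO64 = struct.pack("<I", 0xFEEDFACF)


def library_bits(header):
    """Return 32 or 64 for an ELF, PE or thin Mach-O header, else None."""
    if header[:4] == b"\x7fELF" and len(header) >= 5:
        ei_class = struct.unpack_from("B", header, 4)[0]  # e_ident[EI_CLASS]
        return {1: 32, 2: 64}.get(ei_class)
    if header[:2] == b"MZ" and len(header) >= 0x40:
        pe_off = struct.unpack_from("<I", header, 0x3C)[0]  # e_lfanew
        if header[pe_off:pe_off + 4] == b"PE\0\0" and len(header) >= pe_off + 6:
            machine = struct.unpack_from("<H", header, pe_off + 4)[0]
            return PE_MACHINES.get(machine)
        return None
    if len(header) >= 4:
        for fmt in ("<I", ">I"):  # Mach-O magic may be stored in either byte order
            magic = struct.unpack_from(fmt, header, 0)[0]
            if magic in MACHO_MAGICS:
                return MACHO_MAGICS[magic]
    return None  # unknown format, truncated file, or fat/universal Mach-O


def is_loadable_by_ida(path, want_bits=32):
    """True if the library at `path` matches the bitness of IDA's Python."""
    with open(path, "rb") as f:
        return library_bits(f.read(4096)) == want_bits


if __name__ == "__main__":
    for lib in sys.argv[1:]:
        print("%s: %s-bit" % (lib, library_bits(open(lib, "rb").read(4096))))
```

Run it against the library you built (for example the libkeystone.so.* file from the build directory) and only copy the file if it reports 32-bit.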
Done? Now go back to section 2 & install Keypatch for IDA Pro. Enjoy!