smart-patch-ida-pro
// Patch binary code in IDA Pro using natural language — read, assemble, write, verify
| field | value |
|---|---|
| name | Smart Patch (IDA Pro) |
| description | Patch binary code in IDA Pro using natural language — read, assemble, write, verify |
| tags | ["patching","assembly","binary","ida"] |
| author | Rikugan |
| version | 2 |
| allowed_tools | ["read_disassembly","read_function_disassembly","get_instruction_info","decompile_function","get_pseudocode","get_decompiler_variables","read_bytes","execute_python","redecompile_function","nop_microcode","set_comment","exploration_report"] |
Task: Apply targeted binary patches in IDA Pro based on the user's natural language description. Analyze the function, identify the minimal set of instructions to change, assemble new instructions, write them, and verify the result.
Read the target function's disassembly (read_function_disassembly) and decompiled pseudocode (decompile_function) to understand its current behavior.
Identify which specific instructions implement the behavior the user wants to change. Use get_instruction_info to get exact byte sizes and encodings for the target instructions.
Back up the original bytes before patching. Use read_bytes at the target address for the instruction length, and print them so the user has a record:
Original bytes at 0x{addr:x}: {hex_bytes}
Plan the minimal patch, choosing the smallest change from the patch types listed at the end of this page (branch inversion, condition change, force always/never, immediate change, or check removal):
Patch using execute_python with IDA's byte-patching API:

```python
import ida_bytes, idc

# Option A: manual opcode (for simple patches like branch inversion)
ida_bytes.patch_bytes(0xADDR, bytes([0x75]))  # JNZ instead of JZ

# Option B: use keystone assembler (if installed)
import keystone
ks = keystone.Ks(keystone.KS_ARCH_X86, keystone.KS_MODE_64)
encoding, _ = ks.asm("jg 0x401300", 0x401248)
original_size = idc.get_item_size(0x401248)  # length of the instruction being replaced
assert len(encoding) <= original_size, "new encoding would overrun the next instruction"
ida_bytes.patch_bytes(0x401248, bytes(encoding))
# NOP padding for the leftover bytes of the original instruction
remaining = original_size - len(encoding)
if remaining > 0:
    ida_bytes.patch_bytes(0x401248 + len(encoding), bytes([0x90] * remaining))
print("Patched at 0x401248")
```
Verify with redecompile_function — confirm the decompiled output reflects the desired behavior change. If it doesn't match, revert by writing back the original bytes and try a different approach.
Report — If called from /modify, you MUST call:

```python
exploration_report(category="patch_result", address=..., summary="Patched X: old → new", original_hex="...", new_hex="...", evidence="redecompile confirms...")
```
Annotate each patched address with set_comment explaining what was changed and why.
Notes: pad with single-byte NOPs (0x90). To revert a patch, write the saved bytes back with `ida_bytes.patch_bytes(addr, original_bytes)`. For obfuscation cleanup, prefer nop_microcode to suppress instructions at the Hex-Rays IR level without touching bytes — useful when a byte-level NOP would affect alignment or when the goal is to remove a check from the decompiler output only.

Patch types:

- Branch inversion: replace jl with jg, je with jne, etc. Same instruction size, just a different opcode byte.
- Condition change: change `test eax, eax` + `je` to `test eax, eax` + `jne`, or patch the comparison operand.
- Force always/never: replace the conditional jump with `jmp` (always) or NOP out the jump (never).
- Immediate change: reassemble the instruction with a new immediate value, e.g., `cmp eax, 0xa` → `cmp eax, 0x14`.
- Check removal: NOP out the comparison and conditional jump instructions using nop_microcode.
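As an added example (not the skill's own code), an offline model of the back-up, assemble, patch, NOP-pad, verify and revert steps above for the branch-inversion and force-always patch types: the IDA calls (read_bytes, ida_bytes.patch_bytes) are replaced by a bytes buffer, the sample instruction bytes are constructed, and only the standard x86 Jcc and short JMP encodings are used, so no keystone or IDA is needed.

```python
# Added example, not part of the skill: models back-up / assemble / patch /
# NOP-pad / revert on a bytes buffer standing in for read_bytes and
# ida_bytes.patch_bytes. Encodings are the standard x86 ones.
NOP = 0x90

def invert_jcc(insn: bytes) -> bytes:
    """Flip a Jcc condition (je<->jne, jl<->jge, ...) by XORing the low bit of
    the condition code; short (7x rel8) and near (0F 8x rel32) keep their size."""
    if len(insn) == 2 and 0x70 <= insn[0] <= 0x7F:
        return bytes([insn[0] ^ 1, insn[1]])
    if len(insn) == 6 and insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        return bytes([0x0F, insn[1] ^ 1]) + insn[2:]
    raise ValueError("not a conditional jump")

def jump_target(addr: int, insn: bytes) -> int:
    """Destination of a short/near Jcc or short JMP located at addr."""
    disp = insn[1:] if len(insn) == 2 else insn[2:]
    return addr + len(insn) + int.from_bytes(disp, "little", signed=True)

def jmp_short(addr: int, target: int) -> bytes:
    """Assemble 'jmp target' (EB rel8) for an instruction placed at addr."""
    disp = target - (addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target out of rel8 range")
    return bytes([0xEB, disp & 0xFF])

class PatchSession:
    """Keeps the original bytes of every patch so it can be reverted."""
    def __init__(self, image: bytes, base: int):
        self.image, self.base, self.backup = bytearray(image), base, {}
    def read(self, addr: int, size: int) -> bytes:
        return bytes(self.image[addr - self.base:addr - self.base + size])
    def patch(self, addr: int, new: bytes, original_size: int) -> bytes:
        """Overwrite one instruction of original_size, NOP-padding the rest;
        refuses a patch that would overrun into the next instruction."""
        if len(new) > original_size:
            raise ValueError(f"{len(new)} bytes do not fit in {original_size}")
        self.backup.setdefault(addr, self.read(addr, original_size))
        padded = new + bytes([NOP] * (original_size - len(new)))
        self.image[addr - self.base:addr - self.base + original_size] = padded
        return padded
    def revert(self, addr: int) -> bytes:
        orig = self.backup.pop(addr)
        self.image[addr - self.base:addr - self.base + len(orig)] = orig
        return orig

# Constructed sample at 0x401240: test eax,eax ; je +5 ; jl +0x10 (near) ; ret
IMAGE = bytes.fromhex("85c0" "7405" "0f8c10000000" "c3")
BASE = 0x401240
```

Inverting the je keeps the 2-byte size, while replacing the 6-byte near jl with a short jmp needs four NOPs of padding and a recomputed rel8 displacement so the jump still reaches the same target.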