如何优雅地在ARM架构下为IDA Pro 9.0安装keypatch插件

keypatch作为反编译工具ida最强大的漏洞补丁插件，在AWD赛制中可以说是必备的工具。因为驻波用的是Mac电脑，直接把插件放在plugins文件夹下会报错，解决报错花了我一下午。所以对于keypatch相对来说安装流程会比intel的麻烦的多，这里简单记录一下整个配置流程。

基础环境配置

# 安装Homebrew包管理器
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# 安装编译工具cmake
brew install cmake 

# 安装Python3.12版本，这是最稳定的版本
brew install python@3.12

# 安装keystone:
pip3 install keystone-engine

切换架构

由于缺失动态库，或者动态库的架构是x86-64的，我们需要重新编译一个arm64架构的动态库。

git clone https://github.com/keystone-engine/keystone.git
cd keystone
mkdir build
cd build

编译生成的文件就放在build文件夹里

打开keystone文件夹，编辑make-common.sh文件：

# 第4行，原先长这样
ARCH=''

# 改成这样
ARCH='arm64'

再用命令确保cmake编译器的架构改成了arm64:

sed -i '' '4s/ARCH=\'\'/ARCH=\'arm64\'/' ../make-common.sh

在keystone文件夹里搜索cmakelists.txt，均进行如下修改：

# 修改cmake最低支持版本
cmake_minimum_required(VERSION 2.8.7)
 
# 修改后:
cmake_minimum_required(VERSION 3.5)
 
# 注释或删除掉以下代码, CMP0051已经废弃
if (POLICY CMP0051)
  # CMake 3.1 and higher include generator expressions of the form
  # $<TARGETLIB:obj> in the SOURCES property.  These need to be
  # stripped everywhere that access the SOURCES property, so we just
  # defer to the OLD behavior of not including generator expressions
  # in the output for now.
  cmake_policy(SET CMP0051 OLD)
endif()

Cmake参数配置

打开keystone文件夹下的make-share.sh文件：

# 将21行注释掉，改成下面的代码（'\'代表换行符，需保留）
cmake -DBUILD_LIBS_ONLY=ON \
      -DCMAKE_OSX_ARCHITECTURES="arm64" \
      -DPYTHON_LIBRARY="$(brew --prefix python@3.12)/Frameworks/Python.framework/Versions/3.12/lib/libpython3.12.dylib" \
      -DPYTHON_EXECUTABLE="$(brew --prefix python@3.12)/bin/python3.12" \
      -G "Unix Makefiles" ..

版本兼容性修复：

网上找的自动化修复代码：

import os
import re

root_dir = '/path/to/keystone'  # 需替换为实际路径
patterns = {
    'cmake_version': re.compile(r'^\s*cmake_minimum_required\s*\(\s*VERSION\s*2\.8(\.\d+)?\s*\)', re.IGNORECASE),
    'cmp0051_start': re.compile(r'^\s*if\s*\(\s*POLICY\s+CMP0051\s*\)', re.IGNORECASE),
    'endif': re.compile(r'^\s*endif\s*\(?\)?', re.IGNORECASE)
}

for dirpath, _, filenames in os.walk(root_dir):
    for filename in filenames:
        if filename == 'CMakeLists.txt':
            filepath = os.path.join(dirpath, filename)
            lines = []
            skip_block = False
            with open(filepath, 'r') as f:
                for line in f:
                    if patterns['cmake_version'].match(line):
                        lines.append('cmake_minimum_required(VERSION 3.5)\n')
                        continue
                    if patterns['cmp0051_start'].match(line):
                        skip_block = True
                        lines.append('# ' + line)
                        continue
                    if skip_block:
                        lines.append('# ' + line)
                        if patterns['endif'].match(line):
                            skip_block = False
                        continue
                    lines.append(line)
            with open(filepath, 'w') as f:
                f.writelines(lines)
print("✅ CMake配置修复完成")

将代码保存为fixed.py，执行程序：

python3 fixed.py

插件部署

下载核心插件代码：

curl -o keypatch.py https://raw.githubusercontent.com/keystone-engine/keypatch/e87f0f9/keypatch.py

复制到IDA的插件目录：

mkdir -p "/Applications/IDA Professional 9.0.app/Contents/MacOS/plugins"
cp keypatch.py "/Applications/IDA Professional 9.0.app/Contents/MacOS/plugins"

一秒编译！

../make-share.sh

等待编译完成

然后在/keystone/build/llvm/lib下会生成两个动态库libkeystone.0.dylib和libkeystone.dylib

将两个动态库复制到ida报错的路径，我这里是/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/keystone，路径应该都差不多。再打开ida一看，大功告成！