How to replace disassembled hex code with a "return" in IDA Pro


I am using IDA Pro and have copied "C:\Windows\System32\notepad.exe" to "D:\notepad.exe" for code testing.

Here is the content of the "IDA View-A" tab:

.text:0000000140001000 ; File Name   : D:\notepad.exe
.text:0000000140001000 ; Format      : Portable executable for AMD64 (PE)
.text:0000000140001000 ; Imagebase   : 140000000
.text:0000000140001000 ; Hash        : BDD4ADCD
.text:0000000140001000 ; Section 1. (virtual address 00001000)
.text:0000000140001000 ; Virtual size                  : 000247FF ( 149503.)
.text:0000000140001000 ; Section size in file          : 00024800 ( 149504.)
.text:0000000140001000 ; Offset to raw data for section: 00000400
.text:0000000140001000 ; Flags 60000020: Text Executable Readable
.text:0000000140001000 ; Alignment     : default
.text:0000000140001000 ; ===========================================================================
.text:0000000140001000
.text:0000000140001000 ; Segment type: Pure code
.text:0000000140001000 ; Segment permissions: Read/Execute
.text:0000000140001000 _text           segment para public 'CODE' use64
.text:0000000140001000                 assume cs:_text
.text:0000000140001000                 ;org 140001000h
.text:0000000140001000                 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:0000000140001000 byte_140001000  db 8 dup(0CCh)          ; DATA XREF: HEADER:000000014000012C↑o
.text:0000000140001000                                         ; HEADER:0000000140000214↑o
.text:0000000140001008
.text:0000000140001008 ; =============== S U B R O U T I N E =======================================
.text:0000000140001008
.text:0000000140001008
.text:0000000140001008 sub_140001008   proc near               ; CODE XREF: sub_14001FDD0+6D↓p
.text:0000000140001008                                         ; sub_14001FEDC+6D↓p ...
.text:0000000140001008
.text:0000000140001008 var_68          = dword ptr -68h
.text:0000000140001008 var_30          = dword ptr -30h
.text:0000000140001008 var_2C          = dword ptr -2Ch
.text:0000000140001008 var_20          = dword ptr -20h
.text:0000000140001008 var_1C          = dword ptr -1Ch
.text:0000000140001008 var_18          = qword ptr -18h
.text:0000000140001008 arg_20          = qword ptr  28h
.text:0000000140001008 arg_28          = qword ptr  30h
.text:0000000140001008
.text:0000000140001008 ; __unwind { // __GSHandlerCheck
.text:0000000140001008                 mov     r11, rsp
.text:000000014000100B                 sub     rsp, 88h
.text:0000000140001012                 mov     rax, cs:__security_cookie
.text:0000000140001019                 xor     rax, rsp

Here is the content of the "Hex View-1" tab:

0000000140001000  CC CC CC CC CC CC CC CC  4C 8B DC 48 81 EC 88 00  ÌÌÌÌÌÌÌÌL‹ÜH.ìˆ.
0000000140001010  00 00 48 8B 05 57 F4 02  00 48 33 C4 48 89 44 24  ..H‹.Wô..H3ÄH‰D$
0000000140001020  70 48 8B 84 24 B8 00 00  00 45 33 C9 49 89 43 D8  pH‹„$¸...E3ÉI‰CØ

I want to replace

.text:0000000140001012                 mov     rax, cs:__security_cookie

with

.text:0000000140001012                 retn

Here is the PowerShell code:

$bytes  = [System.IO.File]::ReadAllBytes("D:\notepad.exe")

$offset = 0x0001012
$bytes[$offset]   = 0xC3

[System.IO.File]::WriteAllBytes("D:\notepad.exe", $bytes)

But it does not work as expected. What is wrong with the PowerShell code above?

windows hex disassembly notepad ida
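As an added example (not part of the question or of any answer on the original page): the address IDA shows is a virtual address, so the script below takes the .text section header values from the listing above (VirtualAddress 0x1000, PointerToRawData 0x400) and the Imagebase 0x140000000 to translate 0x140001012 into the file offset that actually holds the instruction, then writes retn there. The section table and the image bytes are constructed from the listing and the Hex View-1 dump in the question, not read from a real file.

```python
import struct

# IMAGE_SECTION_HEADER: 8-byte name followed by nine little-endian fields (40 bytes total).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def parse_section_headers(table: bytes, count: int) -> list:
    """Decode `count` section headers from a raw PE section table."""
    sections = []
    for i in range(count):
        name, vsize, va, raw_size, raw_ptr, *_unused, flags = SECTION_HDR.unpack_from(table, i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "flags": flags})
    return sections

def rva_to_file_offset(rva: int, sections: list) -> int:
    """Map an RVA (virtual address minus image base) to the file offset that holds its bytes."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            delta = rva - s["va"]
            if delta >= s["raw_size"]:
                raise ValueError(f"RVA {rva:#x} is in the zero-filled tail of {s['name']}, not in the file")
            return s["raw_ptr"] + delta
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def patch_retn(image: bytes, file_offset: int, insn_len: int) -> bytes:
    """Overwrite one insn_len-byte instruction with retn (C3) and pad the leftover operand
    bytes with int3 (CC) so a disassembler does not resynchronise on them."""
    out = bytearray(image)
    out[file_offset:file_offset + insn_len] = b"\xC3" + b"\xCC" * (insn_len - 1)
    return bytes(out)

# Constructed from the IDA listing in the question: .text has VirtualSize 0x247FF,
# VirtualAddress 0x1000, SizeOfRawData 0x24800, PointerToRawData 0x400, flags 0x60000020.
SECTION_TABLE = SECTION_HDR.pack(b".text", 0x247FF, 0x1000, 0x24800, 0x400, 0, 0, 0, 0, 0x60000020)
SECTIONS = parse_section_headers(SECTION_TABLE, 1)

# Constructed image: zero-filled headers, then the 48 bytes from Hex View-1 at file offset 0x400.
IMAGE = bytes(0x400) + bytes.fromhex(
    "CCCCCCCCCCCCCCCC4C8BDC4881EC8800"
    "0000488B0557F402004833C448894424"
    "70488B8424B80000004533C9498943D8")
IMAGE_BASE = 0x140000000  # Imagebase from the listing

def patch_va_with_retn(image: bytes, va: int, insn_len: int) -> tuple:
    """Translate the VA IDA displays into a file offset, patch there, return (offset, patched image).
    For 0x140001012 (mov rax, cs:__security_cookie, 7 bytes) the offset is 0x412; using
    0x1012 as a file offset would instead hit RVA 0x1C12, an unrelated instruction."""
    offset = rva_to_file_offset(va - IMAGE_BASE, SECTIONS)
    return offset, patch_retn(image, offset, insn_len)
```

`patch_va_with_retn(IMAGE, 0x140001012, 7)` returns offset 0x412 and a buffer whose bytes at 0x412 are C3 CC CC CC CC CC CC, with the next instruction (48 33 C4) untouched. The same translation applies to a real file once its section table is read from the PE headers instead of being constructed.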