This technique can be used in scenarios where patching is needed to get around a program's anti-debugging mechanism.
String patching involves altering or overwriting specific string values in a program's memory or in its binary on disk to achieve a particular behavior, such as bypassing a check or changing the program's output.
#view initial output of the binary
root@dev:~$ ./lab02.out
XXXXXXXXXXXXX
\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58
root@dev:~$ radare2 {binary.out}
#step 1: search for the string to patch
[0x00001060]>/ XXXXXXXXXXXX
0x00002008 hit1_0 .FV@XXXXXXXXXXXXX.
* this will identify the memory section where the string was found
#step 2: change cursor position and navigate to the memory location
[0x00001060]> s 0x00002008
[0x00002008]>
* s (seek) is used to change the cursor position
#step 3: identify/dump bytes starting from the current memory location
[0x00002008]> px
* px is used to dump bytes (hex view) starting at the current memory location
- first column (offset): the memory addresses
- columns 0-F: the byte positions within each row; the row shows the hexadecimal values of the 16 bytes at that offset
- last column: the ASCII representation of those bytes
#step 4: open the file in read/write mode
[0x00002008]> oo+
[0x00002008]> w Stephen Razon
* w means write (here it writes the string at the current offset)
* when string patching, only write/overwrite the exact amount of characters
or fewer, to prevent overwriting valid instructions or data that the program
needs to run
- e.g., if the string consists of only 12 characters, then only
write up to 12 characters; anything more overwrites the
data that follows it.
[0x00002008]> px
...
[0x00002008]> s 0x0000202e
[0x00002008]> wx 0x20 //overwrite the current byte with 0x20 (ASCII space)
[0x00002008]> s 0x0000202f
[0x00002008]> wx 0x20 //overwrite the current byte with 0x20 (ASCII space)
[0x00002008]> s 0x00002008
[0x00002008]> px
* pad the leftover bytes of the old string with 0x20 by seeking to each
byte it occupied and overwriting it
[0x00002008]> q
root@dev:~$ ./stringPatchedBinary.out
Stephen Razon
\x53\x74\x65\x70\x68\x65\x6e\x20\x52\x61\x7a\x6f\x6e\x20\x20\x20
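The length rule above (never write more than the original string occupies, pad the rest with 0x20) as an added Python example; this is not from the original notes and does not drive radare2, it applies the same patch to a constructed byte string standing in for lab02.out.

```python
# Added example: the string patch from the radare2 session, done on bytes in
# Python. The replacement must fit inside the old string so that the bytes
# after it (code or data the program needs) are never overwritten; any
# leftover bytes are padded with 0x20, mirroring the `wx 0x20` writes above.
PAD = 0x20  # ASCII space, as used in the session


def replacement_fits(old: bytes, new: bytes) -> bool:
    """True when `new` can be written in place of `old` without spilling over."""
    return len(new) <= len(old)


def patch_string(data: bytes, old: bytes, new: bytes, pad: int = PAD) -> bytes:
    """Return a copy of `data` with the first `old` replaced by `new`, padded."""
    if not replacement_fits(old, new):
        raise ValueError(
            f"replacement is {len(new)} bytes but the original string is only "
            f"{len(old)}; writing more would clobber the bytes that follow it"
        )
    offset = data.find(old)
    if offset == -1:
        raise ValueError("original string not found")
    padded = new + bytes([pad]) * (len(old) - len(new))
    # Splice the same number of bytes back in; nothing else moves.
    return data[:offset] + padded + data[offset + len(old):]


if __name__ == "__main__":
    # Constructed stand-in for lab02.out: the 13-X marker between other bytes.
    fake_binary = b"\x7fELF\x00\x01" + b"X" * 13 + b"\x00DATA-AFTER"
    print(patch_string(fake_binary, b"X" * 13, b"Stephen Razon"))
    print(patch_string(fake_binary, b"X" * 13, b"Razon"))  # padded with spaces
```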
* install the gcc multilib package if an error is received when compiling
a 32-bit program on a 64-bit OS
- gcc command: gcc -g -m32 -O1 01.empty.c -o 01.empty.out
- fix: sudo apt install gcc-multilib -y