radare2 is a reverse-engineering framework that can be used for binary patching, i.e. editing the bytes of an executable in place
BINARY STRING PATCHING
binary/string patching can be used to overwrite the anti-debugging checks in a malware sample so that it runs normally under a debugger, letting analysts observe the malicious behaviour instead of the evasion path
#DEFEATING ANTI-DEBUGGING CHECK
#step 1: identify where the anti-debugging check is happening
#step 2: change the instructions of the anti-debugging check so that it no longer triggers
#step 3: save the patched file so the sample always takes the malicious path, even when a debugger is attached
root@revenge:~$ radare2 {malwareBinary.out}
[0x00001060]> / hello
Searching 5 bytes in [0x401c.0x4020]
hits: 0
...
0x00002008 hit0_0 .hello, world;@. //this is the location of the word hello in memory
* this cmd displays the address at which the string "hello" is found in the binary (hit0_0 is the label radare2 gives the hit)
* the / cmd searches for a string; /x searches for a hex byte sequence instead
[0x00001060]> s 0x00002008
* s (seek) moves the current position to the specified address; the prompt changes to show the new offset
- here it moves to the address where the "hello" string was found
[0x00002008]> px
* this cmd (print hexdump) shows the bytes at the specified/current location
* px dumps one block of bytes (the block size, adjustable with b) starting at the current offset, not the whole file
- memory address is on the left (address offset)
- column offsets (0 to F) across the top
- hexadecimal representation of the binary data in the middle
- ascii representation of the same bytes on the right
[0x00002008]> oo+
* this cmd reopens the file in read/write mode; radare2 opens files read-only by default, so w fails without it
[0x00002008]> w hello, name
* w means write: the string is written byte for byte at the current offset
- only write strings that are equal to or shorter than the original data length (here "hello, world" is 12 bytes plus its terminating null)
- do not go beyond the original data length; else, it'll corrupt the null terminator and whatever follows it, possibly valid instructions the program needs
- a shorter string leaves the tail of the old one in place: "hello, name" is 11 bytes, so the "d" of "world" survives and the program prints "hello, named"; overwrite the leftover bytes with null bytes (00) as well, or use wz, which writes the string together with its terminating null
[0x00002008]> px
* re-run the hexdump to confirm the write
- the new string is visible in the ascii column on the right
[0x00002008]> q
* q exits the radare2 utility; in read/write mode the bytes were already written to the file on disk when w ran, so there is no separate save step
root@re:~$ ./03._hello.out
* new output will be "hello, name" (provided the leftover byte of the old string was cleared with a null)
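The same search / seek / write / null-pad steps reproduced in plain Python, as an added example that is not part of the original notes and does not need radare2 installed. The sample bytes stand in for a .rodata section and are constructed; the function names (find_cstring, cstring_budget, naive_write, patch_cstring) are my own. It shows the two failure modes the notes warn about: a replacement longer than the original is refused, and a shorter replacement written without padding leaves "hello, named" behind.

```python
# Added example: the radare2 string-patch procedure (search, seek, write,
# null-pad) reproduced in plain Python. Sample bytes and function names are
# my own and not taken from the notes above.

NUL = b"\x00"

# Constructed stand-in for a .rodata section: four bytes of unrelated data,
# the "hello, world" string, its null terminator, then bytes that must stay intact.
SAMPLE = b"\x01\x00\x02\x00hello, world\x00;@\x90\x90"


def find_cstring(data: bytes, needle: bytes) -> int:
    """Offset of the first occurrence of needle (the '/ hello' step)."""
    off = data.find(needle)
    if off < 0:
        raise ValueError(f"{needle!r} not found")
    return off


def cstring_budget(data: bytes, off: int) -> int:
    """Bytes available at off before the null terminator (the 'data length')."""
    end = data.find(NUL, off)
    if end < 0:
        raise ValueError(f"string at 0x{off:x} is not null-terminated")
    return end - off


def read_cstring(data: bytes, off: int) -> bytes:
    """What the program would print: the bytes at off up to the first null."""
    return data[off:off + cstring_budget(data, off)]


def naive_write(data: bytes, off: int, new: bytes) -> bytes:
    """Equivalent of 'w hello, name' with no padding: only len(new) bytes change,
    so the tail of a longer original string survives."""
    buf = bytearray(data)
    buf[off:off + len(new)] = new
    return bytes(buf)


def patch_cstring(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new in place: refuse to overrun the original length,
    and null-pad the remainder so nothing of the old string is left."""
    off = find_cstring(data, old)
    budget = cstring_budget(data, off)
    if len(new) > budget:
        raise ValueError(f"{new!r} is {len(new)} bytes; only {budget} fit at 0x{off:x}")
    buf = bytearray(data)
    buf[off:off + budget] = new.ljust(budget, NUL)  # pad with 00 up to the old length
    return bytes(buf)


if __name__ == "__main__":
    off = find_cstring(SAMPLE, b"hello")
    print(f"hit at 0x{off:04x}: {read_cstring(SAMPLE, off)!r}")
    print("naive write :", read_cstring(naive_write(SAMPLE, off, b"hello, name"), off))
    print("null-padded :", read_cstring(patch_cstring(SAMPLE, b"hello, world", b"hello, name"), off))
    try:
        patch_cstring(SAMPLE, b"hello, world", b"hello, wonderful world")
    except ValueError as err:
        print("refused     :", err)
```

The length check is the part worth keeping in mind when patching a real sample: the bytes after the terminator may be other strings or code, and overrunning them breaks the program in ways that are hard to trace back to the patch.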