Patching Binaries (with vim, Binary Ninja, Ghidra and radare2)
HTML-код
- Опубликовано: 12 дек 2019
- A long time ago I made a video about the basics of cracking, but never got around to make a video about actually patching the binary. So here I show you a few methods how to do it!
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
![Eminem - The Death of Slim Shady [Album Trailer]](http://i.ytimg.com/vi/X0HIrS6kUYI/mqdefault.jpg)
I always thought that the more one prepares for a youtube video the better it gets. But this mix of exploration and tutorial felt good. To see how and where you get your information from and how you play around was interesting.
I was getting stale learning higher level languages but then I found your binary series and now I’m in a new world of discovery down to the bare metal! Thank you for your informative videos
Nice now I finally know how to "fix" the bug in fl studio that prevents me from loading saved project files.
funny to see some FL Studio users here :D i actually thought about patching it for some new functionality (especially bulk exporting, or some sort of headless mode to export)
@Z Box he's joking. He's actually talking about the the trial limitation.
@TheGuy prob doesnt want a virus
@@josephsagotti8786 you can disassemble and check by viruses! :D
When importing a file into ghidra you have to import it as a “raw binary” and not an ELF if you want to patch. It’s also important to note you have to specify the compiler that was used to compile the file when doing this.
However when importing as a raw binary you lose all debug symbols, so here’s what I suggest: Import the binary as an ELF to figure out what you want to do, then once you know what you need to patch, import the file again as a “raw binary” and specify the compiler used(I normally default guess gcc 64 bit). Ghidra provides tabs for multiple files so you can navigate back and forth to determine what you need to patch because in some cases it can be quite difficult to find w/o debug symbols.
If you hit "e" in Binary Ninja it also has an in-line edit like a Ghidra's. It doesn't show a preview the way Ghidra does, but it will automatically pad out a shorter instruction using the appropriate number of nops for you.
I'm more surprised about that vim trick tbh
♥ vim
It only really works when you replace chars or append it at the end, it is hard when you want to insert data in the middle of a binary.
@@happygimp0 But in the video he literally shows replacing stuff in the middle. And i also tried it myself, works just fine
@Pal One
Yes, replacing. But you can't add something in the middle of the file or remove it. bvi could do that.
@@happygimp0 I doubt that. That should break the code
Reminds me of a CTF problem I found an unintended solution for - it was a license checker where you were supposed to reverse the decryption algorithm to decrypt an encrypted flag in memory. It used some logic or another to prevent you from using ltrace to just find the answer - but if you patched the ltrace check, you could invert the protection mechanism, so it would ONLY run under ltrace, and then just pull out the flag character by character. Fun times
Helpful tip for vim. If you type shift R instead of i, you will go into replace mode which will do all modification in place by default.
I came here to say that. Also regex search "/75 *0e"
CI should work too wouldnt it?
Just wanted to say I really enjoyed and appreciated this style of a video. You were able to walk us through your train of thought while re-learning two different tools "live". Which really is the most realistic view for people who are new to exploring reversing tools and methodologies. Thank you and keep 'em coming. Looking forward to seeing some more on the windows side of things.
Just a quick update, better late than never.. i just fixed all the usability issues you had while using r2 to patch the binary. It's very useful for me to see other people using it, all the feedback is great! Keep up the good work, your channel is amazing!
To sumarize:
- wcf : write-cache-file, works with io.cache, so you can patch in memory and write a new binary with the in-memory applied changes, kind of the export to bin option in ghidra/bn
- pa: with no arguments it prints the help message and suggests to use pd
- wao: now accepts jz and je (as well as jnz/jne aliases)
- wa: suggests solution (reusing generic error msg) when file is not open in rw
I patched the binary of a proprietary application to fix a bug where it would crash if it followed a certain codepath. I had to use the program at work, so it crashing was preventing me from doing by job.
Reported
Thank you I had such fun following this tutorial. Radare is awesome
making ones office space beautiful with rich plants and colors and a certain kind of mind enhancing light. so you are in your flow and always constantly feeling your healthy bliss.
Really great video! It also help to compare the different RE tools!
That pattern matching (AoB aka Array of Bytes, scanning) is extremely useful when making your own cheats and trainers in Cheat Engine. Honestly Cheat engine has taught me more about ASM than anything else. And the tutorial is actually really good.
The vim trick was mind blowing!
Though I understand only a little, and forget soon after watching the video, this patching always fascinates me. I remember using a Windows tool known as OllyDbg to crack Nod32 antivirus back in 2007 as a learning exercise. Would love to see that in a video of yours. Thanks for the video bro!
That joke was good. Never change radare!
That is AMAZING work, Man!
Every time you struggle with something I think: "I'm glad that I'm not the only fighting with some syntax issues"...
amazing video, learned a lot!
This is super helpful, thank you
"Oh Radare, ... never change" Lmfao!
Thanks much, this vid was soo helpful
Wow!
Your video put a small on my face!
Greetings from México!
The ending was awesome :)
Im early, keep up the good content
Great resource!
awesome video, thank you
Please continue this series .
I have a rather complex program done in Borland C++ OWL. When MS changed the help file structure, it introduced the only "bug" in the binary, which could not launch the new format. Could I decompile and recompile the old code with these tools?
Would it be possible to have some tool that would let you add or remove instructions and then shift binary and also fix all addresses that were shifted?
Ah changed the Tea shirt! Lot of relief
Okay, so I may have finally understood everything you said in this vid. If you changed the jne to a je/jz, that would result in every key, except the (old) correct one, being accepted?
good work dude
Whoa, I'm just getting into binary exploitation, while following your playlist, and this video was amazing! Nice joke at the end btw...
Nice video, as usual. I think adding in just a plain hex editor like 'hexedit' would have been the old-school way. HIEW was the old-school way to do it on Win/DOS before Linux existed.
Mira mi nombr3 ❤️💋
Awesome work!
Can we get a video about PE executables and basic windows reversing, that would be really helpful!
thanks man!
ruclips.net/video/utUqAbfURko/видео.html
medium.com/@eaugusto/analyzing-mips-windows-ce-pes-with-the-nsa-ghidra-suite-56f3bd1d622d
@@tthtlc i think practical malware analysis is a good book!
Plus they have labs too!
I was waiting for a long time for this video :)
Instead of using Vim's insert mode you could use the replace mode which is triggered by R, or if you only want to replace 1 character r. In insert mode Vim will replace each character as you type it (regardless of how many bytes the character has).
Or just go with nano
Very cool!
Nice video man.
oh man i remember the first time i cracked a software :D
i used the demo version of hopper to disassemble it and find the license verification code before the 30 minute timer ran out and patched it by hand in a hex editor (and used my cracked copy of hopper for newer versions iirc lol)
good memories :^)
First stuff I cracked was using a batch which changed the date before launching so the trial wouldn't expire.
Amazing content as always!!!
with vim instead of insert simply use replace command (shift R in normal mode) to only replace characters
You're the best !!!!
Long Long time ago i used softice 😁
How about patching with adding some logic to the binary? I have read about adding new code segment on the end of binary and redirecting code flow there, but never done it myself.
I think that would be a nice addition to this series.
Hi, can we get the lcm driver of android smartphone with ghidra?
You could talk about dynamic analysis with Frida
Lord Habs mercy. I love this
Amazing work. But how do we can patch a binary and insert call function to a function located in a .so library?
function calls are a little harder because you have to manage register state. arguments, return values, and local values are all stored as registers most often, when there are registers spare. it is easier at that level to try to write in c and compile and inject with dedicated injection tool
awesome!!!
I understand you can't add bytes in the middle of the file (I guess it could screw up other jumps and function calls), but why can't you add code at the end?
You can.
@@dannyparker5858 So why search for code caves if you could write everything below?
@@filipenicoli_ because that will increase the filesize, which usually is a very easy tell to notice that a file has been tampered with or cause issues if an executable is loaded into limited memory. Also some executables may have size information in their metadata, causing potential issues (like an access violation) if memory outside this region is attempted to be read/executed.
If neither are of concern, you should be good to append!
@@filipenicoli_ You generally shouldn't search for code caves. One case I can think is maybe your in memory and for some reason cant/don't want to allocate more memory. At least on windows there's also a lot more padding in memory.
@@Marenthyu you can also find code that will not be useful after tampering with it and use it as a code cave.
Easiest way to remove a relative jump is just to replace with No Operation instructions (opcode 0x90). As it's only 1 byte, it can used to overwrite any instruction.
Admission: didn't watch complete video before commenting.
I've used olly (windows) to get a licence key. The code that converted email address (and other registration information) to licence key was too complex to decipher quickly, so I just set a breakpoint once everything was calculated and extracted the matching licence key that way (right before the test of entered and calculated licence key) - no modification of binary required and that can be useful for passing virus scans and making sure the hash of the executable still matched. Some executables can self check and verify their own code in an attempt to prevent tampering, they can also decrypt parts of code at run-time, making any kind of bypass quite a bit harder.
Good advice, nops are a very useful opcode for lots of different things.
@@kneesnap1041
0x87 0xc0 xchg eax,eax
to nop 2 bytes :)
Please Make a video of Control Flow Integrity and bypassing it. Thank you.
Ta embrazado nos vídeos em cachorro.
Kkkkkkkkk
Nice vídeo.
Awsome video.
I think it would have been nice if you also mentioned some stuff about compiling the c or cpp file as 32-bit or 64-bit, and also big and little endian.
When I was following your tutorial, the part where you used x/8x actually was reversed in my output.
For example the output of my gdb was "C4 12 75", so I had to search for "75 12 C4" in vim.
Mira mi nombr3 ❤️💋
GDB and Vim are underrated
Will you be on the congress?
Every video reminds me i havnt sraeted working on my ben eater breadbourd computer
cant you just jump to the end and append more bytes in case your opcode needs more bytes than the op has to offer you are replacing?
Now try to patch the binary using curses-based editor hte (sudo apt install ht)... Use F6 -> elf/image to view the linear disassembly.
For simple cracks/projects this should be more than efficient than radare or ghidra.
There was a time when I knew how to properly use radare2 without ??? every single command. After just one week of not using radare2 I forgot everything except aaa and q.
love ya
Hi, can someone explain me,plz, here 3:46 he said, if you want to control where it will jump to then you have to control this byte (0x0e) but then we modified 0x75. Why did he mean with 0x0e? Did I get wrong?
0x0e is the offset where to jump to. 0x75 is the opcode that Says “jump if not equal”. So if you want to change the meaning of the opcode you need to change that.
@@LiveOverflow ooh now I see. It makes sense. Thanks for the all the tutorials and explanations. Peace.
7:03 isnt EB better than 74 as EB is jmp so it will go ether is it correct or not rather it is a must to be wrong
Edit: other than that everything is great I love it
In this case we rather don’t want to jump, thus replace it with NOP.
Why there is a sudden jump between 1:48 and 1:49. :)
What's wrong with installing radare2 using the packet manager?
Very Outdated
@@LiveOverflow Except for on Termux, that's the only supported way to install it on Android and it's actually updated pretty well iirc.
Ghidra Export Binary Feature
Note that the Binary export is not broken, it is simply misunderstood. This exporter simply dumps the initialized memory blocks defined within Ghidra in binary form. The blocks are appended sequentially. It was never intended to recreate a loadable/executable binary. While this is certainly a desirable feature, it does not yet exist within Ghidra.
ruclips.net/video/utUqAbfURko/видео.html&ab_channel=0x6d696368
in this video shown how to properly IMPORT and EXPORT file to patch it with Ghidra but for EXE-file. There is nothing different for ELF I think.
What, not gonna use x32dbg ?
its remain me 20 years ago i did it with very plain tools.
'I cant remember anything about Radare everytime I use it' I have the same issue with about everything I try to do on a more complex level of IT related things.
You just need to watch out for the patterns in how people implement things, humans design technology based on their experience with other technology and once you figure out a few patterns of how things work and are implemented you will be able to do learn other things much faster. To learn some of the more complex subjects you will have try and try again, keep failing and you will learn new things along the way.
Why do you not use tmux?
And you can use R in vim to replace multiple character in place (like the insert key in other programs).
Does this work on Java and C# too, cause theyre JIT Compiled
No, but you can use ILSpy for C# and WinRAR for Java
Use dnSpy for C# and VB.NET
I haven't used any java bytecode editors but you could use something like jd-gui to decompile to a .java file, edit it using a text editor and recompile using javac (I think, haven't actually tried it)
@@slonkazoid You can't edit anything with ILSpy, only view the code (kind of)
WinRAR? You could even use Explorer to view the files inside of a jar file. You can't edit the code/instructions using a file archiver
Yes, you can hack java bytecodes in much the same way as assembly language, although it is a lot less understandable (for me at least). Also works for Flash (what's that?!!), although quite hard to do.
Wann kommt mehr von dem 8bit Computer?
wow
I think the patch in ghidra failed because you removed more bytes than you readded, at least it looked like that to me...
What can you do with this? I'll follow your whole CS course soon.
Crack and patch. You need a background in demoscene chiptunes though to really be effective.
For example patch a program crashing when the business making it has gone under.
Create cheats/trainers for games. If you're more creative - mods. If you're even more creative - port the game to modern platforms without rewriting the game logic by patching all of the IO code. Unavowed, Gynvael and company ported DOS game Syndicate Wars to modern systems that way.
@@d3line That's how I started getting into computers in the late 80's - doing cheats for games on the old 6502 based computers (ATARI 800 at the time). I used to think 48k was a lot of code to go through by hand, that is until you try on a PC (thankfully we've got tools for that nowadays).
whats the intro music at 1:19?
The End Is Near - Gunnar Olsen
The part you're referring to is around 1:25 in the song.
@@antricks2546 Thanks
Thanks for movie. Use "-j" with make :)
Mira mi nombr3 ❤️💋
Ghidra is growing on me, but there's no way to export the patched executable.
Honestly, I'm fine enough patching bytes with a hex editor and using ghidra to figure out what I need to change. This would get pretty gnarly for changing a lot of code though.
@@kneesnap1041 In my case, it probably would be a lot of code.
Damn, Binary Ninja looked great until I saw the price tag for any worthwhile edition
Bro, I wish I had a brain like yoz, I could be earning a fuckin fat salary at my current job
OoOooo
Nice to see that Ben Eater (inspired) computer on your desk there :D
No space between "if" and open parenthesis... smh
as it should be
don't tell that to anybody in public, you might get beaten up
He had the opening and the closing brackets not on the same horizontal nor vertical line, that is much much worse.
Do you know how many bytes that space costs in a lifetime? Enough to install 3% of visual studio.
I think everyone constantly identifies with LiveOverflow's expressions while using radare2 xd
First time i've seen actual patching. Have used all those tools and didn't know any of those features.. other than strings. LMAO
I think you just change your T-SHIRT or JACKET and create multiple videos at once and then upload them everyday 😅
Of course
@@LiveOverflow Its actually a good idea :D
It's so well known that engineers and hackers like to wear the same clothes for an extended period. Even multiple of the same item of clothing (stick to what you like in the extreme). There was a sign up on the door of the college computer lab I used to attend, reminding students (of the engineering variety), jokingly, to remember to change their clothes.
@@threeMetreJim I do that too . No one cares what we wear 😂
But can you patch Binary Ninja to use it without paying? :D
would be funny if they told you how to do that at the end of its own manual... like a kind of reward for learning
@@WistrelChianti cool!)
radare2 = command line IDA
A RUclipsr with Ublock enabled.
Can it get more ironic than this?
Mira mi nombr3 ❤️💋
Mira mi nombr3 ❤️💋
Заебись объясняшка спасибки
im disapointed that you cant realy patch binnary with ghidra😢
I miss "rad-ah-ray"
Is binja a free software?
I don't think so - the page said "try" or "purchase."
Nope. There's a free cloud version (cloud.binary.ninja/ but unfortunately it doesn't allow patching or downloading of uploaded files. Just useful for analysis.
Well, you can make changes by doing the usual RE things to be clear, just can't patch a binary. You can add comments, structures, rename things, etc.
Wait, after rewatching this video, i just realize this is how you create a keygen or crack for Softwares. lol
I mean I didn't get the joke can somebody explain to me asdasd???
A youtuber with ublock enabled.
Irony