@Stick-U235
Last active October 29, 2022 15:13
Simplistic Binary Patching With Radare2

Let’s just take a simple “Hello, World!” program written in C, and change it to say “Hello, Terry!” (Or insert your own name, unless you really like me).

The point of this exercise is to show how easy it can be to edit a compiled program's code, which can have a huge effect. You have the ability to modify anything from simple program output to conditional statements, password verification checks, and much more. The ability to modify a program's code gives you full control over the program. Some areas will be simple to modify, while others can take an immensely large amount of time just to figure out where to look. Let's get started.

We will begin by writing the code below for the Hello program and compiling it with GCC (or your favorite C compiler).

Image1

Next, we will open the program in Radare2 in write mode with the command "r2 -w HelloWorld". If you just want to play around inside it rather than modifying the binary on disk, skip write mode and open it for analysis only by dropping the -w.

Image1

We will begin by telling Radare to analyze everything (functions, flags, instruction lengths, and more) by typing "aaaa" and hitting enter.

Image1

Next, we will list the strings found in the program's data sections by typing "iz" and hitting enter. Luckily for us, there is only one, and it is our target.

Image1

Next, we will seek Radare to the address holding this string by typing the string's virtual address and hitting enter. In my case, the address is 0x000006f4. Then we type the command "px" to confirm that we are at the right location.

Image1

We will use Radare's write command shown below to put the text of your choosing at this address: type w "Your Text". If your string is shorter than the "Hello, World!" string that was stored there, the remainder of the space is zeroed out. Don't write a string longer than the original, though: the extra bytes would land on whatever follows in the section. Write the string of your choosing now, and use px to confirm that it went in correctly.

Image1

Now we can quit Radare with the q command and run the program as usual to see the change.

Image1
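The string-patching step above, redone in plain Python as an added example (this is not code from the gist). It mimics what `iz`, `w` and `px` do on a constructed byte blob standing in for the program's data section, and enforces the length bound that the in-place write depends on:

```python
# Added example, not from the gist: the `iz` / `w` / `px` steps on a byte buffer.
import re

# Constructed stand-in for a compiled program's .rodata: the target string sits
# between unrelated bytes and is NUL-terminated, as the C compiler lays it out.
SAMPLE_BINARY = (b"\x7fELF\x00\x00\x00\x00"
                 + b"Hello, World!\x00"
                 + b"\x00\x00%d\n\x00"
                 + b"\xc3\x90\x90")

def find_strings(data: bytes, min_len: int = 4):
    """Rough equivalent of radare2's `iz`: NUL-terminated printable runs, with offsets."""
    pattern = rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len
    return [(m.start(), m.group().decode()) for m in re.finditer(pattern, data)]

def patch_string(data: bytes, offset: int, new_text: str) -> bytes:
    """Overwrite the string at `offset` in place, like `w "..."` under `r2 -w`.
    The old string's bytes (up to its NUL) bound the write: a shorter replacement
    is NUL-padded so the terminator survives, a longer one is refused because it
    would spill over into whatever follows in the section."""
    end = data.index(b"\x00", offset)   # terminating NUL of the old string
    room = end - offset
    new = new_text.encode()
    if len(new) > room:
        raise ValueError(f"{new_text!r} is {len(new) - room} byte(s) longer than the slot")
    return data[:offset] + new.ljust(room, b"\x00") + data[end:]

def hexdump(data: bytes, offset: int, n: int = 16) -> str:
    """Minimal `px`: hex bytes plus ASCII for n bytes at offset, to confirm the write."""
    chunk = data[offset:offset + n]
    text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
    return f"0x{offset:08x}  {chunk.hex(' ')}  {text}"

if __name__ == "__main__":
    for off, s in find_strings(SAMPLE_BINARY):      # the `iz` step
        print(f"0x{off:08x} {s!r}")
    off = find_strings(SAMPLE_BINARY)[0][0]
    patched = patch_string(SAMPLE_BINARY, off, "Hello, Terry!")   # the `w` step
    print(hexdump(patched, off))                                   # the `px` check
```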

Now, let's look at another example in which we modify a conditional statement to jump to an area of our choosing, rather than where the source code originally wants us to go. This can be useful in many ways. For example, imagine a program that lets you enter a number and tells you whether it is even or odd. The program first asks you to enter a number, then performs a bitwise check to see whether the number you entered is even (a "factor", in the program's wording). If so, you get a message stating that it is indeed a factor. If not, it tells you that it is not a factor. Let's modify it so that, whatever we enter, it always tells us we entered an even number. We will begin in the same fashion as last time. Write and compile the code below.

Image1

Next, open the program in Radare and analyze all symbols as before. Once that finishes, use the command "afl" to list all of the functions found.

Image1

We spot the function responsible for performing the check: "isOdd". This is a good place to set a breakpoint. Enter "db 0x557aaec3b75a" (your address will likely differ; db and dc work when the binary is opened under Radare's debugger with r2 -d) and then type "dc" to continue execution until the breakpoint is hit. Now you are prompted to enter any odd number of your choosing. We enter the number and hit our breakpoint. Perfect.

Image1

Let's fire up Visual graph mode by entering "VV". Looking at the graph below, we see a 'Jump If Equal' (je) instruction directly after the value in the EDI register is compared to 0. If it equals 0, we jump to the block on the right, which handles an even number being entered. If it does not equal 0, we go to the block on the left, which handles an odd number being entered.

Image1

To reiterate: we entered an odd number earlier, in my case 33. We can see that the JE instruction will jump execution to the block handling an even number, but only if EDI = 0. Can you guess what we need to change so that this program always jumps to the even-number block?

There are a couple of ways to do it; in this case we will change the Jump if Equal (JE) instruction to a plain ol' Jump (JMP). Then, no matter what we enter, execution will jump straight to the block that assumes an even number. How do we do this in Radare? First, type "p" to switch the graph to a view that shows the address each instruction resides at, so we can locate the JE. Your graph should now look similar to the one below.

Image1

In my case, the JE resides at 0x557aaec3b769. Let's shift Radare's focus to this address: hit "Shift + :" to bring up the CLI, enter the address of the JE, and hit enter. Now comes the fun part. The JE instruction's opcode byte is 0x74, as shown in the graph above, and a short JMP's opcode byte is 0xeb. Remember from the previous exercise how we overwrote memory with text of our choosing? That was the "w" command; its sibling "wx" writes raw hex bytes instead. So, with the CLI's focus now on this address, simply type "wx eb" to change the JE to a JMP. Both instructions are two bytes long (opcode plus an 8-bit displacement), so only the first byte changes and the jump target stays the same. Note that a write made under the debugger lands in the running process's memory, not in the file on disk; to make the patch permanent, apply the same wx at the matching offset with the binary opened via r2 -w.

Image1

In the CLI, type "q" to leave it, and the graph should refresh. We can now see our change made successfully.

Image1
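The same je-to-jmp patch done on a byte buffer, as an added example (not code from the gist). It checks that the byte being patched really is a 0x74 before touching it, keeps the displacement byte so the target is unchanged, and also shows the other "couple of ways" a short conditional branch can be rewritten. The machine-code bytes, the offset and the helper names are constructed stand-ins for the isOdd function:

```python
# Added example, not from the gist: rewriting a 2-byte `je rel8` in a code buffer.
JE_REL8, JNE_REL8, JMP_REL8, NOP = 0x74, 0x75, 0xEB, 0x90

# Constructed stand-in for the branch inside isOdd (not the real bytes):
#   85 ff     test edi, edi
#   74 0c     je  +0x0c      taken when edi == 0, i.e. the "even" block
#   ...       the odd-number block follows, then a ret
SAMPLE_CODE = (bytes.fromhex("85ff740c")
               + b"\x48\x8d\x3d\x00\x00\x00\x00\xe8\x00\x00\x00\x00"
               + b"\xc3")
JE_OFFSET = 2   # offset of the 0x74 opcode byte in the constructed buffer

def patch_branch(code: bytes, offset: int, mode: str = "always") -> bytes:
    """Rewrite the `je rel8` at `offset` (the `wx` step, with a sanity check first).
    "always": je -> jmp (0x74 -> 0xEB), the change made in the gist;
    "never":  je -> two NOPs, so execution always falls through to the odd block;
    "invert": je -> jne (0x74 -> 0x75), swapping the two outcomes.
    Only the opcode byte changes; the rel8 displacement is kept, so the target
    and the instruction length are untouched."""
    if code[offset] != JE_REL8:
        raise ValueError(f"byte at {offset:#x} is {code[offset]:#04x}, not je (0x74): wrong address?")
    disp = code[offset + 1]
    if mode == "always":
        new = bytes([JMP_REL8, disp])
    elif mode == "never":
        new = bytes([NOP, NOP])
    elif mode == "invert":
        new = bytes([JNE_REL8, disp])
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return code[:offset] + new + code[offset + 2:]

def goes_to_even_block(code: bytes, offset: int, edi: int) -> bool:
    """Emulate just the (possibly patched) branch: is the 'even' block reached?"""
    op = code[offset]
    if op == JMP_REL8:
        return True
    if op == JE_REL8:
        return edi == 0
    if op == JNE_REL8:
        return edi != 0
    return False   # two NOPs: fall through into the odd block

if __name__ == "__main__":
    patched = patch_branch(SAMPLE_CODE, JE_OFFSET)
    print(patched[JE_OFFSET:JE_OFFSET + 2].hex())            # eb0c
    print(goes_to_even_block(patched, JE_OFFSET, edi=33 & 1))  # True: 33 now reported even
```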

Bring up the CLI again (Shift + :) and type dc to continue execution. Look at that: it tells us that it is a factor, meaning our modification worked.

Image1
