I always thought that the more one prepares for a youtube video the better it gets. But this mix of exploration and tutorial felt good. To see how and where you get your information from and how you play around was interesting.
When importing a file into ghidra you have to import it as a “raw binary” and not an ELF if you want to patch. It’s also important to note you have to specify the compiler that was used to compile the file when doing this.
However, when importing as a raw binary you lose all debug symbols, so here’s what I suggest: Import the binary as an ELF to figure out what you want to do, then once you know what you need to patch, import the file again as a “raw binary” and specify the compiler used (I normally default guess gcc 64 bit). Ghidra provides tabs for multiple files so you can navigate back and forth to determine what you need to patch, because in some cases it can be quite difficult to find w/o debug symbols.
Nice now I finally know how to "fix" the bug in fl studio that prevents me from loading saved project files.
funny to see some FL Studio users here :D i actually thought about patching it for some new functionality (especially bulk exporting, or some sort of headless mode to export)
@Z Box he's joking. He's actually talking about the the trial limitation.
@TheGuy probably doesn't want a virus
@@josephsagotti8786 you can disassemble it and check for viruses! :D
Helpful tip for vim. If you type shift R instead of i, you will go into replace mode which will do all modification in place by default.
I came here to say that. Also regex search "/75 *0e"
CI should work too, wouldn't it?
If you hit "e" in Binary Ninja it also has an in-line edit like a Ghidra's. It doesn't show a preview the way Ghidra does, but it will automatically pad out a shorter instruction using the appropriate number of nops for you.
I was getting stale learning higher level languages but then I found your binary series and now I’m in a new world of discovery down to the bare metal! Thank you for your informative videos
Just a quick update, better late than never... I just fixed all the usability issues you had while using r2 to patch the binary. It's very useful for me to see other people using it, all the feedback is great! Keep up the good work, your channel is amazing!
To summarize:
- wcf : write-cache-file, works with io.cache, so you can patch in memory and write a new binary with the in-memory applied changes, kind of the export to bin option in ghidra/bn
- pa: with no arguments it prints the help message and suggests to use pd
- wao: now accepts jz and je (as well as jnz/jne aliases)
- wa: suggests solution (reusing generic error msg) when file is not open in rw
Reminds me of a CTF problem I found an unintended solution for - it was a license checker where you were supposed to reverse the decryption algorithm to decrypt an encrypted flag in memory. It used some logic or another to prevent you from using ltrace to just find the answer - but if you patched the ltrace check, you could invert the protection mechanism, so it would ONLY run under ltrace, and then just pull out the flag character by character. Fun times
I'm more surprised about that vim trick tbh
♥ vim
It only really works when you replace chars or append it at the end, it is hard when you want to insert data in the middle of a binary.
@@happygimp0 But in the video he literally shows replacing stuff in the middle. And I also tried it myself, works just fine
@Pal One
Yes, replacing. But you can't add something in the middle of the file or remove it. bvi could do that.
@@happygimp0 I doubt that. That should break the code
Just wanted to say I really enjoyed and appreciated this style of a video. You were able to walk us through your train of thought while re-learning two different tools "live". Which really is the most realistic view for people who are new to exploring reversing tools and methodologies. Thank you and keep 'em coming. Looking forward to seeing some more on the windows side of things.
That pattern matching (AoB aka Array of Bytes, scanning) is extremely useful when making your own cheats and trainers in Cheat Engine. Honestly Cheat engine has taught me more about ASM than anything else. And the tutorial is actually really good.
I patched the binary of a proprietary application to fix a bug where it would crash if it followed a certain codepath. I had to use the program at work, so it crashing was preventing me from doing my job.
Reported
Making one's office space beautiful with rich plants and colors and a certain kind of mind-enhancing light, so you are in your flow and always constantly feeling your healthy bliss.
The vim trick was mind blowing!
Thank you I had such fun following this tutorial. Radare is awesome
Though I understand only a little, and forget soon after watching the video, this patching always fascinates me. I remember using a Windows tool known as OllyDbg to crack Nod32 antivirus back in 2007 as a learning exercise. Would love to see that in a video of yours. Thanks for the video bro!
Awesome work!
Can we get a video about PE executables and basic windows reversing, that would be really helpful!
thanks man!
ua-cam.com/video/utUqAbfURko/v-deo.html
medium.com/@eaugusto/analyzing-mips-windows-ce-pes-with-the-nsa-ghidra-suite-56f3bd1d622d
@@tthtlc i think practical malware analysis is a good book!
Plus they have labs too!
Nice video, as usual. I think adding in just a plain hex editor like 'hexedit' would have been the old-school way. HIEW was the old-school way to do it on Win/DOS before Linux existed.
That is AMAZING work, Man!
That joke was good. Never change radare!
Instead of using Vim's insert mode you could use the replace mode which is triggered by R, or if you only want to replace 1 character r. In insert mode Vim will replace each character as you type it (regardless of how many bytes the character has).
Or just go with nano
Really great video! It also help to compare the different RE tools!
For those (like me!) who are super n00bs, to get the disassembly from gdb, you can run *disassemble main* (or just "disas main") to get the gdb assembler dump.
You'll also want to specify 2 bytes for the examine command (*x/2bx* instead of *x/2x*) otherwise it'll default to 32 bits (maybe 64).
"Oh Radare, ... never change" Lmfao!
Thanks much, this vid was soo helpful
Please continue this series .
Every time you struggle with something I think: "I'm glad that I'm not the only one fighting with some syntax issues"...
Wow!
Your video put a smile on my face!
Greetings from México!
With vim, instead of insert, simply use the replace command (shift R in normal mode) to only replace characters
Easiest way to remove a relative jump is just to replace it with No Operation instructions (opcode 0x90). As it's only 1 byte, it can be used to overwrite any instruction.
Admission: didn't watch complete video before commenting.
I've used olly (windows) to get a licence key. The code that converted email address (and other registration information) to licence key was too complex to decipher quickly, so I just set a breakpoint once everything was calculated and extracted the matching licence key that way (right before the test of entered and calculated licence key) - no modification of binary required and that can be useful for passing virus scans and making sure the hash of the executable still matched. Some executables can self check and verify their own code in an attempt to prevent tampering, they can also decrypt parts of code at run-time, making any kind of bypass quite a bit harder.
Good advice, nops are a very useful opcode for lots of different things.
@@kneesnap1041
0x87 0xc0 xchg eax,eax
to nop 2 bytes :)
Oh man, I remember the first time I cracked a piece of software :D
I used the demo version of Hopper to disassemble it and find the license verification code before the 30 minute timer ran out and patched it by hand in a hex editor (and used my cracked copy of Hopper for newer versions iirc lol)
good memories :^)
First stuff I cracked was using a batch which changed the date before launching so the trial wouldn't expire.
Whoa, I'm just getting into binary exploitation, while following your playlist, and this video was amazing! Nice joke at the end btw...
The ending was awesome :)
Awesome video.
I think it would have been nice if you also mentioned some stuff about compiling the c or cpp file as 32-bit or 64-bit, and also big and little endian.
When I was following your tutorial, the part where you used x/8x actually was reversed in my output.
For example the output of my gdb was "C4 12 75", so I had to search for "75 12 C4" in vim.
This is super helpful, thank you
I understand you can't add bytes in the middle of the file (I guess it could screw up other jumps and function calls), but why can't you add code at the end?
You can.
@@dannyparker5858 So why search for code caves if you could write everything below?
@@filipenicoli_ because that will increase the filesize, which usually is a very easy tell to notice that a file has been tampered with or cause issues if an executable is loaded into limited memory. Also some executables may have size information in their metadata, causing potential issues (like an access violation) if memory outside this region is attempted to be read/executed.
If neither are of concern, you should be good to append!
@@filipenicoli_ You generally shouldn't search for code caves. One case I can think of is maybe you're in memory and for some reason can't/don't want to allocate more memory. At least on Windows there's also a lot more padding in memory.
@@Marenthyu you can also find code that will not be useful after tampering with it and use it as a code cave.
amazing video, learned a lot!
I have a rather complex program done in Borland C++ OWL. When MS changed the help file structure, it introduced the only "bug" in the binary, which could not launch the new format. Could I decompile and recompile the old code with these tools?
Lord Habs mercy. I love this
Ah, changed the T-shirt! Lots of relief
good work dude
Great resource!
You could talk about dynamic analysis with Frida
GDB and Vim are underrated
awesome video, thank you
Nice video man.
Very cool!
You're the best !!!!
Long Long time ago i used softice 😁
Ghidra Export Binary Feature
Note that the Binary export is not broken, it is simply misunderstood. This exporter simply dumps the initialized memory blocks defined within Ghidra in binary form. The blocks are appended sequentially. It was never intended to recreate a loadable/executable binary. While this is certainly a desirable feature, it does not yet exist within Ghidra.
ua-cam.com/video/utUqAbfURko/v-deo.html&ab_channel=0x6d696368
This video shows how to properly IMPORT and EXPORT a file to patch it with Ghidra, but for an EXE file. There is nothing different for ELF, I think.
Okay, so I may have finally understood everything you said in this vid. If you changed the jne to a je/jz, that would result in every key, except the (old) correct one, being accepted?
I was waiting for a long time for this video :)
Amazing work. But how can we patch a binary and insert a call to a function located in a .so library?
Function calls are a little harder because you have to manage register state. Arguments, return values, and local values are all stored in registers most often, when there are registers to spare. It is easier at that level to try to write in C, compile, and inject with a dedicated injection tool.
Now try to patch the binary using curses-based editor hte (sudo apt install ht)... Use F6 -> elf/image to view the linear disassembly.
For simple cracks/projects this should be more efficient than radare or ghidra.
I'm early, keep up the good content
awesome!!!
Amazing content as always!!!
There was a time when I knew how to properly use radare2 without ??? every single command. After just one week of not using radare2 I forgot everything except aaa and q.
How about patching with adding some logic to the binary? I have read about adding new code segment on the end of binary and redirecting code flow there, but never done it myself.
I think that would be a nice addition to this series.
Would it be possible to have some tool that would let you add or remove instructions and then shift binary and also fix all addresses that were shifted?
Every video reminds me I haven't started working on my Ben Eater breadboard computer
I think everyone constantly identifies with LiveOverflow's expressions while using radare2 xd
Please Make a video of Control Flow Integrity and bypassing it. Thank you.
Why there is a sudden jump between 1:48 and 1:49. :)
Nice to see that Ben Eater (inspired) computer on your desk there :D
Hi, can someone explain to me, please: at 3:46 he said, if you want to control where it will jump to then you have to control this byte (0x0e), but then we modified 0x75. What did he mean with 0x0e? Did I get it wrong?
0x0e is the offset where to jump to. 0x75 is the opcode that says “jump if not equal”. So if you want to change the meaning of the opcode you need to change that.
@@LiveOverflow ooh now I see. It makes sense. Thanks for all the tutorials and explanations. Peace.
Will you be on the congress?
love ya
You're on fire in these videos, dude.
Hahahahaha
Nice video.
What's wrong with installing radare2 using the package manager?
Very Outdated
@@LiveOverflow Except for on Termux, that's the only supported way to install it on Android and it's actually updated pretty well iirc.
Can't you just jump to the end and append more bytes in case your opcode needs more bytes than the op you are replacing has to offer?
Hi, can we get the lcm driver of android smartphone with ghidra?
Damn, Binary Ninja looked great until I saw the price tag for any worthwhile edition
I think the patch in ghidra failed because you removed more bytes than you re-added, at least it looked like that to me...
7:03 isn't EB better than 74? As EB is jmp, it will go either way, whether it is correct or not, rather than it having to be wrong
Edit: other than that everything is great I love it
In this case we rather don’t want to jump, thus replace it with NOP.
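Added example, not code from the video or from any commenter: a small Python helper that shows which byte of a short x86 jump does what (the opcode vs. the rel8 offset discussed above), patches `75 0e` to a same-length replacement such as `90 90`, `74 0e` or `EB 0e` without changing the file size, and converts gdb's little-endian `x/4x` words back into the byte order you would search for in a hex editor. The code bytes are constructed sample data, not a real binary.

```python
"""Added example, not from the video or the comments: which byte of a short
x86 jump does what, same-size in-place patching, and gdb word-order conversion.
All byte strings below are constructed sample data, not a real binary."""
import struct

# rel8 short-jump opcodes discussed in the thread (x86/x86-64).
SHORT_JUMPS = {0x74: "je/jz", 0x75: "jne/jnz", 0xEB: "jmp"}
NOP2 = bytes([0x90, 0x90])          # two single-byte nops
XCHG_EAX_EAX = bytes([0x87, 0xC0])  # 2-byte "nop" mentioned in the comments

# Constructed code: cmp eax,ebx ; jne +0x0e ; 14 x nop ; ret
# The jne at offset 2 targets offset 2 + 2 + 0x0e = 18, i.e. the ret.
SAMPLE = bytes.fromhex("39d8750e") + bytes([0x90] * 14) + bytes([0xC3])


def decode_short_jump(code: bytes, off: int):
    """Return (mnemonic, target) for a 2-byte jump at `off`, or None.
    Byte 0 is the opcode (what kind of jump); byte 1 is the signed rel8
    displacement, added to the address of the *next* instruction."""
    if off + 2 > len(code) or code[off] not in SHORT_JUMPS:
        return None
    rel8 = struct.unpack_from("<b", code, off + 1)[0]
    return SHORT_JUMPS[code[off]], off + 2 + rel8


def find_unique(code: bytes, pattern: bytes) -> int:
    """Array-of-bytes scan: offset of `pattern`, but only if it occurs once.
    A non-unique pattern (e.g. '90 90') must be extended with context."""
    first = code.find(pattern)
    if first == -1:
        raise ValueError("pattern not found")
    if code.find(pattern, first + 1) != -1:
        raise ValueError("pattern is not unique; add surrounding bytes")
    return first


def patch_in_place(code: bytes, pattern: bytes, replacement: bytes) -> bytes:
    """Overwrite `pattern` with a same-length `replacement`.
    Keeping the length equal is what keeps every later offset, relative
    jump and call target valid, and leaves the file size unchanged."""
    if len(replacement) != len(pattern):
        raise ValueError("length mismatch; pad a shorter instruction with 0x90")
    off = find_unique(code, pattern)
    out = bytearray(code)
    out[off:off + len(pattern)] = replacement
    return bytes(out)


def gdb_words_to_file_bytes(words, width: int = 4) -> bytes:
    """gdb's `x/Nx` prints little-endian words, so '0x0e75d839' is stored
    on disk as 39 d8 75 0e. This gives the byte order to search for in
    a hex editor or with vim's '/75 *0e'."""
    fmt = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}[width]
    return b"".join(struct.pack(fmt, w) for w in words)


if __name__ == "__main__":
    print(decode_short_jump(SAMPLE, 2))                          # ('jne/jnz', 18)
    nopped = patch_in_place(SAMPLE, b"\x75\x0e", NOP2)           # always falls through
    print(decode_short_jump(nopped, 2), len(nopped) == len(SAMPLE))
    inverted = patch_in_place(SAMPLE, b"\x75\x0e", b"\x74\x0e")  # jne -> je
    print(decode_short_jump(inverted, 2))                        # ('je/jz', 18)
    print(gdb_words_to_file_bytes([0x0e75d839]).hex())           # 39d8750e
```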
'I can't remember anything about Radare every time I use it' I have the same issue with about everything I try to do on a more complex level of IT related things.
You just need to watch out for the patterns in how people implement things. Humans design technology based on their experience with other technology, and once you figure out a few patterns of how things work and are implemented you will be able to learn other things much faster. To learn some of the more complex subjects you will have to try and try again; keep failing and you will learn new things along the way.
What, not gonna use x32dbg ?
Thanks for the movie. Use "-j" with make :)
What's the intro music at 1:19?
The End Is Near - Gunnar Olsen
The part you're referring to is around 1:25 in the song.
@@rattatteb Thanks
A YouTuber with uBlock enabled.
Can it get more ironic than this?
Why do you not use tmux?
And you can use R in vim to replace multiple character in place (like the insert key in other programs).
No space between "if" and open parenthesis... smh
as it should be
don't tell that to anybody in public, you might get beaten up
He had the opening and closing brackets on neither the same horizontal nor the same vertical line; that is much, much worse.
Do you know how many bytes that space costs in a lifetime? Enough to install 3% of visual studio.
It reminds me of 20 years ago when I did it with very plain tools.
When will there be more on the 8-bit computer?
What can you do with this? I'll follow your whole CS course soon.
Crack and patch. You need a background in demoscene chiptunes though to really be effective.
For example patch a program crashing when the business making it has gone under.
Create cheats/trainers for games. If you're more creative - mods. If you're even more creative - port the game to modern platforms without rewriting the game logic by patching all of the IO code. Unavowed, Gynvael and company ported DOS game Syndicate Wars to modern systems that way.
@@d3line That's how I started getting into computers in the late 80's - doing cheats for games on the old 6502 based computers (ATARI 800 at the time). I used to think 48k was a lot of code to go through by hand, that is until you try on a PC (thankfully we've got tools for that nowadays).
I think you just change your T-SHIRT or JACKET and create multiple videos at once and then upload them everyday 😅
Of course
@@LiveOverflow Its actually a good idea :D
It's so well known that engineers and hackers like to wear the same clothes for an extended period. Even multiple of the same item of clothing (stick to what you like in the extreme). There was a sign up on the door of the college computer lab I used to attend, reminding students (of the engineering variety), jokingly, to remember to change their clothes.
@@threeMetreJim I do that too. No one cares what we wear 😂
Bro, I wish I had a brain like yours, I could be earning a fuckin fat salary at my current job
Does this work on Java and C# too, because they're JIT compiled?
No, but you can use ILSpy for C# and WinRAR for Java
Use dnSpy for C# and VB.NET
I haven't used any java bytecode editors but you could use something like jd-gui to decompile to a .java file, edit it using a text editor and recompile using javac (I think, haven't actually tried it)
@@slonkazoid You can't edit anything with ILSpy, only view the code (kind of)
WinRAR? You could even use Explorer to view the files inside of a jar file. You can't edit the code/instructions using a file archiver
Yes, you can hack java bytecodes in much the same way as assembly language, although it is a lot less understandable (for me at least). Also works for Flash (what's that?!!), although quite hard to do.
Ghidra is growing on me, but there's no way to export the patched executable.
Honestly, I'm fine enough patching bytes with a hex editor and using ghidra to figure out what I need to change. This would get pretty gnarly for changing a lot of code though.
@@kneesnap1041 In my case, it probably would be a lot of code.
First time i've seen actual patching. Have used all those tools and didn't know any of those features.. other than strings. LMAO
wow
But can you patch Binary Ninja to use it without paying? :D
would be funny if they told you how to do that at the end of its own manual... like a kind of reward for learning
@@WistrelChianti cool!)
I miss "rad-ah-ray"
A youtuber with ublock enabled.
Irony
Wait, after rewatching this video, I just realized this is how you create a keygen or crack for software. lol
radare2 = command line IDA
I'm disappointed that you can't really patch binaries with Ghidra 😢
don't get the hate towards cutter tbh
OoOooo
Fucking great explanation, thanks!