Skip to content

Bypassing Password-protected Programs with R2 -Easy Binary Patching |Make Software do what You Want!

Posted in VIDEOS

Hello everyone and welcome back
Today Im going to be teaching you how to patch binaries using radare2
What this means is you’ll be able to modify a program to do what you want
For example if you have a program that requires a password you will be able
to overwrite its assembly code to gain access.
These examples are very simple so i’ll try to keep it that way.
So lets get started.

Right here i’ve prepared some files for the video – two of the files are
C code files that i later converted into executables (C CODE DOWN BELOW) and the last one is a crackme which
is intended to be reverse engineered and not patched, but since its a very simple
example i can use it to show you how to make a program do what you want.
And here are the converted C code files in executable format.

I, ofcourse, don’t support solving ctf challenges the wrong way – this is just
for demonstration purposes.

I’ll put the C files on my website so you can compile them yourself using GCC

Before we begin i’ll quickly show you the code of the first 2 files.

First one is just a hello world app – it prints hello world
And second one checks for user’s input – it compares it to the PIN key or the
password – and if its correct it gives us the Flag, if not it says
access blocked.

So anyway, enough introduction, lets get into patching

Firstly lets run the first executable to see what it does and we can see
that it only prints hello world
The second executable asks for our input
and the third one asks for the license key – but we’ll get to those later
Lets first analyze the first one using radare
If we want to analyze it and have the ability to rewrite anything inside of it
we need to run it with a W tag
Once we ran this we need to analyze the executable
for this we will use triple “a” or four “a”s – the more “a”s the deeper the
analysis.
then we can list functions of the program in order to naavigate trough the program
easier. We can see two functions starting with sym. These dont interest us right
now since you usually go for functions that have their own name like “entry” or
“main” or in our case FCN and then the value

We can enter this function by using the “s” tag. “s” stands for “seek” by the way

And now you can see our location has changed, now we are at the address ending
with 11 4D – so the yellow thing is our location, so keep that in mind.

So once we have entered the function we wanna see the code behind it.
Radare doesnt give you the exact code of the program BUT it shows us the assembly code and it is percise enough for us to read it and modify it.

Lets use “v” to view the assembly

I know that this looks confusing now but don’t worry, all you have to look is the left segment with the colored memory addresses and the right part of that segment
where it shows the assembly code. We can use Q to exit out of this view and “v” to go back in.

If i move around using the arrow keys you can see that we have a string variable saying “Hello world”
Since we wanna modify that variable we can click on it and it will lead us to the segment where it is defined
Right here you can see the exact string as well as its length.
If we wanna modify it – the easiest way is to make sure we are at its address – which we can see at the top right corner
as well as left of the string. So the address we wanna be on is the one ending in 2004
Then if we press Q our location should be right on that address – if not just seek to it using “s”
Also a cool hint is you can look for assembly code by using slash “ad” and then writing the assembly code.
Or you could look for strings using slash and then write the string you are looking for
(once outside the view mode ofcourse)

So lets patch this binary – lets modify the string to how we like it.

We can use the “w” command to write what we want.
Also try staying within the length its a good practice.
I’ve used qoutes here which wasnt neccesary but its fine since it works.
Press “q” to exit and run the executable now.
As you can see we modified it! We just patched a binary!


Now let’s get a way more fun example.
So lets run the executable and it asks us for a password or a PIN in order to get the Flag.
lets give it to radare just like we did before with the write parameter
Lets run our analysis as usual – we will use four A’s to get everything
analyzed precisely and AFL to list out functions
As you can guess the function that interests us is the FCN function
since it looks like its the one doing most of the work that isnt tied
to the system actions that usually happen.
we will use s for seek to get to the function we picked.
Then we can navigate to our View mode and you can immidiately see that we
have a string that says You’ve just gained root access – so thats where we want
to end up.
First step in our analysis is looking at the compare function since its the one
comparing our entry to the correct number – the one its looking for
You can see this 0x93651 value which when converted to an integer gives us

  1. This is the password. Ofcourse, just entering this isnt cool enough
    What we wanna do is make the program give us the root access and the flag
    every time we run it.
    So what we will do is we will invert the if statement. This means that program
    checks if the user input matches the password then it will give you root access
    and print out the flag – however if our input is incorrect it will just
    say nice try. What we wanna do is invert the condition – meaning that if we enter
    a WRONG password it will give us root access and the flag, but if we enter
    the RIGHT password it will say nice try.
    Now, you might think that this is hard, right?
    Absolutely not, its really easy.
    Check this out : under the comparison we have the JNE which, if a correct
    value is returned goes to a certain address, and if the other one is returned
    it leads to the other one – meaning our CMP compare line feeds this JNE line.
    At the left side of our addresses you can see these little arrows and where they
    are pointing. Right there you can see it immidiately goes to the “nice try” part.
    Meaning if we invert JNE it will instead lead us to the root part.
    Now, one thing to keep in mind is we shouldnt change the value, just the condition
    Meaning if it was JNE now its going to be JE – which is kinda the opposite.
    So in order to write this we can just press Q to exit View mode.
    Now lets navigate to the address that we wanna modify using seek.

And lets run a command “wa” and after it just write the assembly code.
As i said the value of JNE stays the same, but the condition changes so its gonna be JE.

  • And yes that means that if it was JE you could change it to JNE in most of the scenarios – definitely look into these comparisons tho, they will be useful for you in the future.
  • Here is a little quick explaination about JNE and JE – you can read it if you want to

So now that we’ve patched our binary we can press Q to exit and then run the program.
The program still asks us for a password number and if we enter ANYTHING it should give us root access and the flag…

AND WE ARE IN. That. Was awesome.
We just got our flag and we patched this binary within few minutes.

That was easy enough, right?
Lets move on to the third challenge.
Its very similar to the second one so it should be easy for you to solve.


Lets run our third binary to see whats up.
Right there we can see that it asks us for a license to pass in as a parameter. This doesnt make a huge difference for us, but the program itself might be different to analyze.
As before, lets run it with radare in write mode,
analyze it using four A’s and then display all the functions.
You can already see a few functions more than in the previous one – they are mostly sym (which stands for symbol) functions but the most interesting one for us is obviously “main”.
So lets seek to main and see whats in it.
Press v for the disassembly view as we did before and scroll around to see our comparisons.
You can already see the strings that are used but you will soon also be able to notice that we can just change our JE/JNE value and have the same result we did in the previous program, regardless of the fact that this one is taking in the license key as a parameter. This doesnt bother us since we are changing the checking condition that leads to other functions and prints.

So inputting a wrong license into the program does nothing and returns a message “wrong license code” but in this scenario it isnt as easy as it was in the previous one for us to see what the answer could be. But, as i said – we dont mind.

So we can see that the top here is just the usage,
so we need to move down to where our actual comparisons are. Lets look up a string by using a slash and then the string – which is in our case “Wrong” to find where WRONG LICENSE CODE message is used.
It seems that it didnt really help us to find where the success message is – the one that tells us we won.
But dont worry, all we have to do is print out functions again using afl and then seek (or navigate) to our main.
After looking a little to the right we can see that we have a string that says “PREMIUM ACCESS HAS BEEN ACTIVATED” – meaning this is where we wanna get to.
If we look a little to the left we can see the arrow thing again pointing to the no-access option, we ofcourse wanna invert the condition above it just like we did before. It seems that there are few more comparisons and calls above the condition we want to change but that also doesnt bother us since a simple change of this JNE just like we did before using /wa on the address where it is – should give us our premium access.
And here we go, lets quit and test it out.
We run the program and provide garbage input and BAM we have the premium access. Easy.

So i dont know about you guys but to me this is pretty awesome. This video was about some basics in patching using radare and i hope you understood everything i said, if you are confused about something make sure you leave a comment down below. Also if its not a trouble for you, subscribe to my channel – it takes you a second but it means a bunch to me. If not thats okay.
Anyway so thats it for today I hope you had as much fun as i did – make sure you try this out ill put the code of the first two C files to the website and you can give it a go.

Newfile.c

#include <stdio.h>
int main() {
   printf("Hello, World!");
   return 0;

}

Newfile2.c

#include <stdio.h>
int main() {
    int number;
    printf("Enter an integer: ");
    scanf("%d", &number);

    if  (number == 603729) {
        printf("[+] You've just gained Root access. Flag: CTF{P4TCH1NG_1S_3ASY}");
    }
    else {
        printf("[-] Nice try, Access Blocked.");
    }

    return 0;
}

Compile them with : gcc Newfile.c
and

gcc Newfile2.c

Thank you so much for watching and have a nice day!