Thursday, December 26, 2013

Patching and Code Caves - Reverse Engineering

The previous post, where I solved a reversing challenge, was a good example of a place where I could demonstrate a little bit of patching and also use something called a code cave [Thanks Dns].

Patching a program effectively means changing something in the program so that it behaves a little differently; usually this is a change in control flow. In the CSAW example, there are 3 places we can patch the code. We can change the flow of the code so it always chooses 1 in the first switch-case (40109A) and 3 in the 2nd switch-case (401120), and we can finally NOP the jump out at 401171 so it calls 401000 no matter what.

Here are 3 screen-shots showing the 3 patches.

If you remember, towards the end of the previous blog post, we had to look for the flag inside Olly and the pop-up wouldn't get populated with the flag. The solution that I suggested there was to manually increment the address inside ESI so that it populated the pop-up. There's another, cooler solution called a code cave, which will enable us to automatically increment ESI and cause the message box to be displayed.

Here is a screen-shot of the patch that I use to force the code to jump to a different location, increment ESI, jump back and then call the message box.


This causes the flag to be displayed inside the Message Box itself.
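The three control-flow patches and the code-cave trampoline described above, as an added example rather than code from this post: a small Python script that performs the byte-level edits on a constructed 32-bit code region. The base address 0x401000, the instruction bytes, the hook at 0x401102 and the cave at 0x401180 are all made up for the demo (the CSAW binary's bytes are not reproduced here). It assumes an in-memory view of the code, so for a PE file on disk you would first map each address to its file offset through the section table.

```python
# Added example (not from the original post): byte-level helpers for the three
# kinds of patch the post describes: forcing a conditional jump so one switch
# arm is always taken, NOP-ing a jump out, and installing a code cave that runs
# `inc esi` and jumps back. The image layout, base address and instruction
# bytes below are CONSTRUCTED for the demo; they are not the CSAW binary's.
import struct

NOP = 0x90        # one-byte x86 nop
JMP_REL32 = 0xE9  # jmp rel32 (5 bytes)
JMP_REL8 = 0xEB   # jmp rel8 (2 bytes)
INC_ESI = 0x46    # one-byte `inc esi` in 32-bit mode


def rel32(src, dst):
    """Displacement for a 5-byte E9 jump located at src that lands on dst."""
    disp = dst - (src + 5)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return struct.pack("<i", disp)


def nop_out(image, base, addr, length):
    """Replace `length` bytes at addr with NOPs (the 'NOP the jump out' patch)."""
    off = addr - base
    image[off:off + length] = bytes([NOP]) * length


def force_jump(image, base, addr):
    """Turn a short conditional jump (opcodes 70..7F, rel8) into `jmp rel8`
    so the branch is always taken. The rel8 operand byte is kept as-is."""
    off = addr - base
    if not 0x70 <= image[off] <= 0x7F:
        raise ValueError("no short jcc at %#x" % addr)
    image[off] = JMP_REL8


def install_code_cave(image, base, hook, cave, payload, displaced_len):
    """Overwrite `displaced_len` bytes at `hook` with `jmp cave` (+ NOP padding)
    and lay the cave out as: payload, the displaced original bytes, jmp back.
    Caveat: the displaced bytes must be whole, position-independent
    instructions (no relative call/jmp), or they would need re-encoding."""
    if displaced_len < 5:
        raise ValueError("need at least 5 bytes to fit a jmp rel32")
    hoff, coff = hook - base, cave - base
    displaced = bytes(image[hoff:hoff + displaced_len])
    cave_code = bytearray(payload) + displaced
    # the jmp back sits right after payload+displaced and returns to the first
    # original instruction that was not overwritten by the hook
    jmp_back_at = cave + len(cave_code)
    cave_code += bytes([JMP_REL32]) + rel32(jmp_back_at, hook + displaced_len)
    if any(image[coff:coff + len(cave_code)]):
        raise ValueError("cave region is not empty padding")
    image[coff:coff + len(cave_code)] = cave_code
    image[hoff:hoff + 5] = bytes([JMP_REL32]) + rel32(hook, cave)
    image[hoff + 5:hoff + displaced_len] = bytes([NOP]) * (displaced_len - 5)
    return bytes(cave_code)


def build_demo():
    """Apply all three patches to a constructed 32-bit code region."""
    base = 0x401000
    image = bytearray(0x200)               # zero-filled: plenty of cave space
    # constructed original code (not the challenge's):
    #   401100  74 05              je  short +5      <- force this jump
    #   401102  B8 01 00 00 00     mov eax, 1        <- hook for the cave
    #   401107  75 02              jne short +2      <- NOP this jump out
    image[0x100:0x109] = bytes.fromhex("7405" "B801000000" "7502")

    force_jump(image, base, 0x401100)
    nop_out(image, base, 0x401107, 2)
    cave = install_code_cave(image, base, hook=0x401102, cave=0x401180,
                             payload=bytes([INC_ESI]), displaced_len=5)
    return {
        "jcc": bytes(image[0x100:0x102]),     # EB 05
        "hook": bytes(image[0x102:0x107]),    # E9 79 00 00 00 -> 0x401180
        "nopped": bytes(image[0x107:0x109]),  # 90 90
        "cave": cave,                         # 46, mov eax,1, E9 7C FF FF FF
    }


if __name__ == "__main__":
    for name, code in build_demo().items():
        print("%-6s %s" % (name, code.hex(" ")))
```

The displaced `mov eax, 1` is re-executed inside the cave before the jump back, which is why the hook must overwrite only whole, position-independent instructions: if the five bytes you replace cut into a relative call or jump, the trampoline returns into the middle of an instruction. In a debugger the same edit is done by assembling the `jmp` over the hook and typing the cave bytes into unused padding at the end of the code section.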
