1.5. HELLO, WORLD!
Figure 1.1: Hiew
And we can try to translate our message into Spanish:
Figure 1.2: Hiew
The Spanish text is one byte shorter than the English one, so we also added a 0x0A byte (\n) at the end,
followed by a zero byte.
It works.
What if we want to insert a longer message? There are some zero bytes after the original English text. It's
hard to say whether they can be overwritten: they may be used somewhere in the CRT code, or maybe not. Anyway,
only overwrite them if you really know what you're doing.
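As an added example (not from the book, and not Hiew's or rada.re's own code), here is a small Python routine that does by script what the two sessions do by hand: locate the string, check that the replacement fits inside the original's footprint including its NUL terminator, and pad the rest with zero bytes rather than touching whatever follows. The sample bytes are constructed from the rada.re dump in this section; the function names are hypothetical.

```python
# Constructed sample resembling the start of the .rodata region in the
# rada.re dump: the C string, its terminator, padding, then unrelated data
# (the .eh_frame-like bytes) that must not be overwritten.
RODATA = (b"hello, world\x00\x00\x00\x00"
          b"\x01\x1b\x03\x3b\x30\x00\x00\x00\x05\x00\x00\x00\x1c\xfe\xff\xff")


def find_string(image: bytes, needle: bytes) -> list:
    """Return every offset of needle in image (the scripted form of '/ hello')."""
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def patch_string(image: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Overwrite the NUL-terminated C string `old` at `offset` with `new`.

    The replacement may be shorter or the same length; the freed bytes are
    zero-filled so the string stays terminated and the bytes after the
    original terminator are left exactly as they were.
    """
    if image[offset:offset + len(old)] != old:
        raise ValueError("expected string not found at offset")
    if image[offset + len(old)] != 0:
        raise ValueError("original string is not NUL-terminated at that offset")
    if len(new) > len(old):
        # Going past the original footprint would clobber the following bytes,
        # which may belong to CRT data; refuse instead of guessing.
        raise ValueError("replacement is longer than the original string")
    slot = len(old) + 1                      # string plus its terminator
    patched = new.ljust(slot, b"\x00")       # zero-pad up to the old terminator
    return image[:offset] + patched + image[offset + slot:]


def patch_file(path: str, old: bytes, new: bytes) -> int:
    """Patch every occurrence of `old` in the file at `path`; return hit count."""
    with open(path, "rb") as f:
        image = f.read()
    hits = find_string(image, old)
    for off in hits:
        image = patch_string(image, off, old, new)
    with open(path, "wb") as f:
        f.write(image)
    return len(hits)


if __name__ == "__main__":
    # Same edit as the Spanish version in the text: 11 chars plus '\n'.
    out = patch_string(RODATA, 0, b"hello, world", b"hola, mundo\n")
    print(out[:16])
```

Because the check is against the original string's own length, the routine can never grow the string; a longer message needs a free region of the binary and a relocated pointer, which is a different job from the in-place patch shown here.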
String patching (Linux x64)
Let’s try to patch a Linux x64 executable using rada.re:
Listing 1.20: rada.re session
dennis@bigbox ~/tmp % gcc hw.c
dennis@bigbox ~/tmp % radare2 a.out
-- SHALL WE PLAY A GAME?
[0x00400430]> / hello
Searching 5 bytes from 0x00400000 to 0x00601040: 68 65 6c 6c 6f
Searching 5 bytes in [0x400000-0x601040]
hits: 1
0x004005c4 hit0_0 .HHhello, world;0.
[0x00400430]> s 0x004005c4
[0x004005c4]> px
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x004005c4 6865 6c6c 6f2c 2077 6f72 6c64 0000 0000 hello, world....
0x004005d4 011b 033b 3000 0000 0500 0000 1cfe ffff ...;0...........
0x004005e4 7c00 0000 5cfe ffff 4c00 0000 52ff ffff |......L...R...
0x004005f4 a400 0000 6cff ffff c400 0000 dcff ffff ....l...........