Ghidra 101: Binary Patching

4 years ago Craig Young

In this blog series, I will be putting the spotlight on useful Ghidra features you may have missed. Each post will look at a different feature and show how it helps you save time and be more effective in your reverse engineering workflows. Ghidra is an incredibly powerful tool, but much of this power comes from knowing how to use it effectively.

There are several circumstances where it can be helpful to modify code or data within a compiled program. Sometimes it is necessary to fix a vulnerability or compatibility issue without functional source code or a working build toolchain. This can happen when source code gets lost, systems go out of support, or software firms go out of business. In case you should find yourself in this situation, keep calm and read on to learn how to do this within Ghidra.

Until recently, Ghidra was rather limited in this capability. This changed with the summer 2021 release of Ghidra 10.0, which introduced the ability to export programs in proper executable formats for Windows (PE) and Linux (ELF). Ghidra versions before 10, or executable formats other than PE and ELF, require a raw import and raw export, which is generally far less robust. In this post, I will review a Windows x86 executable, but the general strategy is applicable more broadly, with some nuances for specific platforms and architectures.

Strategies

The first step for preparing a program patch is to gauge the complexity/length of the required patch and identify roughly where it needs to be inserted. If the patch is short enough, it may be possible to directly replace existing code inline. Patches introducing completely new functionality generally cannot be written inline and will require a different strategy. In this scenario, we must locate unused bytes which are loaded from the program file into executable memory space. These code caves are commonly generated when an executable section requires specific byte alignment. Longer patches can be written into a code cave along with appropriate branching instructions to insert the patch code into the right code path.

Let’s take an example to see this process in action. In case you haven’t seen them, MalwareTech has a fun set of reversing and exploitation challenges available online. Each reversing challenge presents an executable which, when executed, will display a message box containing the MD5 sum of a secret flag string. You are expected to recover the flag string using only static analysis techniques, but for this blog, we will be altering and then running the challenge program to directly print the flag. (Don’t worry, it’s not cheating if it is in the name of science, right?)

Shellcode2.exe_

In this post, I will use the shellcode2 challenge, and I encourage readers to follow along and then attempt to repeat the process with a different challenge file. The objective for our patch is to reveal the flag value after it has been decoded by the shellcode and before it has been hashed. Let’s start by looking at how shellcode2.exe_ is structured:

In this snippet, we see local_bc being initialized as an MD5 object, followed by the construction of a stack string. When looking at the end of the entry function, we can see where the flag is hashed and the message box is created:

End of entry()

In this snippet, the MD5 object at local_bc is being referenced to invoke the MD5::digestString() method with the address of local_2c as input. A reference to the resulting hash is stored at local_c0. The instructions from 4023a2-4023b2 pass this value into the MessageBoxA API call with a particular window title and style.

Patching

The first patch we’ll look at changes the arguments to MessageBoxA so that it prints the value at local_2c rather than the value referred to by local_c0. The address of the hash is loaded into EAX with the MOV instruction at 4023a9 and then pushed to the stack as an argument for MessageBoxA. This will need to be patched so that the address of local_2c is pushed instead. The LEA (Load Effective Address) instruction allows us to do just that.

Begin by right-clicking the MOV instruction and selecting Patch Instruction:


The instruction will change to an editable field with autocompletion:


Patch this to be LEA with the operands EAX, [EBP + -0x28] so that EAX receives the address of local_2c:


Note that the use of -0x28 rather than -0x2c as the offset from EBP accounts for the caller's EBP being pushed to the stack before EBP is loaded with the new stack pointer; Ghidra names locals by their offset from the stack pointer at function entry, so every such offset shifts by 4 once the frame pointer is set up. The resulting offset is encoded as its two’s complement, as shown here:

Ghidra 101: Offset is converted to its two’s complement

The program can now be exported from the File -> Export Program menu in PE format. Running the resulting exe file produces our new MessageBoxA:

Ghidra 101: MessageBoxA:
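To make the offset arithmetic and the two’s-complement encoding from the patch above concrete, here is a small added example (my own code, not part of the original post or of Ghidra) that derives the EBP-relative displacement from a Ghidra local name, assembles the LEA/MOV forms, and applies the patch to a constructed byte buffer. It assumes the original MOV at 4023a9 reads local_c0 through an EBP-relative operand (the post does not show its exact encoding) and chooses NOP padding for the shorter replacement so the following instructions keep their addresses, which is a choice of this example rather than something the post describes.

```python
import struct

EAX, EBP = 0, 5   # register numbers as used in the x86-32 ModR/M byte

def ghidra_local_to_ebp_disp(name: str) -> int:
    """Turn a Ghidra 'local_XX' name into an EBP-relative displacement.
    Ghidra names locals by their offset from the stack pointer at entry; the
    prologue pushes the caller's EBP before copying ESP into EBP, so every
    such offset shifts by +4: local_2c is addressed as [EBP - 0x28].
    """
    return -int(name.partition("_")[2], 16) + 4

def encode_disp(disp: int) -> bytes:
    """Two's-complement displacement: one byte if it fits, else four."""
    if -128 <= disp <= 127:
        return struct.pack("<b", disp)   # -0x28 -> d8
    return struct.pack("<i", disp)       # little-endian disp32

def encode_ebp_mem(opcode: int, reg: int, disp: int) -> bytes:
    """Encode 'opcode reg, [EBP + disp]': mod=01 for disp8, mod=10 for disp32."""
    disp_bytes = encode_disp(disp)
    mod = 1 if len(disp_bytes) == 1 else 2
    modrm = (mod << 6) | (reg << 3) | EBP
    return bytes([opcode, modrm]) + disp_bytes

def lea_eax_local(name: str) -> bytes:
    """LEA EAX, [EBP + disp] (opcode 8D): the local's address into EAX."""
    return encode_ebp_mem(0x8D, EAX, ghidra_local_to_ebp_disp(name))

def mov_eax_local(name: str) -> bytes:
    """MOV EAX, [EBP + disp] (opcode 8B): the local's value into EAX."""
    return encode_ebp_mem(0x8B, EAX, ghidra_local_to_ebp_disp(name))

def patch_inline(image: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Replace 'old' at 'offset' with 'new', NOP-padding a shorter patch so
    later instructions keep their addresses; a longer patch is refused
    because it would overwrite the next instruction (code-cave territory)."""
    if image[offset:offset + len(old)] != old:
        raise ValueError("bytes at offset do not match the expected instruction")
    if len(new) > len(old):
        raise ValueError("patch longer than original; use a code cave instead")
    return image[:offset] + new + b"\x90" * (len(old) - len(new)) + image[offset + len(old):]

if __name__ == "__main__":
    old = mov_eax_local("local_c0")   # assumed form of the original MOV
    new = lea_eax_local("local_2c")
    # Constructed sample buffer (not the real file): filler around the MOV.
    image = b"\xcc" * 8 + old + b"\xcc" * 8
    print(old.hex(), "->", patch_inline(image, 8, old, new)[8:14].hex())
```

The six-byte MOV (disp32, because -0xbc does not fit in a signed byte) becomes the three-byte LEA 8D 45 D8, which is why the screenshot shows D8 as the encoded offset.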


The post "Ghidra 101: Binary Patching" appeared first on TripWire.

Source:TripWire – Craig Young
