I would like to start learning reverse engineering.
So I decided to start simple.
I created this simple program:
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        printf("Hello World!\n");
        system("PAUSE");
        return 0;
    }
And I disassembled it in OllyDbg.
So I wanted to try and change the printf output to "World Hello".
But I don’t know what to do now.
Can you guide me, or at least tell me what I should theoretically do?
In this case you'd need to edit the character string that is passed to printf, but first we need to get its address. Looking at the code for the call to printf, we will see something along the lines of this:

So if we go to the address 0x1234567, via Ctrl+G, we would see:

So now you can edit that string to whatever you want, so long as you don't overflow the space available and you keep the null terminator.
Saving the changes depends on how you loaded the binary (either by attaching or just cold viewing). The easiest way is via cold viewing (using Olly purely as a disassembler/assembler). It's accessed via View -> File, then right-clicking and choosing Disassemble from the context menu. In this mode saving is done by right-clicking and selecting Save file from the context menu. In debugger mode (aka when you attach), saving is done by right-clicking and selecting one of the options from the Copy to executable context menu option.

Update
If you are debugging GCC generated code, it generally avoids generating PUSHes and favours putting the variables directly into the stack, using MOV [ESP+c], c/r/m. Compiling your example with GCC, you'd see code similar to (for main):

It's important here to notice that GCC optimized the call to printf into a call to puts. In a case like this where you know the string you are looking for, you can use Olly in debugger mode, right-click and select Search for -> All referenced text strings, then simply select your desired string from the list to find the code using it, or follow its address to find its .data section entry so you can alter it. A longer way to find it is to use the binary search available from the right-click context menu, but this generally is a waste for text strings.

And to cover all bases, let's assume we needed to get to the code from the entry point.
If we were to navigate to the code from the module entry point, we would follow the chain like so:

From here we see the only viable call as GCCOllyT.00401000; following that, we end up here (this is the GCC mainCRTstartup):

Now we know the signature for the call to main takes 3 args, and we also know it will be called before app cleanup and exit, thus we get GCCOllyT.00401AFC. As you can see, it pays heavily to have symbols enabled; this can be done from the disassembly section of the debugging options menu.
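The constraint the answer states for editing the string by hand in OllyDbg (stay within the space the original string occupies and keep the null terminator) is easy to get wrong when patching bytes manually. The following is an added example, not code from the question or the answer, that applies the same rule programmatically: it locates a NUL-terminated string in a byte blob and replaces it in place, padding a shorter replacement with NUL bytes and rejecting a longer one. The SAMPLE_SECTION blob is constructed here to stand in for the data section of the compiled sample program; no real file layout is assumed.

```python
# Patch a NUL-terminated string inside a binary blob in place, following the
# rule from the answer: the replacement must fit in the space the original
# string occupies, and the terminator must be kept.
# Added example, not code from the question or the answer; the byte blob
# below is constructed to stand in for a compiled program's data section.


def find_cstring(blob: bytes, needle: str) -> int:
    """Return the offset of `needle` in `blob` only where it appears as a
    complete NUL-terminated string, or -1 if it does not."""
    pattern = needle.encode("ascii") + b"\x00"
    return blob.find(pattern)


def patch_cstring(blob: bytes, old: str, new: str) -> bytes:
    """Replace `old` with `new` without changing the layout of `blob`.

    The new text is padded with NUL bytes up to the original length, so every
    other offset in the blob (and therefore every address the code references)
    stays valid. A replacement longer than the original is rejected instead of
    silently overflowing into whatever follows the string.
    """
    offset = find_cstring(blob, old)
    if offset < 0:
        raise ValueError(f"string {old!r} not found")
    old_len = len(old)
    if len(new) > old_len:
        raise ValueError(
            f"replacement is {len(new)} bytes but only {old_len} are available"
        )
    # ljust pads with NUL; the original terminator at offset + old_len is kept.
    padded = new.encode("ascii").ljust(old_len, b"\x00")
    return blob[:offset] + padded + blob[offset + old_len:]


# Constructed stand-in for a data section holding the sample program's strings.
SAMPLE_SECTION = b"\x00\x00Hello World!\n\x00PAUSE\x00\x00\x00"


def demo() -> bytes:
    """Swap the greeting for one of identical length, as the question asks."""
    return patch_cstring(SAMPLE_SECTION, "Hello World!\n", "World Hello!\n")


if __name__ == "__main__":
    print(demo())
```

To use this on the actual executable you would read the file's bytes, patch them, and write them back; note that the offset found in the file differs from the virtual address OllyDbg shows, since sections are mapped at different positions in memory than they occupy on disk.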