Proj 9: Patching EXEs with Ollydbg (10 pts + 70 pts extra)

What You Need

Purpose

To practice disassembling and modifying binaries.

9.1: Patching an EXE (15 pts)

Getting the EXE

In the Documents folder of the VM handed out by your instructor, find the 00000.exe file.

Checking the Hash

Click Start. Type HASH and click HashCalc. In HashCalc, make sure the SHA256 box is checked, as shown below.

Click Start, Documents. Drag the 00000.exe file from the Documents folder and drop it onto the HashCalc box.

HashCalc calculates the SHA256 hash of the file. It should match the value shown below.

Running the EXE

Click the black square icon at the lower left of your desktop to open a Command Prompt.

Execute these commands:

cd \users\administrator\documents
00000.exe
It asks for a "Launch code". Enter 1. Your code is wrong, and it insults you, as shown below.

Examining the EXE with Ollydbg

Open the file in OllyDbg, as shown below.

Look at the rightmost section, and you can easily see what the program does; it prints out "Launch codes?", reads in a decimal number (%d), and then chooses to print either a winning message with a result, or an insult.

The choice is performed by two instructions: CMP (Compare) and JNZ (Jump if Not Zero), outlined in green in the image below.

Modifying the EXE

Right-click the CMP instruction and click Assemble, as shown below.

In the Assemble box, enter NOP, as shown below.

Click the Assemble button. Click the Cancel button.

The CMP instruction is replaced by a series of NOPs, as shown below.

Repeat the process to replace the JNZ instruction with NOPs also, as shown below.

Saving the Modified File

In OllyDbg, in the top left pane, right-click and click "Copy to executable", "All modifications", as shown below.

A "Copy selection to executable file?" box pops up. Click the "Copy all" button.

A "File" box appears, as shown below.

Right-click in it and click "Save file".

A "Save file as" box appears. Change the filename to 00000mod.exe, as shown below, and click Save.

Running the Modified File

In a Command Prompt window, execute these commands:
cd \users\administrator\documents
00000mod.exe
It asks for a "Launch code". Enter 1. It accepts the code now, as shown below.

Checking the Hash

Calculate the SHA256 hash of the patched file. It should match the value shown below.

Find the CRC32 hash, which is covered in a green box in the image below. Enter it into the form below.

9.1: Recording Your Success (10 pts)

Use the form below to record your score in Canvas.

Name or Email:
CRC32:

9.2: Patching Three EXEs (10 pts extra)

Getting the EXEs

In the Documents folder of the VM handed out by your instructor, find the 3EXEs.zip file.

Checking the Hash

Calculate the SHA256 hash of the file. It should match the value shown below.

Patch the Files

Patch all 3 files so they will accept any input.

Gather the Results

Run the three patched files. Each one returns a single character as a result. Keep the files in alphabetical order, by filename, like this: If those were the results, the answer would be CAT

The actual results are different, of course.

9.2: Recording Your Success (10 pts extra)

Use the form below to record your score in Canvas.

Name or Email:
Results: 3 Characters like this: CAT

9.3: Patching 19 EXEs (30 pts extra)

Getting the EXEs

In the Documents folder of the VM handed out by your instructor, find the easy.zip file. Unzip it. There are 19 EXEs in it.

Goal

Patch all 19 files, run them, and combine the Results to get a 19-character flag.

Hints

There are hints here.

9.3: Recording Your Success (30 pts extra)

Use the form below to record your score in Canvas.

Name or Email:
Results: 19 Characters like this:
     Impenetrable!Cyber!

9.4: Patching 256 EXEs (30 pts extra)

Getting the EXEs

In the Documents folder of the VM handed out by your instructor, find the 256exes.zip file. Unzip it. There are 256 EXEs in it.

Goal: Gather the Results

Patch all 256 files and run them. Each file will give you one "Result" character. Gather all those characters into a file 256 bytes long.

Calculate the SHA256 hash of that file. It should match the value shown below.

Calculate the CRC32 of that file to win.

9.4: Recording Your Success (30 pts extra)

Use the form below to record your score in Canvas.

Name or Email:
CRC32 hash like this: 07b01710

Credit

This is based on the 67k Challenge from EasyCTF 2017.
Modified 7-12-17 11:35 am
Integrated with Canvas 9-11-18
Form links changed to https 10-9-18