
I have a problem understanding why, after modifying the variable var_4h and passing positively through the jne at 0x000006c3, I still cannot see the message. I use radare2.

In debug mode, just before cmp I use: wv \0x5 @rbp-0x4

┌ 52: main ();
│           ; var uint32_t var_4h @ rbp-0x4
│           0x000006b0      55             push rbp
│           0x000006b1      4889e5         mov rbp, rsp
│           0x000006b4      4883ec10       sub rsp, 0x10
│           0x000006b8      c745fc040000.  mov dword [var_4h], 4
│           0x000006bf      837dfc05       cmp dword [var_4h], 5
│       ┌─< 0x000006c3      7518           jne 0x6dd
│       │   0x000006c5      488d35980000.  lea rsi, qword str.You_win  ; 0x764 ; "You win!"
│       │   0x000006cc      488d3d9a0000.  lea rdi, qword [0x0000076d] ; "%s"
│       │   0x000006d3      b800000000     mov eax, 0
│       │   0x000006d8      e883feffff     call sym.imp.printf
│       │   ; CODE XREF from main @ 0x6c3
│       └─> 0x000006dd      b800000000     mov eax, 0
│           0x000006e2      c9             leave
└           0x000006e3      c3             ret

Can someone help me with this? I have just run out of ideas about what I'm doing wrong.

BTom

1 Answer


To replicate your issue, I created a simple program:

#include <stdio.h>

int main()
{
  int x = 4;
  if (x == 5)
    printf("You win!\n");
  return 0;
}

and then:

[0x7fb00d000c30]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[TOFIX: aaft can't run in debugger mode.ions (aaft)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x7fb00d000c30]> dcu main
Continue until 0x004004b2 using 1 bpsize
hit breakpoint at: 4004b2
[0x004004b2]> pdf
            ; DATA XREF from entry0 @ 0x4003fd
            ;-- rax:
            ;-- rip:
┌ 38: int main (int argc, char **argv, char **envp);
│           ; var int64_t var_4h @ rbp-0x4
│           0x004004b2      55             push rbp
│           0x004004b3      4889e5         mov rbp, rsp
│           0x004004b6      4883ec10       sub rsp, 0x10
│           0x004004ba      c745fc040000.  mov dword [var_4h], 4
│           0x004004c1      837dfc05       cmp dword [var_4h], 5
│       ┌─< 0x004004c5      750a           jne 0x4004d1
│       │   0x004004c7      bf64054000     mov edi, str.You_win        ; 0x400564 ; "You win!"
│       │   0x004004cc      e8dffeffff     call sym.imp.puts           ; int puts(const char *s)
│       └─> 0x004004d1      b800000000     mov eax, 0
│           0x004004d6      c9             leave
└           0x004004d7      c3             ret
[0x004004b2]> dcu 0x004004c1
Continue until 0x004004c1 using 1 bpsize
hit breakpoint at: 4004c1
[0x004004c1]> pf d @ rbp-0x4
0x7ffff4c0021c = 4
[0x004004c1]> wv 5 @rbp-0x4
[0x004004c1]> pf d @ rbp-0x4
0x7ffff4c0021c = 5
[0x004004c1]> dc
You win!

A few things to notice:

  1. Check your write (wv) command.
  2. Also note that the output doesn't show up (in my case) if I don't use \n in the "You win!\n" string (although I don't know the exact reason why this happens).
  3. If you don't have access to the source code, then edit the string and add \n yourself:
>iz
nth paddr      vaddr      len size section type  string
―――――――――――――――――――――――――――――――――――――――――――――――――――――――
0   0x00000564 0x00400564 9   9    .rodata ascii You win!
>w You win!\n @0x00400564

(in write mode, -w). It is not the most elegant way, but it worked in my case.

If you fix this then your program should work fine.

R4444
  • Thank you. I corrected the wv command and did everything the same as you, but the message is still not printed (instead I land in the printf command). Unfortunately, I don't have access to the source code, so I cannot modify it. – BTom May 21 '20 at 15:45
  • I edited my answer – R4444 May 21 '20 at 16:18
  • Thank you. Unfortunately, after the changes and going to debug mode, I got a blank line in return, and in the assembly after \n I got %s – BTom May 22 '20 at 16:55
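
The last comment above reports "%s" appearing right after the patched \n. In the asker's listing str.You_win sits at 0x764 and the "%s" literal at 0x76d, nine bytes apart, so "You win!" plus its NUL terminator fills the gap exactly; writing the nine bytes of `You win!\n` with `w` overwrites that terminator and the string runs straight into "%s". The check below is an added example, not code from the thread: it models the `w` patch on constructed .rodata bytes (labelled as constructed) and only allows the append when NUL padding after the terminator can absorb the extra byte.

```python
# Constructed .rodata fragments modelled on the thread. RODATA_TIGHT mirrors
# the asker's binary: "You win!" and "%s" are adjacent with no slack between
# them. RODATA_PADDED has NUL padding after the terminator, so an in-place
# append is possible there.
RODATA_TIGHT = b"You win!\x00%s\x00"
RODATA_PADDED = b"You win!\x00\x00\x00%s\x00"


def cstring_at(blob: bytes, off: int) -> bytes:
    """Return the NUL-terminated string starting at off (without the NUL)."""
    end = blob.index(b"\x00", off)
    return blob[off:end]


def raw_write(blob: bytes, off: int, data: bytes) -> bytes:
    """What `w <data> @off` does in r2: overwrite bytes, no terminator care."""
    return blob[:off] + data + blob[off + len(data):]


def can_append_in_place(blob: bytes, off: int, extra: bytes) -> bool:
    """True if `extra` can be appended to the string at `off` without
    clobbering its terminator or the neighbouring string, i.e. there are
    len(extra) spare NUL bytes right after the existing terminator."""
    end = blob.index(b"\x00", off)            # position of the terminator
    slack = blob[end + 1:end + 1 + len(extra)]
    return len(slack) == len(extra) and slack == b"\x00" * len(extra)


def patch_append(blob: bytes, off: int, extra: bytes) -> bytes:
    """Append `extra` to the string at `off`, shifting the terminator into the
    padding; refuse when that would merge it with the next string."""
    if not can_append_in_place(blob, off, extra):
        raise ValueError("no NUL slack after terminator; append would merge "
                         "the string with its neighbour")
    end = blob.index(b"\x00", off)
    return blob[:end] + extra + blob[end + len(extra):]


if __name__ == "__main__":
    # Unchecked write, as in the thread: the string swallows "%s".
    print(cstring_at(raw_write(RODATA_TIGHT, 0, b"You win!\n"), 0))
    # Checked write on the padded layout keeps both strings intact.
    patched = patch_append(RODATA_PADDED, 0, b"\n")
    print(cstring_at(patched, 0), cstring_at(patched, patched.index(b"%s")))
```

When there is no slack, the alternative is to place the new string elsewhere (unused padding or a writable section) and repoint the lea/mov operand at it, rather than extending the literal in place.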