PatchMe No.1 2024 (x86 32-Bit)

[boot]

View File

PatchMe No.1 2024 (x86 32-Bit)

---

PatchMe.exe

MD5: DD4E072F8B5CA241927EAA63DED47383
SHA1: 08F4699C3A84F5E40343CE9A9AD05046EE15D6DD
CRC32: 9A4C0721

PatchMe No.1 2024

Please check the ReadMe.mp4 in the zip package, you'll understand what I mean...
If you have solved this challenge, please make tutorial(s)...  I will mark the answers with tutorials as a solution.

About This Challenge...
 - Author: boot
 - Date: February 10, 2024
 - Difficulty: ★★☆☆☆
 - Architecture: x86 32-Bit
 - From: Tuts4you
 - Platform: >=Win95

---

• Submitter
  boot
• Submitted
  02/11/2024
• Category
  CrackMe

 

[Sean Park - Lovejoy]

@boot 

Quote

First try to use Ring3 mode to modify memory if failure then try to use Ring0 mode to modify memory...

Do you mean using the M$ windbg by saying "Ring0 mode"?

Regards.

sean.

[jackyjask]

You could try the glorious SoftIce 37 years old (wow!) kernel mode debugger if you dare to

 

[Sean Park - Lovejoy]

33 minutes ago, jackyjask said:

You could try the glorious SoftIce 37 years old (wow!) kernel mode debugger if you dare to

 

No joking please.

Regards.

sean.

[jackyjask]

Quote

 

no jokes

Install VM

install win XP

have some fun as a real oldschool hacker

 

dont be tiktok newbee

[dayeya4896]

2 minutes ago, jackyjask said:

不开玩笑

安装虚拟机

安装 Win XP

享受真正的老派黑客乐趣

别当新手

Use Amiga computer

[boot]

On 2/11/2024 at 5:57 PM, windowbase said:

Do you mean...

It is theoretically impossible or very difficult for typical debuggers (Olly, xDbg) or patch tools (Baymax, Dup) to modify the memory of "Current Address:", so you need other methods to achieve it.

[Sean Park - Lovejoy]

3 minutes ago, boot said:

It is theoretically impossible or very difficult for typical debuggers (Olly, xDbg) or patch tools (Baymax, Dup) to modify the memory of "Current Address:", so you need other methods to achieve it.

Hmm. so you say Ring0 debugger. I see.

Regards.

sean.

[boot]

I provide some tips: typical Ring3 methods cannot directly solve this challenge. Therefore, you can try coding kernel drivers to modify memory and solve this challenge.

[TRISTAN Pro]

5 hours ago, boot said:

I provide some tips: typical Ring3 methods cannot directly solve this challenge. Therefore, you can try coding kernel drivers to modify memory and solve this challenge.

Nice trick 

May be I will analyse when I have free times and it seems very good.RWE>R_E.

[HostageOfCode]

Just hooked NtReadVirtualMemory and changed the first byte to 0x00 and it gives success.

[boot]

43 minutes ago, HostageOfCode said:

Just hooked NtReadVirtualMemory and changed the first byte to 0x00 and it gives success.

This is an indirect method. But what if you run the program directly, wait for it to start completely, and then modify the memory of "Current Address"? In other words, run the program first, and then try to directly modify the memory.

e.g.

Edited February 21 by boot

[HostageOfCode]

Tried but it does not let me to change the page protection. Tried to hook NtProtectVirtualMemory but it is too hard this way... I saw that you create and load a second shadow ntdll.dll that redirects some of the ntdll api to the vmp section of the patchme. Clever trick