boot Posted February 10 Share Posted February 10 View File PatchMe No.1 2024 (x86 32-Bit) PatchMe.exe MD5: DD4E072F8B5CA241927EAA63DED47383 SHA1: 08F4699C3A84F5E40343CE9A9AD05046EE15D6DD CRC32: 9A4C0721 PatchMe No.1 2024 Please check the ReadMe.mp4 in the zip package, you'll understand what I mean... If you have solved this challenge, please make tutorial(s)... I will mark the answers with tutorials as a solution. About This Challenge... - Author: boot - Date: February 10, 2024 - Difficulty: ★★☆☆☆ - Architecture: x86 32-Bit - From: Tuts4you - Platform: >=Win95 Submitter boot Submitted 02/11/2024 Category CrackMe Link to comment Share on other sites More sharing options...
The Binary Expert Posted February 11 Share Posted February 11 @boot Quote First try to use Ring3 mode to modify memory if failure then try to use Ring0 mode to modify memory... Do you mean using the M$ windbg by saying "Ring0 mode"? Regards. sean. Link to comment Share on other sites More sharing options...
jackyjask Posted February 11 Share Posted February 11 You could try the glorious SoftIce 37 years old (wow!) kernel mode debugger if you dare to Link to comment Share on other sites More sharing options...
The Binary Expert Posted February 11 Share Posted February 11 33 minutes ago, jackyjask said: You could try the glorious SoftIce 37 years old (wow!) kernel mode debugger if you dare to No joking please. Regards. sean. 1 Link to comment Share on other sites More sharing options...
jackyjask Posted February 11 Share Posted February 11 Quote no jokes Install VM install win XP have some fun as a real oldschool hacker dont be tiktok newbee Link to comment Share on other sites More sharing options...
dayeya4896 Posted February 11 Share Posted February 11 2 minutes ago, jackyjask said: 不开玩笑 安装虚拟机 安装 Win XP 享受真正的老派黑客乐趣 别当新手 Use Amiga computer Link to comment Share on other sites More sharing options...
boot Posted February 14 Author Share Posted February 14 On 2/11/2024 at 5:57 PM, windowbase said: Do you mean... It is theoretically impossible or very difficult for typical debuggers (Olly, xDbg) or patch tools (Baymax, Dup) to modify the memory of "Current Address:", so you need other methods to achieve it. 1 Link to comment Share on other sites More sharing options...
The Binary Expert Posted February 14 Share Posted February 14 3 minutes ago, boot said: It is theoretically impossible or very difficult for typical debuggers (Olly, xDbg) or patch tools (Baymax, Dup) to modify the memory of "Current Address:", so you need other methods to achieve it. Hmm. so you say Ring0 debugger. I see. Regards. sean. Link to comment Share on other sites More sharing options...
boot Posted February 21 Author Share Posted February 21 I provide some tips: typical Ring3 methods cannot directly solve this challenge. Therefore, you can try coding kernel drivers to modify memory and solve this challenge. 1 Link to comment Share on other sites More sharing options...
TRISTAN Pro Posted February 21 Share Posted February 21 5 hours ago, boot said: I provide some tips: typical Ring3 methods cannot directly solve this challenge. Therefore, you can try coding kernel drivers to modify memory and solve this challenge. Nice trick May be I will analyse when I have free times and it seems very good.RWE>R_E. Link to comment Share on other sites More sharing options...
HostageOfCode Posted February 21 Share Posted February 21 Just hooked NtReadVirtualMemory and changed the first byte to 0x00 and it gives success. 2 Link to comment Share on other sites More sharing options...
boot Posted February 21 Author Share Posted February 21 (edited) 43 minutes ago, HostageOfCode said: Just hooked NtReadVirtualMemory and changed the first byte to 0x00 and it gives success. This is an indirect method. But what if you run the program directly, wait for it to start completely, and then modify the memory of "Current Address"? In other words, run the program first, and then try to directly modify the memory. e.g. Video_2024-02-21_190859.mp4 Edited February 21 by boot 2 Link to comment Share on other sites More sharing options...
HostageOfCode Posted February 21 Share Posted February 21 Tried but it does not let me to change the page protection. Tried to hook NtProtectVirtualMemory but it is too hard this way... I saw that you create and load a second shadow ntdll.dll that redirects some of the ntdll api to the vmp section of the patchme. Clever trick 2 Link to comment Share on other sites More sharing options...
Solution TeRcO Posted yesterday at 12:59 AM Solution Share Posted yesterday at 12:59 AM i used an old tool 😁 PatchMe_PROCESS_WRITE_by_terco.txt 3 2 Link to comment Share on other sites More sharing options...
jackyjask Posted 15 hours ago Share Posted 15 hours ago Amazing stuff! it is your own build of old good Olly? 1 Link to comment Share on other sites More sharing options...
TeRcO Posted 13 hours ago Share Posted 13 hours ago 1 hour ago, jackyjask said: it is your own build of old good Olly? yes.... 😉 old but Gold 1 Link to comment Share on other sites More sharing options...
boot Posted 13 hours ago Author Share Posted 13 hours ago Hi. I never expected this challenge to be solved by using IceSword before. If it is a 64-bit PatchMe, can it still be solved by using IceSword? 1 Link to comment Share on other sites More sharing options...
boot Posted 13 hours ago Author Share Posted 13 hours ago 39 minutes ago, boot said: 64-bit PatchMe... PatchMe64.zip 1 Link to comment Share on other sites More sharing options...
TRISTAN Pro Posted 12 hours ago Share Posted 12 hours ago 19 minutes ago, boot said: PatchMe64.zip 4.58 MB · 0 downloads Why need after allocate memory calling ReadProcessMemory and GetThreadId everytimes to make the memory unwritable? 1 Link to comment Share on other sites More sharing options...
The Binary Expert Posted 11 hours ago Share Posted 11 hours ago 1 hour ago, boot said: PatchMe64.zip 4.58 MB · 2 downloads In x64 bit OS, the icesword doesn't run. Regards. sean. Link to comment Share on other sites More sharing options...
freddy Posted 5 hours ago Share Posted 5 hours ago 7 hours ago, boot said: PatchMe64.zip 4.58 MB · 3 downloads Is there a way of contacting you privately to discuss something? Freddy, Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now