This challenge was actually a re-release of the original challenge "Patch Tuesday", which the author accidentally left the flag in the original binary. This version is more interesting and is an example of using revenge to apply a Windows patch.

 

I didn't actually complete this one during the contest, though I was close. The biggest part of this challenge was the lack of documentation about the file formats and how they should be applied. As you will see, it's actually fairly easy.

 

For this challenge, we were provided two files. One was win32k.patched.sys (the actual driver didn't really matter, they just needed something to patch), and "patch-tuesday" which was the patch. The hint for this was effectively telling us that this is a legitimate Microsoft patch type and is of the same variety that Microsoft uses when they update your machines on Patch Tuesday (the monthly Microsoft patch day). But... what is that?

 

Here's a hex dump from the patch file

 

00000000: 893e bc88 5041 3330 a010 0742 c49c d501  .>..PA30...B....
00000010: 1823 4000 33c4 0140 2100 ad75 d72a f0c9  .#@.3..@!..u.*..
00000020: ad39 1678 34e8 349d b178 01ca 00b2 0300  .9.x4.4..x......
00000030: 00aa 0740 4287 4855 9f8e 1ab0 1872 1f91  This email address is being protected from spambots. You need JavaScript enabled to view it......r..
00000040: e54f 43f9 192e fba0 6a47 7d44 1a49 3a03  .OC.....jG}D.I:.
00000050: c87c 2423 1580 a4b9 49ab 1d00 8041 23    .|$#....I....A#

 

After doing some googling, I discovered the "PA30" is a header designation for a Delta Compression Patch type. Further digging on this type lead me to pretty much the only documentation I could find on this on the internet: https://docs.microsoft.com/en-us/previous-versions/bb417345(v=msdn.10). Note, this page is about Delta Compression itself but doesn't speak directly to how Patch Tuesday patches are applied.

 

I'd recommend reading the page for the technical details, but the short of it is that Microsoft has utilized differential patches for a long time in order to save bandwidth when updating. However, these patches can actually be generated and applied by anyone through their PatchAPI (legacy) and MSDelta APIs. I couldn't actually find a reference in there to how PA30 works, however if you read the documentation about "ApplyDeltaA", it notes an optional flag to allow legacy PatchAPI using the flag DELTA_APPLY_FLAG_ALLOW_PA19. Thus, my guess (haven't actually confirmed this), is that PatchAPI probably stopped with PA19, and beyond that is MSDelta type patching. As it happens, that's irrelevant since MSDelta does expose support to apply both PatchAPI and MSDelta patches with the same command.

 

This was the point that got me stuck, unfortunately. As it turns out, Patch Tuesday patches apparently come with a checksum at the beginning on the patch. If someone wants to point me to documentation on that, it'd be great, but the short is that you cannot directly apply the patch to this sys file. Instead, you must strip off the first 4 bytes of the patch file (theoretically validating that the checksum is correct), then you can apply it.

 

I was able to find some articles that discussed compiling your own version of "patcha" (patch apply) to apply a patch. However, this is where revenge comes in handy. With revenge, it's pretty simple to run native API commands. For conciseness, I'm simply including comments in the python example below to walk through the patching process.

 

from revenge import Process

# We need to interact with a process. It doesn't really matter which one. Let's just use calc
p = Process(r"C:\Windows\System32\calc.exe") 

# Since calc doesn't have the required patch library loaded, we need to load it first
p.memory['LoadLibraryA'](r"C:\Windows\System32\mspatcha.dll")

# We can now grab the patch API. We'll use the ApplyDeltaA call. See the documentation linked above for more details
ApplyDeltaA = p.memory["ApplyDeltaA"]

# We will assume here that we already stripped off the first 4 bytes of that file, so that the file now starts with the PA30 header

# Now all we have to do is run the api. The format is:
# ApplyDeltaA(flags, source_file, patch_file, output_file)
# We'll use the value 1 for flags to enable PatchAPI compatability, though that's not necessary here.
ApplyDeltaA(1, r"win32k.patched.sys", r"patch-tuesday", r"out.sys")

# You should see 1 returned from this, indicating success

 

That's all there is to it! You have just successfully patched a file the official Microsoft way. You can use the same method to create patches and play around with those calls.

 

The flag itself was simply in Wchar text in the output binary: RITSEC{NOSERIOUSLYPATCHME}

 

I've uploaded the files here if you wanna try it yourself: https://github.com/bannsec/CTF/tree/master/2019/RITSEC/patch_2sday