If you want to try this challenge, please read the following text descriptions:

1. Please try to debug the kernel driver in the virtual machine instead of your real machine to avoid causing a blue screen on the physical machine
    a. Why blue screen? For things like Ring0.sys, as I mentioned earlier
    b. Copy the Tuts4you.ini file to the C:\Windows\ directory of the virtual machine

2. I have added a test signature to the driver, so to load this driver, you need to enable Windows test mode
    a. Press and hold the "WIN+R" key to launch the CMD console as an administrator, enter bcdedit /set testsigning on
    b. Restart your computer
    c. After restarting, there is a prompt similar to "test mode" on the bottom right corner of the computer, indicating that it has entered test mode

3. If you give up this challenge, you can choose to turn off the testing mode at any time
    a. Press and hold the "WIN+R" key to launch the CMD console as an administrator, enter bcdedit /set testsigning off
    b. Restart your computer
    c. After restarting, there is no prompt similar to "test mode" on the bottom right corner of the computer, indicating that the test mode has been turned off and entered normal mode

4. How to load this driver?
    a. Use DriverMonitor to load this driver
        i) Download DriverMonitor from here
    b. Run Ring3.exe and click on "Open Device"
    c. Use Dbgview to view the corresponding debugging information and whether to output Flags
        i) Download Dbgview from here

5. Please note:

Due to *.sys being protected by VMP, unlike *.exe or *.DLL files:
    a. This means that you cannot directly debug it using x32/x64Dbg or OllyDbg
    b. This means that there is no ready-made script/unpacker or one click cracking tool
    c. This means that you need to manually use windbg for debugging

The ideas you can try are:
    1. Use WinDbg to debug the virtual machine
    2. Patch HWID -> Allowed! You can try to do this
    3. Unpack this kernel driver -> Allowed! You can try to do this

Verify if this challenge has been resolved:
    1. Provide me with the content of Flag1 and Flag2
    2. After patching HWID or unpacking, ensure that the driver's image or dump file can be loaded, and remove VMP protections, which can directly output Flags

If you have already solved this challenge, please create tutorial(s). :)

boot @ Tuts4you

-------------------------------------------------------------------------------------------------------
Reminder:
1. Please do not try on the physical machine, please be sure to try on the virtual machine.
2. Turn on testing mode and restart the virtual machine.
3. Copy Tuts4you.ini to the "C:\Windows\" folder.
4. Operate according to my video.

HWID:
MBuO+WUQR1yD1Z5kzvCoPg==

KEY:
efymqVNO+WNtaujmh3fgD9PzzyU0q9awY+iW8MCUdrv2GIObwrRs9v7rfF2sMQiKBAHIkPf5YbrNHIwfsalY1+YKInnRvOxOr8mrMpViwtihBzJNYDv5Bw58XO7zoOTJBHMuihya/doG+jCD6xQhoblVPHrRpL+aRpVAB7Eix9sAQMqkdQpJM6x3EQ27sFazT/HSn2W5j1JQI3BRODLuEfg3KWKdfq2t3fcHqYSuSveWOm7XzUMSagB1pS+eCNd2DuoFACfki3KU1ipibClLVStmIo0GwtYa2OJqAQYoLQRuClSMnc1eSuxYswLlK49aEMNwRCQagVpxciPB+s2BntbIrjvSm/YOKFWmqLL30RPBHgYo3+aIXb0ggJP4Rp0JfhgO0orEYLbvNC3yYhW3vUHxK6IZKsxWNiKGP6bCmB8A6bWn83RP/KQNMrmG9e8k+aI5YXklxkP3PRoNkZnktaerg3Qj5kD7oaxlm/Bf/QGuIz+71hbU9jazbPZEfmbgNnPgfo7vvywdoHnnJcymCppqXFtUoezjPjQZjm4E2FniYRpSDTfziOoL4xszXwBLjMjcyu0QuYuJ2ueG/B8hH3K0PpLjNg2Wy5Er87UU3blWWtF08gm/QSKm92OJrrjUE6yNnqVrNrQ81WX68nbJ/fmNnOMA9uAN+GD3TOlZzbs=

	...
	switch (irpsp->Parameters.DeviceIoControl.IoControlCode)
	{
	case DEVICE_SEND:
		VMProtectBeginUltraLockByKey("");
		PrintCurrentLocalTime();
		DbgPrint(" [ KMDF ] Ring 0 : \r\nFunction - 1\r\n- Congratulations! ...");
		...
		...
		DbgPrint(" [ KMDF ] Ring 0 : Flag1 ...");
		VMProtectEnd();
		break;
	case DEVICE_REC:
		VMProtectBeginUltraLockByKey("");
		PrintCurrentLocalTime();
		DbgPrint(" [ KMDF ] Ring 0 : \r\nFunction - 2\r\n- Congratulations! ...");
		...
		...
		...
		DbgPrint(" [ KMDF ] Ring 0 : Flag2 ...");
		VMProtectEnd();
		break;
	default:
		status = STATUS_INVALID_PARAMETER;
	}

	Irp->IoStatus.Status = status;
	Irp->IoStatus.Information = returnLength;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);
	...
