
Long Timer

Concepts: time lock, patching

About

The Long Timer challenge introduces you to a technique used to prevent dynamic analysis. Malware sometimes operates on a detonation timer, waiting for a certain amount of time to pass before it starts executing any malicious code.

This challenge only has one check and should be easy.

Walkthrough

To start this challenge I run the program to see its behavior. I see a string “Timer: ”, a countdown and nothing else. Open the binary in a disassembler; I’m using IDA.

In IDA I can see that the binary has been stripped of all symbols, so there are no function names and IDA was unable to identify the main function. I was able to find main two different ways: tracing the start function and cross-referencing strings.

Cross referencing strings (easier)

Your disassembler should have a feature to view all the strings in the executable; in IDA you click View > Open Subviews > Strings. Look for any interesting strings and investigate anything that looks like it was user-written.

In this case, when I ran the program initially I saw the string “Timer: ” printed on the screen. Find that string and double-click it; you are now looking at where the string is stored in .rdata. Click on the xref, and that takes you to main, where the string is printed.

Tracing the start function

Your disassembler should be able to find the “start” function, which is the entry point of the program, where execution begins. You can find your way to main from there by tracing function calls.

In IDA there’s only one function call in start, so I go to that address. Usually the start function is followed by compiler-inserted startup code, which is what we see now. You can tell by observing calls to _initterm, SetUnhandledExceptionFilter and _set_invalid_parameter_handler.

We see a good-sized function with a lot of call instructions. Highlight one of the call instructions so the rest of the call instructions stand out, and look for ones that are not surrounded by setup logic like the calls above. Trace into them and see if there’s anything interesting. Look at strings, function calls and code that looks like it was user-written; eventually you’ll find main.

Once you have found main, examine the logic until you have a basic understanding of what is happening. I see a loop, a large counter being decremented by one, and a comparison to zero on each iteration. This looks like our timer check. There are a few ways to bypass it; the simplest is to find the jump-greater (jg) instruction and change it to a jump-less (jl). Save your patches and run.
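To show why flipping that one condition collapses the countdown, here is an added example (not part of the original walkthrough or the challenge binary): a patch helper that rewrites a jg opcode to jl in place, checking it is really a jg first, plus a small model of the decrement-and-compare loop. The byte strings and the counter value are constructed for illustration.

```python
"""Long Timer bypass illustrated: swap the loop's jg back-edge for jl.

Constructed example. The code bytes below are synthetic, not taken from
the challenge binary; only the opcode values are real x86 encodings.
"""

# x86 conditional-jump opcodes: short (rel8) and near (rel32) forms.
JG_SHORT, JL_SHORT = b"\x7f", b"\x7c"
JG_NEAR, JL_NEAR = b"\x0f\x8f", b"\x0f\x8c"


def patch_jg_to_jl(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` with the jg at `offset` rewritten as jl.

    Only the condition opcode changes; the displacement and every other
    byte stay put, so nothing shifts. Refuses to touch anything that is
    not a jg, which is the sanity check to run before writing a patched
    binary back to disk.
    """
    buf = bytearray(code)
    if buf[offset:offset + 1] == JG_SHORT:
        buf[offset:offset + 1] = JL_SHORT
    elif buf[offset:offset + 2] == JG_NEAR:
        buf[offset:offset + 2] = JL_NEAR
    else:
        raise ValueError(f"no jg opcode at offset {offset:#x}")
    return bytes(buf)


def countdown_iterations(counter: int, branch_if_greater: bool) -> int:
    """Model the timer loop: decrement, compare to zero, branch back.

    branch_if_greater=True models the original jg (loop while counter > 0);
    False models the patched jl (loop while counter < 0), which falls
    through on the very first pass for any positive starting counter.
    """
    if counter <= 0:
        raise ValueError("timer loops start from a positive counter")
    iterations = 0
    while True:
        counter -= 1          # dec counter
        iterations += 1
        if branch_if_greater:  # cmp counter, 0 ; jg loop
            take_back_edge = counter > 0
        else:                  # cmp counter, 0 ; jl loop
            take_back_edge = counter < 0
        if not take_back_edge:
            return iterations


if __name__ == "__main__":
    # constructed: dec rax ; cmp rax, 0 ; jg -9 ; ret
    loop = b"\x48\xff\xc8\x48\x83\xf8\x00\x7f\xf7\xc3"
    print(patch_jg_to_jl(loop, 7).hex())
    print(countdown_iterations(1000, True), countdown_iterations(1000, False))
```

The same one-byte change is what you apply in the disassembler's patch view; the model shows the loop count dropping from the full counter to a single pass.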

Wait a few seconds and you’ll see your flag output. Enter it on The Range to complete this challenge.