[CTF Series #2] Windows PE File Reverse Write-up

Objective:
Find out the time and date that can prompt out the MessageBox of the EXE file.

Topic Covered:
1. Microsoft System Function (SystemTime)
2. Find value in memory dump
3. Basic debugging skills with x32 dbg

Procedure:
Run the 32-bit EXE file under a debugger (x32 dbg), then press Run (F9) to reach the entry point of the file. After glance at the code for a while, it can see that there is a call function to GetSystemTime and 5 cmp instructions that compare with some hex value from the register ESI. If all the conditions were fulfilled, a message box will pop out, else it will exit.

Plain View of the Code

Press ‘g’ for to view at the graph mode.

GraphView of the Code

Then, find out what is the GetSystemTime using some google-fu. From the Microsoft documentation, the GetSystenTime function get the current system data and time in UTC time zone. However, the function only contains lpSystemTime parameter that act as a pointer the the SYSTEMTIME to retrieve the current system time and data. Let’s further the investigation into the SYSTEMTIME structure.

GetSystemTime Function From Mircrosoft Documentation

The SYSTEMTIME structure contains all the variable of the time & date element of the system, such as year, month, dayofweek, day, hour, minute, second and milliseconds.

Then, start to convert the value of the hex into decimal form.

Convert the value of the compared hex into decimal

It can guess that 2020 indicates the year, 4 for month , 17 for day since the esi+6, not esi+4 (dayofweek) , 9 for hour in UTC time zone and 0 for minute. Those values are compare with esi, esi+2, esi+6 , esi+8 and esi+A that the base address starts from [40300]. Follow the memory dump and check all the values.

Example of memory dump view

However, i need to change my time zone into the UTC as below.

Time zone in my place :D

Below is the correct time and date in hex form little-endian that can prompt the message box.

Correct time & date in my current System Timeline in memroy dump

Proof of message box:

Yeah!! The message box!!

Hope you guys enjoy it :D

Extra
Jump Not Equal (JNE)
It will continue with the jump instruction if the zero flag not equal to zero (zf !=0), since the cmp instruction will subtract the left value with the right value to determine whether both number are equal (Intel Syntax). It will help in bypass the compare & jump condition.

Example of jne bypass thru Zero Flag (zf)

File Link:
https://github.com/ghoulgy/Samples/raw/master/FindTimeDate.exe
CheckSum MD5: 70c8afde327a1c77cfe193b593176deb
In PowerShell
: Certutil.exe -hashfile <filename> md5

Reference:
https://docs.microsoft.com/en-us/windows/desktop/api/minwinbase/ns-minwinbase-systemtime

https://www.tutorialspoint.com/assembly_programming/assembly_conditions.htm

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store