Tags: reverse_engineering 

Rating:

ReadMe:
> Normal run: qemu-system-i386 pwn.img
>
> Debug run: qemu-system-i386 -s -S pwn.img
>
> Figure out how to bypass Zero Cool's virus and unlock the FLAG, good luck!
>
> Shoutout to Jarkko Turkulainen from F-Secure for the inspiration.

Just a solution:

Booting the image, we are asked for a passphrase.

Type any passphrase, attach OllyDbg to the qemu process, find the typed password in memory and set a hardware breakpoint on its first character.

Switch back to qemu and hit Enter; Olly breaks in the checking routine.

The check is simple: each pair of characters is loaded as one 16-bit word and run through an xor/sub/add chain whose constants differ for every pair, and the result must be zero:
```
045BFC03 0350 0C ADD EDX,DWORD PTR DS:[EAX+C]
045BFC06 0FB732 MOVZX ESI,WORD PTR DS:[EDX]
045BFC09 8BCE MOV ECX,ESI
045BFC0B 66:89CB MOV BX,CX
045BFC0E 8BF3 MOV ESI,EBX
045BFC10 81F6 37130000 XOR ESI,1337
045BFC16 8BCE MOV ECX,ESI
045BFC18 66:89CB MOV BX,CX
045BFC1B 895D 04 MOV DWORD PTR SS:[EBP+4],EBX
045BFC1E BE 75520000 MOV ESI,5275
045BFC23 8975 2C MOV DWORD PTR SS:[EBP+2C],ESI
045BFC26 81EB 75520000 SUB EBX,5275
045BFC2C 895D 28 MOV DWORD PTR SS:[EBP+28],EBX
045BFC2F 0FB7DB MOVZX EBX,BX
045BFC32 BE 0F000000 MOV ESI,0F
045BFC37 8975 34 MOV DWORD PTR SS:[EBP+34],ESI
045BFC3A 85DB TEST EBX,EBX
```

Calculate the correct characters for that pair and repeat until the end of the passphrase.

Correct passphrase: BADF00DCAF3B4B3
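The inversion step above, as an added example that is not part of the original writeup. It re-implements the check for one character pair and solves it by undoing the chain in reverse; the `0x1337` / `0x5275` constants are transcribed from the listing, while the function names, the op-list format and the second block used in the demo are this example's own assumptions (the constants of the later pairs are not shown on the page).

```python
# Solver for the per-pair passphrase check seen in the listing.
# Added example: only the 0x1337 / 0x5275 constants come from the disassembly;
# function names, the op-list format and any extra blocks are assumptions.

MASK16 = 0xFFFF  # the check works on a 16-bit word (MOVZX EBX, BX before TEST)


def check_block(pair: str, ops) -> bool:
    """Re-implement the check for one 2-character block.

    The listing loads two bytes as a little-endian WORD, applies the
    arithmetic chain and passes when the low 16 bits are zero (TEST EBX,EBX).
    """
    word = int.from_bytes(pair.encode("latin-1"), "little")
    for op, k in ops:
        if op == "xor":
            word ^= k
        elif op == "sub":
            word -= k
        elif op == "add":
            word += k
        else:
            raise ValueError(f"unknown op {op!r}")
        word &= MASK16
    return word == 0


def solve_block(ops) -> str:
    """Invert the chain: start from the required result 0 and undo each op in reverse order."""
    word = 0
    for op, k in reversed(ops):
        if op == "xor":
            word ^= k  # xor is its own inverse
        elif op == "sub":
            word += k  # undo SUB with ADD
        elif op == "add":
            word -= k  # undo ADD with SUB
        else:
            raise ValueError(f"unknown op {op!r}")
        word &= MASK16
    # latin-1 never fails to decode; a non-printable result means the ops were mis-transcribed
    return word.to_bytes(2, "little").decode("latin-1")


# Block 1, transcribed from the listing: XOR ESI,1337 then SUB EBX,5275, then TEST.
BLOCK1_OPS = [("xor", 0x1337), ("sub", 0x5275)]


def solve_passphrase(blocks) -> str:
    """Concatenate the solution of every block (one op list per character pair)."""
    return "".join(solve_block(ops) for ops in blocks)


if __name__ == "__main__":
    first = solve_block(BLOCK1_OPS)
    print(first)  # BA, the first two characters of BADF00DCAF3B4B3
    assert check_block(first, BLOCK1_OPS)
```

To finish the challenge the same way, transcribe the constants of each subsequent pair from the debugger into further op lists and feed them all to `solve_passphrase`; the XOR of `0x1337` and `0x5275` is `0x4142`, which in little-endian byte order is exactly the "BA" that opens the passphrase.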

//TMT

![](https://i.imgur.com/J3cFKZa.jpg)