Rating:
The task was based on [coronavirus from teaser](https://ctftime.org/task/18762). The only major modification was that user name was now checked using custom stack-based VM.
### IDA tricks to ease decompiling
#### Stack allocations
Program is using `alloca` extensively and Hex-Rays does not support it flawlesly. I ended up with NOPping out all sequences of `SUB RSP, RAX; MOV RAX, RSP`, it worked nice.
#### x86_64 shadow zone
After patching IDA does not know that SP was modified so some local variables are now stored in "shadow zone" — top 32 bytes on stack, which can be modified by called subfunctions. Hex-Rays skips modifications of those bytes in its analysis and outputs a warning, it all results in red "may be undefined" variables in decompiled view.
This can be fixed by increasing stack frame size since binary uses RBP to work with stack frame, which can be done either by directly increasing a number in `SUB RSP, N` instruction in prolog or by modifying SP change on this instruction in IDA (Alt+K in disasm view) — you need to increase SP diff by 0x20.
### Username check
Stack based VM, reverse engineering involvs usual VM structure reversing, understanding instructions and writing a disassembler, after that virtual program can be understood pretty quickly.
In the end check can be reverse engineered to this username revealing program
```python
import struct
data = bytes.fromhex('BA000000000000008F2EBA0000000000EA75605CBA0000007205A7313D8ABA00DA578C3DB63625B8769F637D65B4DE879F3EFA7A5DE23324EA693482FB2F22CB3F11D0741951652D4F3F73D0136A087D4D95AB8B53EB252F9EBE86F43A75A885ABE9C6EB08CEAF59AB819EEFF89F4CE0D3E9AC79E14DD4D2818B60DB29A4203072554388AD41327CDC0704DEF7B10BD2B2EFD9AA03AAD862AAFD53FBC08155FD')
data = list(struct.unpack('<20Q', data))
data = [0] + data
for i in range(1, len(data)):
t = (data[i] + data[i-1] - (data[i-1] << 6) - (data[i-1] << 16)) % 2**64
print(chr(t ^ 0xFD), end='')
```
### URL structure
In this task following info was sent to server: `<random_string>|<vmdk_first_12_bytes_hex>|<username_xored_hex>|<computer_name_xored_hex>`. Random string can be taken from debugger, first 12 bytes of VMDK file are known `# Disk Descr` (an improvement compared to teaser task where you needed to guess first 12 bytes of MP4 file), xor key was `A!4jvp1n2'0g/(G()`, username `G4D!1-h4T3!V4kCiN3s!` and computer name `WOUHAN-L4B-DC42`.
Final URL to get flag then looks like this `http://coronavirus-the-revenge.insomnihack.ch:61080/C219C0D87DFC4D488433BF90D3F78C8A-19210474324308847031337.php?token=x4KBWsx4vrIqQgKOrh3IwU28UZHy63kHxoIF3bb8TfB|23204469736b204465736372|0615704b475d595a661411311b430441677252156a|166e6122373e1c2206651d236c1c75`