Tags: reverse_engineering
Rating:
ReadMe:
> Normal run: qemu-system-i386 pwn.img
> 
> Debug run: qemu-system-i386 -s -S pwn.img
> 
> Figure out how to bypass Zero Cool's virus and unlock the FLAG, good luck!
> 
> Shoutout to Jarkko Turkulainen from F-Secure for the inspiration.
just a solution:
Booting the image, it asks us for a passphrase.
Type any passphrase, attach qemu in OllyDbg, find the typed password in memory and set a hardware breakpoint (HWBP) on the first character of the password.
Back in qemu, hit Enter; Olly will stop at the checking routine.
It is a simple check using xor/sub/add (a different combination for each pair of characters):
```
045BFC03     0350 0C                ADD EDX,DWORD PTR DS:[EAX+C]
045BFC06     0FB732                 MOVZX ESI,WORD PTR DS:[EDX]
045BFC09     8BCE                   MOV ECX,ESI
045BFC0B     66:89CB                MOV BX,CX
045BFC0E     8BF3                   MOV ESI,EBX
045BFC10     81F6 37130000          XOR ESI,1337
045BFC16     8BCE                   MOV ECX,ESI
045BFC18     66:89CB                MOV BX,CX
045BFC1B     895D 04                MOV DWORD PTR SS:[EBP+4],EBX
045BFC1E     BE 75520000            MOV ESI,5275
045BFC23     8975 2C                MOV DWORD PTR SS:[EBP+2C],ESI
045BFC26     81EB 75520000          SUB EBX,5275
045BFC2C     895D 28                MOV DWORD PTR SS:[EBP+28],EBX
045BFC2F     0FB7DB                 MOVZX EBX,BX
045BFC32     BE 0F000000            MOV ESI,0F
045BFC37     8975 34                MOV DWORD PTR SS:[EBP+34],ESI
045BFC3A     85DB                   TEST EBX,EBX
```
Calculate the correct characters for each pair and repeat until the end of the passphrase.
Correct passphrase: BADF00DCAF3B4B3
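The inversion step for one pair, as an added Python example (not part of the original writeup or the challenge). It models a chunk check as a list of xor/sub/add operations on the 16-bit little-endian word loaded by `MOVZX ESI, WORD PTR [EDX]`, with the chunk accepted when the result is zero (`TEST EBX,EBX`). The only constants taken from the listing are the first chunk's XOR 0x1337 and SUB 0x5275; the op-list format, the function names and the `("add", 0xB9BC)` constraint used in the usage comments are my own constructions, not values from the binary.

```python
import struct

# One op per instruction in a chunk check: ("xor"|"sub"|"add", 16-bit immediate).
# The binary keeps the value in BX, so everything is reduced mod 2**16.
MASK = 0xFFFF


def apply_ops(word, ops):
    """Forward direction: mirrors what the binary does to one 16-bit word."""
    for op, imm in ops:
        if op == "xor":
            word ^= imm
        elif op == "sub":
            word = (word - imm) & MASK
        elif op == "add":
            word = (word + imm) & MASK
        else:
            raise ValueError(f"unknown op {op!r}")
    return word


def invert_ops(target, ops):
    """Walk the op list backwards, undoing each step (xor is self-inverse, sub <-> add)."""
    word = target
    for op, imm in reversed(ops):
        if op == "xor":
            word ^= imm
        elif op == "sub":
            word = (word + imm) & MASK
        elif op == "add":
            word = (word - imm) & MASK
        else:
            raise ValueError(f"unknown op {op!r}")
    return word


def recover_chunk(ops):
    """Return the two characters that make this chunk's check end in zero."""
    word = invert_ops(0, ops)
    # "<H" reproduces the little-endian load: low byte is the first character.
    return struct.pack("<H", word).decode("latin-1")


def brute_force_chunk(ops):
    """Cross-check: every op is a bijection on 16-bit words, so exactly one word maps to 0."""
    hits = [w for w in range(0x10000) if apply_ops(w, ops) == 0]
    assert len(hits) == 1
    return struct.pack("<H", hits[0]).decode("latin-1")


def check_passphrase(passphrase, chunk_ops):
    """Re-implementation of the checking loop: one op list per 2-byte chunk.

    An odd-length passphrase is NUL-padded so the last word still has two bytes.
    """
    data = passphrase.encode("latin-1")
    if len(data) % 2:
        data += b"\0"
    words = struct.unpack(f"<{len(data) // 2}H", data)
    if len(words) != len(chunk_ops):
        return False
    return all(apply_ops(w, ops) == 0 for w, ops in zip(words, chunk_ops))


# First chunk, read straight from the listing: XOR 0x1337, then SUB 0x5275.
CHUNK1_OPS = [("xor", 0x1337), ("sub", 0x5275)]

if __name__ == "__main__":
    print(recover_chunk(CHUNK1_OPS))      # BA
    print(brute_force_chunk(CHUNK1_OPS))  # BA
    # Constructed example of an add-style chunk (not from the binary):
    # 0x4644 + 0xB9BC wraps to 0, and 0x4644 little-endian is "DF".
    print(recover_chunk([("add", 0xB9BC)]))  # DF
```

Each subsequent chunk is handled the same way: read its constants off the next copy of the routine, build the op list, and call `recover_chunk`; `check_passphrase` then lets you confirm the assembled string against all chunks without going back to the debugger.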
//TMT