Sebastian's Blog

software developer. security enthusiast.

HACKvent 2019

HV19.16 B0rked Calculator

Sebastian
Challenge Description

After poking around with Ghidra, I found the part that checks the input and calls the responsible math function (all of which are nop). I used Ghidra's rename feature to rename these functions. Searching for references to these functions shows that they are also called in another part of the program. That part calculates a string and then displays it in the window.

        0040151d 68 70 a0        PUSH       0x1762a070
                 62 17
        00401522 68 d8 b5        PUSH       0x21ceb5d8
                 ce 21
        00401527 e8 8a 00        CALL       add                                              undefined4 add(undefined param_1
                 00 00
        0040152c a3 a0 20        MOV        [DAT_004020a0],param_1
                 40 00
        00401531 68 98 76        PUSH       0x38b57698
                 b5 38
        00401536 68 13 b9        PUSH       0xaae5b913
                 e5 aa
        0040153b e8 84 00        CALL       sub                                              undefined sub(undefined param_1,
                 00 00
        00401540 a3 a4 20        MOV        [DAT_004020a4],param_1
                 40 00
        00401545 6a 02           PUSH       0x2
        00401547 68 d6 ca        PUSH       0xbec8cad6
                 c8 be
        0040154c e8 93 00        CALL       div                                              undefined div(void)
                 00 00
        00401551 a3 a8 20        MOV        [DAT_004020a8],param_1
                 40 00
        00401556 6a 02           PUSH       0x2
        00401558 68 23 b6        PUSH       0x33b0b623
                 b0 33
        0040155d e8 72 00        CALL       mul                                              undefined mul(void)
                 00 00
        00401562 a3 ac 20        MOV        [DAT_004020ac],param_1
                 40 00
        00401567 68 1a 76        PUSH       0x53bd761a
                 bd 53
        0040156c 68 45 cd        PUSH       0x18a3cd45
                 a3 18
        00401571 e8 40 00        CALL       add                                              undefined4 add(undefined param_1
                 00 00
        00401576 a3 b0 20        MOV        [DAT_004020b0],param_1
                 40 00
        0040157b 68 f4 20        PUSH       0x46c920f4
                 c9 46
        00401580 68 57 96        PUSH       0xa8359657
                 35 a8
        00401585 e8 3a 00        CALL       sub                                              undefined sub(undefined param_1,
                 00 00
        0040158a a3 b4 20        MOV        [DAT_004020b4],param_1
                 40 00
        0040158f 6a 04           PUSH       0x4
        00401591 68 1d 8c        PUSH       0x1f5c8c1d
                 5c 1f
        00401596 e8 39 00        CALL       mul                                              undefined mul(void)
                 00 00
        0040159b a3 b8 20        MOV        [DAT_004020b8],param_1
                 40 00
        004015a0 68 a0 20        PUSH       DAT_004020a0
                 40 00
        004015a5 68 e8 03        PUSH       0x3e8
                 00 00
        004015aa ff 75 08        PUSH       dword ptr [EBP + param_4]
        004015ad e8 42 01        CALL       SetDlgItemTextA                                  BOOL SetDlgItemTextA(HWND hDlg, 
                 00 00
        004015b2 c9              LEAVE
        004015b3 c2 04 00        RET        0x4

I wrote a small Python script which performs the removed operations.

# Each helper takes its operands in push order: x is pushed first, y second.
def add(x, y):
    return (y + x) & 0xFFFFFFFF  # results are 32-bit register values

def sub(x, y):
    return (y - x) & 0xFFFFFFFF

def mul(x, y):
    return (y * x) & 0xFFFFFFFF

def div(x, y):
    return y // x  # integer division, no float round-trip

def out(x):
    # The dword is stored little-endian, so its lowest byte is the first character.
    print(x.to_bytes(4, 'little').decode('ascii'), end='')

_DAT_004020a0 = add(0x1762a070, 0x21ceb5d8)
out(_DAT_004020a0)
_DAT_004020a4 = sub(0x38b57698, 0xaae5b913)
out(_DAT_004020a4)
_DAT_004020a8 = div(0x2, 0xbec8cad6)
out(_DAT_004020a8)
_DAT_004020ac = mul(0x2, 0x33b0b623)
out(_DAT_004020ac)
_DAT_004020b0 = add(0x53bd761a, 0x18a3cd45)
out(_DAT_004020b0)
_DAT_004020b4 = sub(0x46c920f4, 0xa8359657)
out(_DAT_004020b4)
_DAT_004020b8 = mul(0x4, 0x1f5c8c1d)
out(_DAT_004020b8)

This prints the flag, which is HV19{B0rked_Flag_Calculat0r}.
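As an added example (not part of the original post or the challenge binary): rather than copying constants by hand, the script below replays the PUSH/CALL/MOV sequence straight from the Ghidra listing, keeps each result to 32 bits and stores it little-endian at its DAT_ address, which is how the buffer passed to SetDlgItemTextA ends up holding text. The sample listing is constructed from the first four groups above; the names `recover`, `OPS` and `INSN` and the choice of unsigned division are assumptions.

```python
import re
import struct

# Constructed sample: first four PUSH/PUSH/CALL/MOV groups of the listing,
# reduced to address, mnemonic and operand (byte columns stripped).
LISTING = """
0040151d PUSH 0x1762a070
00401522 PUSH 0x21ceb5d8
00401527 CALL add
0040152c MOV [DAT_004020a0],param_1
00401531 PUSH 0x38b57698
00401536 PUSH 0xaae5b913
0040153b CALL sub
00401540 MOV [DAT_004020a4],param_1
00401545 PUSH 0x2
00401547 PUSH 0xbec8cad6
0040154c CALL div
00401551 MOV [DAT_004020a8],param_1
00401556 PUSH 0x2
00401558 PUSH 0x33b0b623
0040155d CALL mul
00401562 MOV [DAT_004020ac],param_1
"""

MASK = 0xFFFFFFFF  # results are 32-bit register values
# a is the value pushed last, b the one pushed before it. Unsigned division
# is an assumption, matching the script above.
OPS = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b,
       "mul": lambda a, b: a * b, "div": lambda a, b: a // b}
INSN = re.compile(r"\b(PUSH|CALL|MOV)\s+(\S+)")

def recover(listing):
    """Replay the stubbed-out calls; return the bytes written to DAT_*."""
    stack, result, memory = [], 0, {}
    for mnemonic, operand in INSN.findall(listing):
        if mnemonic == "PUSH" and operand.startswith("0x"):
            stack.append(int(operand, 16))
        elif mnemonic == "CALL" and operand in OPS:
            a, b = stack.pop(), stack.pop()
            result = OPS[operand](a, b) & MASK
        elif mnemonic == "MOV" and operand.startswith("[DAT_"):
            # Store the dword little-endian at its data address.
            memory[int(operand[5:13], 16)] = struct.pack("<I", result)
    return b"".join(memory[addr] for addr in sorted(memory))

if __name__ == "__main__":
    print(recover(LISTING).decode("ascii"))
```

Because the regex only looks for the mnemonic and its operand, the opcode-byte continuation lines of a raw Ghidra export are skipped without extra handling.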
