The task gave us a binary that creates a maximum of 400 threads, each started with 3 arguments that differ every time a new child process is started. The last argument is used as a “counter” and the first 2 are used as the seed to generate the flag. We have to find out which thread has the correct arguments that lead us to the flag. The routine that calculates the flag is at 0x401070. In this routine, as we said before, the function uses the 2 arguments we passed to the program at the start and does some math on them to generate a sequence that is placed at ebp-4 (0x0012fecc). To find out which thread has the correct values to print the flag, just place a JMP before the RET of this function to somewhere in the binary where we can print the flag, such as a message box or a write to a file.

http://postimg.org/image/kx1gogl9b/

As shown in the image, after the program returns from 0x401070, EAX still holds the address that points to the flag, so we jump to a place in memory where we previously placed our piece of asm code that prints the flag, such as 0x0040563a.

Now just run the program and watch the results until human-readable text comes up.

Razor4x