Flare-On 2019 WriteUp: Memecat Battlestation (#1)

If you want to try it before reading it, you can download it from here.

Stage 1 — Marauding Tabby Frigate

After extracting the ZIP file we received a .NET binary and run it:

A couple of seconds after the first image we received this window:

When we type wrong code, an error pops up:

To find what code we need to enter, we will reverse it and check what the “Fire!” button does.

Reversing .NET binary

I used dnSpy, which is an amazing tool for reversing .NET binaries, on this binary.

We can see that we have “Stage1Form”:

Inside this form I found the function for the “Fire!” button:

It easy to see that the “Fire!” button is waiting for the “RAINBOW” code. After typing it we moved to the next stage:

Stage 2 — Perimeter Defense Kitteh

Like we did in the previous stage, we wen to check the “Stage2Form”, looking for the “Fire!” button function.

Once we type the code and press “Fire!” it passes to a function named isValidWeaponCode:

Inside this function, our input string (variable s) is converted to an array named array. It copies its address to array2 which is a copy of array’s address, every change in array2 will result in a change in the array. It using XOR with ‘A’ on each item of our input string. After that it checks if it equal to the following array:

So all we need to do to find the code is to XOR each item in the hardcoded array with ‘A’. Here is the solution code:

myarray = ['\u0003',' ','&','$','-','\u001e','\u0002',' ', '/','/','.', '/']    
    
flag = ''
for i in myarray:
   flag += chr(ord(i) ^ ord('A'))
print(flag)

The result is: Bagel_Cannon

After entering it and pressing “Fire!” we received the flag to the next stage:

Flag: Kitteh_save_galixy@flare-on.com