Flare-On 2019 WriteUp: Memecat Battlestation (#1)


If you want to try it before reading it, you can download it from here.

After extracting the ZIP file we get a .NET binary, which we run:


A couple of seconds after the first image, this window appears:


When we type a wrong code, an error pops up:


To find what code we need to enter, we will reverse it and check what the “Fire!” button does.

I used dnSpy, which is an amazing tool for reversing .NET binaries, on this binary.

We can see that we have “Stage1Form”:


Inside this form I found the function for the “Fire!” button:


It is easy to see that the “Fire!” button is waiting for the “RAINBOW” code. After typing it we moved to the next stage:


As in the previous stage, we went to check the “Stage2Form”, looking for the “Fire!” button function.

Once we type the code and press “Fire!”, the code is passed to a function named isValidWeaponCode:


Inside this function, our input string (variable s) is converted to an array named array. The function then stores the address of array in array2, so array2 points at the same data and every change made through array2 also changes array. It XORs each item of our input string with ‘A’. After that it checks whether the result is equal to the following array:


So all we need to do to find the code is to XOR each item in the hardcoded array with ‘A’. Here is the solution code:

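# Hardcoded array that isValidWeaponCode compares against
myarray = ['\u0003', ' ', '&', '$', '-', '\u001e', '\u0002', ' ', '/', '/', '.', '/']

flag = ''
for i in myarray:
    # XOR is its own inverse, so XORing with 'A' again recovers the input
    flag += chr(ord(i) ^ ord('A'))
print(flag)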

The result is: Bagel_Cannon
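
To double-check the recovered code, the following added example (not code from the challenge binary or the original post) models the check as described above and feeds the result back through it. It also goes one step beyond the write-up and shows how the key could be narrowed down if it were not visible in the decompiled code; the function names and the "typeable characters" filter are assumptions made for illustration.

```python
# Added example: Python model of the Stage 2 check as the write-up describes it.
# TARGET is the hardcoded array shown above; all function names are hypothetical.
TARGET = ['\u0003', ' ', '&', '$', '-', '\u001e', '\u0002', ' ', '/', '/', '.', '/']


def is_valid_weapon_code(s, key='A'):
    """XOR every character of s with key, then compare with the hardcoded array."""
    transformed = [chr(ord(c) ^ ord(key)) for c in s]
    return transformed == TARGET


def recover_code(target, key):
    """XOR is its own inverse: applying the same key again undoes the transform."""
    return ''.join(chr(ord(c) ^ key) for c in target)


def candidate_keys(target):
    """Generalization: with an unknown single-byte key, try all 256 values and
    keep only those whose output is typeable (ASCII letters, digits, '_')."""
    hits = {}
    for key in range(256):
        plain = recover_code(target, key)
        if all(ch.isascii() and (ch.isalnum() or ch == '_') for ch in plain):
            hits[key] = plain
    return hits


if __name__ == '__main__':
    code = recover_code(TARGET, ord('A'))
    # The recovered string must pass the modelled check
    print(code, is_valid_weapon_code(code))
    # The character filter leaves a short list to inspect by eye
    for key, plain in sorted(candidate_keys(TARGET).items()):
        print(hex(key), plain)
```

The filter alone does not give a unique answer; it shortens the list of keys so that the readable candidate stands out.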


After entering it and pressing “Fire!” we received the flag to the next stage:


Flag: Kitteh_save_galixy@flare-on.com

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)
