Flare On 2014 - Challenge 1 Writeup

This is my writeup for the very first Flare On challenge from the year 2014.

After loading the binary called challenge1.exe into pestudio you can see that it's a .net binary: 6c77e04de284046e5179d8892affd15f.png

This means, the source code can easily be extracted with tools like dnSpy or dnSpyEx (as long as it's not obfuscated which is not the case here).

After loading it into dnSpy v6.2.0 one method appeared to be particularly interesting:

 0		// Token: 0x06000002 RID: 2 RVA: 0x00002060 File Offset: 0x00000260
 1		private void btnDecode_Click(object sender, EventArgs e)
 2		{
 3			this.pbRoge.Image = Resources.bob_roge;
 4			byte[] dat_secret = Resources.dat_secret;
 5			string text = "";
 6			foreach (byte b in dat_secret)
 7			{
 8				text += (char)(((b >> 4) | (((int)b << 4) & 240)) ^ 41);
 9			}
10			text += "\0";
11			string text2 = "";
12			for (int j = 0; j < text.Length; j += 2)
13			{
14				text2 += text[j + 1];
15				text2 += text[j];
16			}
17			string text3 = "";
18			for (int k = 0; k < text2.Length; k++)
19			{
20				char c = text2[k];
21				text3 += (char)((byte)text2[k] ^ 102);
22			}
23			this.lbl_title.Text = text3;
24		}

Said method gets called when someone clicks the button labeled with DECODE!:

 0		// Token: 0x06000004 RID: 4 RVA: 0x00002180 File Offset: 0x00000380
 1		private void InitializeComponent()
 2		{
 3			this.lbl_title = new Label();
 4			this.pbRoge = new PictureBox();
 5			Button button = new Button();
 6			((ISupportInitialize)this.pbRoge).BeginInit();
 7			base.SuspendLayout();
 8			button.Font = new Font("Microsoft Sans Serif", 16f, FontStyle.Regular, GraphicsUnit.Point, 0);
 9			button.Location = new Point(210, 387);
10			button.Name = "btnDecode";
11			button.Size = new Size(139, 52);
12			button.TabIndex = 0;
13			button.Text = "DECODE!";
14			button.UseVisualStyleBackColor = true;
15			button.Click += this.btnDecode_Click;
16[...]

Several breakpoints were set to dump the values of the variables text, text2, and text3:

8f89c211c856ae126e7e3ad63ca08317.png

After clicking the DECODE!-Button the first breakpoint gets triggered:

5dec5a509542066a6618383f12c16b08.png

Continuing to the 3rd breakpoint reveals the values of the three variables: cef5eda190ef2d9e56b49cfdb6204426.png

The flag for challenge1 is the value of the text variable ([email protected]).


Flare On 2014 Challenge 2