[buuctf.reverse] 105_[FlareOn6]Memecat Battlestation

ida打开程序发现是.net的，改用dnSpy打开。有program，stage1Form,stage2Form,VictoryForm四块组成

program提示了flag的组装方法：2和1的武器代码用逗号连上再处理一下

using System;
using System.Windows.Forms;

namespace MemeCatBattlestation
{
	// Token: 0x02000005 RID: 5
	internal static class Program
	{
		// Token: 0x06000011 RID: 17 RVA: 0x00002E84 File Offset: 0x00001084
		[STAThread]
		private static void Main()
		{
			Application.EnableVisualStyles();
			Application.SetCompatibleTextRenderingDefault(false);
			Application.Run(new LogoForm());
			Stage1Form stage1Form = new Stage1Form();
			Application.Run(stage1Form);
			if (stage1Form.WeaponCode == null)
			{
				return;
			}
			Stage2Form stage2Form = new Stage2Form();
			stage2Form.Location = stage1Form.Location;
			Application.Run(stage2Form);
			if (stage2Form.WeaponCode == null)
			{
				return;
			}
			Application.Run(new VictoryForm
			{
				Arsenal = string.Join(",", new string[]
				{
					stage2Form.WeaponCode,
					stage1Form.WeaponCode
				}),
				Location = stage2Form.Location
			});
		}
	}
}

再看1，它直接给了对照串，所以1的那块是RAINBOW

		private void FireButton_Click(object sender, EventArgs e)
		{
			if (this.codeTextBox.Text == "RAINBOW")
			{
				this.fireButton.Visible = false;
				this.codeTextBox.Visible = false;
				this.armingCodeLabel.Visible = false;
				this.invalidWeaponLabel.Visible = false;
				this.WeaponCode = this.codeTextBox.Text;
				this.victoryAnimationTimer.Start();
				return;
			}
			this.invalidWeaponLabel.Visible = true;
			this.codeTextBox.Text = "";
		}

再看2，这个作了个校验，把这个密文与A异或后就是1的武器代码

private bool isValidWeaponCode(string s)
{
	char[] array = s.ToCharArray();
	int length = s.Length;
	for (int i = 0; i < length; i++)
	{
		char[] array2 = array;
		int num = i;
		array2[num] ^= 'A';
	}
	return array.SequenceEqual(new char[]
	{
		'\u0003',
		' ',
		'&',
		'$',
		'-',
		'\u001e',
		'\u0002',
		' ',
		'/',
		'/',
		'.',
		'/'
	});
}

最后在VoctoryForm进行异或处理

		private void VictoryForm_Load(object sender, EventArgs e)
		{
			byte[] array = new byte[]
			{
				9,
				8,
				19,
				17,
				9,
				55,
				28,
				18,
				15,
				24,
				10,
				49,
				75,
				51,
				45,
				32,
				54,
				59,
				15,
				49,
				46,
				0,
				21,
				0,
				65,
				48,
				45,
				79,
				13,
				1,
				2
			};
			byte[] bytes = Encoding.UTF8.GetBytes(this.Arsenal);
			for (int i = 0; i < array.Length; i++)
			{
				byte[] array2 = array;
				int num = i;
				array2[num] ^= bytes[i % bytes.Length];
			}
			this.flagLabel.Text = Encoding.UTF8.GetString(array);
		}

最后得到

#stage2form private bool isValidWeaponCode(string s)
a = bytes([ord('A')^v for v in b'\x03 &$-\x1e\x02 //./']) + b',RAINBOW'
print(a)

b = [9,8,19,17,9,55,28,18,15,24,10,49,75,51,45,32,54,59,15,49,46,0,21,0,65,48,45,79,13,1,2]
b = bytes([a[i%len(a)]^b[i] for i in range(len(b))])
print(b)

#b'Bagel_Cannon,RAINBOW'
#b'[email protected]'
#flag{[email protected]}