Challenge: Santa found this program when he inspected the computer of an elf, who tried to steal all the presents from Santa’s sleigh. Can you find out what it does?
OK, finally, some reversing.
Since it’s a .NET, lets start with the basic ILSpy.
It looks like we have some embedded code here. First a loader gets a binary from it’s resources, and than that happens again. ILSpy wasn’t able to load the second assembly, since it looked like it was gust the method body IL.
I switched to dnSpy and simply traced the code to that specific method.
The program want’s you to enter a key and than that key will be used to decrypt a sequence of bytes.
The code even provides a “default” key: chr1s7ma5
What the function does is take the inverse key, ignores the last character and does a looped xor over the buffer.
The result is in the array3 argument and can be read from memory.
Flag: xmas{c4ndle_l1ght}
What did I learn: dnSpy is lovely!
