Santa found this program when he inspected the computer of an elf, who tried to steal all the presents from Santa's sleigh. Can you find out what it does?
I found this one quite challenging. There must be a more straightforward way, but this also worked for me:
- Check the contents of the file with `binwalk -e --dd='.*' ConsoleApp.exe`. This will yield a second executable, AC0.exe.
- Checking ConsoleApp.exe in a .NET disassembler will prove that there is indeed a nested executable which is being run. I used .NET Reflector.
- Check the produced file again with the disassembler and get this code, ValidateCode.txt
- Also check Assembly1.file, which is one of the static resources in AC0.exe.
- According to the ValidateCode method, Assembly1.file is the concatenation of some machine code in MSIL opcodes + 18 bytes of some ciphertext at the end. See Assembly1.bin.file and Assembly1.ciphertext.file
A few resources which helped me to understand what's going on:
- ValidateCode runs this MSIL code, does something with two strings, and then compares the result with the ciphertext.
- I did not find any tool to recover the actual assembly code, so I did it manually using the List of CIL instructions on Wikipedia. See my.asm
- To actually get this disassembled, I combined the existing assembler code of AC0.exe with my.asm.
- To disassemble AC0.exe, run `ikdasm AC0.exe > AC0.asm`
- Then add this method with the code from my.asm to produce AC0.my.asm
- Compile the new program:

  ```
  $ ilasm AC0.my.asm
  Assembling 'AC0.my.asm' , no listing file, to exe --> 'AC0.my.exe'
  ```
- Load the program into the disassembler and get this disassembled source code, see method1.txt
- According to this code, the program produces the XOR of its arguments, with the key repeated if the key is shorter than the plaintext.
- However, the key is used in reverse order and with its last letter cut off.
- We knew beforehand that the flag should start with `xmas{`.
- The key used was `5am7s1rh` (`chr1s7ma5` reversed and without the `c` letter)
- We used this simple script to actually apply XOR.
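
The decoding steps described above, as an added example (this is not the script the write-up refers to): split the resource into MSIL bytes and the trailing 18-byte ciphertext, derive the key from `chr1s7ma5`, and apply the repeating-key XOR. The function names are hypothetical, and because the real ciphertext bytes are not on this page, the sample flag and resource blob are constructed placeholders.

```python
# Added example: repeating-key XOR as the write-up describes it.
from itertools import cycle

CIPHERTEXT_LEN = 18  # trailing ciphertext bytes in Assembly1.file, per the write-up


def derive_key(secret: str) -> bytes:
    """Reverse the string, then drop its last character."""
    return secret[::-1][:-1].encode("ascii")


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key when it is shorter than data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def split_resource(blob: bytes, ct_len: int = CIPHERTEXT_LEN):
    """Split the resource into (MSIL method body, trailing ciphertext)."""
    if len(blob) <= ct_len:
        raise ValueError("resource is too short to hold code plus ciphertext")
    return blob[:-ct_len], blob[-ct_len:]


def key_prefix_from_crib(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext check: ciphertext XOR known prefix = first key bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


KEY = derive_key("chr1s7ma5")
# Constructed 18-byte placeholder, not the real flag.
SAMPLE_FLAG = b"xmas{constructed!}"
# Constructed resource: stand-in bytes for the MSIL body + ciphertext.
SAMPLE_BLOB = b"\x02\x03\x61\x2a" + xor_repeat(SAMPLE_FLAG, KEY)

if __name__ == "__main__":
    code, ct = split_resource(SAMPLE_BLOB)
    print("MSIL bytes:", len(code), "ciphertext:", ct.hex())
    # The known "xmas{" prefix confirms the start of the key before decrypting.
    print("key prefix from crib:", key_prefix_from_crib(ct, b"xmas{"))
    print("plaintext:", xor_repeat(ct, KEY))
```

Because XOR is its own inverse, the same `xor_repeat` call both builds the constructed ciphertext and decrypts it; with the real `Assembly1.ciphertext.file` bytes in place of the sample, the last call yields the flag.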