REM ***** BASIC *****
REM Provided was an Excel file with a bunch
REM of numbers in the cells A2 to A82 and
REM a ton of formulas in the cells B2 to E82.
REM
REM Cells B1 to E4 were set up to have a random number
REM between 1 and 256,
REM
REM and there was a formula in cell G2
REM that provided the check for the input.
REM =IF(AND(E82=1,B1>1,B1<=256,C1>1,C1<=256,D1>1,D1<=256,E1>1,E1<=256,B1-C1=46,E1-D1=119),"Congrats! Here is yout flag: INSA{"&TEXT(B1,"0")&"-"&TEXT(C1,"0")&"-"&TEXT(D1,"0")&"-"&TEXT(E1,"0")&"}","Wrong input")
REM ===============================================
REM
REM
REM I took a look at the formula in the cell G2
REM and a quick peek at some in the range [A2:E82],
REM and I realized that what was going on in the
REM cells in the range [A2:E82] was something
REM I did not wish to spend my time on.
REM =IF(MID($A2,4,1)=TEXT(COLUMN()-1,"0"),IF(MID($A2,1,1)="1",MOD(SUM(INDIRECT(ADDRESS(ROW()-1,1+MID($A2,2,1))),INDIRECT(ADDRESS(ROW()-1,1+MID($A2,3,1)))),256),IF(MID($A2,1,1)="2",MOD(SUM(INDIRECT(ADDRESS(ROW()-1,1+MID($A2,2,1))),-INDIRECT(ADDRESS(ROW()-1,1+MID($A2,3,1)))),256),IF(MID($A2,1,1)="3",MOD(PRODUCT(INDIRECT(ADDRESS(ROW()-1,1+MID($A2,2,1))),INDIRECT(ADDRESS(ROW()-1,1+MID($A2,3,1)))),256),IF(MID($A2,1,1)="4",MOD(MOD(INDIRECT(ADDRESS(ROW()-1,1+MID($A2,2,1))),INDIRECT(ADDRESS(ROW()-1,1+MID($A2,3,1)))),256),IF(MID($A2,1,1)="5",MOD(BITAND(INDIRECT(ADDRESS(ROW()-1,1+MID($A2,2,1))),INDIRECT(ADDRESS(ROW()-1,1+MID($A2,3,1)))),256),IF(MID($A2,1,1)="6",MOD(BITOR(INDIRECT(ADDRESS(ROW()-1,1+MID($A2,2,1))),INDIRECT(ADDRESS(ROW()-1,1+MID($A2,3,1)))),256),IF(MID($A2,1,1)="7",IF(INDIRECT(ADDRESS(ROW()-1,1+MID($A2,2,1)))=INDIRECT(ADDRESS(ROW()-1,1+MID($A2,3,1))),1,0),"X"))))))),B1)
REM ===============================================
REM So I focused on cell G2.
REM
REM INTERESTING STUFF FROM CELL G2:
REM +---------------------------------------
REM | E82=1      <---- the value of E82 is the result of
REM |                  a ton of formulas in the cells
REM |                  [A2:E82]
REM | B1>1,     \
REM | B1<=256,  |
REM | C1>1,     |
REM | C1<=256,   \  so all the input has to
REM | D1>1,      /  be in between 1 and 256
REM | D1<=256,  |
REM | E1>1,     |   and there are some more
REM | E1<=256,  /   constraints down there.
REM |
REM | B1-C1=46,    <--- B1 = C1+46
REM | E1-D1=119),  <--- E1 = D1+119
REM +---------------------------------------
REM With all these constraints we are well within an acceptable
REM range to brute force the correct input.
REM So within a couple of minutes I whipped up a Python script
REM that printed out all possible inputs within the constraints.
REM
REM The only problem we have now is how we are going to provide
REM this to the spreadsheet. I cannot just pipe it to LibreOffice.
REM
REM So I decided to read up a little bit on Excel macros (or LibreOffice macros)
REM and the Basic language.
REM
REM And came up with this script. :-)
Sub Main
End Sub
REM I was too lazy to look up how to access a cell's text,
REM so I added the formula =IF(G2="Wrong input",1,0) to cell M3
REM (you know, hackers will hack).
Sub BruteForceTheFlag
    sjiet = ThisComponent.sheets.getByName("Feuil1")
    B = sjiet.getCellRangeByName("B1")
    C = sjiet.getCellRangeByName("C1")
    D = sjiet.getCellRangeByName("D1")
    E = sjiet.getCellRangeByName("E1")
    REM M3 holds =IF(G2="Wrong input",1,0), so it turns 0 on a hit
    flag = sjiet.getCellRangeByName("M3")

    REM start values; B and E follow from B1-C1=46 and E1-D1=119
    C.value = 1
    B.value = C.value + 46
    D.value = 1
    E.value = D.value + 119

    Do
        C.value = C.value + 1
        B.value = C.value + 46
        Do
            D.value = D.value + 1
            E.value = D.value + 119
        Loop Until D.value > 256 Or E.value > 256 Or flag.value = 0
        REM D ran out of range without a hit: reset it for the next C
        If E.value > 256 Then
            D.value = 1
            E.value = D.value + 119
        End If
    Loop Until flag.value = 0 Or B.value > 256
End Sub
REM Found two flags.
REM INSA{75-29-13-132}
REM INSA{203-157-13-132} <--- this one was the valid one.
REM It was pointed out in the challenge
REM description that there were two valid inputs
REM and that the correct flag was the one with the highest sum.
REM ..
REM Which was nice of them to point out..
REM unlike what happens sometimes when there are
REM over 60.000 valid inputs, and all you get is an
REM md5sum of the valid one in exchange for 20 points.
REM Not pointing any fingers here. *cough* uutCTF.*cough**cough*
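REM
REM Added example (not part of the original write-up or the challenge files):
REM the per-row formula in [A2:E82] quoted above reads each 4-digit value in
REM column A as opcode, two source columns and a destination column, so the
REM sheet can be emulated and brute-forced offline in Python.
REM Assumptions: PROGRAM is a constructed stand-in for A2:A82 (the real values
REM are not on this page), and column digits are 1..4 (B..E).

```python
# Constructed instruction column; NOT the challenge's A2:A82 values.
PROGRAM = [2121, 1111, 7121, 2434, 4432, 7214, 5414]

# Opcode digit -> operation, as in the nested IFs of the sheet formula.
OPS = {
    1: lambda a, b: (a + b) % 256,   # MOD(SUM(a, b), 256)
    2: lambda a, b: (a - b) % 256,   # MOD(SUM(a, -b), 256)
    3: lambda a, b: (a * b) % 256,   # MOD(PRODUCT(a, b), 256)
    4: lambda a, b: (a % b) % 256,   # MOD(MOD(a, b), 256); b == 0 is #DIV/0!
    5: lambda a, b: (a & b) % 256,   # MOD(BITAND(a, b), 256)
    6: lambda a, b: (a | b) % 256,   # MOD(BITOR(a, b), 256)
    7: lambda a, b: int(a == b),     # IF(a = b, 1, 0)
}

def step(instr, row):
    """Evaluate one sheet row; row maps column digit (1=B .. 4=E) to the value above."""
    op, src1, src2, dst = (int(ch) for ch in str(instr))
    new = dict(row)                  # cells that are not the destination copy the cell above
    new[dst] = OPS[op](row[src1], row[src2])
    return new

def run(program, b, c, d, e):
    """Feed B1..E1 through every instruction and return the last row."""
    row = {1: b, 2: c, 3: d, 4: e}
    for instr in program:
        row = step(instr, row)
    return row

def brute_force(program):
    """Try every input allowed by the G2 check and keep those ending with E == 1."""
    hits = []
    for c in range(2, 257 - 46):          # B1 = C1 + 46 must stay <= 256
        for d in range(2, 257 - 119):     # E1 = D1 + 119 must stay <= 256
            b, e = c + 46, d + 119
            try:
                if run(program, b, c, d, e)[4] == 1:   # the E82=1 condition
                    hits.append((b, c, d, e))
            except ZeroDivisionError:     # spreadsheet error, so not a valid input
                pass
    return hits

if __name__ == "__main__":
    hits = brute_force(PROGRAM)
    for hit in hits:
        print("INSA{%d-%d-%d-%d}" % hit)
    print("highest sum:", max(hits, key=sum))
```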