CTFtime.org / VolgaCTF 2020 Qualifier / Excellent Crackme / Writeup

## 1. Download File

We can download "VolgaCTF_excel_crackme.xlsm" file.

![Download Challenge File](http://about.pwnable.me/CTFtime/0.png)

-----

## 2. Open File

You can use the Excel to open the file.

![Open File](http://about.pwnable.me/CTFtime/1.png)

When the file was opened, a warning about the macro appeared and i try to access the VBA script.

But... I don't know password.

![I don't know password ...](http://about.pwnable.me/CTFtime/2.png)

-----

## 3. Extract the Script

So I extracted the VBA script, using OfficeMalScanner.exe.

```
OfficeMalScanner.exe VolgaCTF_excel_crackme.xlsm info
OfficeMalScanner.exe VolgaCTF_excel_crackme.xlsm inflate
OfficeMalScanner.exe vbaProject.bin info
```

I try to read script, but it is really hard...

![Script](http://about.pwnable.me/CTFtime/3.png)

So I use VBA code Indenter.
[VBA Code Indenter ](https://www.automateexcel.com/vba-code-indenter/)

It is much easier to read using the Code Indenter.

![indented Script](http://about.pwnable.me/CTFtime/4.png)

While reading the script, I found that the script was accessing a specific Cell.

I check Excel VolgaCTF_excel_crackme.xlsm's "Лист1" Sheet Again and Found huge int table .

![i found the 45 * 46 int_table](http://about.pwnable.me/CTFtime/5.png)

-----

## 4. Solution

VBA Script check the flag like my own python psuedocode.

![How does a script check the flag?](http://about.pwnable.me/CTFtime/6.png)

```python

import sys

int_table = [
[620,340,895,-39,945,321,586,487,-935,-641,-233,553,546,389,764,-199,577,-539,547,-50,134,-722,134,571,629,-775,499,-633,-928,-103,975,961,-275,136,165,170,257,559,-656,-207,403,-414,371,885,-885,490493],
[-19,85,-456,228,-127,-777,191,605,292,-181,-652,801,-801,-890,-75,214,22,-52,-4,750,678,-300,82,965,-889,-342,933,736,-677,945,-191,408,-96,916,-739,454,-941,72,414,-373,150,-535,742,-376,-285,-7845],
[598,357,236,8,-163,787,-996,26,-685,257,-620,-959,340,-530,-621,634,-701,-112,737,-781,66,517,566,-915,907,-818,-487,-82,-115,313,414,836,774,-776,-551,920,-548,898,-198,244,822,-741,-185,-589,202,-54593],
[967,-357,-421,-752,-315,413,991,350,873,-122,12,-463,-942,576,657,-108,-375,481,622,-550,-910,167,-184,-392,-111,457,-606,31,-350,583,-716,57,985,842,222,605,-239,-250,280,579,-109,-297,-99,-222,605,210672],
...
...
...
]

flag = input()

for i in range(len(flag)) :
flagsum = 0
for j in range(len(flag)) :
int_element = int_table[i][j]
flag_element = ord(flag[j])
flag_sum = flag_sum + int_element * flag_element
if flag_sum != int_table[i][45] :
print("Bad... Try Again!")
sys.exit()

```

I wrote python code(use z3), i can't get flag. but mementomori helped me.

He wrote the python code, and we could get the flag.

```python

from z3 import *

data = [map(int, _.strip().split('\t')) for _ in open('data.txt').readlines()]
flag = [Int('flag{}'.format(i)) for i in range(45)]

s = Solver()

for line in data:
eq = 0
sol = line[-1]
for i, x in enumerate(line[:-1]):
eq += x * flag[i]
s.add(eq == sol)

if s.check() == sat:
print(''.join([chr(s.model()[x].as_long()) for x in flag]))

```

Excellent Crackme

Comments

Sign in with