For this challenge, we’re provided a file named “CrackDoc.doc”. When we open it, we’re presented with a ‘UsersForm1’ prompt for a ‘Key’ value.
Typing in the wrong key displays a message “U can do. Try harder…” accompanied by a sweet picture of doge.
If we attempt to look at the underlying macros, we can see that the VBProject is password protected.
To circumvent this, we’ll simply load the document up in our favorite hex editor and modify the string ‘DPB="’ to ‘DPX="’.
We’ve now corrupted the document: when we re-open the file and the parser reaches this string, it finds it to be an invalid key. However, it still allows us to load the project, thus bypassing the protection ‘DPB’ provided.
Once inside the project, you can go into the ‘Project Properties’ and uncheck ‘Lock project for viewing’ under the ‘Protection’ tab to remove the password permanently.
Looking at the code, we have a form called ‘UserForm1’ and a module called ‘NewMacros’. If we right click on the form and go to ‘View Code’, we see the underlying macro we’re interested in and immediately see a byte-array for the key.
We can see that if X equals the string of bytes, then we get our win message. The value X is derived from the ‘suchcrypto’ function being passed our input and the IV ‘General Vidal’. The function doesn’t look particularly difficult to reverse.
But I opted to take an even lazier route to beat this challenge. I decided to fight macro with macro. By creating an array of potential values and passing each of them to the ‘suchcrypto’ function, I can easily enumerate the key: when I find a matching value, I move on to the next.
Using the full array and Notepad++, I record a small macro that hits the up arrow a few times and deletes the last byte, then copies and pastes the result, and I run it again and again. What I’m left with is a long list of ‘For’ loops that I can copy into the ‘UserForm()’ macro.
Now we just hit enter a few times and watch the key unwind itself for us!
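The enumeration described above works because each output byte can be matched on its own, so the key falls one position at a time. The following is an added example, not the challenge's macro: `toy_crypto` is a hypothetical stand-in (the write-up does not show the body of ‘suchcrypto’), and the sample key and target bytes are constructed for the demo; only the IV string comes from the write-up.

```python
import string

IV = "General Vidal"  # IV string named in the write-up
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def toy_crypto(text: str, iv: str) -> bytes:
    """Hypothetical stand-in for 'suchcrypto': a chained XOR in which
    output byte i depends only on input characters 0..i."""
    out, prev = bytearray(), 0
    for i, ch in enumerate(text):
        prev = ((ord(ch) ^ ord(iv[i % len(iv)]) ^ prev) + i) & 0xFF
        out.append(prev)
    return bytes(out)


def recover_key(target: bytes, iv: str, alphabet: str = ALPHABET):
    """Rebuild the input one character at a time by matching growing
    prefixes of the target bytes. Returns (key, number_of_calls)."""
    key, calls = "", 0
    for n in range(1, len(target) + 1):
        for ch in alphabet:
            calls += 1
            if toy_crypto(key + ch, iv) == target[:n]:
                key += ch
                break
        else:
            raise ValueError(f"no candidate in alphabet for position {n - 1}")
    return key, calls


# Constructed sample: the key and target bytes below are made up for this demo.
SAMPLE_KEY = "such_k3y!"
TARGET = toy_crypto(SAMPLE_KEY, IV)

if __name__ == "__main__":
    key, calls = recover_key(TARGET, IV)
    worst_case = len(ALPHABET) * len(TARGET)
    print(f"recovered {key!r} in {calls} calls (linear bound {worst_case}, "
          f"blind search space {len(ALPHABET)}^{len(TARGET)})")
```

The number of calls grows linearly with key length instead of exponentially, which is why a longer key adds almost nothing to a check built this way. Comparing a cryptographic hash of the whole input removes the per-position signal that the prefix match relies on.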