Provision Accounting — alfactf

Description

Учёт провизии

ТЕРМИНАЛ УЧЕТА ПРОВИЗИИ

ДОСТУП ЗАПРЕЩЕН

English summary: the challenge is a public Google Sheets document that behaves like a terminal. Exporting it as XLSX reveals that the visible Panel sheet is only the front-end, while the real logic lives in hidden sheets s1, s2, and s3.

Analysis

1. Workbook structure

After exporting the spreadsheet as export.xlsx, the workbook contains:

• Panel — visible terminal UI
• s1 — password validation logic
• s2 — state update / keystream generator
• s3 — XOR output and bitmap bytes

The visible sheet already tells us what must happen. Panel!B11 is:

=IF(AND(COUNTIF('s1'!$B$4:$I$4,1)=8,COUNTIF('s1'!$J$14:$Q$14,1)=8),"ДОСТУП РАЗРЕШЕН","ДОСТУП ЗАПРЕЩЕН")

So the password must satisfy two conditions:

1. all 8 entered characters must map to valid lowercase letters;
2. the 8-byte transformed result in s1!J12:Q12 must equal the target in s1!A18:H18.

2. The screen is a bitmap renderer

The fake terminal is not text output. The panel cells use formulas of the form:

=BITAND(BITRSHIFT(INDEX('s3'!$P$2:$Y$27,ROW()-13,QUOTIENT(COLUMN()-2,8)+1),7-MOD(COLUMN()-2,8)),1)

This means Panel is unpacking bits from the bytes stored in s3!P2:Y27. Since that area is 26 rows by 10 bytes, the final message is an 80 x 26 monochrome bitmap.

3. Reversing s1

s1 first maps input letters through A23:B48, which is just the lowercase alphabet to ASCII table (a -> 97, ..., z -> 122). Invalid characters become 0, which immediately fails the first gate.

The second gate is more interesting. The sheet builds three layers modulo 251:

• J8:Q8 from the input vector and matrix O30:V37, plus constants E30:L30
• J10:Q10 from the previous layer, matrix X30:AE37, matrix AG30:AN37, plus constants E31:L31
• J12:Q12 from matrix AP30:AW37, matrix AY30:BF37, helper values from B6:D6, mixing constants in E34:L36, plus constants E32:L32

...