1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
"Grrrrr". This robot just growls. The other bots tell you that it is angry
because it can't count very high. Can you teach it how?
Overview
--------
The challenge provides a C++ source file and a netcat port. The program code
appears to be a short series of prompts, which passing all of them will print
the flag. At each stage, our input is taken as a single-precision floating
point number which must pass various rounding error and precision checks.
Level 1
-------
bool flow_start() {
// Get user input
float a = get_user_input("Number that is equal to two: ");
// Can't be two
if (a <= 2)
return false;
// Check if equal to 2
return (unsigned short)a == 2;
}
I saw some solutions take advantage of the fact that large numbers would
"overflow" when truncated via the (unsigned short) cast, giving a valid input
like 65538 (0x10002).
My solution leveraged the floating point truncation (aka: loss of decimal
places): 2.0000002384
Level 2
-------
bool round_2() {
float total = 0;
// Sum these numbers to 0.9
for (int i = 0; i < 9; i++)
total += 0.1;
// Add user input
total += get_user_input("Number to add to 0.9 to make 1: ");
// Check if equal to one
return total == 1.0;
}
During the for-loop, precision errors accumulate and the total will overshoot
0.9. Less than 0.1 must be given: 0.09999990
Level 3
-------
bool level_3() {
float total = 0;
unsigned int *seed;
vector<float> n_arr;
// Random seed
seed = (unsigned int *)getauxval(AT_RANDOM);
srand(*seed);
// Add user input
add_user_input(&n_arr, "Number to add to array to equal zero: ");
// Add many random integers
for (int i = 0; i < 1024 * (8 + rand() % 1024); i++)
n_arr.push_back((rand() % 1024) + 1);
// Add user input
add_user_input(&n_arr, "Number to add to array to equal zero: ");
// Get sum
for (int i = 0; i < n_arr.size(); i++)
total += n_arr[i];
// Check if equal to zero
return total == 0;
}
Many random numbers between [1, 1024] are summed up in this function, and we are
asked for two more, for all of them to sum to zero. Since the range of random
numbers is known (<=1024), we can provide relatively large numbers to squeeze
out the randomness.
Given the fixed-precision, yet floating decimal point of floats, adding a large
value to a small value can potentially reduce the smaller value to zero as its
exponent and mantissa are adjusted to match the other.
10000000000000000
-10000000000000000
brck{Th3_3pS1l0n_w0rkS_In_M15t3riOuS_W4yS}
|
