[GitS 2015] Edgy – Programming 300 Writeup

I participated in Ghost in the Shellcode 2015 with the Plaid Parliament of Pwning. Here is my writeup for Edgy, a hard 300-point programming problem.

When you log in to Edgy, you are asked to solve a series of minefield-traversal puzzles, where you have to walk from the center of a minefield to an edge without hitting any mines. But, there’s a twist:

Welcome to Edgy, please solve the following puzzle with the WASD keys

The pattern provided will be repeated until the edge of the map is reached

Example: If WDD is sent then it will repeat WDDWDDWDD… until an edge is reached

The pattern size is quite limited (between 1/3 and 1/5 of the maze size), so you have to take advantage of the repeating property to solve the puzzles.

My solution was to bruteforce the shift, which is the positional offset produced by a single repeat of the pattern (for example, the pattern WDD produces a shift of (-1, 2) – one unit west and two units down). For each possible shift value, I translate the entire maze repeatedly by the shift value, overlaying every possible translation onto the original grid. Then, finding a short path from the center to the first shift in the translated maze yields a repeated path in the original maze.

Here’s the code for that:

# edgy solution by Robert Xiao (@nneonneo)
# bfs with map compression and bit-operations for speed

import sys
from socket import *
TARGET = ('edgy.2015.ghostintheshellcode.com', 44440)

s = socket()
s.connect(TARGET)

def rduntil(*suffixes):
    out = ''
    while 1:
        try:
            x = s.recv(4096)
            if not x:
                raise EOFError()
            sys.stdout.write(x)
            out += x
        except timeout:
            if not out:
                continue
            break
        for suffix in suffixes:
            if out.endswith(suffix):
                break
        else:
            continue
        break
    return out

def pr(x):
    s.send(x + '\n')
    print "sending %s" % x

# Password prompt
rduntil('Password\n')
pr('EdgesAreFun')
graph = rduntil('moves\n')
def parse_graph(g):
    import re
    m = re.search(r'(--[\w\W]*--)\nYou have a maximum of (\d+) moves', g)
    g, moves = m.group(1), int(m.group(2))
    g = [s[1:-1] for s in g.split('\n')[1:-1]]

    w, h = len(g[0]), len(g)

    mines = [0] * h
    pos = None
    for i, row in enumerate(g):
        for j, col in enumerate(row):
            if col == 'x':
                mines[i] |= 1 << j
            elif col == '@':
                pos = (j, i)

    return w, h, pos, mines, moves

DIRECTIONS = {'A': (-1, 0),
             'W': (0, -1),
             'S': (0, 1),
             'D': (1, 0)}

def print_grid(w, h, x, y, mines):
    print '-' * (w+2)
    for yy in xrange(h):
        out = '|'
        for xx in xrange(w):
            if xx == x and yy == y:
                out += '@'
            elif mines[yy] & (1 << xx):
                out += 'x'
            else:
                out += ' '
        out += '|'
        print out
    print '-' * (w+2)

def shift_mines(w, h, dx, dy, mines):
    newmines = mines[:]
    if dx == 0 and dy == 0:
        raise Exception("you done goofed")
    elif dx == 0:
        n = h / abs(dy)
    elif dy == 0:
        n = w / abs(dx)
    else:
        n = min(w/abs(dx), h/abs(dy))

    shifted = mines[:]
    if dx < 0:
        def shiftx():
            shift = -dx
            for j in xrange(h):
                shifted[j] <<= shift
    else:
        def shiftx():
            shift = dx
            for j in xrange(w):
                shifted[j] >>= shift

    sy = 0
    mask = (1 << w) - 1
    if dy < 0:
        for i in xrange(1, n):
            shiftx()
            sy += -dy
            for y in xrange(h-sy):
                newmines[y+sy] |= shifted[y]
    else:
        for i in xrange(1, n):
            shiftx()
            sy += dy
            for y in xrange(h-sy):
                newmines[y] |= shifted[y+sy]

    return newmines

def find_path(sx, sy, tx, ty, mines, moves):
    ''' BFS from (x,y) to (tx,ty) '''
    from collections import deque
    q = deque()
    q.append((0, sx, sy))
    seen = set()
    parent = {}
    if mines[ty] & (1 << tx):
        return None
    while q and (tx, ty) not in seen:
        dist, x, y = q.popleft()
        if dist > moves:
            break
        if (x,y) in seen:
            continue
        seen.add((x, y))
        for d, (dx, dy) in DIRECTIONS.iteritems():
            xx, yy = x+dx, y+dy
            if 0 <= xx < w and 0 <= yy < h and not (mines[yy] & (1 << xx)) and (xx, yy) not in seen:
                q.append((dist+1, xx, yy))
                parent[(xx, yy)] = (d, x,y)

    if (tx, ty) in seen:
        path = ''
        while (tx, ty) in parent:
            d, tx, ty = parent[tx, ty]
            path = d + path
        return path
    return None

def shift_solver(w, h, x, y, mines, moves):
    for dx in xrange(-moves, moves+1):
        if moves > 100:
            print 'big progress:', dx
        for dy in xrange(-moves, moves+1):
            if abs(dx) + abs(dy) > moves or dx == dy == 0:
                continue
            xmines = shift_mines(w, h, dx, dy, mines)
            path = find_path(x, y, x+dx, y+dy, xmines, moves)
            if path:
                return path

def readall(size):
    out = []
    nbytes = 0
    while nbytes < size:
        res = s.recv(size - nbytes)
        if len(res) == 0:
            raise EOFError()
        nbytes += len(res)
        out.append(res)
    return ''.join(out)

import re
while 1:
    w, h, (x, y), mines, moves = parse_graph(graph)
    path = shift_solver(w, h, x, y, mines, moves)
    pr(path)
    graph = rduntil('moves\n', 'though\n')
    if graph.endswith('though\n'):
        size = int(re.findall(r'Sending (\d+) bytes', graph)[0])
        big = readall(size)
        open('big.z', 'wb').write(big)
        graph = big.decode('zlib') + rduntil('moves\n')
Previous Article
Next Article