0x0G is Google’s annual “Hacker Summer Camp” event. Normally this would be in Las Vegas during the week of DEF CON and Black Hat, but well, pandemic rules apply. I’m one of the organizers for the CTF we run during the event, and I thought I’d write up solutions to some of my challenges here.

gRoulette is a simplified Roulette game online. Win enough and you’ll get the flag. The source code is provided, and the entire thing is run over a WebSocket connection to the server.

Examining the websocket flow, we series of messages:

``````1
2
3
{"message_type":"register","balance":100,"round_id":1991705954}
{"message_type":"round_result","round_result":{"roundid":1991705954,"space":"31","next_roundid":520308631}}
{"message_type":"round_result","round_result":{"roundid":520308631,"space":"8","next_roundid":439000315}}
``````

Taking a look at the source code, we see that the rounds are handled by a function in `roulette.go`:

``````1
2
3
4
5
6
7
8
9
10
11
12
13
func (g *RouletteGame) PlayRound() {
...

// Finish the round
finishedRound := g.CurrentRound
space := g.NextSpace()
g.CurrentRound = g.prng.Next()
res := &RoundResult{
RoundID:     finishedRound,
NextRoundID: g.CurrentRound,
Space:       space,
}
...
``````

This tells us the space where the “ball” lands is computed using a NextSpace function:

``````1
2
3
4
5
6
7
func (g *RouletteGame) NextSpace() SpaceID {
num := g.prng.BoundedNext(37)
if num == 37 {
return "00" // Special case double 0.
}
return SpaceID(fmt.Sprintf("%d", num))
}
``````

Of interest is that both the `CurrentRound` and `Space` values are derived from the same PRNG instance. Depending on the security of the RNG, it may be possible to predict the next space(s) based on the current state of the RNG. The source of the PRNG is provided as well:

``````1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
package main

import (
"crypto/rand"
"encoding/binary"
)

const (
PrngModulus    uint32 = 0x7FFFFFFF
PrngMultiplier uint32 = 48271
)

type PRNG uint32

func NewPRNG(seed uint32) *PRNG {
if seed == 0 {
panic(err)
}
}
p := PRNG(seed)
return &p
}

/*
Algorithm certified by Nanopolis Gaming Commission
*/
func (p *PRNG) Next() uint32 {
tmp := uint64(*p) * uint64(PrngMultiplier)
tmp %= uint64(PrngModulus)
*p = PRNG(tmp)
return uint32(tmp)
}

rv := uint32(0)
for v != 0 {
rv = rv << 1
rv |= 1
v = v >> 1
}
return rv
}

func (p *PRNG) BoundedNext(max uint32) uint32 {
for {
if tmp <= max {
return tmp
}
}
}
``````

The `Next` method is responsible for advancing the PRNG. It multiplies by a constant, then takes a modulus. Searching for the constants reveals that this is an implementation of a well-known Linear Congruential Generator. This implementation is similar to the `MINSTD` RNG, and exposes the entire state in a call to `Next`. Notably the `RoundID` is entirely an output of the PRNG, so every subsequent value can be known. Consequently, we can call the PRNG with our own inputs to find out what the next spins will be.

``````1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
package main

import (
"fmt"
"os"
"strconv"
)

func main() {
seed64, err := strconv.ParseInt(os.Args[1], 10, 32)
if err != nil {
panic(err)
}
round := uint32(seed64)
p := NewPRNG(round)
for i := 0; i < 8; i++ {
roll := p.BoundedNext(37)
v := fmt.Sprintf("%d", roll)
if roll == 37 {
v = "00"
}
fmt.Printf("%d: %s\n", round, v)
round = p.Next()
}
}
``````

When we run it, this will print out the next 8 rolls:

``````1
2
3
4
5
6
7
8
9
% go run . 520308631
520308631: 8
439000315: 0
2059893773: 33
1060020398: 5
1254119902: 32
1689320946: 2
918638365: 28
114073520: 20
``````

Just max bet each one and you’ll have the requisite money in no time. :) (Feel free to automate it. I just did it manually.)

``````1
FLAG: 0x0G{maybe_vegas_next_year_for_real!}
``````