1

Im trying to find the key for this safe

public start
start proc near
push    cs
pop     es
assume es:seg000
int     87h             ; used by BASIC while in interpreter
push    ax
mov     bx, ax
and     bx, 5555h
and     ax, 0AAAAh
shr     ax, 1
add     ax, bx
mov     bx, ax
and     bx, 3333h
and     ax, 0CCCCh
mov     cl, 2
shr     ax, cl
add     ax, bx
mov     bx, ax
and     bx, 0F0Fh
and     ax, 0F0F0h
shl     cl, 1
shr     ax, cl
add     bx, ax
add     bh, bl
mov     bl, 10h
pop     ax
mov     [bx], ax


loc_137:
jmp     short loc_137
start endp

seg000 ends


end start

I thing that I can get the address of the code from ax register, the safe saves the address of the next instruction in address which stored in bx ( mov [bx], ax). The last part of the address is 10h but I an get the first part. How can I crack this safe?

THE RULES

The simulation of a safe and key is done inside the Core Wars 8086 engine. The rules are:

The survivors cannot place a load on fixed addresses, because the game engine loads them every turn to a random address. The programs that are generated must be COM and not EXEs and contain only 8086 instructions.

Each survivor receives a set of its own complete registers (registers), which is not accessible to the other survivors. In addition, each survivor has a "personal" stack of 2048 bytes, which is also inaccessible to the other survivors.

Before running the first round of the game, the game engine initializes all the bytes in the arena to the value 0CCh (note: this byte value is an "unsupported" instruction - details below). The engine then loads each survivor to a random location in the arena memory, ie - copies the contents of the survivor file exactly as it is. The distance between two survivors, as well as the distance between the survivor and the edge of the arena, is guaranteed to be at least 1024 bytes. The code for each survivor has a maximum of 512 bytes.

Before the first round, the game engine initializes the registers (of each survivor) to the following values:

BX, CX, DX, SI, DI, BP - Reset. Flags - Reset. AX, IP - The position of the initial survivor, the random offset in the arena to which the survivor is loaded by the game engine. CS, DS - The segment of the arena common to all survivors. ES - A segment (segment) for the memory shared by survivors of the same group (see Advanced Techniques ). SS - Beginning section of the personal stack of the survivor. SP - Offset The start of the personal stack of the survivor. At this point the game begins in rounds, with each round running the game engine running the next instruction of each survivor, until the end of the game: after 200,000 rounds, or when a single survivor remains in the arena. The order in which the survivors will play in each round is determined at the beginning of the game at random, and does not change during it.

A survivor is disqualified in the following cases:

Running an illegal instruction (example: byte 060h that does not translate into any assembly instruction). Running an "unsupported" instruction by the game engine (example: "INT 021h"). The game engine prevents running instructions that try to initiate direct communication with the operating system or computer hardware. Attempt to access memory that is not within the realm of the arena, and not within the realm of the "personal" stack of the survivor. Attacking other survivors is done by writing information about their code in the arena memory (in order to get them to perform one of the above three actions), and consequently to disqualify them. Earlier, therefore, one has to find where they are hiding :)

Michael Petch
  • 46,082
  • 8
  • 107
  • 198
Melody
  • 11
  • 3
  • From a quick glance, `bh` can only be `00h`-`10h` so 17 possibilities which you can probably brute force (check for the presence of the `int 87h` I guess?). – Jester Dec 20 '22 at 01:57
  • Its illegal to bruteforce, the key need to open the safe always with the same number of itteration. – Melody Dec 20 '22 at 03:52
  • Just out of curiosity where can I find the full rulebook? This seems like a fun game. – puppydrum64 Dec 20 '22 at 11:15
  • You can bruteforce 17 possibilities with the same number of iterations :) Actually if I understand the rules correctly due to the 1024 byte margin you only need 15. Is that still not allowed? – Jester Dec 20 '22 at 11:39
  • I'm not sure my teacher said that the key must have O(1) cmplexity – Melody Dec 21 '22 at 19:28
  • The game called codeguru extreme, it's kind of corewar game – Melody Dec 21 '22 at 19:30
  • 15 being constant it is O(1). Although not sure what the base is in this case. – Jester Dec 22 '22 at 10:53
  • I tried to brute force but there is a problem. I can't use int 87h since it requires to pass the value that I'm lookin for and I can't know the value (address). Also I can't just write many move and ifs since I don't have enough space. Any idea how to solve it? – Melody Dec 22 '22 at 20:50
  • Erm, the brute forcing is simply to go through addresses 0010h, 0110h, 0210h, ... 1010h. Fetch the address from that location. That should point to the start of the code, so just compare the value with the machine code of `int 87h`. Something like `mov bx, 10h; back: mov si, [bx]; cmp [si], 0x87cd; je found; inc bh; jmp back` should do the trick. (Adjust to run the loop constant times if necessary.) – Jester Dec 24 '22 at 00:29
  • 1
    Thank you very much, you really helped me. BTW I needed to cmpare [si] to the push es and pop es instraction (both of them 1 byte) and not to int 87h since they are the first instractions – Melody Dec 24 '22 at 17:19
  • Ah yeah I missed those two. Glad I could help! – Jester Dec 24 '22 at 22:58

0 Answers0