simonlindholm

# -----------------------------------------------------------------
# pycparser: __init__.py
#
# This package file exports some convenience functions for
# interacting with pycparser
#
# Eli Bendersky [https://eli.thegreenplace.net/]
# License: BSD
# -----------------------------------------------------------------
__all__ = ["c_parser", "c_ast"]

simonlindholm

full
hål
krona
hund
kniv
snöre
häst
eka
klocka
matta

simonlindholm

#!/usr/bin/env python3

import sys
import struct
import argparse
from collections import namedtuple

REG = {
    "zero":0,
    "at":1,

simonlindholm

#include <bits/stdc++.h>
#include <immintrin.h>
using namespace std;

#define rep(i, from, to) for (int i = from; i < (to); ++i)
#define trav(a, x) for (auto& a : x)
#define all(x) x.begin(), x.end()
#define sz(x) (int)(x).size()
typedef long long ll;
typedef pair<int, int> pii;

simonlindholm

#ifdef USE_AVX256
#pragma GCC target ("avx2")
#else
#define NDEBUG
#pragma GCC target ("avx512f,avx512bw")
#endif
#pragma GCC optimize ("unroll-loops")
#pragma GCC optimize ("O4")
#include <bits/stdc++.h>
#include <immintrin.h>

simonlindholm

namespace ttmath{typedef unsigned int U;typedef signed int sint;typedef uint64_t ulint;typedef int64_t slint;}namespace ttmath{enum LibTypeCode{asm_vc_32=0,asm_gcc_32,asm_vc_64,asm_gcc_64,no_asm_32,no_asm_64};enum ErrorCode{err_ok=0,err_nothing_has_read,err_unknown_character,err_unexpected_final_bracket,err_stack_not_clear,err_unknown_variable,err_division_by_zero,err_interrupt,err_overflow,err_unknown_function,err_unknown_operator,err_unexpected_semicolon_operator,err_improper_amount_of_arguments,err_improper_argument,err_unexpected_end,err_internal_error,err_incorrect_name,err_incorrect_value,err_variable_exists,err_variable_loop,err_functions_loop,err_must_be_only_one_value,err_object_exists,err_unknown_object,err_still_calculating,err_in_short_form_used_function,err_percent_from};struct Conv{U base;bool scient;sint scient_from;bool base_round;sint round;bool trim_zeroes;U comma;U comma2;U group;U group_digits;U group_exp;Conv(){base=10;scient=false;scient_from=15;base_round=true;round=-1;trim_zeroes=true;

simonlindholm

Last year's Battlecode engine did JVM instrumentation to sandbox players on the same team from each other, and to limit the amount of computation they were allowed to do. We found two fun vulnerabilities related to the latter part.

The first vulnerability

The process by which the bytecode instruction limitation was done was by decompiling .class files, adding in instruction-counting instructions in relevant places, and them re-compiling them and running the modified executable. More concretely, say the program contained a method like:

simonlindholm

#!/usr/bin/env python3
import sys

commands = {}
commands['seq'] = {
    # non-arg commands
    0xff: ['end'],
    0xfe: ['delay1'],
    0xfd: ['delay', 'var'],
    0xfc: ['call', 'addr'],

simonlindholm

typedef long long ll;
typedef unsigned long long ull;
typedef __uint128_t L;

struct Barrett {
	ull d, m;
	Barrett(ull d) : d(d), m(ull((L(1) << 64) / d)) {}

	ull reduce(ull a) {
		ull q = (ull)((L(m) * a) >> 64);

simonlindholm

typedef unsigned long long ull;
struct FastMod {
	ull multiplier;
	ull divisor;
	int shift_size;
	int mode = 0;
	FastMod(ull divisor) : divisor(divisor) {
		shift_size = 64 - __builtin_clzll(divisor) - 1;
		if (divisor & (divisor - 1)) {
			auto a = (__uint128_t)1 << (shift_size + 64);