CTF-Writeups

Gambler’s Fallacy

Summary

The game uses Python’s MT19937 (random) to generate a 32-bit server_seed for each roll, and it prints that seed directly. After collecting 624 outputs, we can reconstruct the MT internal state via untempering, predict all future server_seed values, compute exact rolls from the HMAC formula, and bet the full balance on guaranteed wins until the balance exceeds 10000 to buy the flag.

Key Observations

• server_seed = random.getrandbits(32) is revealed every round.
• MT19937 has a 624-word internal state; 624 outputs fully recover it.
• The roll is deterministic from (server_seed, client_seed, nonce):
  • sig = HMAC_SHA256(key=str(server_seed), msg=f"{client_seed}-{nonce}")
  • Take 5-hex-digit chunks until < 1e6
  • roll = round((lucky % 10000) * 1e-2) (integer 0..99)

Attack Plan

1. Play 624 games with minimal wager to collect 624 server_seed values.
2. Untemper each output to recover the MT state.
3. Predict future server_seed values.
4. For each predicted seed, compute the exact roll using the HMAC formula.
5. If roll is in [2..98], set greed = roll and wager the full balance to win for sure.
6. Otherwise, place a minimum bet to advance the nonce and consume the RNG output.
7. Repeat until balance >= 10000, then buy the flag.

Untemper (MT19937)

Temper in Python is:

y ^= (y >> 11)
y ^= (y << 7)  & 0x9d2c5680
y ^= (y << 15) & 0xefc60000
y ^= (y >> 18)

Each step is reversible with iterative xor-unshifting, yielding the original state word.

Result

Flag: uoftctf{ez_m3rs3nne_untwisting!!}