Support for V8 Javascript Engine's Math.Random()?
innsternet opened this issue · 5 comments
Awesome project by the way.
Would it be possible to support the V8 JavaScript engine's Math.random(), which is used by Chrome/Node.js?
(https://github.com/v8/v8-git-mirror/blob/master/src/math.js)
(http://v8.googlecode.com/svn-history/r8490/branches/bleeding_edge/src/v8.cc)
```javascript
function MathRandom() {
  var r0 = (MathImul(18030, rngstate[0] & 0xFFFF) + (rngstate[0] >>> 16)) | 0;
  rngstate[0] = r0;
  var r1 = (MathImul(36969, rngstate[1] & 0xFFFF) + (rngstate[1] >>> 16)) | 0;
  rngstate[1] = r1;
  var x = ((r0 << 16) + (r1 & 0xFFFF)) | 0;
  // Division by 0x100000000 through multiplication by reciprocal.
  return (x < 0 ? (x + 0x100000000) : x) * 2.3283064365386962890625e-10;
}
```
For example, making it possible to predict the upcoming values from Math.random() in Chrome or in web applications running Node.js.
Thanks.
On the subject as well:
https://jonasnick.github.io/blog/2015/07/08/exploiting-csgojackpots-weak-rng/
Node.js is too popular to ignore; we should really have support for this. I'll try to take it up after DEF CON.
The line...
```javascript
return (x < 0 ? (x + 0x100000000) : x) * 2.3283064365386962890625e-10;
```
...bothers me because it's floating point multiplication. But I'll see what I can do to replicate it...
Yeah, I whipped up a quick and dirty brute-forcer a while ago in C++ and had the same issue. In the end I just kept it simple and dealt with everything in integers, and then did the floating point conversion in JavaScript with the browser manually at the end, which wasn't ideal, but I got the end result I was after.
Yeah, that's what I'm afraid of. For untwister, we can't do offloading to another engine like a browser, so I'll just have to figure out the floating point division thing. No big deal.
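On the floating point conversion discussed in the thread, an added example (not part of the original issue and not untwister's or V8's code): the constant in the quoted return line is exactly 2^-32, so the multiplication is lossless and an observed double maps back to the generator's 32-bit word using integers only. The function names, the use of `Math.imul` in place of V8's internal `MathImul`, and the sample state are assumptions made for this illustration.

```javascript
// Added illustration; function names are hypothetical, not V8's or untwister's.
const TWO_POW_32 = 0x100000000;

// One step of the generator quoted in the issue, on a two-word state.
// Math.imul stands in for V8's internal MathImul.
function mwc1616Step(state) {
  const r0 = (Math.imul(18030, state[0] & 0xFFFF) + (state[0] >>> 16)) | 0;
  const r1 = (Math.imul(36969, state[1] & 0xFFFF) + (state[1] >>> 16)) | 0;
  state[0] = r0;
  state[1] = r1;
  // Unsigned 32-bit output word: low half of r0 on top, low half of r1 below.
  return (((r0 << 16) + (r1 & 0xFFFF)) | 0) >>> 0;
}

// The line in question. 2.3283064365386962890625e-10 is exactly 2^-32, so the
// multiplication only changes the exponent and never rounds.
function wordToDouble(x) {
  return x * 2.3283064365386962890625e-10;
}

// Inverse: an observed double maps back to the same 32-bit word, exactly.
function doubleToWord(d) {
  const x = d * TWO_POW_32;
  if (!Number.isInteger(x) || x < 0 || x >= TWO_POW_32) {
    throw new RangeError("not an output of this generator");
  }
  return x;
}

// Each output word carries the low 16 bits of both state words.
function exposedStateBits(word) {
  return { r0Low: word >>> 16, r1Low: word & 0xFFFF };
}

// Constructed sample state, not a real V8 seed.
function demo() {
  const state = new Int32Array([0x12345678, 0x0BADF00D]);
  const word = mwc1616Step(state);
  const bits = exposedStateBits(word);
  return {
    roundTrips: doubleToWord(wordToDouble(word)) === word,
    halvesMatch: bits.r0Low === (state[0] & 0xFFFF) &&
                 bits.r1Low === (state[1] & 0xFFFF),
  };
}
```

Because every output exposes half of each state word, values from this generator are unsuitable for tokens, draws or anything else that must be unpredictable; `crypto.randomBytes` in Node.js or `crypto.getRandomValues` in browsers is the appropriate source for those.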