AOC 2021 Day 24 – No U
Finally a reverse engineering challenge in Advent of Code.
This post is a writeup on solving the Advent of Code 2021 Day 24 challenge: Arithmetic Logic Unit.
The Problem
At first glance, I thought it was something similar to the intcode problems from two years ago. After a more thorough read, it turns out this is a completely different problem. To my surprise, the day 24 challenge actually resembles the reverse engineering found in some capture the flag competitions!
To summarise the challenge, we're given a list of assembly-like instructions like so:
Our submarine's arithmetic logic unit (ALU) has four registers: w
, x
, y
, and z
.
There are six different types of instructions in total:
inp a
reads the leftmost digit from input into registera
(if the input is123
,inp w
will store1
inw
),add a b
adds registera
with register/valueb
,mul a b
multiplies registera
by register/valueb
,div a b
divides registera
by register/valueb
(integer division—i.e. divide + truncate—is performed, sodiv 10 3
is3
anddiv -5 2
is-2
),mod a b
takes the remainder of dividing registera
by register/valueb
, andeql a b
evaluates to1
ifa
equalsb
, and0
otherwise.
You may notice that there are no jump instructions, so the ALU program is quite literally straightforward. We just need to run each instruction once until we hit the end.
Given the ALU program, we need to find the maximum (part 1) and minimum (part 2) ALU input which will cause the program to terminate with a 0
in register z
. The ALU input is constrained to 14-digit integers, and all digits are non-zero.
Solving
In the midst of reading the challenge, I had already decided on the tool to use. Z3!
Z3 is a logic programming engine (theorem prover, actually) developed by Microsoft Research. It's pretty useful for working with symbols and constraints and more importantly, deriving possible solutions for said symbols. For example, say we want to know what are the solutions of $x^2 = x$. Z3 can solve this for us:
Initially, since I wanted to stick to my resolution of using Haskell or Rust, I tried looking for Z3 bindings for either language. They do exist. But they seem annoying to wrestle with.
So I decided to make an exception... just for this day... I'll use Python.
(I might return to write a Haskell/Rust Z3 solution later.)
Sokath, his eyes uncovered!
In my experience, whenever starting a reverse challenge and given some assembly, it's useful to start by analysing the control flow of the assembly and look for patterns. Well, the ALU program has super simple barely any control flow, every single instruction will run one after another.
Now if we were given actual binaries, we would be able to throw them into a decompiler and get a control flow graph. But since the ALU instructions here are contrived, I decided not to bother and go with the fallback method of analysis:
STARING AT THE ASSEMBLY.
Here are the first 40 lines (out of 252) of the given ALU program. Now stare with me.
(You can view the full ALU program I was given here.)
Done staring? I find that it also helps to add annotations on the right of the assembly.
After enough staring, your eyes will be uncovered. Or exhausted. Or perhaps both.
Here were my observations:
- There are 14 repeated blocks. One block handling each digit from input.
- Blocks are demarcated with an opening
inp w
. - Each block contains 18 instructions.
- There are only three differences across each block:
- Instruction 5:
div z D
, whereD
is either1
or26
. - Instruction 6:
add x A
, whereA
can be any integer (negatives also appear!). - Instruction 16:
add y B
, whereB
can be any integer (seems like only non-negatives here).
- Instruction 5:
- The other 15 instructions are the same in each block.
- Between each block, only the value of
z
is propagated.w
,x
, andy
are all local within a block. - We can simplify each iteration to the following expression:
- For each input digit
I
,x = (I != (z % 26 + A))
.- If
x
, thenz = (z / D) * 26 + I + B
.
- Else,
z = z / D
.
- For each input digit
Nifty!
This is really all the intelligence we need. The rest is just hacking together the solution with the Z3 API.
Snoring with ZZZ
Firstly, we read our file and gather our intelligence like a shepherd gathering their flock or a mother hen gathering her chicks.
Since all the numbers are at the end of the line, it's sufficient to split each line by whitespace, index the last token, and convert it to an int
.
Next, we'll start doing our Z3 things. We'll define one symbol for each digit, and constrain each symbol to non-zero digits.
We use a special Z3 Optimize
solver. This provides .maximize
and .minimize
methods which will be useful for tackling parts 1 and 2 respectively.
We then implement the iteration logic and add constraints. To keep things clear (and since I'm not too sure how modifying Z3 symbols work), I used a separate z
symbol (zs[i]
) for each iteration.
Finally, we chain together the symbol we want to maximise/minimise (which is our ALU input), then we call the respective .maximise
/.minimise
functions.
Here, I used s.push()
and s.pop()
to create a sort of "scope". Without the "scopes", .maximise
and .minimise
work a bit weirdly in that once I call the first, the second will still return the same .maximise
d number.
And that's pretty much it. On my laptop, it spits out both solutions within half a minute. I would've hoped for better, but eh, at least it's much faster—both coding-wise and runtime-wise—than a brute force scan.
Full Script
For completeness, here's the full d24.py script.
Comments are back! Privacy-focused, without ads, bloatware 🤮, and trackers. Be one of the first to contribute to the discussion — I'd love to hear your thoughts.