added writeups exported from ctfnote

pittrap-misc.md

@@ -0,0 +1,203 @@
+# pittrap - misc
+
+The challenge contains a onnx file for a neural network.
+
+The input layer accepts a vector of length 48, with vocab_size 256. This indicates the input is a 48-character string, which is tokenized by `[ord(i) for i in inp]`. The output is a single score.
+
+![](https://notes.c3h2.de/pad/uploads/776d4ba3-3089-4131-802b-e7648ae1e3da.svg)
+
+
+## Code to apply the network to an input
+
+```python=
+import onnx
+
+onnx_model = onnx.load(ONNX_FILE_PATH)
+onnx.checker.check_model(onnx_model)
+print(onnx_model)
+inp = None
+
+# Write code here to apply the model on the input
+# out = ???
+import numpy as np
+from onnx.reference import ReferenceEvaluator
+
+# int64 token ids, shape (batch_size, 48); input name must be "input_ids"
+inp = np.zeros((1, 48), dtype=np.int64)
+
+sess = ReferenceEvaluator(onnx_model)
+out = sess.run(None, {"input_ids": inp})
+score = out[0]
+print(score)
+```
+
+Then I tried a gradient ascent approach to find the input the leads to the maximum score. The input was the flag.
+
+```python=
+import numpy as np
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+from onnx import numpy_helper
+from onnx.reference import ReferenceEvaluator
+
+# Target format: gigem{just_<middle>_max_and_u'll_be_fine}
+PREFIX = "gigem{"
+SUFFIX = "}"
+ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_"
+
+# Only the middle is unknown. Restricting it to a plausible alphabet avoids
+# the optimizer getting stuck in high-scoring non-ASCII byte values.
+n_inner = 48 - len(PREFIX) - len(SUFFIX)
+n_pad = 48 - (len(PREFIX) + n_inner + len(SUFFIX))
+assert n_pad >= 0 and n_inner > 0
+
+weights = {init.name: numpy_helper.to_array(init).copy() for init in onnx_model.graph.initializer}
+
+
+class GigemTorch(nn.Module):
+    def __init__(self):
+        super().__init__()
+        self.register_buffer("embed_mat", torch.from_numpy(weights["embed.weight"]))
+        self.conv = nn.Conv1d(64, 128, kernel_size=3, padding=2, dilation=2)
+        self.fc1 = nn.Linear(6144, 64)
+        self.fc2 = nn.Linear(64, 1)
+        self.conv.weight.data.copy_(torch.from_numpy(weights["conv.weight"]))
+        self.conv.bias.data.copy_(torch.from_numpy(weights["conv.bias"]))
+        self.fc1.weight.data.copy_(torch.from_numpy(weights["fc1.weight"]))
+        self.fc1.bias.data.copy_(torch.from_numpy(weights["fc1.bias"]))
+        self.fc2.weight.data.copy_(torch.from_numpy(weights["fc2.weight"]))
+        self.fc2.bias.data.copy_(torch.from_numpy(weights["fc2.bias"]))
+
+    def forward_soft(self, probs):
+        x = torch.einsum("blv,vh->blh", probs, self.embed_mat)
+        x = x.permute(0, 2, 1)
+        x = self.conv(x)
+        x = F.gelu(x)
+        x = x.flatten(1)
+        x = self.fc1(x)
+        x = F.gelu(x)
+        x = self.fc2(x)
+        return x.squeeze(-1)
+
+
+def chars_to_onehot_row(device, c):
+    v = ord(c) & 0xFF
+    return F.one_hot(torch.tensor([v], device=device, dtype=torch.long), 256).float()
+
+
+def build_probs_from_middle_allowed(middle_allowed_probs, allowed_ids, device):
+    batch_size = middle_allowed_probs.shape[0]
+    middle = torch.zeros(batch_size, n_inner, 256, device=device)
+    middle.scatter_(2, allowed_ids.view(1, 1, -1).expand(batch_size, n_inner, -1), middle_allowed_probs)
+
+    blocks = []
+    if n_pad > 0:
+        pad = torch.zeros(batch_size, n_pad, 256, device=device)
+        pad[:, :, 0] = 1.0
+        blocks.append(pad)
+    for c in PREFIX:
+        blocks.append(chars_to_onehot_row(device, c).unsqueeze(0).expand(batch_size, -1, -1))
+    blocks.append(middle)
+    for c in SUFFIX:
+        blocks.append(chars_to_onehot_row(device, c).unsqueeze(0).expand(batch_size, -1, -1))
+    return torch.cat(blocks, dim=1)
+
+
+def ids_from_middle_indices(middle_indices, allowed_ids):
+    middle_ids = allowed_ids[middle_indices].detach().cpu().numpy()[0]
+    token_ids = [0] * n_pad
+    token_ids.extend(ord(c) & 0xFF for c in PREFIX)
+    token_ids.extend(int(x) for x in middle_ids)
+    token_ids.extend(ord(c) & 0xFF for c in SUFFIX)
+    return np.array(token_ids, dtype=np.int64)
+
+
+def score_ids(model, token_ids, device):
+    token_tensor = torch.tensor(token_ids, dtype=torch.long, device=device).unsqueeze(0)
+    one_hot = F.one_hot(token_tensor, 256).float()
+    return float(model.forward_soft(one_hot).item())
+
+
+device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
+model = GigemTorch().to(device)
+allowed_ids = torch.tensor([ord(c) for c in ALPHABET], dtype=torch.long, device=device)
+
+restarts = 6
+steps = 1000
+best_score = float("-inf")
+best_ids = None
+
+for restart in range(restarts):
+    logits_inner = torch.randn(1, n_inner, len(ALPHABET), device=device) * 0.01
+    logits_inner.requires_grad_(True)
+    opt = torch.optim.Adam([logits_inner], lr=0.2)
+
+    for step in range(steps):
+        tau = max(0.25, 2.5 * (0.992 ** step))
+        probs_inner = F.softmax(logits_inner / tau, dim=-1)
+        probs = build_probs_from_middle_allowed(probs_inner, allowed_ids, device)
+        soft_score = model.forward_soft(probs)
+        entropy = -(probs_inner * probs_inner.clamp_min(1e-9).log()).sum(dim=-1).mean()
+        loss = -soft_score + 0.02 * tau * entropy
+
+        opt.zero_grad()
+        loss.backward()
+        torch.nn.utils.clip_grad_norm_([logits_inner], max_norm=5.0)
+        opt.step()
+
+        if step % 100 == 0 or step == steps - 1:
+            with torch.no_grad():
+                hard_idx = logits_inner.argmax(dim=-1)
+                token_ids = ids_from_middle_indices(hard_idx, allowed_ids)
+                hard_score = score_ids(model, token_ids, device)
+                guess_str = "".join(chr(int(t)) for t in token_ids)
+                if hard_score > best_score:
+                    best_score = hard_score
+                    best_ids = token_ids.copy()
+            print(
+                f"restart {restart} step {step:4d}  tau={tau:.3f}  soft={soft_score.item():.4f}  discrete={hard_score:.4f}  guess={guess_str!r}"
+            )
+
+# Greedy coordinate refinement over the discrete candidate.
+# This fixes the usual softmax-relaxation issue where argmax is close but not exact.
+charset_ids = [ord(c) for c in ALPHABET]
+for refine_round in range(10):
+    improved = False
+    for pos in range(n_pad + len(PREFIX), n_pad + len(PREFIX) + n_inner):
+        current = best_ids[pos]
+        local_best = best_score
+        local_char = current
+        for cand in charset_ids:
+            if cand == current:
+                continue
+            trial = best_ids.copy()
+            trial[pos] = cand
+            trial_score = score_ids(model, trial, device)
+            if trial_score > local_best:
+                local_best = trial_score
+                local_char = cand
+        if local_char != current:
+            best_ids[pos] = local_char
+            best_score = local_best
+            improved = True
+    print(f"refine round {refine_round}: score={best_score:.4f}  guess={''.join(chr(int(t)) for t in best_ids)!r}")
+    if not improved:
+        break
+
+middle = "".join(
+    chr(int(i))
+    for i in best_ids[n_pad + len(PREFIX) : n_pad + len(PREFIX) + n_inner]
+)
+flag_only = PREFIX + middle + SUFFIX
+padded_visual = "".join(chr(int(i)) for i in best_ids)
+print("n_pad, n_inner:", n_pad, n_inner)
+print("middle:", repr(middle))
+print("flag:", repr(flag_only))
+print("full 48 (repr):", repr(padded_visual))
+
+sess = ReferenceEvaluator(onnx_model)
+onnx_score = sess.run(None, {"input_ids": best_ids.reshape(1, -1).astype(np.int64)})[0]
+print("ONNX score (discrete):", onnx_score)
+
+```