In this blog, I will share my experience using ChatGPT in the Aptos CTF MOVEment 2022 competition and discuss the benefits of using this tool in the CTF competition.
CertiK recently participated in the Aptos CTF MOVEment 2022 competition. As with all Capture the Flag (CTF) competitions, we faced the challenge of quickly understanding and summarizing the semantics of complex code snippets. To tackle this challenge, we turned to ChatGPT, a large-scale language model trained by OpenAI. ChatGPT proved to be a valuable tool in this regard, as it was able to understand and explain code written in various programming languages.
First impression
By interacting with ChatGPT in natural language, I was able to ask questions about my code and get clear, concise answers. This allowed us to quickly grasp the functionality of the code and saved us valuable time during the CTF competition. For example, if you present a code snippet written in Move, ChatGPT can provide an overview of the code’s semantics and explain in simple natural language what the code does. This will save you a lot of time and effort when trying to understand your code quickly during a CTF contest.
Example 1: Summary of code functionality
Below is an example of how ChatGPT summarizes the functionality of this code snippet provided in the CTF challenge.
public fun pow(g: u128, x: u128, p: u128): u128 {
    let ans = 1;
    g = g % p;
    // Square-and-multiply: walk the bits of x from least significant upward.
    while (x != 0) {
        if ((x & 1) == 1) {
            ans = ((ans % p) * (g % p)) % p;
        };
        x = x >> 1;
        g = (g * g) % p;
    };
    ans
}
ChatGPT overview: The code defines a public function named pow. It takes three parameters: g, x, and p. This function computes and returns the result of raising g to the x-th power, modulo p. This is done by using a loop that repeatedly squares g and multiplies it into ans when the least significant bit of x is 1. Then the result is returned. Overall, the code provides a way to compute the modular exponentiation of g to the x-th power, modulo p.
I am very impressed with the results I got using ChatGPT. The code wasn’t that long, but it was much faster to understand and summarize it with ChatGPT’s help than reading it directly. This shows the potential value ChatGPT can provide to inexperienced programmers. With ChatGPT, you can quickly get an overview of your code and understand its purpose and structure, saving you a lot of time and effort.
Digging deeper
Move is a relatively new language, but ChatGPT still provided useful information. I decided to try a slightly more advanced program to further test its capabilities. Below is another example, in which ChatGPT identifies a corner case that leads to a runtime error, which helps with debugging during code testing.
Example 2: ChatGPT helps identify potential runtime errors
Q: When does the following code fail to run?
fun encrypt_string(plaintext : vector<u8>) : vector<u8> {
    let key : vector<u8> = transaction_context::get_script_hash();
    let key_len : u64 = vector::length(&key);
    let ciphertext : vector<u8> = vector::empty<u8>();
    let i = 0;
    while ( i < vector::length(&plaintext) ) {
        // XOR each plaintext byte with the key byte at position i % key_len.
        vector::push_back(&mut ciphertext, *vector::borrow(&plaintext, i) ^ *vector::borrow(&key, (i % key_len)));
        i = i + 1;
    };
    ciphertext
}
ChatGPT’s answer: The code in question can fail to run if transaction_context::get_script_hash() returns an empty vector, or if vector::length() returns 0 when called on the plaintext or the key. In both cases the while loop in the code is not executed and the function simply returns an empty vector.
ChatGPT may not pinpoint the exact location of exceptions, but it can provide useful insight and explanations for corner cases and potential issues. In this case, ChatGPT recognized that the transaction_context::get_script_hash() function can return an empty vector, which can cause errors when used in operations such as i % key_len. This information is useful for anyone debugging code and trying to understand potential sources of errors.
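The corner cases above, modelled in Python as an added example (not code from the challenge or from ChatGPT). The key parameter stands in for the result of transaction_context::get_script_hash(), MoveAbort and aborts are hypothetical names, and the model assumes Move's rule that a modulo by zero aborts execution.

```python
class MoveAbort(Exception):
    """Models a Move abort: execution stops and nothing is returned."""


def encrypt_string(plaintext: bytes, key: bytes) -> bytes:
    """Python model of the Move loop; `key` stands in for get_script_hash()."""
    key_len = len(key)
    ciphertext = bytearray()
    i = 0
    while i < len(plaintext):
        if key_len == 0:
            # In Move, `i % key_len` is evaluated before vector::borrow(&key, ..),
            # so the arithmetic abort on modulo by zero is what stops execution.
            raise MoveAbort("i % key_len with key_len == 0")
        ciphertext.append(plaintext[i] ^ key[i % key_len])
        i += 1
    return bytes(ciphertext)


def aborts(plaintext: bytes, key: bytes) -> bool:
    """True if the model aborts for this (plaintext, key) pair."""
    try:
        encrypt_string(plaintext, key)
        return False
    except MoveAbort:
        return True
```

Only the combination of a non-empty plaintext and an empty key aborts; an empty plaintext skips the loop and returns an empty vector whatever the key is.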
Handling Move bytecode
Beyond just summarizing the semantics of the code, I was also interested in whether ChatGPT could understand Move bytecode, that is, the program expressed in another form. ChatGPT can read Move bytecode if it is written out as text, but it cannot interpret the raw bytecode instructions to provide information about their meaning or behavior.
Q: Can you explain the following bytecode?
FunctionDefinition { function: FunctionHandleIndex(1), visibility: Private, is_entry: false, acquires_global_resources: [], code: Some(CodeUnit { locals: SignatureIndex(9), code: [Call(11), StLoc(3), ImmBorrowLoc(3), CallGeneric(0), ImmBorrowLoc(3), VecLen(11), StLoc(4), VecPack(11, 0), StLoc(1), LdU64(0), StLoc(2), CopyLoc(2), ImmBorrowLoc(0), VecLen(11), Lt, BrFalse(35), Branch(17), MutBorrowLoc(1), ImmBorrowLoc(0), CopyLoc(2), VecImmBorrow(11), ReadRef, ImmBorrowLoc(3), CopyLoc(2), CopyLoc(4), Mod, VecImmBorrow(11), ReadRef, Xor, VecPushBack(11), MoveLoc(2), LdU64(1), Add, StLoc(2), Branch(11), MoveLoc(1), Ret] }) },
ChatGPT overview: The code you provided is a function definition written in Move bytecode. The function definition consists of a function handle, its visibility (in this case Private), whether it is an entry point (false in this case), the global resources it acquires (none in this case), and the function’s code.
The code for the function itself is a series of bytecode instructions, each performing a specific operation. For example, the Call instruction calls a function, the StLoc instruction stores a value in a local variable, and the ImmBorrowLoc instruction immutably borrows a local variable.
Without knowing more about the context in which the code is used and what the various instructions and values mean, it’s difficult to describe in detail what the code does. In general, however, the code looks like it defines a function that calls other functions, manipulates local variables, and performs some arithmetic and logical operations. It also uses vector operations such as VecLen and VecPushBack, and borrows local variables immutably and mutably. Overall the code looks complicated and needs more information to understand the exact functionality.
This result is somewhat expected. ChatGPT does not show a deep understanding of the code. This is understandable because ChatGPT is a language model and not (yet) specialized enough to understand Move bytecode. It still produces a meaningful description of the provided program.
Limitations
However, it’s important to note that ChatGPT has limitations. It can understand the basics of Move source code and provide a general description of its semantics, but it cannot perform detailed logic simulations or provide reliable information about how the code behaves. In short, ChatGPT can be a useful tool for quickly understanding code written in Move, but it should not be relied upon for more advanced tasks or detailed analysis of code behavior.
Example 4: Code Analysis Failed on Target Branch
Q: If Initialize_balance is set to 10 and res.balance has an initial value of 10, how do I call a function to make res.q3 true? (assuming you can)
public entry fun add(account: &signer, choice: u8, number: u8) acquires Challenge {
    let res = borrow_global_mut<Challenge>(signer::address_of(account));
    // Each call may use a number of at most 5.
    assert!(number <= 5, 0);
    if (choice == 1) {
        res.balance = res.balance + number;
    } else if (choice == 2) {
        res.balance = res.balance * number;
    } else if (choice == 3) {
        res.balance = res.balance << number;
    };
    // q3 is set once the balance drops below the initial balance.
    if (!res.q3 && res.balance < Initialize_balance) {
        res.q3 = true;
    }
}
ChatGPT’s answer: To call the add function and set res.q3 to true, you can call the function with choice set to 3 and number set to a value that causes res.balance to be less than Initialize_balance after res.balance is shifted left by number bits.
For example, if res.balance is 10, you can call the function with choice set to 3 and number set to 3, which shifts res.balance left by 3 bits and gives the value 80. Because this is bigger than Initialize_balance, which is set to 10, the if condition of the add function becomes false, and res.q3 will remain false.
However, if you call the function with choice set to 3 and number set to 2, res.balance is shifted left by 2 bits to give the value 40. Because this is less than Initialize_balance, the if condition of the add function becomes true and res.q3 is set to true.
So to call the function and set res.q3 to true, you can call the add function with choice set to 3 and number set to a value that causes res.balance to be less than Initialize_balance after res.balance is shifted left by number.
In this case ChatGPT fails to give the correct answer and tries to claim that 40 is less than 10.
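The step-by-step simulation that ChatGPT could not carry out, as an added Python example (not code from the challenge or from the original post). It assumes res.balance is a u8, which follows from res.balance + number with number: u8 because Move requires both operands to have the same type, and it assumes Move's integer rules: + and * abort on overflow while << discards the bits shifted out. MoveAbort and shortest_calls are hypothetical names.

```python
from collections import deque

U8_MAX = 0xFF
INITIALIZE_BALANCE = 10  # value stated in the question above


class MoveAbort(Exception):
    """Models a Move abort: the call fails and changes nothing."""


def add(balance, q3, choice, number):
    """Model of one add() call on u8 state; returns the new (balance, q3)."""
    if number > 5:
        raise MoveAbort("assert!(number <= 5, 0)")
    if choice == 1:
        balance = balance + number
    elif choice == 2:
        balance = balance * number
    elif choice == 3:
        balance = (balance << number) & U8_MAX  # << drops high bits, never aborts
    if balance > U8_MAX:
        raise MoveAbort("u8 overflow")  # + and * abort instead of wrapping
    if not q3 and balance < INITIALIZE_BALANCE:
        q3 = True
    return balance, q3


def shortest_calls(start=10, choices=(1, 2, 3), max_depth=4):
    """Breadth-first search for the fewest add() calls that set q3."""
    queue = deque([(start, False, [])])
    seen = {start}
    while queue:
        balance, q3, path = queue.popleft()
        if q3:
            return path
        if len(path) == max_depth:
            continue
        for choice in choices:
            for number in range(6):
                try:
                    nb, nq = add(balance, q3, choice, number)
                except MoveAbort:
                    continue
                if nq or nb not in seen:
                    seen.add(nb)
                    queue.append((nb, nq, path + [(choice, number)]))
    return None
```

With all three choices allowed the search returns [(2, 0)], a single multiplication by zero; restricted to shifts it returns [(3, 2), (3, 5)], because 40 << 5 truncates to 0 in a u8. The single call ChatGPT proposed, choice 3 with number 2, leaves the balance at 40 and q3 false.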
Conclusion
In summary, the experience of using ChatGPT to solve CTF challenges has been a positive one. ChatGPT’s ability to understand and summarize code written in Move was especially helpful. Despite its limitations, we believe ChatGPT will be a useful tool for developers working with the language.
By the way, in addition to the answers provided by ChatGPT, part of this story is written with ChatGPT-generated text. If you include the answers generated by ChatGPT, 90% of this blog’s content is generated by ChatGPT. It’s not perfect yet, but ChatGPT is a great application.
This article is a press release.
About CertiK
CertiK is a blockchain security company that uses its services, products and cybersecurity technology to help projects identify and eliminate security vulnerabilities in blockchains, smart contracts and Web3 applications.