Random number manipulation possibilities

[h.q.droid]

I got annoyed at the quality gacha and attempted random number manipulation. I didn't succeed yet, but I disassembled and debugged the factorio executable and got some preliminary results:

Quality is rolled at the *start* of crafting, while probabilistic output (like U-238 / U-235 / recycling bioflux) are rolled at the *end* of crafting.

One global RNG instance is shared by at least the following things:

• Quality roll

• Probabilistic output roll

• Asteroid generation, which rolls every tick

• Turret shooting

• Enemy AI

• Some mining activity, maybe the resource consumption reduction of big mining drill

• Some asteroid collection activity?

But not:

• Random mode of selection combinator (each has its own private RNG instance)

The generator is a custom xorshift variant with 96-bit state, easy to evaluate with in-game combinators:

Code: Select all

uint32_t getInt(uint32_t *state){
  uint32_t uVar1;
  uint32_t uVar2;
  uint32_t uVar3;
  
  uVar3 = *state;
  uVar1 = (uVar3 << 13 ^ uVar3) >> 19 ^ (uVar3 & 0xffffe) << 12;
  uVar3 = state[1];
  *state = uVar1;
  uVar2 = (uVar3 * 4 ^ uVar3) >> 25 ^ (uVar3 & 0xffffff8) << 4;
  state[1] = uVar2;
  uVar3 = state[2];
  uVar3 = (uVar3 * 8 ^ uVar3) >> 11 ^ (uVar3 & 0x7ff0) << 17;
  state[2] = uVar3;
  return uVar1 ^ uVar2 ^ uVar3;
}

It's essentially XOR matrix multiplication so you can directly predict the result after an arbitrary number of rolls in one go.

Quality roll logic: roll once p=getInt()/4294967296, if p<quality_percent, bump one level, if p<quality_percent*10%, bump another, continue until highest researched quality is reached or test failed. I haven't reverse-engineered the production roll logic yet.

This enables a few building blocks:

• Probe RNG state with quality / probabilistic production.

• Consume RNG rolls with cheap with-quality production or circuited turrets shooting at something.

But we lack reliability: some unpredictable rolls can happen between controllable rolls every tick. So the most reliable option is to somehow predict future rolls on the same tick we probe the RNG state or abort production after we finished predicting the quality roll, neither seem possible right now.

There are several possible directions:

Expensive semi-auto quality scumming. Say you have ~2k cryogenic plants making expensive stuff like fusion generator from common materials + 96 recyclers leaking RNG state. Start all recyclers on the same tick, then start all cryogenic plants on the exact tick the recyclers will create output. Then you can predict the quality rolls of each plant with combinators from the recylcer results and only enable those producing legendary ones. After you get the legendary products though, you'll have to clean up by manually deconstructing / reconstructing everything and start over.

Math stuff. The RNG quality is not very good and exhibits significant auto-correlation. But I haven't found a way to exploit such correlation reliably in-game yet.

Speedrun-only option: if you have no space platform moving / collecting asteroids, have no random crafting / big-drill mining and somehow kill all enemies within active chunks, you have total control over the RNG for like one minute before biters roll their expansion, during which you can guarantee a bunch of quality stuff from common materials.

[Khazul]

RNG instancing and the method used I expect are to provide determinism in multiplayer ie that the action on the server can be performed by the client and they both end up with the same result so the client only need to know what actions to perform and doesnt need to also be told the result of such actions. This I expect is essential for multiplayer performance as sending action rather than action+state updates would be a significant saving and likely what makes this game viable at all for multiplayer.

[Tertius]

How do you get *state ingame? As long as you don't know the seed, you're unable to predict.

[Nidan]

How do you get *state ingame? As long as you don't know the seed, you're unable to predict.

Unless you mess with the state (~ reseeding), any PRNG will give you a fixed and repeating sequence of numbers(*), the "randomness" comes from the fact that you don't know where in the sequence you are. Therefore, if you can control the questions asked, you get information about its internal state from observing the output: Ask a PRNG for a coin flip (one bit) and you get one bit of information about the current state. (Out of all possible states, half can't give you the result you observed.) Repeat that often enough, and you can get the current state.

OP describes such an attack (and claims factorios PRNG has a particular weakness they can make use of). A bunch of controlled questions are made in sequence. The first part (recyclers) tries to get as much information as possible, the second part (quality) is then predicted.

*) For a PRNG with n bits of state, that sequence should be 2^n numbers long.

[coffee-factorio]

How do you get *state ingame? As long as you don't know the seed, you're unable to predict.

So imagine you have a message and you do some math to each letter to make it different. That's what a prng does too in way. You can imagine taping the the message together to make a loop. And then when you run over the message again you rewrite it. You can't in practice do that with a PRNG because you have to keep your place on the tape to, an eventually that forces you to restart instead of walking forever.

So what OP is doing is smart in that he can get the description of the math operations and I support their interest in computer science.

But I do have to point out that OP could mod in some tuners if someone hasn't already to just make a machine of their choice at the cost they feel is necessary to spend. As that will let them have a machine of whatever speed they want at whatever price they feel is fair without having to reverse engineer code.

Instead of save scumming you can just use a mod to have a machine or item at your price.

And that's how you get a space probe that includes a rock picker as a dependent part -_-

[kovaxis]

Very interesting. How exactly do you think "probing the RNG" would work? You seem to imply that you know how to make it work, but don't explain it.

My guess is that with a recipe that has random output with 50% chance, then whether there's a random output or not reduces (maybe with some error) to

Code: Select all

getInt() < 2^31

. In this case, we can reliably get the most significant bit of output per recipe crafted, and then solve the matrix equations to get the state.

Also, what is the sub-tick ordering of the random queries? Is it just the build order? What about events that are not attached to entities? (eg. asteroids spawning?)

I think quality scumming might work well, maybe with the recursive blueprints mod (although using mods kind of breaks the purpose of this exploit). Maybe change recipes with signals instead of deconstructing the machines? Not sure if it works.

[h.q.droid]

Very interesting. How exactly do you think "probing the RNG" would work? You seem to imply that you know how to make it work, but don't explain it.

My guess is that with a recipe that has random output with 50% chance, then whether there's a random output or not reduces (maybe with some error) to

Code: Select all

getInt() < 2^31

. In this case, we can reliably get the most significant bit of output per recipe crafted, and then solve the matrix equations to get the state.

Also, what is the sub-tick ordering of the random queries? Is it just the build order? What about events that are not attached to entities? (eg. asteroids spawning?)

I think quality scumming might work well, maybe with the recursive blueprints mod (although using mods kind of breaks the purpose of this exploit). Maybe change recipes with signals instead of deconstructing the machines? Not sure if it works.

Since I haven't found a way to exploit the state, I haven't investigated the probing / sub-tick ordering too deeply. I do intend to use a 50% recipe to get the MSB like you said. Need to debug the non-quality code a bit for a fully working solution, though, since it's impossible to get 50% with quality modules due to premature rounding.

I haven't fully checked the sub-tick ordering either. During my debugging, the asteroid spawning always seems to have its own phase, happening in a big clump either after or before other stuff. It could be me never catching multiple surfaces producing stuff on the same tick, though.

Signal-changing recipes waits for the current production session to finish so kinda hard to exploit here.

[kovaxis]

I've made some progress. I'm focusing on a proof-of-concept "speedrun style" exploit for now, in the Factorio sandbox.

I have this contraption:

Contraption

12-25-2024, 04-06-25.png (429.71 KiB) Viewed 541 times

It recycles gears (which have a 50% chance of producing iron plate), and if no iron plate is produced, it places a copper plate on the belt instead. This means that the resulting pattern of copper/iron on the belt should be exactly the MSB bits produced by the RNG:

Pattern of plates on belt

12-25-2024, 04-09-56.png (123.6 KiB) Viewed 541 times

And made a Python script that I can feed the pattern of Iron/Copper plates, and can predict the future production of Iron/Copper!
It turns out you only need 88 samples, since there are 8 bits of state that are simply discarded when transitioning state.
I distilled a matrix that you can just multiply with your 88 MSB bits and get the 96 bits of state at the end of the 88-query sequence:

Recipe matrix

Code: Select all

Mat(96x88):
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1100100111000101000101011001101000000101011001010010000110011011111011100100001000001000
1011010111111111010001001011011001110000011000100011001100011011001011101110101001110101
0111101101101001100111001010010000101101011000011001101110011011010111100100110000000010
1101011101101010100111100010000001011010001001000001000001101011000011110011110011100100
1001000001111001011101010100101101001101000100000110000101100100101001101001011111100100
0001010011001010100010111100111000101010010100011101100111100001001001101110000110010110
0000011100110110111011100100111110110111001001010110011000101010101100011100011000001110
0011000111101010001100100100000101011010110010111111101101110011101000110111001110000101
1110010001110001110110111011111110110101010010010111111001101100100101011111000011101111
0110110011100010100010101111011011010001111111001101100111010000100111010110101101110111
1001110100000110000000000010111110000110010100001001110100010000011110000010011110100010
0110101010011101010111010100010100010000011011000101011011010001000101011011011000101000
1010111011010001111011101000110111111010100001011010100011110010001101100011111001010001
0101011010100101010011001101010100010000100010111000110111110011101101110110111010101011
1111011011010011001110010100100001011010110000110011011100110110101111001001100000000100
1001001110001110111110011111100101000100000001111100101100010011111101001100001110001001
0001110110101001001011110010111101101010011011110010100100001100101001111001010110001001
0010100110010101000101111001110001010100101000111011001111000010010011011100001100101100
0000111001101101110111001001111101101110010010101100110001010101011000111000110000011100
0110001111010100011001001000001010110101100101111111011011100111010001101110011100001010
1111010110111000011100101100011010011010110111010001011100011100110000010101101110011111
1101100111000101000101011110110110100011111110011011001110100001001110101101011011101110
0000011101010111110001011110011011111100111011101101000111100101000110101111010100000101
1101010100111010101110101000101000100000110110001010110110100010001010110110110001010000
0110000011111000000110001010001000000101010001001011101000100001100001101100011011100011
1010110101001010100110011010101000100001000101110001101111100111011011101101110101010110
1101000011111101101101110010100101000101110010011000010110101000100100111000101001001001
0001101001000110001101100100101101111000010000000111110111100010000000110011110101010011
0011101101010010010111100101111011010100110111100101001000011001010011110010101100010010
0101001100101010001011110011100010101001010001110110011110000100100110111000011001011000
0001110011011011101110010011111011011100100101011001100010101010110001110001100000111000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1010101001111110001010001100100000111100011110110111100111101100100110000010010101011010
0111011111101101000110010000000000110011111000001001011001010111011101000000111100101101
0110001100101111001101001011010110011011010011101010100111100110010000110001010111110110
1000110001100100100111010101011111001010101010001011100110011110101100101101001011000101
0110100110100111100101000010100110001000101110010001100000011100110110101111000011110101
1110111111011010001100100000000001100111110000010010110010101110111010000001111001011010
1100011001011110011010010110101100110110100111010101001111001100100001100010101111101100
0010010110010010111111110001011001100101000111101001100011111000100011110001111111001011
1101001101001111001010000101001100010001011100100011000000111001101101011110000111101010
1110001011101111101000011011100100111111110011011011001010011000001110101000011011110101
1011000111100111000101110110111110011101011101010100110001011100111001101110110110011001
0100101100100101111111100010110011001010001111010011000111110001000111100011111110010110
1001101111000101100101010001111111010010101010111000101110110110100000010111100110010101
1111100010000100100001101100101110001111110101001000111011110101100111111011011110101011
0101111010010101111010110110011011001010101001010111001101111100001001110110000101110011
1001011001001011111111000101100110010100011110100110001111100010001111000111111100101100
0000101011010000111011111000011001010101000110001111110010101000111010000100100101101011
1100110001010010110010000010111011101111111001101111011000101110110101011101010100010111
1011110100101011110101101100110110010101010010101110011011111000010011101100001011100110
0001000111001100001111010000101011011000101110110010110000000001100100100100010000011001
0001010110100001110111110000110010101010001100011111100101010001110100001001001011010110
1010010111111110010101011110010000101111100000100000011110011000010000010001000001101111
0100011100001100011010000010001011011010110110100010011000110101011101110011111110001101
0010001110011000011110100001010110110001011101100101100000000011001001001000100000110010
0010101101000011101111100001100101010100011000111111001010100011101000010010010110101100
0111011010100111011011100111000110101111010010111110010011110101011010001001101010011111
1000111000011000110100000100010110110101101101000100110001101010111011100111111100011010
0100011100110000111101000010101101100010111011001011000000000110010010010001000001100100
0101011010000111011111000011001010101000110001111110010101000111010000100100101101011000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0010101101010000110110111111011011110011001110010110110000111011100100101010010100010101
0111101100000010001101000100010101001101110110111011000101000000101111100000011110000001
0100000100011011000111010001010101100011000001111000101011011111111001101001110111011011
0101111100100000101101110111111100101011101000110001000011000000010001100001001001011101
0101010111100010110101000101001111111101010110000000001110000101101100111111101010100101
1100000110001001111110000110010000101011010110011101011111010101101101010101011001101111
0000001110011011111001011100100101100100100010111110011101101011001110000011001010101101
0001101111011100110111100011111010100011101000010100011110010010100001010010110111100010
1111001111111001100100011001000101000000010111011110000001011101101001100101010111111000
1110110010011010011101111001111010010010001001100001100000101010101110000110011101100001
1011101110000011100000000101101011000010000011101100101100010100001101111111010010010000
0111100011111100000111101011011011000001111001101010001110100010100110100101101001010010
0100111110110110100011110110000011001100111011000011010101101000000100100011100110000001
0000010110100011111011000000110010001011101010101111101110011001001100011110011101011101
1100100111000001101001111101010110101100000100001101111000100000010011000000111001011100
1111101111101010000001111001010111001010011001111100000101001000001111101001100111110011
1111101111001010111100101110001001100110001000011110010110010001000111100001000101001010
0101011010100001101101111110110111100110011100101101100001110111001001010100101000101010
1111011000000100011010001000101010011011101101110110001010000001011111000000111100000010
1000001000110110001110100010101011000110000011110001010110111111110011010011101110110110
1011111001000001011011101111111001010111010001100010000110000000100011000010010010111010
1010101111000101101010001010011111111010101100000000011100001011011001111111010101001010
1011111001001000001101010111000110100110111111000100010001101110100000000001011010011111
0000011100110111110010111001001011001001000101111100111011010110011100000110010101011010
0011011110111001101111000111110101000111010000101000111100100101000010100101101111000100
1101101010101000111001101001101101110000111101000010101101111110101001100001000110110001
1110010001101111001010101000010011010100000000111101101110010000100110100111010010000011
0100101001011100110001010000110001110100010100100111110111101101100001010101001101100001

To use it, multiply the recipe matrix by a column vector of the samples, ordered from the oldest at the top and the newest at the bottom:

Code: Select all

state = recipe_matrix * sample_vector

The state is just a 96-bit vector, with the LSB of the first word at the beggining and the MSB of the third word at the end. I managed to predict quality output using this technique! I recycled 100 gears, figured out I needed to wait exactly 445 crafts to get a 2-step quality increase (random value < 0.001), crafted 444 gears, then crafted 1 exoskeleton out of common materials and got a rare exoskeleton!

There are a few details:
- For some reason I had to negate the inputs. According to the wiki, the formula for the number of items that a recycler will produce is floor(0.25 * I / O + r), with I the number of inputs, O the number of outputs and r a random value. For some reason, I had to consider Iron as an MSB of 0 and No-Iron as an MSB of 1. It looks like r is computed as 1 - getInt()/2^32?
- Implementing the matrix multiplication using combinators in-game looks horrible. 264 arithmetic combinators to combine all 88 samples. The thing is, there is probably a cleaner way, something along the lines of inverting the state-transition function and iterating the same set of combinators many times. I'll give it some more thought when I have more sleep in my body.

Btw merry christmas!

[h.q.droid]

Merry Christmas! Best Christmas gift I ever got!

The product-giving code is really complicated with 2 if-else branches containing 3 different rolls. The shortest path only reaches one. I haven't debugged it yet. Thanks for discovering the inversion! Your contraption looks really cool

For combinators, do you really need a full 88-bit multiplication? Speedrun only needs to predict ~8 bits for a rare product so you only need to multiply 8 columns. With the implicit addition of wire connection, if you could route the 88 inputs to one different belt segment each, you can use the wires to connect the belts corresponding to 1-cells to one iron-AND-1 arithmetic combinator for each column (add is xor if you ignore carry). Just need a few other belts to split wire connections. That's what I thought of when trying for zero-tick signal control. I haven't found a practical way to overflow the high bits or do and-of-even-odd-tests though.

[h.q.droid]

Sorry for necro-ing this, but I just saw on reddit the last-minute-science-recycle trick. When combined with RNG manipulation, this can return 100% science on recycle and last indefinitely! A speedrunner would only need to ship a few of each science back to Nauvis to keep researching until the Gleba one expires (making them rare could allow them to last an entire game). That would also allow reducing competing random draws to virtually nothing and greatly simplify the manipulation process. If enemies ever prove to be a problem, one could even nuke the Nauvis / Gleba bases and do the infinite research in a space platform.