v8-randomness-predictor

Using z3 to predict Math.random in v8

YouTube video

Watch the ✨ YouTube Video

Run Instructions

Get a few Random numbers from v8, run to following code in d8, nodejs or chrome.

Array.from(Array(5), Math.random)

Optionally you can set the random seed in nodejs so you'd get the same numbers as shown below.

/*
* Run nodejs with `--random_seed` flag like
* node --random_seed=1337
*/
Array.from(Array(5), Math.random)
// [0.9311600617849973, 0.3551442693830502, 0.7923158995678377, 0.787777942408997, 0.376372264303491]

Next we feed these random numbers into the python script (line 12).

SEQUENCE = [
  0.9311600617849973,
  0.3551442693830502,
  0.7923158995678377,
  0.787777942408997,
  0.376372264303491,
][::-1]

or, feeding them to the script with the -s/--seeds flag

$ python3 v8-randomness-breaker.py -s 0.9311600617849973,0.3551442693830502,0.7923158995678377,0.787777942408997,0.376372264303491

Run the script.

$ python3 main.py
👨‍💻 Break that v8 Math.random()!
🌱   Using 5 seeds
👉   0.376372264303491
👉   0.787777942408997
👉   0.7923158995678377
👉   0.3551442693830502
👉   0.9311600617849973
🚀   Next Random Number: 0.23137147109312428 
💾   State Values:
+--------+---------------------+
| state  |        value        |
+--------+---------------------+
| state0 | 4268050313212552111 |
| state1 | 6942842836049070467 |
+--------+---------------------+

Resources

• Learn z3 by solving simple challenges
• There’s Math.random(), and then there’s Math.random()
• Further scramblings of Marsaglia’s xorshift generators
• (V8 Deep Dives) Random Thoughts on Math.random()
• Hacking the JavaScript Lottery