Ready Gladiator 2 picoCTF 2023 Solution

Published: April 26, 2023

Description

For the final duel you must win every single round against the Imp. An imp gate warrior is the classic 100% solution: it destroys Imps passing through a 10-instruction corridor before being overrun itself.

Craft or copy a warrior with a 100 percent win rate versus the Imp (Herem/Scimitar is a reliable bomber).

Test locally: pmars -r 100 -c 100 herem.red imp.red and confirm 100/0 before connecting.

Pipe the warrior into nc saturn.picoctf.net 54217 and ensure it records 100 wins.

```bash
cat <<'RED' > herem.red
;redcode-94
;name Herem/Scimitar
;author aCa
;strategy bomber tuned versus the Imp
bomb       dat #4, #4            ; the bomb; its B-field doubles as the target pointer
start      add.ab #4, bomb       ; advance the pointer by the stride (4 cells)
           mov.i   bomb, @bomb   ; drop a copy of the bomb at the cell the pointer names
           jmp     start
end start
RED
```

```bash
pmars -r 100 -c 100 herem.red imp.red
```

```bash
nc saturn.picoctf.net 54217 < herem.red
```
  1. Step 1: Use a bomber strategy
    Herem/Scimitar walks memory dropping DAT bombs every 4 cells. The Imp marches at 1 cell per turn, so a 4-stride bomb pattern covers every cell the Imp will ever visit.

    Herem/Scimitar is a tuned bomber written in ICWS-94 Redcode. Two modifier choices matter. add.ab adds only into the B-field of the bomb pointer, leaving the A-field alone; that is faster and more compact than add.f (which writes both fields), and matters when every cycle counts in a sweep race against the Imp. mov.i copies the entire instruction (both fields plus opcode) so the destination receives a real dat bomb, not just one field.

    Concrete trace. Picture an 8000-cell circular memory. Bomb stride is 4, so on successive cycles the bomber drops dat instructions into cells 0, 4, 8, 12, .... The Imp starts somewhere random (call it cell 1) and steps cell-by-cell: 1, 2, 3, 4, .... When the Imp reaches cell 4 (or any multiple of 4 that the bomber has already covered), it executes dat and dies. Even if the Imp's starting offset is unfavourable, the bomber laps it long before the Imp completes a full sweep of the core, because writing one bomb takes 1 cycle and the Imp only advances 1 cell per cycle while the bomber covers 4.

    The 100/100 rule is what raises the bar from Gladiator 1 to Gladiator 2. The server samples random starting offsets across rounds; a 100 percent win rate means the warrior beats the Imp regardless of where they start relative to each other in memory. A warrior that wins 99 of 100 had one offset configuration where the strategy fails, and the server will not award the flag. If you only see 99/1 locally with pMARS, change the bomb stride or pick a stronger warrior; do not just retry hoping for variance.

  2. Step 2: Verify 100 wins
    Run pmars -r 100 -c 100 herem.red imp.red locally. The cycle limit -c 100 mirrors the server budget, so a 100/0 here means 100/0 there.

    -r 100 runs 100 rounds with randomised starting offsets, which is the same statistical setup the server uses. -c 100 caps the cycle budget per round at 100; many CTF servers cap cycles low to keep matches fast, so a warrior that wins under generous local cycles but loses against a tight server budget is not actually 100/100. Confirming 100/0 locally with the matching cycle cap means submission will succeed on the first try.

    If you only manage 99/1 locally: tune the stride (Imp moves 1 per turn, so strides of 3, 4, or 5 are the candidate set; a stride that shares a factor with the core size loops on itself), or upgrade to a stronger warrior (a quick scan of the King of the Hill archives turns up dozens of 100/0 anti-Imp bombers).

    Beyond pure bomber tactics, this exact analysis (proving a strategy wins regardless of offset) is the spirit of formal verification: do not just observe a few good runs, prove the win condition holds across the entire input space.
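    An exhaustive version of the 100/100 check, as an added example that is not part of the original writeup: a minimal Python MARS covering only the instructions and addressing modes the bomber and the Imp use (DAT, MOV.I, ADD.AB, JMP; immediate, direct and B-indirect), which duels the two warriors from every non-overlapping starting offset instead of sampling 100 random ones. The bomber-first execution order, the DAT-filled core and the 8000-cell / 80000-cycle defaults are assumptions standing in for pMARS settings.

```python
from dataclasses import dataclass, replace

@dataclass
class Ins:  # one core cell: opcode, A-mode, A-field, B-mode, B-field
    op: str; ma: str; a: int; mb: str; b: int
# The bomber from the writeup as pmars assembles it (operands relative to their cell), and the Imp
BOMBER = [Ins("DAT", "#", 4, "#", 4),    # bomb   dat #4, #4
          Ins("ADD", "#", 4, "$", -1),   # start  add.ab #4, bomb
          Ins("MOV", "$", -2, "@", -2),  #        mov.i  bomb, @bomb
          Ins("JMP", "$", -2, "#", 0)]   #        jmp    start
IMP = Ins("MOV", "$", 0, "$", 1)         # mov.i 0, 1

def resolve(core, pc, mode, val):
    """Address of an operand in immediate '#', direct '$' or B-indirect '@' mode."""
    if mode == "#":
        return pc
    ptr = (pc + val) % len(core)
    return ptr if mode == "$" else (ptr + core[ptr].b) % len(core)

def step(core, pc):
    """Execute core[pc] for one process; return its next pc, or None if it died on a DAT."""
    ins = core[pc]
    src, dst = resolve(core, pc, ins.ma, ins.a), resolve(core, pc, ins.mb, ins.b)
    if ins.op == "DAT":
        return None
    if ins.op == "MOV":    # .I modifier: copy the whole cell
        core[dst] = replace(core[src])
    elif ins.op == "ADD":  # .AB modifier: add the source A-field into the destination B-field
        core[dst].b = (core[dst].b + core[src].a) % len(core)
    elif ins.op == "JMP":
        return src
    return (pc + 1) % len(core)

def duel(offset, size=8000, cycles=80000):
    """Bomber at cell 0, Imp at `offset`; the bomber executes first in each cycle (assumed order)."""
    core = [Ins("DAT", "#", 0, "#", 0) for _ in range(size)]   # empty core, DAT-filled (assumption)
    core[:len(BOMBER)] = [replace(i) for i in BOMBER]
    core[offset % size] = replace(IMP)
    pcs = {"bomber": 1, "imp": offset % size}                 # the 'start' label is cell 1
    for _ in range(cycles):
        # run every live process once, dropping any that died this cycle
        pcs = {n: nxt for n in list(pcs) if (nxt := step(core, pcs[n])) is not None}
        if len(pcs) < 2: break
    return "win" if set(pcs) == {"bomber"} else "loss" if set(pcs) == {"imp"} else "tie"

def sweep(size=8000, cycles=80000):
    """The 100/100 rule checked exhaustively: every non-overlapping Imp offset, not 100 random ones."""
    tally = {"win": 0, "tie": 0, "loss": 0}
    for offset in range(len(BOMBER), size):
        tally[duel(offset, size, cycles)] += 1
    return tally
```

    sweep(size=400, cycles=100) returns the tally of wins, ties and losses across all offsets for a small core; any offset that does not end in "win" under the cycle cap you intend to submit against is exactly the case a sampled -r 100 run can miss.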

Flag

picoCTF{d3m0n_3xpu...24e}

Consistency is key: choose a warrior with deterministic wins rather than probabilistic ones.
