ctfwriteup.com
Search
K

Puzzle 10

Puzzle

#############
# Puzzle 10 #
#############
00 38 CODESIZE
01 34 CALLVALUE
02 90 SWAP1
03 11 GT
04 6008 PUSH1 08
06 57 JUMPI
07 FD REVERT
08 5B JUMPDEST
09 36 CALLDATASIZE
0A 610003 PUSH2 0003
0D 90 SWAP1
0E 06 MOD
0F 15 ISZERO
10 34 CALLVALUE
11 600A PUSH1 0A
13 01 ADD
14 57 JUMPI
15 FD REVERT
16 FD REVERT
17 FD REVERT
18 FD REVERT
19 5B JUMPDEST
1A 00 STOP
? Enter the value to send: (0)

Solution

Chunk 1

00 38 CODESIZE
01 34 CALLVALUE
02 90 SWAP1
03 11 GT
04 6008 PUSH1 08
06 57 JUMPI
07 FD REVERT
08 5B JUMPDEST
Pseudocode:
if (code_size > msg.value) {
jump(0x08);
}
else {
revert();
}
=> We want code_size > msg.value. Since code_size == 23, this is equivalent to msg.value < 23.

Chunk 2

09 36 CALLDATASIZE
0A 610003 PUSH2 0003
0D 90 SWAP1
0E 06 MOD
0F 15 ISZERO
10 34 CALLVALUE
11 600A PUSH1 0A
13 01 ADD
14 57 JUMPI
15 FD REVERT
16 FD REVERT
17 FD REVERT
18 FD REVERT
19 5B JUMPDEST
1A 00 STOP
Pseudocode:
if (calldata_size % 3 == 0) {
jump(msg.value + 0x0A);
}
else {
revert();
}
=> We want calldata_size % 3 == 0 and msg.value + 0x0A == 0x19.

Building calldata

Basically msg.value should be 15 and calldata with length multiple of 3, such as 0x0a0b0c.