Puzzle 3

DELEGATECALL

Puzzle

############
# Puzzle 3 #
############
00 36 CALLDATASIZE
01 6000 PUSH1 00
03 6000 PUSH1 00
05 37 CALLDATACOPY
06 36 CALLDATASIZE
07 6000 PUSH1 00
09 6000 PUSH1 00
0B F0 CREATE
0C 6000 PUSH1 00
0E 80 DUP1
0F 80 DUP1
10 80 DUP1
11 93 SWAP4
12 5A GAS
13 F4 DELEGATECALL
14 6005 PUSH1 05
16 54 SLOAD
17 60AA PUSH1 AA
19 14 EQ
1A 601E PUSH1 1E
1C 57 JUMPI
1D FE INVALID
1E 5B JUMPDEST
1F 00 STOP
? Enter the calldata:

Solution

Pseudocode:
// Copy calldata to memory offset 0
calldatacopy(0, 0, calldata_size);
// Create a new contract from the calldata stored in memory, depositing 0 wei into it.
// CREATE pushes the new contract's address onto the stack.
contract_address = create(0, 0, calldata_size);
// Delegatecall the new contract
// Pushes 0 (failure) or 1 (success); the puzzle never checks this value
success = delegatecall(gas, contract_address, 0, 0, 0, 0);
// Read storage slot 5
element = sload(0x05);
if (element == 0xAA) {
    jump(0x1E); // JUMPDEST, then STOP
}
// Otherwise execution falls through to INVALID at 0x1D
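The new contract's runtime code must store 0xAA in storage slot 5. Because that code is executed through DELEGATECALL, its SSTORE writes to the puzzle contract's own storage, which is the slot the SLOAD at 0x16 reads. The runtime code is easy to write: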
PUSH1 0xAA
PUSH1 0x05
SSTORE
Compile:
60aa600555
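Build the creation code the same way as in Puzzle 2. MSTORE writes the 5-byte runtime code right-aligned in the 32-byte word at memory offset 0, so it occupies bytes 0x1B to 0x1F, and RETURN hands back 5 bytes starting at 0x1B: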
PUSH5 0x60aa600555
PUSH1 0x00
MSTORE
PUSH1 0x05
PUSH1 0x1B
RETURN
Compile:
6460aa6005556000526005601bf3
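To check the answer offline, here is an added example (not part of the original writeup or the puzzle's code): a toy interpreter for only the opcodes this puzzle and its solution use. The names run and solves, the constant GAS value, the sequential contract addresses and the missing JUMPDEST validation are simplifying assumptions.

```python
# Added example: toy EVM covering only the opcodes in Puzzle 3 and its solution.
PUZZLE = bytes.fromhex("3660006000373660006000f06000808080935af460055460aa14601e57fe5b00")

def run(code, calldata, storage, codes):
    stack, mem, pc = [], bytearray(256), 0
    pop, push = stack.pop, stack.append
    while pc < len(code):
        op = code[pc]; pc += 1
        if 0x60 <= op <= 0x7f:                        # PUSH1..PUSH32
            n = op - 0x5f
            push(int.from_bytes(code[pc:pc + n], "big")); pc += n
        elif op == 0x00: break                        # STOP
        elif op == 0x14: push(int(pop() == pop()))    # EQ
        elif op == 0x36: push(len(calldata))          # CALLDATASIZE
        elif op == 0x37:                              # CALLDATACOPY(dst, src, size)
            dst, src, size = pop(), pop(), pop()
            mem[dst:dst + size] = calldata[src:src + size].ljust(size, b"\0")
        elif op == 0x52:                              # MSTORE: 32-byte big-endian word
            off, val = pop(), pop()
            mem[off:off + 32] = val.to_bytes(32, "big")
        elif op == 0x54: push(storage.get(pop(), 0))  # SLOAD
        elif op == 0x55: key = pop(); storage[key] = pop()  # SSTORE(key, value)
        elif op == 0x57:                              # JUMPI (JUMPDEST check omitted)
            dest, cond = pop(), pop()
            if cond: pc = dest
        elif op == 0x5a: push(10**6)                  # GAS (constant, gas not modelled)
        elif op == 0x5b: pass                         # JUMPDEST
        elif op == 0x80: push(stack[-1])              # DUP1
        elif op == 0x93: stack[-1], stack[-5] = stack[-5], stack[-1]  # SWAP4
        elif op == 0xf0:       # CREATE: init code runs on the NEW contract's storage
            _, off, size = pop(), pop(), pop()
            ok, runtime = run(bytes(mem[off:off + size]), b"", {}, codes)
            addr = len(codes) + 1 if ok else 0
            if ok: codes[addr] = runtime              # RETURN data becomes runtime code
            push(addr)
        elif op == 0xf4:       # DELEGATECALL: callee code runs on the CALLER's storage
            _, addr = pop(), pop(); del stack[-4:]
            ok, _ = run(codes.get(addr, b""), b"", storage, codes)
            push(int(ok))
        elif op == 0xf3:                              # RETURN(off, size)
            off, size = pop(), pop()
            return True, bytes(mem[off:off + size])
        else: return False, b""                       # INVALID (0xFE) or unsupported
    return True, b""

def solves(calldata_hex):
    """Run the puzzle with the given calldata; return (success, value of slot 5)."""
    storage = {}
    ok, _ = run(PUZZLE, bytes.fromhex(calldata_hex), storage, {})
    return ok, storage.get(5, 0)
```

Passing the creation code 6460aa6005556000526005601bf3 to solves reaches STOP with slot 5 set to 0xAA. Passing the bare runtime 60aa600555 hits INVALID, because CREATE executes it as init code against the new contract's storage and deploys empty code.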